General
- Target: pay.sh
- Size: 3KB
- Sample: 241022-tj267svgrq
- MD5: cf70ee36f1e9247f2146e4981924d4f4
- SHA1: 7eabae4200118c4e89979658db6e4d905fe3dae9
- SHA256: 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c
- SHA512: 60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0
Static task
- static1

Behavioral task
- behavioral1: sample pay.sh, resource ubuntu1804-amd64-20240729-en

Behavioral task
- behavioral2: sample pay.sh, resource debian9-armhf-20240611-en

Behavioral task
- behavioral3: sample pay.sh, resource debian9-mipsbe-20240611-en

Behavioral task
- behavioral4: sample pay.sh, resource debian9-mipsel-20240729-en
Malware Config
- Extracted family: gafgyt
- C2: 104.234.24.138:1990
Targets
- Target: pay.sh
Signatures
- Detected Gafgyt variant
- Detects Kaiten/Tsunami payload
- File and Directory Permissions Modification: adversaries may modify file or directory permissions to evade defenses.
- Executes dropped EXE
- Creates/modifies environment variables: creating or modifying environment variables is a common persistence mechanism.
- Modifies Bash startup script
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
- Event Triggered Execution (1)
- Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1)
- Path Interception by PATH Environment Variable (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Event Triggered Execution (1)
- Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1)
- Path Interception by PATH Environment Variable (1)