Analysis Overview
SHA256: 33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0
Threat Level: Known bad
The file tyo2831qq.x86.elf was found to be: Known bad.
Malicious Activity Summary
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Executes dropped EXE
Creates/modifies Cron job
Writes file to system bin folder
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-09 04:09
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gafgyt family
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-09 04:09
Reported: 2024-11-09 04:11
Platform: ubuntu1804-amd64-20240611-en
Max time kernel: 84s
Max time network: 128s
Command Line
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gafgyt family
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/filetypTHP | /tmp/filetypTHP | N/A |
| N/A | /tmp/filetPWVCX | /tmp/filetPWVCX | N/A |
| N/A | /tmp/file4IrhXZ | /tmp/file4IrhXZ | N/A |
| N/A | /tmp/filejjfKV2 | /tmp/filejjfKV2 | N/A |
| N/A | /tmp/fileol5O31 | /tmp/fileol5O31 | N/A |
| N/A | /tmp/fileRICDTW | /tmp/fileRICDTW | N/A |
| N/A | /tmp/file25mfc0 | /tmp/file25mfc0 | N/A |
| N/A | /tmp/fileKea4vV | /tmp/fileKea4vV | N/A |
| N/A | /tmp/fileTWdAI5 | /tmp/fileTWdAI5 | N/A |
| N/A | /tmp/fileHDP6yd | /tmp/fileHDP6yd | N/A |
| N/A | /tmp/filedx7FQd | /tmp/filedx7FQd | N/A |
| N/A | /tmp/fileL8oi2g | /tmp/fileL8oi2g | N/A |
| N/A | /tmp/fileuxsdXi | /tmp/fileuxsdXi | N/A |
| N/A | /tmp/filemB0QBj | /tmp/filemB0QBj | N/A |
| N/A | /tmp/filee3PW3i | /tmp/filee3PW3i | N/A |
| N/A | /tmp/file5hx6Xg | /tmp/file5hx6Xg | N/A |
| N/A | /tmp/fileo1Ggxg | /tmp/fileo1Ggxg | N/A |
| N/A | /tmp/filePDohpm | /tmp/filePDohpm | N/A |
| N/A | /tmp/file9EdyXl | /tmp/file9EdyXl | N/A |
| N/A | /tmp/fileUa1NVl | /tmp/fileUa1NVl | N/A |
| N/A | /tmp/file8uMF1l | /tmp/file8uMF1l | N/A |
| N/A | /tmp/fileeInw9l | /tmp/fileeInw9l | N/A |
| N/A | /tmp/fileQgrnfh | /tmp/fileQgrnfh | N/A |
| N/A | /tmp/file8Lj3Vh | /tmp/file8Lj3Vh | N/A |
| N/A | /tmp/filewYrpbg | /tmp/filewYrpbg | N/A |
| N/A | /tmp/filethKssd | /tmp/filethKssd | N/A |
| N/A | /tmp/fileuRpwAa | /tmp/fileuRpwAa | N/A |
| N/A | /tmp/filee4x1rd | /tmp/filee4x1rd | N/A |
| N/A | /tmp/fileMg1YGg | /tmp/fileMg1YGg | N/A |
| N/A | /tmp/fileIsHo9j | /tmp/fileIsHo9j | N/A |
| N/A | /tmp/file9HaENn | /tmp/file9HaENn | N/A |
| N/A | /tmp/filejx9O4r | /tmp/filejx9O4r | N/A |
| N/A | /tmp/file39w9Iz | /tmp/file39w9Iz | N/A |
| N/A | /tmp/filek2O76z | /tmp/filek2O76z | N/A |
| N/A | /tmp/fileLx7EhH | /tmp/fileLx7EhH | N/A |
| N/A | /tmp/filepBA5XP | /tmp/filepBA5XP | N/A |
| N/A | /tmp/file4KvgdL | /tmp/file4KvgdL | N/A |
| N/A | /tmp/fileNWoLxH | /tmp/fileNWoLxH | N/A |
| N/A | /tmp/fileJuCPdH | /tmp/fileJuCPdH | N/A |
| N/A | /tmp/file8xdTOM | /tmp/file8xdTOM | N/A |
| N/A | /tmp/fileHWigTK | /tmp/fileHWigTK | N/A |
| N/A | /tmp/fileaEomLO | /tmp/fileaEomLO | N/A |
| N/A | /tmp/file0dGPLU | /tmp/file0dGPLU | N/A |
| N/A | /tmp/filetRQhiY | /tmp/filetRQhiY | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /etc/cron.hourly/0 | /tmp/filejjfKV2 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileUa1NVl | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file39w9Iz | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileJuCPdH | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file4KvgdL | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileRICDTW | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filemB0QBj | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filePDohpm | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filethKssd | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file9HaENn | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file4IrhXZ | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileol5O31 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/tyo2831qq.x86.elf | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileeInw9l | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file8Lj3Vh | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file8xdTOM | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filetypTHP | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileTWdAI5 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file8uMF1l | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filee4x1rd | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileHWigTK | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileaEomLO | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file25mfc0 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileHDP6yd | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filedx7FQd | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file5hx6Xg | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file9EdyXl | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file0dGPLU | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filek2O76z | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileNWoLxH | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filetPWVCX | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileL8oi2g | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filewYrpbg | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileuRpwAa | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filejx9O4r | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileMg1YGg | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileIsHo9j | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileLx7EhH | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileKea4vV | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileuxsdXi | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filee3PW3i | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileo1Ggxg | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileQgrnfh | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filepBA5XP | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /bin/ls | /tmp/tyo2831qq.x86.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/self/exe | /tmp/fileaEomLO | N/A |
| File opened for reading | /proc/self/exe | /tmp/filee3PW3i | N/A |
| File opened for reading | /proc/self/exe | /tmp/file5hx6Xg | N/A |
| File opened for reading | /proc/self/exe | /tmp/file39w9Iz | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileHWigTK | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileMg1YGg | N/A |
| File opened for reading | /proc/self/exe | /tmp/filejx9O4r | N/A |
| File opened for reading | /proc/self/exe | /tmp/filepBA5XP | N/A |
| File opened for reading | /proc/self/exe | /tmp/filejjfKV2 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileo1Ggxg | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileQgrnfh | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileuRpwAa | N/A |
| File opened for reading | /proc/self/exe | /tmp/file8uMF1l | N/A |
| File opened for reading | /proc/self/exe | /tmp/filewYrpbg | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileIsHo9j | N/A |
| File opened for reading | /proc/self/exe | /tmp/file8xdTOM | N/A |
| File opened for reading | /proc/self/exe | /tmp/file4IrhXZ | N/A |
| File opened for reading | /proc/self/exe | /tmp/file25mfc0 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileTWdAI5 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileHDP6yd | N/A |
| File opened for reading | /proc/self/exe | /tmp/tyo2831qq.x86.elf | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileL8oi2g | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileuxsdXi | N/A |
| File opened for reading | /proc/self/exe | /tmp/file9EdyXl | N/A |
| File opened for reading | /proc/self/exe | /tmp/file0dGPLU | N/A |
| File opened for reading | /proc/self/exe | /tmp/file8Lj3Vh | N/A |
| File opened for reading | /proc/self/exe | /tmp/filek2O76z | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileLx7EhH | N/A |
| File opened for reading | /proc/self/exe | /tmp/filetRQhiY | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileol5O31 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filedx7FQd | N/A |
| File opened for reading | /proc/self/exe | /tmp/filemB0QBj | N/A |
| File opened for reading | /proc/self/exe | /tmp/filePDohpm | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileJuCPdH | N/A |
| File opened for reading | /proc/self/exe | /tmp/filetPWVCX | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileKea4vV | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileeInw9l | N/A |
| File opened for reading | /proc/self/exe | /tmp/filee4x1rd | N/A |
| File opened for reading | /proc/self/exe | /tmp/file9HaENn | N/A |
| File opened for reading | /proc/self/exe | /tmp/file4KvgdL | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileNWoLxH | N/A |
| File opened for reading | /proc/self/exe | /tmp/filetypTHP | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileRICDTW | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileUa1NVl | N/A |
| File opened for reading | /proc/self/exe | /tmp/filethKssd | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/filetPWVCX | /tmp/filetypTHP | N/A |
| File opened for modification | /tmp/file4IrhXZ | /tmp/filetPWVCX | N/A |
| File opened for modification | /tmp/fileuxsdXi | /tmp/fileL8oi2g | N/A |
| File opened for modification | /tmp/filePDohpm | /tmp/fileo1Ggxg | N/A |
| File opened for modification | /tmp/filewYrpbg | /tmp/file8Lj3Vh | N/A |
| File opened for modification | /tmp/filee4x1rd | /tmp/fileuRpwAa | N/A |
| File opened for modification | /tmp/fileIsHo9j | /tmp/fileMg1YGg | N/A |
| File opened for modification | /tmp/fileJuCPdH | /tmp/fileNWoLxH | N/A |
| File opened for modification | /tmp/filetypTHP | /tmp/tyo2831qq.x86.elf | N/A |
| File opened for modification | /tmp/filemB0QBj | /tmp/fileuxsdXi | N/A |
| File opened for modification | /tmp/filee3PW3i | /tmp/filemB0QBj | N/A |
| File opened for modification | /tmp/file5hx6Xg | /tmp/filee3PW3i | N/A |
| File opened for modification | /tmp/file8uMF1l | /tmp/fileUa1NVl | N/A |
| File opened for modification | /tmp/fileuRpwAa | /tmp/filethKssd | N/A |
| File opened for modification | /tmp/fileLx7EhH | /tmp/filek2O76z | N/A |
| File opened for modification | /tmp/file8xdTOM | /tmp/fileJuCPdH | N/A |
| File opened for modification | /tmp/file0dGPLU | /tmp/fileaEomLO | N/A |
| File opened for modification | /tmp/fileRICDTW | /tmp/fileol5O31 | N/A |
| File opened for modification | /tmp/fileKea4vV | /tmp/file25mfc0 | N/A |
| File opened for modification | /tmp/fileTWdAI5 | /tmp/fileKea4vV | N/A |
| File opened for modification | /tmp/fileL8oi2g | /tmp/filedx7FQd | N/A |
| File opened for modification | /tmp/fileo1Ggxg | /tmp/file5hx6Xg | N/A |
| File opened for modification | /tmp/fileMg1YGg | /tmp/filee4x1rd | N/A |
| File opened for modification | /tmp/filejx9O4r | /tmp/file9HaENn | N/A |
| File opened for modification | /tmp/filetRQhiY | /tmp/file0dGPLU | N/A |
| File opened for modification | /tmp/fileRQyjt3 | /tmp/filetRQhiY | N/A |
| File opened for modification | /tmp/file25mfc0 | /tmp/fileRICDTW | N/A |
| File opened for modification | /tmp/filethKssd | /tmp/filewYrpbg | N/A |
| File opened for modification | /tmp/file4KvgdL | /tmp/filepBA5XP | N/A |
| File opened for modification | /tmp/fileaEomLO | /tmp/fileHWigTK | N/A |
| File opened for modification | /tmp/fileol5O31 | /tmp/filejjfKV2 | N/A |
| File opened for modification | /tmp/fileHDP6yd | /tmp/fileTWdAI5 | N/A |
| File opened for modification | /tmp/filedx7FQd | /tmp/fileHDP6yd | N/A |
| File opened for modification | /tmp/file9HaENn | /tmp/fileIsHo9j | N/A |
| File opened for modification | /tmp/file39w9Iz | /tmp/filejx9O4r | N/A |
| File opened for modification | /tmp/fileNWoLxH | /tmp/file4KvgdL | N/A |
| File opened for modification | /tmp/fileHWigTK | /tmp/file8xdTOM | N/A |
| File opened for modification | /tmp/filejjfKV2 | /tmp/file4IrhXZ | N/A |
| File opened for modification | /tmp/fileUa1NVl | /tmp/file9EdyXl | N/A |
| File opened for modification | /tmp/fileeInw9l | /tmp/file8uMF1l | N/A |
| File opened for modification | /tmp/fileQgrnfh | /tmp/fileeInw9l | N/A |
| File opened for modification | /tmp/file9EdyXl | /tmp/filePDohpm | N/A |
| File opened for modification | /tmp/file8Lj3Vh | /tmp/fileQgrnfh | N/A |
| File opened for modification | /tmp/filek2O76z | /tmp/file39w9Iz | N/A |
| File opened for modification | /tmp/filepBA5XP | /tmp/fileLx7EhH | N/A |
Processes
/tmp/tyo2831qq.x86.elf [/tmp/tyo2831qq.x86.elf]
/tmp/filetypTHP [/tmp/tyo2831qq.x86.elf]
/tmp/filetPWVCX [/tmp/tyo2831qq.x86.elf]
/tmp/file4IrhXZ [/tmp/tyo2831qq.x86.elf]
/tmp/filejjfKV2 [/tmp/tyo2831qq.x86.elf]
/tmp/fileol5O31 [/tmp/tyo2831qq.x86.elf]
/tmp/fileRICDTW [/tmp/tyo2831qq.x86.elf]
/tmp/file25mfc0 [/tmp/tyo2831qq.x86.elf]
/tmp/fileKea4vV [/tmp/tyo2831qq.x86.elf]
/tmp/fileTWdAI5 [/tmp/tyo2831qq.x86.elf]
/tmp/fileHDP6yd [/tmp/tyo2831qq.x86.elf]
/tmp/filedx7FQd [/tmp/tyo2831qq.x86.elf]
/tmp/fileL8oi2g [/tmp/tyo2831qq.x86.elf]
/tmp/fileuxsdXi [/tmp/tyo2831qq.x86.elf]
/tmp/filemB0QBj [/tmp/tyo2831qq.x86.elf]
/tmp/filee3PW3i [/tmp/tyo2831qq.x86.elf]
/tmp/file5hx6Xg [/tmp/tyo2831qq.x86.elf]
/tmp/fileo1Ggxg [/tmp/tyo2831qq.x86.elf]
/tmp/filePDohpm [/tmp/tyo2831qq.x86.elf]
/tmp/file9EdyXl [/tmp/tyo2831qq.x86.elf]
/tmp/fileUa1NVl [/tmp/tyo2831qq.x86.elf]
/tmp/file8uMF1l [/tmp/tyo2831qq.x86.elf]
/tmp/fileeInw9l [/tmp/tyo2831qq.x86.elf]
/tmp/fileQgrnfh [/tmp/tyo2831qq.x86.elf]
/tmp/file8Lj3Vh [/tmp/tyo2831qq.x86.elf]
/tmp/filewYrpbg [/tmp/tyo2831qq.x86.elf]
/tmp/filethKssd [/tmp/tyo2831qq.x86.elf]
/tmp/fileuRpwAa [/tmp/tyo2831qq.x86.elf]
/tmp/filee4x1rd [/tmp/tyo2831qq.x86.elf]
/tmp/fileMg1YGg [/tmp/tyo2831qq.x86.elf]
/tmp/fileIsHo9j [/tmp/tyo2831qq.x86.elf]
/tmp/file9HaENn [/tmp/tyo2831qq.x86.elf]
/tmp/filejx9O4r [/tmp/tyo2831qq.x86.elf]
/tmp/file39w9Iz [/tmp/tyo2831qq.x86.elf]
/tmp/filek2O76z [/tmp/tyo2831qq.x86.elf]
/tmp/fileLx7EhH [/tmp/tyo2831qq.x86.elf]
/tmp/filepBA5XP [/tmp/tyo2831qq.x86.elf]
/tmp/file4KvgdL [/tmp/tyo2831qq.x86.elf]
/tmp/fileNWoLxH [/tmp/tyo2831qq.x86.elf]
/tmp/fileJuCPdH [/tmp/tyo2831qq.x86.elf]
/tmp/file8xdTOM [/tmp/tyo2831qq.x86.elf]
/tmp/fileHWigTK [/tmp/tyo2831qq.x86.elf]
/tmp/fileaEomLO [/tmp/tyo2831qq.x86.elf]
/tmp/file0dGPLU [/tmp/tyo2831qq.x86.elf]
/tmp/filetRQhiY [/tmp/tyo2831qq.x86.elf]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.19:443 | | tcp |
Files
/tmp/filetypTHP
| Hash | Value |
|---|---|
| MD5 | a8a6992775589faecef1bc8cf38bdfc5 |
| SHA1 | b6903301aecf34539654f309b8c12773461920dc |
| SHA256 | cae053bfac71081a19bd64ae66f3fc9a149bcbe492eeb46d33647e01ab18eb52 |
| SHA512 | dd803894a1bb9caa2bb4d1da70d35a531a7f76718d23392ff7ee511f489f413f2c79e82a3d7432685a36f470b69c74d211d18d050bee1a5d261c75131ee58fb8 |
/etc/cron.hourly/0
| Hash | Value |
|---|---|
| MD5 | 3f006f7f81fc17be7f4a0d3da0fad5de |
| SHA1 | 97a94d3d0654c6551057af3809b52572bd7f9f5d |
| SHA256 | 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf |
| SHA512 | 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0 |
/tmp/filetypTHP
| Hash | Value |
|---|---|
| MD5 | 4ac062e7bafef554949de20763c54f7b |
| SHA1 | 24355a299d9aca3953a9fac256cdaf7be0249fda |
| SHA256 | 33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0 |
| SHA512 | b12f82c346dbe62b6a96e7c9d3185eb2fdca9cc29ba83e29a102fd746c93d72d919d8146840ab9338dc8a25a7fb2b400a0cd9d0ac2ea5a0471d283f81d115bb9 |