Malware Analysis Report

2024-11-13 18:03

Sample ID 241109-eqsh1sxdle
Target tyo2831qq.x86.elf
SHA256 33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0
Tags gafgyt botnet discovery execution persistence privilege_escalation

Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0

Threat Level: Known bad

The file tyo2831qq.x86.elf was found to be: Known bad.

Malicious Activity Summary

Tags: gafgyt botnet discovery execution persistence privilege_escalation

Behaviour recorded in the behavioral1 run: the sample reads its own image through /proc/self/exe, writes a copy to a fresh /tmp/fileXXXXXX name and executes that copy; each copy repeats the step, so 45 generations ran within the 84-second window. The dropped copy /tmp/filetypTHP has the same SHA256 as the submitted sample. 44 of the 45 processes (all but the last, /tmp/filetRQhiY) also open /etc/cron.hourly/0 for writing, which gives hourly persistence through run-parts, and the original sample opens /bin/ls for writing.

Signatures triggered:

Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Executes dropped EXE
Creates/modifies Cron job
Writes file to system bin folder
Writes file to tmp directory
Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 04:09

Signatures

Detected Gafgyt variant (no Description, Indicator, Process or Target details recorded)

Gafgyt family (tag: gafgyt)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 04:09

Reported

2024-11-09 04:11

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

84s

Max time network

128s

Command Line

[/tmp/tyo2831qq.x86.elf]

Signatures

Detected Gafgyt variant (two hits; no Description, Indicator, Process or Target details recorded)

Gafgyt family (tag: gafgyt)

Gafgyt/Bashlite (tags: botnet gafgyt)

Executes dropped EXE

Indicator is the dropped file and Process the process image that ran it. Every file dropped in the chain was executed except the last one written, /tmp/fileRQyjt3, which does not appear as a process in this run.
Description Indicator Process Target
N/A /tmp/filetypTHP /tmp/filetypTHP N/A
N/A /tmp/filetPWVCX /tmp/filetPWVCX N/A
N/A /tmp/file4IrhXZ /tmp/file4IrhXZ N/A
N/A /tmp/filejjfKV2 /tmp/filejjfKV2 N/A
N/A /tmp/fileol5O31 /tmp/fileol5O31 N/A
N/A /tmp/fileRICDTW /tmp/fileRICDTW N/A
N/A /tmp/file25mfc0 /tmp/file25mfc0 N/A
N/A /tmp/fileKea4vV /tmp/fileKea4vV N/A
N/A /tmp/fileTWdAI5 /tmp/fileTWdAI5 N/A
N/A /tmp/fileHDP6yd /tmp/fileHDP6yd N/A
N/A /tmp/filedx7FQd /tmp/filedx7FQd N/A
N/A /tmp/fileL8oi2g /tmp/fileL8oi2g N/A
N/A /tmp/fileuxsdXi /tmp/fileuxsdXi N/A
N/A /tmp/filemB0QBj /tmp/filemB0QBj N/A
N/A /tmp/filee3PW3i /tmp/filee3PW3i N/A
N/A /tmp/file5hx6Xg /tmp/file5hx6Xg N/A
N/A /tmp/fileo1Ggxg /tmp/fileo1Ggxg N/A
N/A /tmp/filePDohpm /tmp/filePDohpm N/A
N/A /tmp/file9EdyXl /tmp/file9EdyXl N/A
N/A /tmp/fileUa1NVl /tmp/fileUa1NVl N/A
N/A /tmp/file8uMF1l /tmp/file8uMF1l N/A
N/A /tmp/fileeInw9l /tmp/fileeInw9l N/A
N/A /tmp/fileQgrnfh /tmp/fileQgrnfh N/A
N/A /tmp/file8Lj3Vh /tmp/file8Lj3Vh N/A
N/A /tmp/filewYrpbg /tmp/filewYrpbg N/A
N/A /tmp/filethKssd /tmp/filethKssd N/A
N/A /tmp/fileuRpwAa /tmp/fileuRpwAa N/A
N/A /tmp/filee4x1rd /tmp/filee4x1rd N/A
N/A /tmp/fileMg1YGg /tmp/fileMg1YGg N/A
N/A /tmp/fileIsHo9j /tmp/fileIsHo9j N/A
N/A /tmp/file9HaENn /tmp/file9HaENn N/A
N/A /tmp/filejx9O4r /tmp/filejx9O4r N/A
N/A /tmp/file39w9Iz /tmp/file39w9Iz N/A
N/A /tmp/filek2O76z /tmp/filek2O76z N/A
N/A /tmp/fileLx7EhH /tmp/fileLx7EhH N/A
N/A /tmp/filepBA5XP /tmp/filepBA5XP N/A
N/A /tmp/file4KvgdL /tmp/file4KvgdL N/A
N/A /tmp/fileNWoLxH /tmp/fileNWoLxH N/A
N/A /tmp/fileJuCPdH /tmp/fileJuCPdH N/A
N/A /tmp/file8xdTOM /tmp/file8xdTOM N/A
N/A /tmp/fileHWigTK /tmp/fileHWigTK N/A
N/A /tmp/fileaEomLO /tmp/fileaEomLO N/A
N/A /tmp/file0dGPLU /tmp/file0dGPLU N/A
N/A /tmp/filetRQhiY /tmp/filetRQhiY N/A

Creates/modifies Cron job

execution persistence privilege_escalation

Indicator is the file written and Process the writer. 44 of the 45 processes in the chain (all but the last, /tmp/filetRQhiY) open /etc/cron.hourly/0 for writing. The name "0" matters: run-parts(8), which executes /etc/cron.hourly on Ubuntu, only runs entries whose name consists of letters, digits, underscores and hyphens, so this entry is executed every hour, whereas a name containing a dot would be skipped. The hash of the resulting file is in the Files section.
Description Indicator Process Target
File opened for modification /etc/cron.hourly/0 /tmp/filejjfKV2 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileUa1NVl N/A
File opened for modification /etc/cron.hourly/0 /tmp/file39w9Iz N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileJuCPdH N/A
File opened for modification /etc/cron.hourly/0 /tmp/file4KvgdL N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileRICDTW N/A
File opened for modification /etc/cron.hourly/0 /tmp/filemB0QBj N/A
File opened for modification /etc/cron.hourly/0 /tmp/filePDohpm N/A
File opened for modification /etc/cron.hourly/0 /tmp/filethKssd N/A
File opened for modification /etc/cron.hourly/0 /tmp/file9HaENn N/A
File opened for modification /etc/cron.hourly/0 /tmp/file4IrhXZ N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileol5O31 N/A
File opened for modification /etc/cron.hourly/0 /tmp/tyo2831qq.x86.elf N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileeInw9l N/A
File opened for modification /etc/cron.hourly/0 /tmp/file8Lj3Vh N/A
File opened for modification /etc/cron.hourly/0 /tmp/file8xdTOM N/A
File opened for modification /etc/cron.hourly/0 /tmp/filetypTHP N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileTWdAI5 N/A
File opened for modification /etc/cron.hourly/0 /tmp/file8uMF1l N/A
File opened for modification /etc/cron.hourly/0 /tmp/filee4x1rd N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileHWigTK N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileaEomLO N/A
File opened for modification /etc/cron.hourly/0 /tmp/file25mfc0 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileHDP6yd N/A
File opened for modification /etc/cron.hourly/0 /tmp/filedx7FQd N/A
File opened for modification /etc/cron.hourly/0 /tmp/file5hx6Xg N/A
File opened for modification /etc/cron.hourly/0 /tmp/file9EdyXl N/A
File opened for modification /etc/cron.hourly/0 /tmp/file0dGPLU N/A
File opened for modification /etc/cron.hourly/0 /tmp/filek2O76z N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileNWoLxH N/A
File opened for modification /etc/cron.hourly/0 /tmp/filetPWVCX N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileL8oi2g N/A
File opened for modification /etc/cron.hourly/0 /tmp/filewYrpbg N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileuRpwAa N/A
File opened for modification /etc/cron.hourly/0 /tmp/filejx9O4r N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileMg1YGg N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileIsHo9j N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileLx7EhH N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileKea4vV N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileuxsdXi N/A
File opened for modification /etc/cron.hourly/0 /tmp/filee3PW3i N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileo1Ggxg N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileQgrnfh N/A
File opened for modification /etc/cron.hourly/0 /tmp/filepBA5XP N/A

Writes file to system bin folder

Only the original sample, not the copies, opens /bin/ls for writing. The report does not record the resulting contents or hash of /bin/ls, so on an affected host verify the binary against the package manager (dpkg -V coreutils on Ubuntu) rather than trusting its size or timestamp.
Description Indicator Process Target
File opened for modification /bin/ls /tmp/tyo2831qq.x86.elf N/A

Reads runtime system information

discovery

Each of the 45 processes reads /proc/self/exe, that is, its own executable image. Together with the write of a new /tmp/fileXXXXXX by the same process (next table) and the dropped copy hashing identical to the sample, this is the self-copy step of the chain rather than host discovery.
Description Indicator Process Target
File opened for reading /proc/self/exe /tmp/fileaEomLO N/A
File opened for reading /proc/self/exe /tmp/filee3PW3i N/A
File opened for reading /proc/self/exe /tmp/file5hx6Xg N/A
File opened for reading /proc/self/exe /tmp/file39w9Iz N/A
File opened for reading /proc/self/exe /tmp/fileHWigTK N/A
File opened for reading /proc/self/exe /tmp/fileMg1YGg N/A
File opened for reading /proc/self/exe /tmp/filejx9O4r N/A
File opened for reading /proc/self/exe /tmp/filepBA5XP N/A
File opened for reading /proc/self/exe /tmp/filejjfKV2 N/A
File opened for reading /proc/self/exe /tmp/fileo1Ggxg N/A
File opened for reading /proc/self/exe /tmp/fileQgrnfh N/A
File opened for reading /proc/self/exe /tmp/fileuRpwAa N/A
File opened for reading /proc/self/exe /tmp/file8uMF1l N/A
File opened for reading /proc/self/exe /tmp/filewYrpbg N/A
File opened for reading /proc/self/exe /tmp/fileIsHo9j N/A
File opened for reading /proc/self/exe /tmp/file8xdTOM N/A
File opened for reading /proc/self/exe /tmp/file4IrhXZ N/A
File opened for reading /proc/self/exe /tmp/file25mfc0 N/A
File opened for reading /proc/self/exe /tmp/fileTWdAI5 N/A
File opened for reading /proc/self/exe /tmp/fileHDP6yd N/A
File opened for reading /proc/self/exe /tmp/tyo2831qq.x86.elf N/A
File opened for reading /proc/self/exe /tmp/fileL8oi2g N/A
File opened for reading /proc/self/exe /tmp/fileuxsdXi N/A
File opened for reading /proc/self/exe /tmp/file9EdyXl N/A
File opened for reading /proc/self/exe /tmp/file0dGPLU N/A
File opened for reading /proc/self/exe /tmp/file8Lj3Vh N/A
File opened for reading /proc/self/exe /tmp/filek2O76z N/A
File opened for reading /proc/self/exe /tmp/fileLx7EhH N/A
File opened for reading /proc/self/exe /tmp/filetRQhiY N/A
File opened for reading /proc/self/exe /tmp/fileol5O31 N/A
File opened for reading /proc/self/exe /tmp/filedx7FQd N/A
File opened for reading /proc/self/exe /tmp/filemB0QBj N/A
File opened for reading /proc/self/exe /tmp/filePDohpm N/A
File opened for reading /proc/self/exe /tmp/fileJuCPdH N/A
File opened for reading /proc/self/exe /tmp/filetPWVCX N/A
File opened for reading /proc/self/exe /tmp/fileKea4vV N/A
File opened for reading /proc/self/exe /tmp/fileeInw9l N/A
File opened for reading /proc/self/exe /tmp/filee4x1rd N/A
File opened for reading /proc/self/exe /tmp/file9HaENn N/A
File opened for reading /proc/self/exe /tmp/file4KvgdL N/A
File opened for reading /proc/self/exe /tmp/fileNWoLxH N/A
File opened for reading /proc/self/exe /tmp/filetypTHP N/A
File opened for reading /proc/self/exe /tmp/fileRICDTW N/A
File opened for reading /proc/self/exe /tmp/fileUa1NVl N/A
File opened for reading /proc/self/exe /tmp/filethKssd N/A

Writes file to tmp directory

Indicator is the file written and Process the writer. Each process writes exactly one new /tmp/fileXXXXXX (six alphanumerics, the shape of an mkstemp()-style template). Read as writer -> written edges, the 45 rows form one linear chain that starts at /tmp/tyo2831qq.x86.elf and ends at /tmp/fileRQyjt3, the only file written but never executed in this run.
Description Indicator Process Target
File opened for modification /tmp/filetPWVCX /tmp/filetypTHP N/A
File opened for modification /tmp/file4IrhXZ /tmp/filetPWVCX N/A
File opened for modification /tmp/fileuxsdXi /tmp/fileL8oi2g N/A
File opened for modification /tmp/filePDohpm /tmp/fileo1Ggxg N/A
File opened for modification /tmp/filewYrpbg /tmp/file8Lj3Vh N/A
File opened for modification /tmp/filee4x1rd /tmp/fileuRpwAa N/A
File opened for modification /tmp/fileIsHo9j /tmp/fileMg1YGg N/A
File opened for modification /tmp/fileJuCPdH /tmp/fileNWoLxH N/A
File opened for modification /tmp/filetypTHP /tmp/tyo2831qq.x86.elf N/A
File opened for modification /tmp/filemB0QBj /tmp/fileuxsdXi N/A
File opened for modification /tmp/filee3PW3i /tmp/filemB0QBj N/A
File opened for modification /tmp/file5hx6Xg /tmp/filee3PW3i N/A
File opened for modification /tmp/file8uMF1l /tmp/fileUa1NVl N/A
File opened for modification /tmp/fileuRpwAa /tmp/filethKssd N/A
File opened for modification /tmp/fileLx7EhH /tmp/filek2O76z N/A
File opened for modification /tmp/file8xdTOM /tmp/fileJuCPdH N/A
File opened for modification /tmp/file0dGPLU /tmp/fileaEomLO N/A
File opened for modification /tmp/fileRICDTW /tmp/fileol5O31 N/A
File opened for modification /tmp/fileKea4vV /tmp/file25mfc0 N/A
File opened for modification /tmp/fileTWdAI5 /tmp/fileKea4vV N/A
File opened for modification /tmp/fileL8oi2g /tmp/filedx7FQd N/A
File opened for modification /tmp/fileo1Ggxg /tmp/file5hx6Xg N/A
File opened for modification /tmp/fileMg1YGg /tmp/filee4x1rd N/A
File opened for modification /tmp/filejx9O4r /tmp/file9HaENn N/A
File opened for modification /tmp/filetRQhiY /tmp/file0dGPLU N/A
File opened for modification /tmp/fileRQyjt3 /tmp/filetRQhiY N/A
File opened for modification /tmp/file25mfc0 /tmp/fileRICDTW N/A
File opened for modification /tmp/filethKssd /tmp/filewYrpbg N/A
File opened for modification /tmp/file4KvgdL /tmp/filepBA5XP N/A
File opened for modification /tmp/fileaEomLO /tmp/fileHWigTK N/A
File opened for modification /tmp/fileol5O31 /tmp/filejjfKV2 N/A
File opened for modification /tmp/fileHDP6yd /tmp/fileTWdAI5 N/A
File opened for modification /tmp/filedx7FQd /tmp/fileHDP6yd N/A
File opened for modification /tmp/file9HaENn /tmp/fileIsHo9j N/A
File opened for modification /tmp/file39w9Iz /tmp/filejx9O4r N/A
File opened for modification /tmp/fileNWoLxH /tmp/file4KvgdL N/A
File opened for modification /tmp/fileHWigTK /tmp/file8xdTOM N/A
File opened for modification /tmp/filejjfKV2 /tmp/file4IrhXZ N/A
File opened for modification /tmp/fileUa1NVl /tmp/file9EdyXl N/A
File opened for modification /tmp/fileeInw9l /tmp/file8uMF1l N/A
File opened for modification /tmp/fileQgrnfh /tmp/fileeInw9l N/A
File opened for modification /tmp/file9EdyXl /tmp/filePDohpm N/A
File opened for modification /tmp/file8Lj3Vh /tmp/fileQgrnfh N/A
File opened for modification /tmp/filek2O76z /tmp/file39w9Iz N/A
File opened for modification /tmp/filepBA5XP /tmp/fileLx7EhH N/A
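The chain described above can be checked mechanically from the rows themselves. The script below is an added example for this page, not code from the sandbox or from the sample: it parses the table rows as they appear in the report (the rows are copied verbatim into ROWS), treats Indicator as the file written and Process as its writer (an editorial reading of the columns), and walks writer -> written links from the one process nothing wrote. It refuses to flatten a fan-out, a second root or a cycle into a chain, so a sample that spawns several copies per generation is reported rather than misread. The fileXXXXXX pattern check encodes the mkstemp-style inference, which is not something the report states.

```python
"""Rebuild the self-copy chain from the "Writes file to tmp directory" rows.

Added example for this page, not code from the sandbox or from the sample.
Indicator is the file written and Process its writer (editorial reading of
the columns); ROWS is copied verbatim from the report table.
"""
import re

ROWS = """\
File opened for modification /tmp/filetPWVCX /tmp/filetypTHP N/A
File opened for modification /tmp/file4IrhXZ /tmp/filetPWVCX N/A
File opened for modification /tmp/fileuxsdXi /tmp/fileL8oi2g N/A
File opened for modification /tmp/filePDohpm /tmp/fileo1Ggxg N/A
File opened for modification /tmp/filewYrpbg /tmp/file8Lj3Vh N/A
File opened for modification /tmp/filee4x1rd /tmp/fileuRpwAa N/A
File opened for modification /tmp/fileIsHo9j /tmp/fileMg1YGg N/A
File opened for modification /tmp/fileJuCPdH /tmp/fileNWoLxH N/A
File opened for modification /tmp/filetypTHP /tmp/tyo2831qq.x86.elf N/A
File opened for modification /tmp/filemB0QBj /tmp/fileuxsdXi N/A
File opened for modification /tmp/filee3PW3i /tmp/filemB0QBj N/A
File opened for modification /tmp/file5hx6Xg /tmp/filee3PW3i N/A
File opened for modification /tmp/file8uMF1l /tmp/fileUa1NVl N/A
File opened for modification /tmp/fileuRpwAa /tmp/filethKssd N/A
File opened for modification /tmp/fileLx7EhH /tmp/filek2O76z N/A
File opened for modification /tmp/file8xdTOM /tmp/fileJuCPdH N/A
File opened for modification /tmp/file0dGPLU /tmp/fileaEomLO N/A
File opened for modification /tmp/fileRICDTW /tmp/fileol5O31 N/A
File opened for modification /tmp/fileKea4vV /tmp/file25mfc0 N/A
File opened for modification /tmp/fileTWdAI5 /tmp/fileKea4vV N/A
File opened for modification /tmp/fileL8oi2g /tmp/filedx7FQd N/A
File opened for modification /tmp/fileo1Ggxg /tmp/file5hx6Xg N/A
File opened for modification /tmp/fileMg1YGg /tmp/filee4x1rd N/A
File opened for modification /tmp/filejx9O4r /tmp/file9HaENn N/A
File opened for modification /tmp/filetRQhiY /tmp/file0dGPLU N/A
File opened for modification /tmp/fileRQyjt3 /tmp/filetRQhiY N/A
File opened for modification /tmp/file25mfc0 /tmp/fileRICDTW N/A
File opened for modification /tmp/filethKssd /tmp/filewYrpbg N/A
File opened for modification /tmp/file4KvgdL /tmp/filepBA5XP N/A
File opened for modification /tmp/fileaEomLO /tmp/fileHWigTK N/A
File opened for modification /tmp/fileol5O31 /tmp/filejjfKV2 N/A
File opened for modification /tmp/fileHDP6yd /tmp/fileTWdAI5 N/A
File opened for modification /tmp/filedx7FQd /tmp/fileHDP6yd N/A
File opened for modification /tmp/file9HaENn /tmp/fileIsHo9j N/A
File opened for modification /tmp/file39w9Iz /tmp/filejx9O4r N/A
File opened for modification /tmp/fileNWoLxH /tmp/file4KvgdL N/A
File opened for modification /tmp/fileHWigTK /tmp/file8xdTOM N/A
File opened for modification /tmp/filejjfKV2 /tmp/file4IrhXZ N/A
File opened for modification /tmp/fileUa1NVl /tmp/file9EdyXl N/A
File opened for modification /tmp/fileeInw9l /tmp/file8uMF1l N/A
File opened for modification /tmp/fileQgrnfh /tmp/fileeInw9l N/A
File opened for modification /tmp/file9EdyXl /tmp/filePDohpm N/A
File opened for modification /tmp/file8Lj3Vh /tmp/fileQgrnfh N/A
File opened for modification /tmp/filek2O76z /tmp/file39w9Iz N/A
File opened for modification /tmp/filepBA5XP /tmp/fileLx7EhH N/A
"""

ROW = re.compile(r"^File opened for modification (\S+) (\S+) N/A$")
DROP = re.compile(r"/tmp/file[A-Za-z0-9]{6}")  # mkstemp-style name: inference, not stated by the report

def parse_edges(text):
    """(writer, written) pairs; lines that are not table rows are skipped."""
    edges = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            written, writer = m.groups()   # column order in the report: Indicator, Process
            edges.append((writer, written))
    return edges

def build_chain(edges):
    """Walk writer -> written from the one process nothing wrote.
    A fan-out, a second root, a cycle or an unreachable row raises instead
    of being silently flattened into a chain."""
    children = {}
    for writer, written in edges:
        if writer in children:
            raise ValueError(f"{writer} wrote both {children[writer]} and {written}")
        children[writer] = written
    written_set = {w for _, w in edges}
    roots = [w for w in children if w not in written_set]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    chain = [roots[0]]
    while chain[-1] in children and len(chain) <= len(edges):  # bound guards a cycle
        chain.append(children[chain[-1]])
    if len(chain) != len(edges) + 1 or len(set(chain)) != len(chain):
        raise ValueError("rows are not one chain from the root (cycle or disconnected part)")
    return chain

def off_pattern(chain):
    """Dropped names that do not have the /tmp/fileXXXXXX shape."""
    return [n for n in chain[1:] if not DROP.fullmatch(n)]

if __name__ == "__main__":
    chain = build_chain(parse_edges(ROWS))
    print(f"{len(chain)} generations ({len(chain) - 1} copies written)")
    for depth, name in enumerate(chain):
        print(f"{depth:2d} {name}")
    print("off-pattern names:", off_pattern(chain) or "none")
```

Run as-is it prints the 46 names in generation order, which is also the order of the Processes section below; the last name, /tmp/fileRQyjt3, is the copy written by the final process but never executed. To reuse the script on another report, paste that report's rows into ROWS; the checks in build_chain then tell you whether the sample is a linear self-copier like this one or spawns several children per generation.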

Processes

Each process is listed with the command line the sandbox recorded for it. The same command line, [/tmp/tyo2831qq.x86.elf], is recorded for every copy, so the copies run with the original sample's argument vector rather than their own path. The order below is the order in which the copies were written.

/tmp/tyo2831qq.x86.elf  [/tmp/tyo2831qq.x86.elf]
/tmp/filetypTHP  [/tmp/tyo2831qq.x86.elf]
/tmp/filetPWVCX  [/tmp/tyo2831qq.x86.elf]
/tmp/file4IrhXZ  [/tmp/tyo2831qq.x86.elf]
/tmp/filejjfKV2  [/tmp/tyo2831qq.x86.elf]
/tmp/fileol5O31  [/tmp/tyo2831qq.x86.elf]
/tmp/fileRICDTW  [/tmp/tyo2831qq.x86.elf]
/tmp/file25mfc0  [/tmp/tyo2831qq.x86.elf]
/tmp/fileKea4vV  [/tmp/tyo2831qq.x86.elf]
/tmp/fileTWdAI5  [/tmp/tyo2831qq.x86.elf]
/tmp/fileHDP6yd  [/tmp/tyo2831qq.x86.elf]
/tmp/filedx7FQd  [/tmp/tyo2831qq.x86.elf]
/tmp/fileL8oi2g  [/tmp/tyo2831qq.x86.elf]
/tmp/fileuxsdXi  [/tmp/tyo2831qq.x86.elf]
/tmp/filemB0QBj  [/tmp/tyo2831qq.x86.elf]
/tmp/filee3PW3i  [/tmp/tyo2831qq.x86.elf]
/tmp/file5hx6Xg  [/tmp/tyo2831qq.x86.elf]
/tmp/fileo1Ggxg  [/tmp/tyo2831qq.x86.elf]
/tmp/filePDohpm  [/tmp/tyo2831qq.x86.elf]
/tmp/file9EdyXl  [/tmp/tyo2831qq.x86.elf]
/tmp/fileUa1NVl  [/tmp/tyo2831qq.x86.elf]
/tmp/file8uMF1l  [/tmp/tyo2831qq.x86.elf]
/tmp/fileeInw9l  [/tmp/tyo2831qq.x86.elf]
/tmp/fileQgrnfh  [/tmp/tyo2831qq.x86.elf]
/tmp/file8Lj3Vh  [/tmp/tyo2831qq.x86.elf]
/tmp/filewYrpbg  [/tmp/tyo2831qq.x86.elf]
/tmp/filethKssd  [/tmp/tyo2831qq.x86.elf]
/tmp/fileuRpwAa  [/tmp/tyo2831qq.x86.elf]
/tmp/filee4x1rd  [/tmp/tyo2831qq.x86.elf]
/tmp/fileMg1YGg  [/tmp/tyo2831qq.x86.elf]
/tmp/fileIsHo9j  [/tmp/tyo2831qq.x86.elf]
/tmp/file9HaENn  [/tmp/tyo2831qq.x86.elf]
/tmp/filejx9O4r  [/tmp/tyo2831qq.x86.elf]
/tmp/file39w9Iz  [/tmp/tyo2831qq.x86.elf]
/tmp/filek2O76z  [/tmp/tyo2831qq.x86.elf]
/tmp/fileLx7EhH  [/tmp/tyo2831qq.x86.elf]
/tmp/filepBA5XP  [/tmp/tyo2831qq.x86.elf]
/tmp/file4KvgdL  [/tmp/tyo2831qq.x86.elf]
/tmp/fileNWoLxH  [/tmp/tyo2831qq.x86.elf]
/tmp/fileJuCPdH  [/tmp/tyo2831qq.x86.elf]
/tmp/file8xdTOM  [/tmp/tyo2831qq.x86.elf]
/tmp/fileHWigTK  [/tmp/tyo2831qq.x86.elf]
/tmp/fileaEomLO  [/tmp/tyo2831qq.x86.elf]
/tmp/file0dGPLU  [/tmp/tyo2831qq.x86.elf]
/tmp/filetRQhiY  [/tmp/tyo2831qq.x86.elf]

Network

The Domain column is empty for every row and no process is attributed to any flow.

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 185.125.188.61:443 - tcp
GB 185.125.188.61:443 - tcp
US 151.101.1.91:443 - tcp
US 151.101.1.91:443 - tcp
GB 195.181.164.19:443 - tcp

Nothing in this run ties the mDNS multicast on 224.0.0.251:5353 or the TCP/443 connections to the sample, and the report lists no C2 address or domain for it. Do not use these destinations as Gafgyt C2 indicators without corroboration from another source.

Files

The report lists /tmp/filetypTHP twice with different hashes and does not say which state of the file each entry captures; only the second entry matches the submitted sample.

/tmp/filetypTHP (first listing)

MD5 a8a6992775589faecef1bc8cf38bdfc5
SHA1 b6903301aecf34539654f309b8c12773461920dc
SHA256 cae053bfac71081a19bd64ae66f3fc9a149bcbe492eeb46d33647e01ab18eb52
SHA512 dd803894a1bb9caa2bb4d1da70d35a531a7f76718d23392ff7ee511f489f413f2c79e82a3d7432685a36f470b69c74d211d18d050bee1a5d261c75131ee58fb8

/etc/cron.hourly/0 (the persistence entry written by the chain)

MD5 3f006f7f81fc17be7f4a0d3da0fad5de
SHA1 97a94d3d0654c6551057af3809b52572bd7f9f5d
SHA256 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf
SHA512 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

/tmp/filetypTHP (second listing; SHA256 identical to the submitted sample, i.e. a byte-for-byte self-copy)

MD5 4ac062e7bafef554949de20763c54f7b
SHA1 24355a299d9aca3953a9fac256cdaf7be0249fda
SHA256 33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0
SHA512 b12f82c346dbe62b6a96e7c9d3185eb2fdca9cc29ba83e29a102fd746c93d72d919d8146840ab9338dc8a25a7fb2b400a0cd9d0ac2ea5a0471d283f81d115bb9
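A host-side hunt for the artifacts this report records, added here as an example and not code from the sandbox or the sample. It encodes only what the report lists: the three SHA256 values above, the /etc/cron.hourly/0 entry, the write to /bin/ls, the /tmp/fileXXXXXX drop names, and children whose running image is a /tmp file. It assumes a Debian/Ubuntu-style cron that runs /etc/cron.hourly through run-parts(8), takes the filesystem root and the /proc tree as parameters so it can be pointed at a mounted image or a test tree instead of the live host, and treats the fileXXXXXX name shape as an mkstemp-style template, which is an inference from the names rather than something the report states.

```python
"""Hunt a Linux host for the artifacts recorded in this report.

Added example for this page; not part of the sandbox or the sample. root
and proc are parameters so a mounted image or a test tree can be scanned;
the defaults are the live system.
"""
import hashlib
import os
import re
from pathlib import Path

# SHA256 values copied from the report's Files section.
KNOWN_SHA256 = {
    "33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0": "sample / exact self-copy",
    "cae053bfac71081a19bd64ae66f3fc9a149bcbe492eeb46d33647e01ab18eb52": "/tmp/filetypTHP (first listing)",
    "982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf": "/etc/cron.hourly/0",
}
# Every dropped file in the report is "file" + six alphanumerics, the shape an
# mkstemp()-style fileXXXXXX template produces (inference from the names).
DROP_NAME = re.compile(r"file[A-Za-z0-9]{6}")
# run-parts(8), which cron uses for /etc/cron.hourly on Debian/Ubuntu, only
# executes entries whose name matches this; "0" does, so that entry is live.
RUNPARTS_NAME = re.compile(r"[A-Za-z0-9_-]+")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def cron_hourly_findings(root="/"):
    """Each cron.hourly entry: would run-parts execute it, and is its hash known."""
    d = Path(root) / "etc" / "cron.hourly"
    out = []
    for p in (sorted(d.iterdir()) if d.is_dir() else []):
        if p.is_file():
            digest = sha256_of(p)
            out.append({"path": str(p),
                        "runs": RUNPARTS_NAME.fullmatch(p.name) is not None,
                        "sha256": digest, "known": KNOWN_SHA256.get(digest)})
    return out

def tmp_drop_findings(root="/"):
    """Regular files in /tmp whose name has the report's fileXXXXXX shape."""
    d = Path(root) / "tmp"
    return sorted(str(p) for p in (d.iterdir() if d.is_dir() else [])
                  if p.is_file() and DROP_NAME.fullmatch(p.name))

def bin_ls_finding(root="/"):
    """Hash /bin/ls, which the sample opened for writing. A hash in KNOWN_SHA256
    is conclusive; any other value still needs `dpkg -V coreutils` before it is
    called clean, because the report does not record what was written."""
    p = Path(root) / "bin" / "ls"
    if not p.is_file():
        return None
    digest = sha256_of(p)
    return {"path": str(p), "sha256": digest, "known": KNOWN_SHA256.get(digest)}

def proc_exe_findings(proc="/proc"):
    """PIDs whose image is under /tmp or already unlinked, which is how the
    chain's children look on a live host (readlink needs the same uid or root)."""
    out = []
    for entry in (os.scandir(proc) if os.path.isdir(proc) else []):
        if not entry.name.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(entry.path, "exe"))
        except OSError:
            continue  # kernel thread, exited, or not permitted
        if exe.startswith("/tmp/") or exe.endswith(" (deleted)"):
            out.append({"pid": int(entry.name), "exe": exe})
    return sorted(out, key=lambda f: f["pid"])

def hunt(root="/", proc="/proc"):
    return {"cron_hourly": cron_hourly_findings(root),
            "tmp_drops": tmp_drop_findings(root),
            "bin_ls": bin_ls_finding(root),
            "tmp_backed_processes": proc_exe_findings(proc)}

if __name__ == "__main__":
    import json, sys
    json.dump(hunt(*sys.argv[1:3]), sys.stdout, indent=2)
```

Run it as root on the live host (`python3 hunt.py`) or against a mounted image (`python3 hunt.py /mnt/image /mnt/image/proc`, where the second path is only useful on a live system). A cron.hourly entry with "runs": true and an unknown hash is still worth reading by hand: the report only gives the hash of the entry this one sample wrote, and a recompiled variant will write a different file under the same name.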