gafgyt | d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d

Analysis

max time kernel
149s
max time network
128s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
26-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
Size

137KB
MD5

6c729f11f6803f98780dd8fb703fd3f4
SHA1

c34ea885a9e186d052f47af72d4a7951afc868ab
SHA256

d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d
SHA512

9f3dcca10b0f0e317be246eedc8127dc198ce9b6c604608365304a5f1d018c4ee72c1e7999517113d0e88b5f9f4a757336bd4db91cca16e9fa189e613d686325
SSDEEP

3072:62RZGGZgLuthhI2fKGHOZOVp6iK65dnmr1zwTRWNn:6IkubvXz5Bmr1zwTRWNn

Score

10^/10

gafgyt botnet discovery execution persistence privilege_escalatio

Malware Config

Signatures

Detected Gafgyt variant 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

Executes dropped EXE 44 IoCs

ioc	pid	Process
/tmp/file0WfRoQ	1579	file0WfRoQ
/tmp/fileoHbECY	1580	fileoHbECY
/tmp/file8ZPAdI	1581	file8ZPAdI
/tmp/filerieaLz	1582	filerieaLz
/tmp/filew7Ftdk	1583	filew7Ftdk
/tmp/filededo1p	1584	filededo1p
/tmp/filezE9yHW	1585	filezE9yHW
/tmp/fileZOX7iz	1586	fileZOX7iz
/tmp/fileZDyddC	1587	fileZDyddC
/tmp/file5B7GWi	1588	file5B7GWi
/tmp/filebSxXRV	1589	filebSxXRV
/tmp/fileWhc0ph	1590	fileWhc0ph
/tmp/filei2PwzU	1591	filei2PwzU
/tmp/file9nyHCc	1592	file9nyHCc
/tmp/file2G7H5Y	1593	file2G7H5Y
/tmp/filesFj05n	1594	filesFj05n
/tmp/fileXMOR0E	1595	fileXMOR0E
/tmp/fileI0f6k4	1596	fileI0f6k4
/tmp/file9sSuRa	1597	file9sSuRa
/tmp/fileghZMhY	1600	fileghZMhY
/tmp/file8Dwbex	1601	file8Dwbex
/tmp/fileGMFBnE	1602	fileGMFBnE
/tmp/fileBssqoB	1603	fileBssqoB
/tmp/fileSuj8PI	1604	fileSuj8PI
/tmp/filekjQh5B	1605	filekjQh5B
/tmp/fileN7QG1y	1606	fileN7QG1y
/tmp/file4ncDrb	1607	file4ncDrb
/tmp/filewU07aK	1608	filewU07aK
/tmp/fileHxaO7E	1609	fileHxaO7E
/tmp/file4pq8yX	1610	file4pq8yX
/tmp/filegcxE52	1611	filegcxE52
/tmp/fileifuTlW	1612	fileifuTlW
/tmp/fileuqiSUr	1613	fileuqiSUr
/tmp/fileITHqh3	1614	fileITHqh3
/tmp/filenMhI5f	1615	filenMhI5f
/tmp/file58qMJP	1616	file58qMJP
/tmp/fileOVo2kx	1617	fileOVo2kx
/tmp/filemtWayI	1618	filemtWayI
/tmp/filePVV4XQ	1619	filePVV4XQ
/tmp/fileivlepL	1620	fileivlepL
/tmp/filewLd1Ai	1621	filewLd1Ai
/tmp/filedZF8WB	1622	filedZF8WB
/tmp/fileVdmEM1	1623	fileVdmEM1
/tmp/fileANG1pA	1624	fileANG1pA

Creates/modifies Cron job 1 TTPs 44 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/cron.hourly/0	fileoHbECY
File opened for modification	/etc/cron.hourly/0	filededo1p
File opened for modification	/etc/cron.hourly/0	fileghZMhY
File opened for modification	/etc/cron.hourly/0	fileGMFBnE
File opened for modification	/etc/cron.hourly/0	file9nyHCc
File opened for modification	/etc/cron.hourly/0	filesFj05n
File opened for modification	/etc/cron.hourly/0	file8Dwbex
File opened for modification	/etc/cron.hourly/0	filegcxE52
File opened for modification	/etc/cron.hourly/0	file8ZPAdI
File opened for modification	/etc/cron.hourly/0	file5B7GWi
File opened for modification	/etc/cron.hourly/0	fileWhc0ph
File opened for modification	/etc/cron.hourly/0	filei2PwzU
File opened for modification	/etc/cron.hourly/0	fileuqiSUr
File opened for modification	/etc/cron.hourly/0	fileivlepL
File opened for modification	/etc/cron.hourly/0	filedZF8WB
File opened for modification	/etc/cron.hourly/0	filewU07aK
File opened for modification	/etc/cron.hourly/0	filewLd1Ai
File opened for modification	/etc/cron.hourly/0	filebSxXRV
File opened for modification	/etc/cron.hourly/0	fileXMOR0E
File opened for modification	/etc/cron.hourly/0	file9sSuRa
File opened for modification	/etc/cron.hourly/0	file4ncDrb
File opened for modification	/etc/cron.hourly/0	filenMhI5f
File opened for modification	/etc/cron.hourly/0	fileVdmEM1
File opened for modification	/etc/cron.hourly/0	filezE9yHW
File opened for modification	/etc/cron.hourly/0	fileBssqoB
File opened for modification	/etc/cron.hourly/0	fileN7QG1y
File opened for modification	/etc/cron.hourly/0	fileHxaO7E
File opened for modification	/etc/cron.hourly/0	fileZOX7iz
File opened for modification	/etc/cron.hourly/0	fileZDyddC
File opened for modification	/etc/cron.hourly/0	filekjQh5B
File opened for modification	/etc/cron.hourly/0	file4pq8yX
File opened for modification	/etc/cron.hourly/0	fileifuTlW
File opened for modification	/etc/cron.hourly/0	filePVV4XQ
File opened for modification	/etc/cron.hourly/0	fileOVo2kx
File opened for modification	/etc/cron.hourly/0	filerieaLz
File opened for modification	/etc/cron.hourly/0	fileI0f6k4
File opened for modification	/etc/cron.hourly/0	fileSuj8PI
File opened for modification	/etc/cron.hourly/0	file58qMJP
File opened for modification	/etc/cron.hourly/0	fileITHqh3
File opened for modification	/etc/cron.hourly/0	filemtWayI
File opened for modification	/etc/cron.hourly/0	d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
File opened for modification	/etc/cron.hourly/0	file0WfRoQ
File opened for modification	/etc/cron.hourly/0	filew7Ftdk
File opened for modification	/etc/cron.hourly/0	file2G7H5Y

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	fileANG1pA

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/ls	d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/usr/sbin/dropbear	1624	fileANG1pA

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	fileANG1pA

Reads runtime system information 44 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/exe	filew7Ftdk
File opened for reading	/proc/self/exe	file9nyHCc
File opened for reading	/proc/self/exe	file8Dwbex
File opened for reading	/proc/self/exe	fileHxaO7E
File opened for reading	/proc/self/exe	fileVdmEM1
File opened for reading	/proc/self/exe	filerieaLz
File opened for reading	/proc/self/exe	fileZDyddC
File opened for reading	/proc/self/exe	file5B7GWi
File opened for reading	/proc/self/exe	file4ncDrb
File opened for reading	/proc/self/exe	fileuqiSUr
File opened for reading	/proc/self/exe	filezE9yHW
File opened for reading	/proc/self/exe	fileWhc0ph
File opened for reading	/proc/self/exe	file2G7H5Y
File opened for reading	/proc/self/exe	fileN7QG1y
File opened for reading	/proc/self/exe	file4pq8yX
File opened for reading	/proc/self/exe	filemtWayI
File opened for reading	/proc/self/exe	filededo1p
File opened for reading	/proc/self/exe	file9sSuRa
File opened for reading	/proc/self/exe	fileITHqh3
File opened for reading	/proc/self/exe	file8ZPAdI
File opened for reading	/proc/self/exe	fileGMFBnE
File opened for reading	/proc/self/exe	filePVV4XQ
File opened for reading	/proc/self/exe	fileoHbECY
File opened for reading	/proc/self/exe	file58qMJP
File opened for reading	/proc/self/exe	filesFj05n
File opened for reading	/proc/self/exe	fileXMOR0E
File opened for reading	/proc/self/exe	fileghZMhY
File opened for reading	/proc/self/exe	fileBssqoB
File opened for reading	/proc/self/exe	fileSuj8PI
File opened for reading	/proc/self/exe	filegcxE52
File opened for reading	/proc/self/exe	fileifuTlW
File opened for reading	/proc/self/exe	filenMhI5f
File opened for reading	/proc/self/exe	filebSxXRV
File opened for reading	/proc/self/exe	fileivlepL
File opened for reading	/proc/self/exe	fileOVo2kx
File opened for reading	/proc/self/exe	file0WfRoQ
File opened for reading	/proc/self/exe	fileZOX7iz
File opened for reading	/proc/self/exe	filei2PwzU
File opened for reading	/proc/self/exe	fileI0f6k4
File opened for reading	/proc/self/exe	filekjQh5B
File opened for reading	/proc/self/exe	filewU07aK
File opened for reading	/proc/self/exe	filewLd1Ai
File opened for reading	/proc/self/exe	d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
File opened for reading	/proc/self/exe	filedZF8WB

Writes file to tmp directory 44 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileOVo2kx	file58qMJP
File opened for modification	/tmp/fileWhc0ph	filebSxXRV
File opened for modification	/tmp/file9nyHCc	filei2PwzU
File opened for modification	/tmp/fileXMOR0E	filesFj05n
File opened for modification	/tmp/fileghZMhY	file9sSuRa
File opened for modification	/tmp/filekjQh5B	fileSuj8PI
File opened for modification	/tmp/fileifuTlW	filegcxE52
File opened for modification	/tmp/filenMhI5f	fileITHqh3
File opened for modification	/tmp/filePVV4XQ	filemtWayI
File opened for modification	/tmp/file0WfRoQ	d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
File opened for modification	/tmp/filezE9yHW	filededo1p
File opened for modification	/tmp/fileZDyddC	fileZOX7iz
File opened for modification	/tmp/filesFj05n	file2G7H5Y
File opened for modification	/tmp/fileGMFBnE	file8Dwbex
File opened for modification	/tmp/file4pq8yX	fileHxaO7E
File opened for modification	/tmp/fileivlepL	filePVV4XQ
File opened for modification	/tmp/fileANG1pA	fileVdmEM1
File opened for modification	/tmp/fileoHbECY	file0WfRoQ
File opened for modification	/tmp/fileI0f6k4	fileXMOR0E
File opened for modification	/tmp/file9sSuRa	fileI0f6k4
File opened for modification	/tmp/filewU07aK	file4ncDrb
File opened for modification	/tmp/fileuqiSUr	fileifuTlW
File opened for modification	/tmp/file58qMJP	filenMhI5f
File opened for modification	/tmp/filewLd1Ai	fileivlepL
File opened for modification	/tmp/file8ZPAdI	fileoHbECY
File opened for modification	/tmp/fileZOX7iz	filezE9yHW
File opened for modification	/tmp/fileSuj8PI	fileBssqoB
File opened for modification	/tmp/fileN7QG1y	filekjQh5B
File opened for modification	/tmp/fileITHqh3	fileuqiSUr
File opened for modification	/tmp/filew7Ftdk	filerieaLz
File opened for modification	/tmp/file4ncDrb	fileN7QG1y
File opened for modification	/tmp/fileHxaO7E	filewU07aK
File opened for modification	/tmp/filedZF8WB	filewLd1Ai
File opened for modification	/tmp/fileVdmEM1	filedZF8WB
File opened for modification	/tmp/filerieaLz	file8ZPAdI
File opened for modification	/tmp/file5B7GWi	fileZDyddC
File opened for modification	/tmp/fileBssqoB	fileGMFBnE
File opened for modification	/tmp/filemtWayI	fileOVo2kx
File opened for modification	/tmp/filededo1p	filew7Ftdk
File opened for modification	/tmp/filebSxXRV	file5B7GWi
File opened for modification	/tmp/filei2PwzU	fileWhc0ph
File opened for modification	/tmp/file2G7H5Y	file9nyHCc
File opened for modification	/tmp/file8Dwbex	fileghZMhY
File opened for modification	/tmp/filegcxE52	file4pq8yX

/tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
/tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
1⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1569
- /tmp/file0WfRoQ
  /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
  2⤵
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1579
- - /tmp/fileoHbECY
    /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
    3⤵
    - Executes dropped EXE
    - Creates/modifies Cron job
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1580
  - - /tmp/file8ZPAdI
      /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
      4⤵
      Executes dropped EXE
      Creates/modifies Cron job
      Reads runtime system information
      Writes file to tmp directory
      PID:1581
    - - /tmp/filerieaLz
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        5⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1582
      - /tmp/filew7Ftdk
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        6⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1583
        
        /tmp/filededo1p
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        7⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1584
        
        /tmp/filezE9yHW
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        8⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1585
        
        /tmp/fileZOX7iz
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        9⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1586
        
        /tmp/fileZDyddC
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        10⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1587
        
        /tmp/file5B7GWi
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        11⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1588
        
        /tmp/filebSxXRV
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        12⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1589
        
        /tmp/fileWhc0ph
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        13⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1590
        
        /tmp/filei2PwzU
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        14⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1591
        
        /tmp/file9nyHCc
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        15⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1592
        
        /tmp/file2G7H5Y
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        16⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1593
        
        /tmp/filesFj05n
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        17⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1594
        
        /tmp/fileXMOR0E
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        18⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1595
        
        /tmp/fileI0f6k4
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        19⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1596
        
        /tmp/file9sSuRa
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        20⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1597
        
        /tmp/fileghZMhY
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        21⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1600
        
        /tmp/file8Dwbex
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        22⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1601
        
        /tmp/fileGMFBnE
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        23⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1602
        
        /tmp/fileBssqoB
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        24⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1603
        
        /tmp/fileSuj8PI
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        25⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1604
        
        /tmp/filekjQh5B
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        26⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1605
        
        /tmp/fileN7QG1y
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        27⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1606
        
        /tmp/file4ncDrb
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        28⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1607
        
        /tmp/filewU07aK
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        29⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1608
        
        /tmp/fileHxaO7E
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        30⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1609
        
        /tmp/file4pq8yX
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        31⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1610
        
        /tmp/filegcxE52
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        32⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1611
        
        /tmp/fileifuTlW
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        33⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1612
        
        /tmp/fileuqiSUr
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        34⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1613
        
        /tmp/fileITHqh3
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        35⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1614
        
        /tmp/filenMhI5f
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        36⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1615
        
        /tmp/file58qMJP
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        37⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1616
        
        /tmp/fileOVo2kx
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        38⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1617
        
        /tmp/filemtWayI
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        39⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1618
        
        /tmp/filePVV4XQ
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        40⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1619
        
        /tmp/fileivlepL
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        41⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1620
        
        /tmp/filewLd1Ai
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        42⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1621
        
        /tmp/filedZF8WB
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        43⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1622
        
        /tmp/fileVdmEM1
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        44⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1623
        
        /tmp/fileANG1pA
        
        /tmp/d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d.elf
        45⤵
        Executes dropped EXE
        Reads system routing table
        Changes its process name
        Reads system network configuration
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/0

Filesize
92B

MD5
3f006f7f81fc17be7f4a0d3da0fad5de

SHA1
97a94d3d0654c6551057af3809b52572bd7f9f5d

SHA256
982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf

SHA512
97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

Download Submit
/tmp/file0WfRoQ

Filesize
129KB

MD5
27bd44e4c530ed74dd07d47ed96b6c2f

SHA1
04968669348fe3cd4641f04a499777c69feaa306

SHA256
8bc608a0a11065e89d412f35dce45af2823765de6000d2223b16c9e797eefb8a

SHA512
913c5d2e4bf011b44b552f7118dbef34a3ef339757878ec04372b6768edba6e56b62cfa03606cb5ce1d09959931d5d2840768828614828d4730ccf7822c1e261

Download Submit
/tmp/file0WfRoQ

Filesize
137KB

MD5
6c729f11f6803f98780dd8fb703fd3f4

SHA1
c34ea885a9e186d052f47af72d4a7951afc868ab

SHA256
d6c811a85da0937edf987d3cd032b13903ba7ea0c1796f654f7c5a2c9593d55d

SHA512
9f3dcca10b0f0e317be246eedc8127dc198ce9b6c604608365304a5f1d018c4ee72c1e7999517113d0e88b5f9f4a757336bd4db91cca16e9fa189e613d686325

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads