Overview

overview

10

Static

static

1

0076fe37f4...b6c.sh

ubuntu-18.04-amd64

3

0076fe37f4...b6c.sh

debian-9-armhf

4

0076fe37f4...b6c.sh

debian-9-mips

10

0076fe37f4...b6c.sh

debian-9-mipsel

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

  • Size

    3KB

  • Sample

    241023-bcs1vaveml

  • MD5

    cf70ee36f1e9247f2146e4981924d4f4

  • SHA1

    7eabae4200118c4e89979658db6e4d905fe3dae9

  • SHA256

    0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c

  • SHA512

    60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0

Score
10/10
gafgytkaitenantivmbotnetdefense_evasiondiscoverylinuxpersistenceprivilege_escalation

Malware Config

Extracted

Family

gafgyt

C2

104.234.24.138:1990

Targets

    • Target

      0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

    • Size

      3KB

    • MD5

      cf70ee36f1e9247f2146e4981924d4f4

    • SHA1

      7eabae4200118c4e89979658db6e4d905fe3dae9

    • SHA256

      0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c

    • SHA512

      60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0

    Score
    10/10
    antivmdiscoverygafgytkaitenbotnetdefense_evasionpersistenceprivilege_escalation

    • Detected Gafgyt variant

    • Detects Kaiten/Tsunami Payload

    • Detects Kaiten/Tsunami payload

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

      botnetgafgyt

    • Kaiten/Tsunami

      Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.

      botnetkaiten

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Executes dropped EXE

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

      persistenceprivilege_escalationdefense_evasion

    • Modifies Bash startup script

      persistence
    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Event Triggered Execution

1
T1546

Unix Shell Configuration Modification

1
T1546.004

Hijack Execution Flow

1
T1574

Path Interception by PATH Environment Variable

1
T1574.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Event Triggered Execution

1
T1546

Unix Shell Configuration Modification

1
T1546.004

Hijack Execution Flow

1
T1574

Path Interception by PATH Environment Variable

1
T1574.007

Defense Evasion

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Hijack Execution Flow

1
T1574

Path Interception by PATH Environment Variable

1
T1574.007

Virtualization/Sandbox Evasion

1
T1497

System Checks

1
T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

1
T1497

System Checks

1
T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks