gafgyt | d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e | Triage

Submit
Reports

Overview

overview

Static

static

1

d3102a23a6...f8e.sh

ubuntu-18.04-amd64

d3102a23a6...f8e.sh

debian-9-armhf

d3102a23a6...f8e.sh

debian-9-mips

d3102a23a6...f8e.sh

debian-9-mipsel

Sharing

General

Target

d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh
Size

2KB
Sample

241208-c89txaykfv
MD5

0f886518495ede0d60cb0be5653a4907
SHA1

8adeb236ab6d2503646382bfbbfc9d24aea427c2
SHA256

d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e
SHA512

61c8ccce22606ef885b6d79c9093b9fbdc977a9ab39d80715117b21d0251b6134c69682bee3ae667884e6ad3d85f9ef9ec75fb101c59e30cb02b73ab0fc0df7a

Score

10^/10

gafgyt botnet defense_evasion discovery linux

Static task

static1

Behavioral task

behavioral1

Sample

d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh

Resource

ubuntu1804-amd64-20240611-en

gafgyt botnet defense_evasion discovery

ubuntu-18.04-amd64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh

Resource

debian9-armhf-20240729-en

gafgyt botnet defense_evasion discovery

debian-9-armhf

9 signatures

150 seconds

Behavioral task

behavioral3

Sample

d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh

Resource

debian9-mipsbe-20240611-en

gafgyt botnet defense_evasion discovery

debian-9-mips

8 signatures

150 seconds

Behavioral task

behavioral4

Sample

d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh

Resource

debian9-mipsel-20240418-en

gafgyt botnet defense_evasion discovery

debian-9-mipsel

8 signatures

150 seconds

Malware Config

Extracted

Family

gafgyt

C2

93.123.85.191:12345

Targets

- Target
  
  d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh
- Size
  
  2KB
- MD5
  
  0f886518495ede0d60cb0be5653a4907
- SHA1
  
  8adeb236ab6d2503646382bfbbfc9d24aea427c2
- SHA256
  
  d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e
- SHA512
  
  61c8ccce22606ef885b6d79c9093b9fbdc977a9ab39d80715117b21d0251b6134c69682bee3ae667884e6ad3d85f9ef9ec75fb101c59e30cb02b73ab0fc0df7a
Score

10^/10

gafgyt botnet defense_evasion discovery
- Detected Gafgyt variant
- Gafgyt family
  gafgyt
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Executes dropped EXE
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Credential Access

Discovery

Network Service Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gafgytbotnetdefense_evasiondiscovery

behavioral2

gafgytbotnetdefense_evasiondiscovery

behavioral3

gafgytbotnetdefense_evasiondiscovery

behavioral4

gafgytbotnetdefense_evasiondiscovery

© 2018-2025

Terms | Privacy