General

  • Target

    7080f56e8be79f89d154730ffb07e9d9f22bb754c6ee295548593245bc21a1af.sh

  • Size

    2KB

  • Sample

    241226-cnfekatrbs

  • MD5

    297b82d777e2257fda8221703403b2d3

  • SHA1

    d1ebd4f576bf89adcdf9453879c3ae2adeeb42ed

  • SHA256

    7080f56e8be79f89d154730ffb07e9d9f22bb754c6ee295548593245bc21a1af

  • SHA512

    dc0fc05650eca6bde3d5b02568e68810c61e1b6b58f5bb31f4847ef4082cd63f7aae45db042ec4e7f659615e761dcd472c6b8e20abd6e8431a3bd0c0f2ecea81

Malware Config

Extracted

Family

gafgyt

C2

154.213.186.115:4444

Targets

    • Target

      7080f56e8be79f89d154730ffb07e9d9f22bb754c6ee295548593245bc21a1af.sh

    • Size

      2KB

    • MD5

      297b82d777e2257fda8221703403b2d3

    • SHA1

      d1ebd4f576bf89adcdf9453879c3ae2adeeb42ed

    • SHA256

      7080f56e8be79f89d154730ffb07e9d9f22bb754c6ee295548593245bc21a1af

    • SHA512

      dc0fc05650eca6bde3d5b02568e68810c61e1b6b58f5bb31f4847ef4082cd63f7aae45db042ec4e7f659615e761dcd472c6b8e20abd6e8431a3bd0c0f2ecea81

    • Detected Gafgyt variant

    • Gafgyt family

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

MITRE ATT&CK Enterprise v15

Tasks