gafgyt | ad54fc11ccdbac99d10fd5c5b38eaaa680677ee3832425f35230fc9ac09b631f | Triage

Submit
Reports

Overview

overview

Static

static

1

wget.sh

ubuntu-18.04-amd64

wget.sh

debian-9-armhf

wget.sh

debian-9-mips

wget.sh

debian-9-mipsel

Sharing

General

Target

wget.sh
Size

1KB
Sample

250105-gw2pzsvldx
MD5

3556efaeedbc73136a9b2628ea6002b6
SHA1

2c4795c1553f260dbb662b883dddaae6eee48f54
SHA256

ad54fc11ccdbac99d10fd5c5b38eaaa680677ee3832425f35230fc9ac09b631f
SHA512

7bab0772028c781d292d5676bf57e25f247bde34a4ddc4ac60585db666f7666ce1153eff5db289c85c62e791d3e31aed06d455ff02cae5cc35e9d08e5816117b

Score

10^/10

gafgyt botnet defense_evasion discovery linux

Static task

static1

Behavioral task

behavioral1

Sample

wget.sh

Resource

ubuntu1804-amd64-20240611-en

gafgyt botnet defense_evasion discovery

ubuntu-18.04-amd64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

wget.sh

Resource

debian9-armhf-20240611-en

gafgyt botnet defense_evasion discovery

debian-9-armhf

10 signatures

150 seconds

Behavioral task

behavioral3

Sample

wget.sh

Resource

debian9-mipsbe-20240729-en

gafgyt botnet defense_evasion discovery

debian-9-mips

10 signatures

150 seconds

Behavioral task

behavioral4

Sample

wget.sh

Resource

debian9-mipsel-20240418-en

gafgyt botnet defense_evasion discovery

debian-9-mipsel

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  wget.sh
- Size
  
  1KB
- MD5
  
  3556efaeedbc73136a9b2628ea6002b6
- SHA1
  
  2c4795c1553f260dbb662b883dddaae6eee48f54
- SHA256
  
  ad54fc11ccdbac99d10fd5c5b38eaaa680677ee3832425f35230fc9ac09b631f
- SHA512
  
  7bab0772028c781d292d5676bf57e25f247bde34a4ddc4ac60585db666f7666ce1153eff5db289c85c62e791d3e31aed06d455ff02cae5cc35e9d08e5816117b
Score

10^/10

gafgyt botnet defense_evasion discovery
- Detected Gafgyt variant
- Gafgyt family
  gafgyt
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Executes dropped EXE
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Impair Defenses

Credential Access

Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gafgytbotnetdefense_evasiondiscovery

behavioral2

gafgytbotnetdefense_evasiondiscovery

behavioral3

gafgytbotnetdefense_evasiondiscovery

behavioral4

gafgytbotnetdefense_evasiondiscovery

© 2018-2025

Terms | Privacy