General
Target: bins.sh
Size: 2KB
Sample: 250203-hdt3vsvpep
MD5: 117c2965eb47f06d0de1d96fd49e4713
SHA1: 959ce6a78f5d2c0bad3314409a7dfe2323f98902
SHA256: cbac01aa815a84b35d73ba422eddc59b9cae2ad224c76635319f9d3caa9d0f88
SHA512: 9996ca57694330ad1c3ccba35f04dc18581a4687e9fc91ec8af2d0c5cca99abf9b3456cebf6d1cf9225334f5b822a4062760d62bfd4f029d50f98cb3d5d17ad0
Static task: static1
Behavioral task: behavioral1 (Sample: bins.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: bins.sh, Resource: debian9-armhf-20240418-en)
Behavioral task: behavioral3 (Sample: bins.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: bins.sh, Resource: debian9-mipsel-20240729-en)
Malware Config
Extracted: gafgyt
185.237.15.131:666
Targets
Target: bins.sh
- Detected Gafgyt variant
- Gafgyt family
- File and Directory Permissions Modification: Adversaries may modify file or directory permissions to evade defenses.
- Deletes system logs: Deletes the log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
- Executes dropped EXE
- Writes DNS configuration: Writes data to the DNS resolver config file.
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching: Abuses sudo or cached sudo credentials to execute code.
- Enumerates running processes: Discovers information about currently running processes on the system.
MITRE ATT&CK Enterprise v15
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Sudo and Sudo Caching (1)
- File and Directory Permissions Modification (1)
- Linux and Mac File and Directory Permissions Modification (1)
- Indicator Removal (4)
- Clear Linux or Mac System Logs (4)
- Virtualization/Sandbox Evasion (1)
- System Checks (1)