gafgyt | 51194a1ba8b942d5f90b2f8ec686bb3db64b40ca528caaa1aa5e48c4f11c41ce | Triage

Sharing

General

Target

51194a1ba8b942d5f90b2f8ec686bb3db64b40ca528caaa1aa5e48c4f11c41ce
Size

151KB
Sample

221125-k1r8wsae7y
MD5

a07d71222cc127866f602c10300b8acb
SHA1

f36db9d543610fdacc042ee4c8486aa85ec1dbbb
SHA256

51194a1ba8b942d5f90b2f8ec686bb3db64b40ca528caaa1aa5e48c4f11c41ce
SHA512

ecb955c178003503aaf9bce4caea6896ad507bec6cd86535f46fca88dfc3263c015df095345beb458f82edf6b2f6994ae6771438df1cd5cd9a84fe5eebf12b76
SSDEEP

3072:dgZc9h1jlnLA2PiXYeyCc2VNMVGuo9mrThPaLEnvPrNb:dd7lnLA2PiIeyZ2VWDo9mrThPaLEnvP5

Score

10^/10

gafgyt

Malware Config

Targets

- Target
  
  51194a1ba8b942d5f90b2f8ec686bb3db64b40ca528caaa1aa5e48c4f11c41ce
- Size
  
  151KB
- MD5
  
  a07d71222cc127866f602c10300b8acb
- SHA1
  
  f36db9d543610fdacc042ee4c8486aa85ec1dbbb
- SHA256
  
  51194a1ba8b942d5f90b2f8ec686bb3db64b40ca528caaa1aa5e48c4f11c41ce
- SHA512
  
  ecb955c178003503aaf9bce4caea6896ad507bec6cd86535f46fca88dfc3263c015df095345beb458f82edf6b2f6994ae6771438df1cd5cd9a84fe5eebf12b76
- SSDEEP
  
  3072:dgZc9h1jlnLA2PiXYeyCc2VNMVGuo9mrThPaLEnvPrNb:dd7lnLA2PiIeyZ2VWDo9mrThPaLEnvP5
Score

9^/10
- Modifies the Watchdog daemon
  Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1