gafgyt | f79cb8e4cc631cfa06d36918eead77185a6a82c5cbfb1c2db6aca186e9d45cb6 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2a9b1218874c19d69e94228a3f54f25f
Size

93KB
Sample

231219-2rnmsadcfq
MD5

2a9b1218874c19d69e94228a3f54f25f
SHA1

a4a395390b8c925706c8bef68a2bd1288d848183
SHA256

f79cb8e4cc631cfa06d36918eead77185a6a82c5cbfb1c2db6aca186e9d45cb6
SHA512

60051b9a5504228b6ff9d65986c259e80a7940eb9cc1ee67a9ba451cda1b53e7a85d12035a3537524a02e03f738458157a0475662dfac84d58e11e6cc6d1488b
SSDEEP

1536:O03hlMYGq9RWfCMfNKyWQ6nRlEwscCnMCYeZALe5htzxrlLbPM37K8PN2UrYe:5hJGq9RJINetnRpsJMCYeYe5htjbE371

Score

10^/10

gafgyt discovery linux

Malware Config

Extracted

Family

gafgyt

C2

167.99.91.177:23

Targets

- Target
  
  2a9b1218874c19d69e94228a3f54f25f
- Size
  
  93KB
- MD5
  
  2a9b1218874c19d69e94228a3f54f25f
- SHA1
  
  a4a395390b8c925706c8bef68a2bd1288d848183
- SHA256
  
  f79cb8e4cc631cfa06d36918eead77185a6a82c5cbfb1c2db6aca186e9d45cb6
- SHA512
  
  60051b9a5504228b6ff9d65986c259e80a7940eb9cc1ee67a9ba451cda1b53e7a85d12035a3537524a02e03f738458157a0475662dfac84d58e11e6cc6d1488b
- SSDEEP
  
  1536:O03hlMYGq9RWfCMfNKyWQ6nRlEwscCnMCYeZALe5htzxrlLbPM37K8PN2UrYe:5hJGq9RJINetnRpsJMCYeYe5htjbE371
Score

7^/10

discovery
- Changes its process name
- Deletes itself
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1