gafgyt | ad2aa8ad7e9f46168c811aae08adbe5e6ae58a8ff84cacd3aa0e630f84b08d14 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7d386ac57d...1c68b8

debian-9-armhf

9

Sharing

General

Target

7d386ac57d8ddc0e544e3a69641c68b8
Size

157KB
Sample

231220-crxs1sgbfq
MD5

7d386ac57d8ddc0e544e3a69641c68b8
SHA1

dfe78f65e0bfc96dbed20b8ab5ca9398ced30bd1
SHA256

ad2aa8ad7e9f46168c811aae08adbe5e6ae58a8ff84cacd3aa0e630f84b08d14
SHA512

b3394b83bb129877091c17b7eea655f30ae538c62c9c5a89ff89b71f395a366baca969db4d505d776b73ac27961849e23d1bfcb08243c76eb51b7e711cb63d46
SSDEEP

3072:q1buCcJqcKxZe/3boPOkqNvfJTtmI5mPAZaQhSmWitCBNU:qGw5fybomlvfJTVmPAZaQhSmWitCBNU

Score

10^/10

gafgyt discovery

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

7d386ac57d8ddc0e544e3a69641c68b8

Resource

debian9-armhf-20231215-en

debian-9-armhf

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  7d386ac57d8ddc0e544e3a69641c68b8
- Size
  
  157KB
- MD5
  
  7d386ac57d8ddc0e544e3a69641c68b8
- SHA1
  
  dfe78f65e0bfc96dbed20b8ab5ca9398ced30bd1
- SHA256
  
  ad2aa8ad7e9f46168c811aae08adbe5e6ae58a8ff84cacd3aa0e630f84b08d14
- SHA512
  
  b3394b83bb129877091c17b7eea655f30ae538c62c9c5a89ff89b71f395a366baca969db4d505d776b73ac27961849e23d1bfcb08243c76eb51b7e711cb63d46
- SSDEEP
  
  3072:q1buCcJqcKxZe/3boPOkqNvfJTtmI5mPAZaQhSmWitCBNU:qGw5fybomlvfJTVmPAZaQhSmWitCBNU
Score

9^/10

discovery
- Contacts a large (15439) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Changes its process name
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

Discovery

Network Service Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

© 2018-2025

Terms | Privacy