gafgyt | b9e524468ec5048568a79d4586bd4c162c9698e04fcf7b928c804dc107be7a56 | Triage

Submit
Reports

Overview

overview

Static

static

1

VirtualBox...in.exe

windows10-1703-x64

VirtualBox...in.exe

macos-10.15-amd64

7

VirtualBox...in.exe

ubuntu-18.04-amd64

Resubmissions

26/12/2023, 03:54

231226-egcffaacfk 10

26/12/2023, 03:18

231226-dtwt6secbl 10

26/12/2023, 03:10

231226-dn95lseeb3 6

26/12/2023, 02:49

231226-dbbraabber 6

25/12/2023, 23:42

231225-3p4fwshchq 6

25/12/2023, 15:43

231225-s6cdmaabam 6

25/12/2023, 15:36

231225-s16qaaahb6 6

Sharing

General

Target

VirtualBox-6.0.24-139119-Win.exe
Size

162.6MB
Sample

231226-egcffaacfk
MD5

bf0d15ed303a38875006ffea1fc08cd5
SHA1

26b9ea5d6b12d669ffb7b0e705f7119ef9fc1166
SHA256

b9e524468ec5048568a79d4586bd4c162c9698e04fcf7b928c804dc107be7a56
SHA512

56b67a8aaf8d321883ec168d9cb2fdc98ab95c8d8daf6066c5f727ca5a9b8cf25a0fcb83082a11f55a8e05c65991c85af98ddffff372e2307a20d3f681daa911
SSDEEP

3145728:MEHxTKgumdU38cEu4LQb443ZywG6YVWlRwx/jiYcsUYoYC3C1oH:MEHMxmlVLQVZVGqlRwx29sU3v33

Score

10^/10

gafgyt botnet discovery evasion execution link linux macos pdf persistence

Static task

static1

Behavioral task

behavioral1

Sample

VirtualBox-6.0.24-139119-Win.exe

Resource

win10-20231220-en

gafgyt botnet link pdf persistence

windows10-1703-x64

32 signatures

1800 seconds

Behavioral task

behavioral2

Sample

VirtualBox-6.0.24-139119-Win.exe

Resource

macos-20231201-en

discovery evasion execution

macos-10.15-amd64

5 signatures

1800 seconds

Behavioral task

behavioral3

Sample

VirtualBox-6.0.24-139119-Win.exe

Resource

ubuntu1804-amd64-20231215-en

ubuntu-18.04-amd64

0 signatures

1800 seconds

Malware Config

Targets

- Target
  
  VirtualBox-6.0.24-139119-Win.exe
- Size
  
  162.6MB
- MD5
  
  bf0d15ed303a38875006ffea1fc08cd5
- SHA1
  
  26b9ea5d6b12d669ffb7b0e705f7119ef9fc1166
- SHA256
  
  b9e524468ec5048568a79d4586bd4c162c9698e04fcf7b928c804dc107be7a56
- SHA512
  
  56b67a8aaf8d321883ec168d9cb2fdc98ab95c8d8daf6066c5f727ca5a9b8cf25a0fcb83082a11f55a8e05c65991c85af98ddffff372e2307a20d3f681daa911
- SSDEEP
  
  3145728:MEHxTKgumdU38cEu4LQb443ZywG6YVWlRwx/jiYcsUYoYC3C1oH:MEHMxmlVLQVZVGqlRwx29sU3v33
Score

10^/10

gafgyt botnet link pdf persistence discovery evasion execution
- Detected Gafgyt variant
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Queries the macOS version information.
  discovery
- file permission
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Unix Shell

System Services

Launchctl

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Modify Registry

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Discovery

File and Directory Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

gafgytbotnetlinkpdfpersistence

behavioral2

discoveryevasionexecution

behavioral3

© 2018-2025

Terms | Privacy