enemybot | 7e2cb1fd2c19485eb6b4604a3656477f628712f2e4fec202f7dcd105957e3b94 | Triage

Submit
Reports

Overview

overview

Static

static

4470dffdf4...1b.elf

ubuntu-18.04-amd64

9

Sharing

General

Target

635310bf9fce382320b3ee8716a1424f.bin
Size

78KB
Sample

240203-bvw58agbbq
MD5

01d577465255d1c1f7d31777681912fb
SHA1

df24e7358fbaecf0012605c6e866feb24ea98f0c
SHA256

7e2cb1fd2c19485eb6b4604a3656477f628712f2e4fec202f7dcd105957e3b94
SHA512

80131d9cf8f4499ffefeabd0bb37407d886a6148e0c026982f58d7cdd9a669c4d0c2f9bcc0751e4f200e53ef3931ee70a7306b9d9beaf64795ea7d49c5ff487e
SSDEEP

1536:Z3jX8ICvlKVPdTS7Wox5FfAhOt9X1nFTsXR3dbUCrGAYx91c:Zz8fvw7TS7BHFsOvt9sfUChYxI

Score

10^/10

enemybot gafgyt discovery linux persistence

Static task

static1

enemybot gafgyt

4 signatures

Behavioral task

behavioral1

Sample

4470dffdf485099a7ebbe92b3e8d1db1ff14d8b2c39e3aabaa69c8122e86b91b.elf

Resource

ubuntu1804-amd64-20231221-en

discovery persistence

ubuntu-18.04-amd64

5 signatures

150 seconds

Malware Config

Extracted

Family

gafgyt

C2

239.255.255.250:1900

Targets

- Target
  
  4470dffdf485099a7ebbe92b3e8d1db1ff14d8b2c39e3aabaa69c8122e86b91b.elf
- Size
  
  168KB
- MD5
  
  635310bf9fce382320b3ee8716a1424f
- SHA1
  
  e80ec55bfb60d8629d887e07f925adcc09edd301
- SHA256
  
  4470dffdf485099a7ebbe92b3e8d1db1ff14d8b2c39e3aabaa69c8122e86b91b
- SHA512
  
  7889bb91634d2dbaa7c5eb70314f7d80590fc770cb31e178c547f38a0ccccd6c297d831b687589126316ea80d8a237ccd6afc4e0b41b8103b0ad9c6575a6cd88
- SSDEEP
  
  3072:8PSi28gcKeX9BCxDFwlcgPifbAIBXYM2bkzBe/B+NJP8vWQcY1EKk5WcTM:B8gSsFwdPCfBXY1Ke/gNN8vWQcY1EKkM
Score

9^/10

discovery persistence
- Contacts a large (1128064) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

© 2018-2024

Terms | Privacy