enemybot | 4470dffdf485099a7ebbe92b3e8d1db1ff14d8b2c39e3aabaa69c8122e86b91b | Triage

Resubmissions

09-04-2024 08:37

240409-kjmxvaeb2s 10

09-04-2024 08:37

240409-kjmbbaag86 10

09-04-2024 08:37

240409-kjlpsaea91 10

07-02-2024 14:38

240207-rzqr1ahge3 10

Sharing

General

Target

4470dffdf485099a7ebbe92b3e8d1db1ff14d8b2c39e3aabaa69c8122e86b91b.elf
Size

168KB
Sample

240207-rzqr1ahge3
MD5

635310bf9fce382320b3ee8716a1424f
SHA1

e80ec55bfb60d8629d887e07f925adcc09edd301
SHA256

4470dffdf485099a7ebbe92b3e8d1db1ff14d8b2c39e3aabaa69c8122e86b91b
SHA512

7889bb91634d2dbaa7c5eb70314f7d80590fc770cb31e178c547f38a0ccccd6c297d831b687589126316ea80d8a237ccd6afc4e0b41b8103b0ad9c6575a6cd88
SSDEEP

3072:8PSi28gcKeX9BCxDFwlcgPifbAIBXYM2bkzBe/B+NJP8vWQcY1EKk5WcTM:B8gSsFwdPCfBXY1Ke/gNN8vWQcY1EKkM

Score

10^/10

enemybot gafgyt discovery linux persistence

Malware Config

Extracted

Family

gafgyt

C2

239.255.255.250:1900

Targets

- Target
  
  4470dffdf485099a7ebbe92b3e8d1db1ff14d8b2c39e3aabaa69c8122e86b91b.elf
- Size
  
  168KB
- MD5
  
  635310bf9fce382320b3ee8716a1424f
- SHA1
  
  e80ec55bfb60d8629d887e07f925adcc09edd301
- SHA256
  
  4470dffdf485099a7ebbe92b3e8d1db1ff14d8b2c39e3aabaa69c8122e86b91b
- SHA512
  
  7889bb91634d2dbaa7c5eb70314f7d80590fc770cb31e178c547f38a0ccccd6c297d831b687589126316ea80d8a237ccd6afc4e0b41b8103b0ad9c6575a6cd88
- SSDEEP
  
  3072:8PSi28gcKeX9BCxDFwlcgPifbAIBXYM2bkzBe/B+NJP8vWQcY1EKk5WcTM:B8gSsFwdPCfBXY1Ke/gNN8vWQcY1EKkM
Score

9^/10

discovery persistence
- Contacts a large (354941) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence