enemybot | 2fcede6b116076661ecb2ec903f38c34d47fc98e999d395b85efbe84703bc0ce | Triage

Sharing

General

Target

285418c5f17819c83932f4c42809f9b7
Size

165KB
Sample

240220-2sefhage72
MD5

285418c5f17819c83932f4c42809f9b7
SHA1

e5b438026f9e9862df34e2d7eb5a1642f1f5004f
SHA256

2fcede6b116076661ecb2ec903f38c34d47fc98e999d395b85efbe84703bc0ce
SHA512

952b4969a4b0ecb7f1771f5c1854453b5aa9f0c8e778d9509afdfe60d805d458fff4c69f4a4c93d3e334aa0fa2243050f8df664ce27dd343e1ebd857ed7651b0
SSDEEP

3072:hxkUUnWy5cv49uUzeVr2mmQ1N031Kw6uP/n2bhtBeUmMJvkmBqs7WxlvWQcY1EKD:hFUWy5cA9uRSYi3k/E/2peUmu5IBlvWE

Score

10^/10

enemybot gafgyt linux persistence

Malware Config

Extracted

Family

gafgyt

C2

239.255.255.250:1900

Targets

- Target
  
  285418c5f17819c83932f4c42809f9b7
- Size
  
  165KB
- MD5
  
  285418c5f17819c83932f4c42809f9b7
- SHA1
  
  e5b438026f9e9862df34e2d7eb5a1642f1f5004f
- SHA256
  
  2fcede6b116076661ecb2ec903f38c34d47fc98e999d395b85efbe84703bc0ce
- SHA512
  
  952b4969a4b0ecb7f1771f5c1854453b5aa9f0c8e778d9509afdfe60d805d458fff4c69f4a4c93d3e334aa0fa2243050f8df664ce27dd343e1ebd857ed7651b0
- SSDEEP
  
  3072:hxkUUnWy5cv49uUzeVr2mmQ1N031Kw6uP/n2bhtBeUmMJvkmBqs7WxlvWQcY1EKD:hFUWy5cA9uRSYi3k/E/2peUmu5IBlvWE
Score

7^/10

persistence
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1