enemybot | 3f1389bc57d457bf9dfc0cd70ddd2fba878eea14db51bb54944579fb85990d8e | Triage

Sharing

General

Target

3f1389bc57d457bf9dfc0cd70ddd2fba878eea14db51bb54944579fb85990d8e.elf
Size

168KB
Sample

240221-dr1qcaah79
MD5

d128cd316b18328301e7127f59d16a02
SHA1

26bae1e3ec8d4043b3c0c0c68d6c538782856eca
SHA256

3f1389bc57d457bf9dfc0cd70ddd2fba878eea14db51bb54944579fb85990d8e
SHA512

93ded5471caf892b1ce5049363468c65b92c03365f048f064e2ade2190f7a913c70c497eca62d8d0ff6b4fc758bb6b4ce37363fc56fd37737bf8f269243740fe
SSDEEP

3072:8PSi28gcKeX9BCHDd4tccPifbAI9XYM2bkzBe/B+hVn8vWQcY1EKk5WcTM:B8gSGd4pPCf9XY1Ke/ghZ8vWQcY1EKkM

Score

10^/10

enemybot gafgyt linux persistence

Malware Config

Extracted

Family

gafgyt

C2

239.255.255.250:1900

Targets

- Target
  
  3f1389bc57d457bf9dfc0cd70ddd2fba878eea14db51bb54944579fb85990d8e.elf
- Size
  
  168KB
- MD5
  
  d128cd316b18328301e7127f59d16a02
- SHA1
  
  26bae1e3ec8d4043b3c0c0c68d6c538782856eca
- SHA256
  
  3f1389bc57d457bf9dfc0cd70ddd2fba878eea14db51bb54944579fb85990d8e
- SHA512
  
  93ded5471caf892b1ce5049363468c65b92c03365f048f064e2ade2190f7a913c70c497eca62d8d0ff6b4fc758bb6b4ce37363fc56fd37737bf8f269243740fe
- SSDEEP
  
  3072:8PSi28gcKeX9BCHDd4tccPifbAI9XYM2bkzBe/B+hVn8vWQcY1EKk5WcTM:B8gSGd4pPCf9XY1Ke/ghZ8vWQcY1EKkM
Score

7^/10

persistence
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1