Analysis Overview
SHA256
c1d8a7ed1e88ccc6ac4bd7002b2f9279031c82f45bf8e6f33aaa87602b1d8365
Threat Level: Known bad
The file qkdjdjj22.x86.elf was found to be: Known bad.
Malicious Activity Summary
Gafgyt family
Gafgyt/Bashlite
Detected Gafgyt variant
Executes dropped EXE
Creates/modifies Cron job
Writes file to system bin folder
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-02 05:54
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Gafgyt family
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 05:54
Reported
2024-07-02 05:56
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
92s
Max time network
128s
Command Line
Signatures
Detected Gafgyt variant
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gafgyt/Bashlite
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /tmp/fileZqoP6M | /tmp/fileZqoP6M | N/A |
| N/A | /tmp/fileHJX6xr | /tmp/fileHJX6xr | N/A |
| N/A | /tmp/file2DIUFK | /tmp/file2DIUFK | N/A |
| N/A | /tmp/files3PI62 | /tmp/files3PI62 | N/A |
| N/A | /tmp/filecBRUBM | /tmp/filecBRUBM | N/A |
| N/A | /tmp/file7iWVI1 | /tmp/file7iWVI1 | N/A |
| N/A | /tmp/filesUlba6 | /tmp/filesUlba6 | N/A |
| N/A | /tmp/fileTzvpb0 | /tmp/fileTzvpb0 | N/A |
| N/A | /tmp/fileFFwSJ8 | /tmp/fileFFwSJ8 | N/A |
| N/A | /tmp/fileWVgLOX | /tmp/fileWVgLOX | N/A |
| N/A | /tmp/fileLOSLKp | /tmp/fileLOSLKp | N/A |
| N/A | /tmp/fileGCFU2s | /tmp/fileGCFU2s | N/A |
| N/A | /tmp/fileplZShR | /tmp/fileplZShR | N/A |
| N/A | /tmp/fileozNxO5 | /tmp/fileozNxO5 | N/A |
| N/A | /tmp/fileBBsOHz | /tmp/fileBBsOHz | N/A |
| N/A | /tmp/fileoDVmuc | /tmp/fileoDVmuc | N/A |
| N/A | /tmp/filel62aWE | /tmp/filel62aWE | N/A |
| N/A | /tmp/fileXFuICN | /tmp/fileXFuICN | N/A |
| N/A | /tmp/filesxpw9s | /tmp/filesxpw9s | N/A |
| N/A | /tmp/filegqhLdZ | /tmp/filegqhLdZ | N/A |
| N/A | /tmp/filelyOJaB | /tmp/filelyOJaB | N/A |
| N/A | /tmp/file5aNS9Z | /tmp/file5aNS9Z | N/A |
| N/A | /tmp/fileF8zpZJ | /tmp/fileF8zpZJ | N/A |
| N/A | /tmp/file7WychX | /tmp/file7WychX | N/A |
| N/A | /tmp/filePzm7fn | /tmp/filePzm7fn | N/A |
| N/A | /tmp/fileh6G8iG | /tmp/fileh6G8iG | N/A |
| N/A | /tmp/file3r8Iv3 | /tmp/file3r8Iv3 | N/A |
| N/A | /tmp/fileJPL41s | /tmp/fileJPL41s | N/A |
| N/A | /tmp/fileMVSQeW | /tmp/fileMVSQeW | N/A |
| N/A | /tmp/filee34F2O | /tmp/filee34F2O | N/A |
| N/A | /tmp/fileLSc0HM | /tmp/fileLSc0HM | N/A |
| N/A | /tmp/filev0eUGm | /tmp/filev0eUGm | N/A |
| N/A | /tmp/filepQ1J8K | /tmp/filepQ1J8K | N/A |
| N/A | /tmp/fileJrGkAA | /tmp/fileJrGkAA | N/A |
| N/A | /tmp/filet0oiKk | /tmp/filet0oiKk | N/A |
| N/A | /tmp/filefKjT2N | /tmp/filefKjT2N | N/A |
| N/A | /tmp/fileVTNxt2 | /tmp/fileVTNxt2 | N/A |
| N/A | /tmp/file2S93nT | /tmp/file2S93nT | N/A |
| N/A | /tmp/fileLx49Eb | /tmp/fileLx49Eb | N/A |
| N/A | /tmp/fileKUgSV8 | /tmp/fileKUgSV8 | N/A |
| N/A | /tmp/filezXgSsm | /tmp/filezXgSsm | N/A |
| N/A | /tmp/fileCcgaTB | /tmp/fileCcgaTB | N/A |
| N/A | /tmp/filePAdnYD | /tmp/filePAdnYD | N/A |
| N/A | /tmp/filesmVeYr | /tmp/filesmVeYr | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileoDVmuc | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filesxpw9s | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file5aNS9Z | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filePzm7fn | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileVTNxt2 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileCcgaTB | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filePAdnYD | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileTzvpb0 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileGCFU2s | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filel62aWE | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileXFuICN | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file2S93nT | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileLx49Eb | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filelyOJaB | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileh6G8iG | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filefKjT2N | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filesUlba6 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileplZShR | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileozNxO5 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file3r8Iv3 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileMVSQeW | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileLSc0HM | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filepQ1J8K | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileHJX6xr | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filecBRUBM | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileWVgLOX | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filegqhLdZ | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileJPL41s | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filev0eUGm | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileFFwSJ8 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileLOSLKp | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileBBsOHz | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileZqoP6M | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/files3PI62 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file7WychX | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filee34F2O | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filet0oiKk | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/filezXgSsm | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/qkdjdjj22.x86.elf | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file2DIUFK | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/file7iWVI1 | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileF8zpZJ | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileJrGkAA | N/A |
| File opened for modification | /etc/cron.hourly/0 | /tmp/fileKUgSV8 | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /bin/ls | /tmp/qkdjdjj22.x86.elf | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/self/exe | /tmp/fileZqoP6M | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileozNxO5 | N/A |
| File opened for reading | /proc/self/exe | /tmp/file7WychX | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileJPL41s | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileLSc0HM | N/A |
| File opened for reading | /proc/self/exe | /tmp/filesmVeYr | N/A |
| File opened for reading | /proc/self/exe | /tmp/file7iWVI1 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileTzvpb0 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filesxpw9s | N/A |
| File opened for reading | /proc/self/exe | /tmp/filepQ1J8K | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileJrGkAA | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileKUgSV8 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filezXgSsm | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileXFuICN | N/A |
| File opened for reading | /proc/self/exe | /tmp/file5aNS9Z | N/A |
| File opened for reading | /proc/self/exe | /tmp/file3r8Iv3 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileLx49Eb | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileHJX6xr | N/A |
| File opened for reading | /proc/self/exe | /tmp/files3PI62 | N/A |
| File opened for reading | /proc/self/exe | /tmp/filesUlba6 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileFFwSJ8 | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileWVgLOX | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileLOSLKp | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileGCFU2s | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileF8zpZJ | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileMVSQeW | N/A |
| File opened for reading | /proc/self/exe | /tmp/filefKjT2N | N/A |
| File opened for reading | /proc/self/exe | /tmp/qkdjdjj22.x86.elf | N/A |
| File opened for reading | /proc/self/exe | /tmp/filecBRUBM | N/A |
| File opened for reading | /proc/self/exe | /tmp/filePzm7fn | N/A |
| File opened for reading | /proc/self/exe | /tmp/filev0eUGm | N/A |
| File opened for reading | /proc/self/exe | /tmp/filet0oiKk | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileCcgaTB | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileplZShR | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileoDVmuc | N/A |
| File opened for reading | /proc/self/exe | /tmp/filel62aWE | N/A |
| File opened for reading | /proc/self/exe | /tmp/filePAdnYD | N/A |
| File opened for reading | /proc/self/exe | /tmp/file2DIUFK | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileBBsOHz | N/A |
| File opened for reading | /proc/self/exe | /tmp/filegqhLdZ | N/A |
| File opened for reading | /proc/self/exe | /tmp/filelyOJaB | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileh6G8iG | N/A |
| File opened for reading | /proc/self/exe | /tmp/filee34F2O | N/A |
| File opened for reading | /proc/self/exe | /tmp/fileVTNxt2 | N/A |
| File opened for reading | /proc/self/exe | /tmp/file2S93nT | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/fileZqoP6M | /tmp/qkdjdjj22.x86.elf | N/A |
| File opened for modification | /tmp/fileHJX6xr | /tmp/fileZqoP6M | N/A |
| File opened for modification | /tmp/files3PI62 | /tmp/file2DIUFK | N/A |
| File opened for modification | /tmp/filePzm7fn | /tmp/file7WychX | N/A |
| File opened for modification | /tmp/fileJPL41s | /tmp/file3r8Iv3 | N/A |
| File opened for modification | /tmp/filepQ1J8K | /tmp/filev0eUGm | N/A |
| File opened for modification | /tmp/fileTzvpb0 | /tmp/filesUlba6 | N/A |
| File opened for modification | /tmp/fileWVgLOX | /tmp/fileFFwSJ8 | N/A |
| File opened for modification | /tmp/fileLOSLKp | /tmp/fileWVgLOX | N/A |
| File opened for modification | /tmp/fileLSc0HM | /tmp/filee34F2O | N/A |
| File opened for modification | /tmp/file2S93nT | /tmp/fileVTNxt2 | N/A |
| File opened for modification | /tmp/filezXgSsm | /tmp/fileKUgSV8 | N/A |
| File opened for modification | /tmp/file2DIUFK | /tmp/fileHJX6xr | N/A |
| File opened for modification | /tmp/file7iWVI1 | /tmp/filecBRUBM | N/A |
| File opened for modification | /tmp/fileFFwSJ8 | /tmp/fileTzvpb0 | N/A |
| File opened for modification | /tmp/fileoDVmuc | /tmp/fileBBsOHz | N/A |
| File opened for modification | /tmp/fileJrGkAA | /tmp/filepQ1J8K | N/A |
| File opened for modification | /tmp/fileC6vg8b | /tmp/filesmVeYr | N/A |
| File opened for modification | /tmp/fileGCFU2s | /tmp/fileLOSLKp | N/A |
| File opened for modification | /tmp/fileBBsOHz | /tmp/fileozNxO5 | N/A |
| File opened for modification | /tmp/fileXFuICN | /tmp/filel62aWE | N/A |
| File opened for modification | /tmp/filesxpw9s | /tmp/fileXFuICN | N/A |
| File opened for modification | /tmp/filee34F2O | /tmp/fileMVSQeW | N/A |
| File opened for modification | /tmp/fileKUgSV8 | /tmp/fileLx49Eb | N/A |
| File opened for modification | /tmp/fileplZShR | /tmp/fileGCFU2s | N/A |
| File opened for modification | /tmp/filel62aWE | /tmp/fileoDVmuc | N/A |
| File opened for modification | /tmp/filelyOJaB | /tmp/filegqhLdZ | N/A |
| File opened for modification | /tmp/filev0eUGm | /tmp/fileLSc0HM | N/A |
| File opened for modification | /tmp/filet0oiKk | /tmp/fileJrGkAA | N/A |
| File opened for modification | /tmp/fileLx49Eb | /tmp/file2S93nT | N/A |
| File opened for modification | /tmp/filesUlba6 | /tmp/file7iWVI1 | N/A |
| File opened for modification | /tmp/fileozNxO5 | /tmp/fileplZShR | N/A |
| File opened for modification | /tmp/fileF8zpZJ | /tmp/file5aNS9Z | N/A |
| File opened for modification | /tmp/fileMVSQeW | /tmp/fileJPL41s | N/A |
| File opened for modification | /tmp/fileVTNxt2 | /tmp/filefKjT2N | N/A |
| File opened for modification | /tmp/filePAdnYD | /tmp/fileCcgaTB | N/A |
| File opened for modification | /tmp/filecBRUBM | /tmp/files3PI62 | N/A |
| File opened for modification | /tmp/filegqhLdZ | /tmp/filesxpw9s | N/A |
| File opened for modification | /tmp/file5aNS9Z | /tmp/filelyOJaB | N/A |
| File opened for modification | /tmp/file7WychX | /tmp/fileF8zpZJ | N/A |
| File opened for modification | /tmp/fileh6G8iG | /tmp/filePzm7fn | N/A |
| File opened for modification | /tmp/file3r8Iv3 | /tmp/fileh6G8iG | N/A |
| File opened for modification | /tmp/filefKjT2N | /tmp/filet0oiKk | N/A |
| File opened for modification | /tmp/fileCcgaTB | /tmp/filezXgSsm | N/A |
| File opened for modification | /tmp/filesmVeYr | /tmp/filePAdnYD | N/A |
Processes
/tmp/qkdjdjj22.x86.elf
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileZqoP6M
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileHJX6xr
[/tmp/qkdjdjj22.x86.elf]
/tmp/file2DIUFK
[/tmp/qkdjdjj22.x86.elf]
/tmp/files3PI62
[/tmp/qkdjdjj22.x86.elf]
/tmp/filecBRUBM
[/tmp/qkdjdjj22.x86.elf]
/tmp/file7iWVI1
[/tmp/qkdjdjj22.x86.elf]
/tmp/filesUlba6
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileTzvpb0
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileFFwSJ8
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileWVgLOX
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileLOSLKp
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileGCFU2s
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileplZShR
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileozNxO5
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileBBsOHz
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileoDVmuc
[/tmp/qkdjdjj22.x86.elf]
/tmp/filel62aWE
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileXFuICN
[/tmp/qkdjdjj22.x86.elf]
/tmp/filesxpw9s
[/tmp/qkdjdjj22.x86.elf]
/tmp/filegqhLdZ
[/tmp/qkdjdjj22.x86.elf]
/tmp/filelyOJaB
[/tmp/qkdjdjj22.x86.elf]
/tmp/file5aNS9Z
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileF8zpZJ
[/tmp/qkdjdjj22.x86.elf]
/tmp/file7WychX
[/tmp/qkdjdjj22.x86.elf]
/tmp/filePzm7fn
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileh6G8iG
[/tmp/qkdjdjj22.x86.elf]
/tmp/file3r8Iv3
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileJPL41s
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileMVSQeW
[/tmp/qkdjdjj22.x86.elf]
/tmp/filee34F2O
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileLSc0HM
[/tmp/qkdjdjj22.x86.elf]
/tmp/filev0eUGm
[/tmp/qkdjdjj22.x86.elf]
/tmp/filepQ1J8K
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileJrGkAA
[/tmp/qkdjdjj22.x86.elf]
/tmp/filet0oiKk
[/tmp/qkdjdjj22.x86.elf]
/tmp/filefKjT2N
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileVTNxt2
[/tmp/qkdjdjj22.x86.elf]
/tmp/file2S93nT
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileLx49Eb
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileKUgSV8
[/tmp/qkdjdjj22.x86.elf]
/tmp/filezXgSsm
[/tmp/qkdjdjj22.x86.elf]
/tmp/fileCcgaTB
[/tmp/qkdjdjj22.x86.elf]
/tmp/filePAdnYD
[/tmp/qkdjdjj22.x86.elf]
/tmp/filesmVeYr
[/tmp/qkdjdjj22.x86.elf]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
/tmp/fileZqoP6M
| Hash | Value |
| --- | --- |
| MD5 | d7c06cd80f877b3697b829ee12851d5d |
| SHA1 | 977a6258d47f140effe07e1b1d6a93ea161ad138 |
| SHA256 | 4fedb406cadc190c90b552b01e5cb1891568db837cccd121fa9965223d21bc22 |
| SHA512 | 19f524abef2e7ffd9908ef34459c6388780e30d69499315a1b70362441ab897af1158bd14c0133d3be8bb27381787c6062f55e8d99be06ee93736cbba535d295 |
/etc/cron.hourly/0
| Hash | Value |
| --- | --- |
| MD5 | 3f006f7f81fc17be7f4a0d3da0fad5de |
| SHA1 | 97a94d3d0654c6551057af3809b52572bd7f9f5d |
| SHA256 | 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf |
| SHA512 | 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0 |
/tmp/fileZqoP6M
| Hash | Value |
| --- | --- |
| MD5 | 6f344240f3686c40e24f9bb30af5bd93 |
| SHA1 | f3b470c47d9a74c91097836be07f7fc51fd977d6 |
| SHA256 | c1d8a7ed1e88ccc6ac4bd7002b2f9279031c82f45bf8e6f33aaa87602b1d8365 |
| SHA512 | 187ac80956d59e6d5ef0d5b43a4c6c2faf94a4734e834f475421da103b4542571d6928bbbf3a8da0349578985bfefd3175fc908d8a1778f2b6311bb1fe7a1c39 |