Malware Analysis Report

2024-11-15 05:02

Sample ID 240702-glxnaaygpb
Target qkdjdjj22.x86.elf
SHA256 c1d8a7ed1e88ccc6ac4bd7002b2f9279031c82f45bf8e6f33aaa87602b1d8365
Tags
gafgyt botnet persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1d8a7ed1e88ccc6ac4bd7002b2f9279031c82f45bf8e6f33aaa87602b1d8365

Threat Level: Known bad

The file qkdjdjj22.x86.elf was found to be: Known bad.

Malicious Activity Summary

gafgyt botnet persistence

Gafgyt family

Gafgyt/Bashlite

Detected Gafgyt variant

Executes dropped EXE

Creates/modifies Cron job

Writes file to system bin folder

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-02 05:54

Signatures

Detected Gafgyt variant

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gafgyt family

gafgyt

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 05:54

Reported

2024-07-02 05:56

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

92s

Max time network

128s

Command Line

[/tmp/qkdjdjj22.x86.elf]

Signatures

Detected Gafgyt variant

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gafgyt/Bashlite

botnet gafgyt

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/fileZqoP6M | /tmp/fileZqoP6M | N/A
N/A | /tmp/fileHJX6xr | /tmp/fileHJX6xr | N/A
N/A | /tmp/file2DIUFK | /tmp/file2DIUFK | N/A
N/A | /tmp/files3PI62 | /tmp/files3PI62 | N/A
N/A | /tmp/filecBRUBM | /tmp/filecBRUBM | N/A
N/A | /tmp/file7iWVI1 | /tmp/file7iWVI1 | N/A
N/A | /tmp/filesUlba6 | /tmp/filesUlba6 | N/A
N/A | /tmp/fileTzvpb0 | /tmp/fileTzvpb0 | N/A
N/A | /tmp/fileFFwSJ8 | /tmp/fileFFwSJ8 | N/A
N/A | /tmp/fileWVgLOX | /tmp/fileWVgLOX | N/A
N/A | /tmp/fileLOSLKp | /tmp/fileLOSLKp | N/A
N/A | /tmp/fileGCFU2s | /tmp/fileGCFU2s | N/A
N/A | /tmp/fileplZShR | /tmp/fileplZShR | N/A
N/A | /tmp/fileozNxO5 | /tmp/fileozNxO5 | N/A
N/A | /tmp/fileBBsOHz | /tmp/fileBBsOHz | N/A
N/A | /tmp/fileoDVmuc | /tmp/fileoDVmuc | N/A
N/A | /tmp/filel62aWE | /tmp/filel62aWE | N/A
N/A | /tmp/fileXFuICN | /tmp/fileXFuICN | N/A
N/A | /tmp/filesxpw9s | /tmp/filesxpw9s | N/A
N/A | /tmp/filegqhLdZ | /tmp/filegqhLdZ | N/A
N/A | /tmp/filelyOJaB | /tmp/filelyOJaB | N/A
N/A | /tmp/file5aNS9Z | /tmp/file5aNS9Z | N/A
N/A | /tmp/fileF8zpZJ | /tmp/fileF8zpZJ | N/A
N/A | /tmp/file7WychX | /tmp/file7WychX | N/A
N/A | /tmp/filePzm7fn | /tmp/filePzm7fn | N/A
N/A | /tmp/fileh6G8iG | /tmp/fileh6G8iG | N/A
N/A | /tmp/file3r8Iv3 | /tmp/file3r8Iv3 | N/A
N/A | /tmp/fileJPL41s | /tmp/fileJPL41s | N/A
N/A | /tmp/fileMVSQeW | /tmp/fileMVSQeW | N/A
N/A | /tmp/filee34F2O | /tmp/filee34F2O | N/A
N/A | /tmp/fileLSc0HM | /tmp/fileLSc0HM | N/A
N/A | /tmp/filev0eUGm | /tmp/filev0eUGm | N/A
N/A | /tmp/filepQ1J8K | /tmp/filepQ1J8K | N/A
N/A | /tmp/fileJrGkAA | /tmp/fileJrGkAA | N/A
N/A | /tmp/filet0oiKk | /tmp/filet0oiKk | N/A
N/A | /tmp/filefKjT2N | /tmp/filefKjT2N | N/A
N/A | /tmp/fileVTNxt2 | /tmp/fileVTNxt2 | N/A
N/A | /tmp/file2S93nT | /tmp/file2S93nT | N/A
N/A | /tmp/fileLx49Eb | /tmp/fileLx49Eb | N/A
N/A | /tmp/fileKUgSV8 | /tmp/fileKUgSV8 | N/A
N/A | /tmp/filezXgSsm | /tmp/filezXgSsm | N/A
N/A | /tmp/fileCcgaTB | /tmp/fileCcgaTB | N/A
N/A | /tmp/filePAdnYD | /tmp/filePAdnYD | N/A
N/A | /tmp/filesmVeYr | /tmp/filesmVeYr | N/A

Creates/modifies Cron job

persistence
Description | Indicator | Process | Target
File opened for modification | /etc/cron.hourly/0 | /tmp/fileoDVmuc | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filesxpw9s | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/file5aNS9Z | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filePzm7fn | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileVTNxt2 | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileCcgaTB | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filePAdnYD | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileTzvpb0 | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileGCFU2s | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filel62aWE | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileXFuICN | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/file2S93nT | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileLx49Eb | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filelyOJaB | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileh6G8iG | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filefKjT2N | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filesUlba6 | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileplZShR | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileozNxO5 | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/file3r8Iv3 | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileMVSQeW | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileLSc0HM | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filepQ1J8K | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileHJX6xr | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filecBRUBM | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileWVgLOX | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filegqhLdZ | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileJPL41s | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filev0eUGm | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileFFwSJ8 | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileLOSLKp | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileBBsOHz | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileZqoP6M | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/files3PI62 | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/file7WychX | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filee34F2O | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filet0oiKk | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/filezXgSsm | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/qkdjdjj22.x86.elf | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/file2DIUFK | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/file7iWVI1 | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileF8zpZJ | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileJrGkAA | N/A
File opened for modification | /etc/cron.hourly/0 | /tmp/fileKUgSV8 | N/A

Writes file to system bin folder

Description | Indicator | Process | Target
File opened for modification | /bin/ls | /tmp/qkdjdjj22.x86.elf | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/self/exe | /tmp/fileZqoP6M | N/A
File opened for reading | /proc/self/exe | /tmp/fileozNxO5 | N/A
File opened for reading | /proc/self/exe | /tmp/file7WychX | N/A
File opened for reading | /proc/self/exe | /tmp/fileJPL41s | N/A
File opened for reading | /proc/self/exe | /tmp/fileLSc0HM | N/A
File opened for reading | /proc/self/exe | /tmp/filesmVeYr | N/A
File opened for reading | /proc/self/exe | /tmp/file7iWVI1 | N/A
File opened for reading | /proc/self/exe | /tmp/fileTzvpb0 | N/A
File opened for reading | /proc/self/exe | /tmp/filesxpw9s | N/A
File opened for reading | /proc/self/exe | /tmp/filepQ1J8K | N/A
File opened for reading | /proc/self/exe | /tmp/fileJrGkAA | N/A
File opened for reading | /proc/self/exe | /tmp/fileKUgSV8 | N/A
File opened for reading | /proc/self/exe | /tmp/filezXgSsm | N/A
File opened for reading | /proc/self/exe | /tmp/fileXFuICN | N/A
File opened for reading | /proc/self/exe | /tmp/file5aNS9Z | N/A
File opened for reading | /proc/self/exe | /tmp/file3r8Iv3 | N/A
File opened for reading | /proc/self/exe | /tmp/fileLx49Eb | N/A
File opened for reading | /proc/self/exe | /tmp/fileHJX6xr | N/A
File opened for reading | /proc/self/exe | /tmp/files3PI62 | N/A
File opened for reading | /proc/self/exe | /tmp/filesUlba6 | N/A
File opened for reading | /proc/self/exe | /tmp/fileFFwSJ8 | N/A
File opened for reading | /proc/self/exe | /tmp/fileWVgLOX | N/A
File opened for reading | /proc/self/exe | /tmp/fileLOSLKp | N/A
File opened for reading | /proc/self/exe | /tmp/fileGCFU2s | N/A
File opened for reading | /proc/self/exe | /tmp/fileF8zpZJ | N/A
File opened for reading | /proc/self/exe | /tmp/fileMVSQeW | N/A
File opened for reading | /proc/self/exe | /tmp/filefKjT2N | N/A
File opened for reading | /proc/self/exe | /tmp/qkdjdjj22.x86.elf | N/A
File opened for reading | /proc/self/exe | /tmp/filecBRUBM | N/A
File opened for reading | /proc/self/exe | /tmp/filePzm7fn | N/A
File opened for reading | /proc/self/exe | /tmp/filev0eUGm | N/A
File opened for reading | /proc/self/exe | /tmp/filet0oiKk | N/A
File opened for reading | /proc/self/exe | /tmp/fileCcgaTB | N/A
File opened for reading | /proc/self/exe | /tmp/fileplZShR | N/A
File opened for reading | /proc/self/exe | /tmp/fileoDVmuc | N/A
File opened for reading | /proc/self/exe | /tmp/filel62aWE | N/A
File opened for reading | /proc/self/exe | /tmp/filePAdnYD | N/A
File opened for reading | /proc/self/exe | /tmp/file2DIUFK | N/A
File opened for reading | /proc/self/exe | /tmp/fileBBsOHz | N/A
File opened for reading | /proc/self/exe | /tmp/filegqhLdZ | N/A
File opened for reading | /proc/self/exe | /tmp/filelyOJaB | N/A
File opened for reading | /proc/self/exe | /tmp/fileh6G8iG | N/A
File opened for reading | /proc/self/exe | /tmp/filee34F2O | N/A
File opened for reading | /proc/self/exe | /tmp/fileVTNxt2 | N/A
File opened for reading | /proc/self/exe | /tmp/file2S93nT | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/fileZqoP6M | /tmp/qkdjdjj22.x86.elf | N/A
File opened for modification | /tmp/fileHJX6xr | /tmp/fileZqoP6M | N/A
File opened for modification | /tmp/files3PI62 | /tmp/file2DIUFK | N/A
File opened for modification | /tmp/filePzm7fn | /tmp/file7WychX | N/A
File opened for modification | /tmp/fileJPL41s | /tmp/file3r8Iv3 | N/A
File opened for modification | /tmp/filepQ1J8K | /tmp/filev0eUGm | N/A
File opened for modification | /tmp/fileTzvpb0 | /tmp/filesUlba6 | N/A
File opened for modification | /tmp/fileWVgLOX | /tmp/fileFFwSJ8 | N/A
File opened for modification | /tmp/fileLOSLKp | /tmp/fileWVgLOX | N/A
File opened for modification | /tmp/fileLSc0HM | /tmp/filee34F2O | N/A
File opened for modification | /tmp/file2S93nT | /tmp/fileVTNxt2 | N/A
File opened for modification | /tmp/filezXgSsm | /tmp/fileKUgSV8 | N/A
File opened for modification | /tmp/file2DIUFK | /tmp/fileHJX6xr | N/A
File opened for modification | /tmp/file7iWVI1 | /tmp/filecBRUBM | N/A
File opened for modification | /tmp/fileFFwSJ8 | /tmp/fileTzvpb0 | N/A
File opened for modification | /tmp/fileoDVmuc | /tmp/fileBBsOHz | N/A
File opened for modification | /tmp/fileJrGkAA | /tmp/filepQ1J8K | N/A
File opened for modification | /tmp/fileC6vg8b | /tmp/filesmVeYr | N/A
File opened for modification | /tmp/fileGCFU2s | /tmp/fileLOSLKp | N/A
File opened for modification | /tmp/fileBBsOHz | /tmp/fileozNxO5 | N/A
File opened for modification | /tmp/fileXFuICN | /tmp/filel62aWE | N/A
File opened for modification | /tmp/filesxpw9s | /tmp/fileXFuICN | N/A
File opened for modification | /tmp/filee34F2O | /tmp/fileMVSQeW | N/A
File opened for modification | /tmp/fileKUgSV8 | /tmp/fileLx49Eb | N/A
File opened for modification | /tmp/fileplZShR | /tmp/fileGCFU2s | N/A
File opened for modification | /tmp/filel62aWE | /tmp/fileoDVmuc | N/A
File opened for modification | /tmp/filelyOJaB | /tmp/filegqhLdZ | N/A
File opened for modification | /tmp/filev0eUGm | /tmp/fileLSc0HM | N/A
File opened for modification | /tmp/filet0oiKk | /tmp/fileJrGkAA | N/A
File opened for modification | /tmp/fileLx49Eb | /tmp/file2S93nT | N/A
File opened for modification | /tmp/filesUlba6 | /tmp/file7iWVI1 | N/A
File opened for modification | /tmp/fileozNxO5 | /tmp/fileplZShR | N/A
File opened for modification | /tmp/fileF8zpZJ | /tmp/file5aNS9Z | N/A
File opened for modification | /tmp/fileMVSQeW | /tmp/fileJPL41s | N/A
File opened for modification | /tmp/fileVTNxt2 | /tmp/filefKjT2N | N/A
File opened for modification | /tmp/filePAdnYD | /tmp/fileCcgaTB | N/A
File opened for modification | /tmp/filecBRUBM | /tmp/files3PI62 | N/A
File opened for modification | /tmp/filegqhLdZ | /tmp/filesxpw9s | N/A
File opened for modification | /tmp/file5aNS9Z | /tmp/filelyOJaB | N/A
File opened for modification | /tmp/file7WychX | /tmp/fileF8zpZJ | N/A
File opened for modification | /tmp/fileh6G8iG | /tmp/filePzm7fn | N/A
File opened for modification | /tmp/file3r8Iv3 | /tmp/fileh6G8iG | N/A
File opened for modification | /tmp/filefKjT2N | /tmp/filet0oiKk | N/A
File opened for modification | /tmp/fileCcgaTB | /tmp/filezXgSsm | N/A
File opened for modification | /tmp/filesmVeYr | /tmp/filePAdnYD | N/A

Processes

/tmp/qkdjdjj22.x86.elf

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileZqoP6M

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileHJX6xr

[/tmp/qkdjdjj22.x86.elf]

/tmp/file2DIUFK

[/tmp/qkdjdjj22.x86.elf]

/tmp/files3PI62

[/tmp/qkdjdjj22.x86.elf]

/tmp/filecBRUBM

[/tmp/qkdjdjj22.x86.elf]

/tmp/file7iWVI1

[/tmp/qkdjdjj22.x86.elf]

/tmp/filesUlba6

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileTzvpb0

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileFFwSJ8

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileWVgLOX

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileLOSLKp

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileGCFU2s

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileplZShR

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileozNxO5

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileBBsOHz

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileoDVmuc

[/tmp/qkdjdjj22.x86.elf]

/tmp/filel62aWE

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileXFuICN

[/tmp/qkdjdjj22.x86.elf]

/tmp/filesxpw9s

[/tmp/qkdjdjj22.x86.elf]

/tmp/filegqhLdZ

[/tmp/qkdjdjj22.x86.elf]

/tmp/filelyOJaB

[/tmp/qkdjdjj22.x86.elf]

/tmp/file5aNS9Z

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileF8zpZJ

[/tmp/qkdjdjj22.x86.elf]

/tmp/file7WychX

[/tmp/qkdjdjj22.x86.elf]

/tmp/filePzm7fn

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileh6G8iG

[/tmp/qkdjdjj22.x86.elf]

/tmp/file3r8Iv3

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileJPL41s

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileMVSQeW

[/tmp/qkdjdjj22.x86.elf]

/tmp/filee34F2O

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileLSc0HM

[/tmp/qkdjdjj22.x86.elf]

/tmp/filev0eUGm

[/tmp/qkdjdjj22.x86.elf]

/tmp/filepQ1J8K

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileJrGkAA

[/tmp/qkdjdjj22.x86.elf]

/tmp/filet0oiKk

[/tmp/qkdjdjj22.x86.elf]

/tmp/filefKjT2N

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileVTNxt2

[/tmp/qkdjdjj22.x86.elf]

/tmp/file2S93nT

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileLx49Eb

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileKUgSV8

[/tmp/qkdjdjj22.x86.elf]

/tmp/filezXgSsm

[/tmp/qkdjdjj22.x86.elf]

/tmp/fileCcgaTB

[/tmp/qkdjdjj22.x86.elf]

/tmp/filePAdnYD

[/tmp/qkdjdjj22.x86.elf]

/tmp/filesmVeYr

[/tmp/qkdjdjj22.x86.elf]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

/tmp/fileZqoP6M

MD5 d7c06cd80f877b3697b829ee12851d5d
SHA1 977a6258d47f140effe07e1b1d6a93ea161ad138
SHA256 4fedb406cadc190c90b552b01e5cb1891568db837cccd121fa9965223d21bc22
SHA512 19f524abef2e7ffd9908ef34459c6388780e30d69499315a1b70362441ab897af1158bd14c0133d3be8bb27381787c6062f55e8d99be06ee93736cbba535d295

/etc/cron.hourly/0

MD5 3f006f7f81fc17be7f4a0d3da0fad5de
SHA1 97a94d3d0654c6551057af3809b52572bd7f9f5d
SHA256 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf
SHA512 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

/tmp/fileZqoP6M

MD5 6f344240f3686c40e24f9bb30af5bd93
SHA1 f3b470c47d9a74c91097836be07f7fc51fd977d6
SHA256 c1d8a7ed1e88ccc6ac4bd7002b2f9279031c82f45bf8e6f33aaa87602b1d8365
SHA512 187ac80956d59e6d5ef0d5b43a4c6c2faf94a4734e834f475421da103b4542571d6928bbbf3a8da0349578985bfefd3175fc908d8a1778f2b6311bb1fe7a1c39