gafgyt | c01b1e7fdd3f14fd99523c71da4ce97497b4262065a6f29d9251b26cab7e03bb

Sharing

Copy URL

Twitter E-mail

General

Target

c01b1e7fdd3f14fd99523c71da4ce97497b4262065a6f29d9251b26cab7e03bb.tar
Size

10.2MB
Sample

240925-qthzja1ejd
MD5

a4d9843cc8166e0543d309cc47e3f46a
SHA1

d7612c1831b3321e97d890de0387df12b5c57fa3
SHA256

c01b1e7fdd3f14fd99523c71da4ce97497b4262065a6f29d9251b26cab7e03bb
SHA512

5a3ee382f32e3e3e5058a56841ab71441f23bf250784563e68fa84c1638bcc5762335432d118b7996c323162f8d8bf980bc1042ccc7ac91f13cc6f871c54afa3
SSDEEP

196608:RDH6rsox3zJUEKBHjVoeW3+Jp3wkETTV0wRDByc9YZSrd+TDD:BaQoEHBoeW3Ap3wkoTV0pKYZSZ+Tv

Score

10^/10

Malware Config

Extracted

Family

gafgyt

255.255.255.255:1900

194.48.250.133:23

Extracted

Family

mirai

hou.zu0x.com

Extracted

Family

mirai

Botnet

CHARYBDIS

216.219.94.5

216.219.94.57

Extracted

Family

risepro

193.233.132.49:50500

Targets

- Target
  
  27960730119663739
- Size
  
  85KB
- MD5
  
  4f8c2f12d1eb4961813d21d9abf6dc2d
- SHA1
  
  f6b2ee4baf47335288d8ed5fc538a49822edbbb5
- SHA256
  
  e0f54d1599e7bbfc47af48d1de7665a01a5e6b3f6e0cc29d98782c6d995b1394
- SHA512
  
  7d7d7a84ea3b0ecdb89f55e39dca057f408b2e76f1b38f58043148c36007fc6aa94ce9e7c8308f7ad880f0dbd59ed2c62e5624801e4cd8ffd7f92a154bc12c9d
- SSDEEP
  
  1536:AamwtHJfIP6A8+Uc4HjCbsPdkyOGit5K4KxPFY1Jrb4VxCE2M16y+:At+IP6+Iu5GW5K/x44VxV1I
Score

1^/10
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  32825050225637941
- Size
  
  71KB
- MD5
  
  1b2d3d937052ac1d989a7e5bfd9d28f6
- SHA1
  
  5979c7ac4862133628386135a845893d38e218bb
- SHA256
  
  718cb76210b528fe1eddf533a352a2f4583957a0f4144a9b6389c600273bf6be
- SHA512
  
  89f454a499a1e6e3010a57315f9ed11324813b39638fcc843778c75e163c85bd36d8d0b32839487c7979cf194dd99a7e0451ab03bb31257eb257453782bd1489
- SSDEEP
  
  768:TLGl3o5UaqLQqeuuBLvDn9N1FdVtlb/T3etCj/zGxcLso+kw6R2CC76t16v219/A:TD5bdw6Q77yd5Lehk0oXAH
Score

7^/10

defense_evasion discovery
- Deletes itself
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral5
- Target
  
  35616602442412040
- Size
  
  385KB
- MD5
  
  b27315d7b16e45c1ed5dadb86bed7280
- SHA1
  
  eba49957cc5f7933aed7deee0fd798abd7ddca55
- SHA256
  
  f26910f97d3e1ba27299a5b3e05c6a344dd80a8d84ceb5288723ab5e3c3b7753
- SHA512
  
  71e026059e9026af839e6584d450a061239abaf39bd1f3deba8e63e28850d68a10d1a4891d8aae8328468b7fb57116a12b6a43bd0f9d4dc4d5c0180616a749bc
- SSDEEP
  
  6144:Z6xeJy0ykZ1e5hhdO1j33ZWPBmhGQQTvD0R/bl:Z6xeJy7GI5hOjHOmhGQQvD0R/bl
Score

6^/10

discovery
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
behavioral6
- Target
  
  40378277128495512
- Size
  
  85KB
- MD5
  
  4f8c2f12d1eb4961813d21d9abf6dc2d
- SHA1
  
  f6b2ee4baf47335288d8ed5fc538a49822edbbb5
- SHA256
  
  e0f54d1599e7bbfc47af48d1de7665a01a5e6b3f6e0cc29d98782c6d995b1394
- SHA512
  
  7d7d7a84ea3b0ecdb89f55e39dca057f408b2e76f1b38f58043148c36007fc6aa94ce9e7c8308f7ad880f0dbd59ed2c62e5624801e4cd8ffd7f92a154bc12c9d
- SSDEEP
  
  1536:AamwtHJfIP6A8+Uc4HjCbsPdkyOGit5K4KxPFY1Jrb4VxCE2M16y+:At+IP6+Iu5GW5K/x44VxV1I
Score

1^/10
behavioral10 behavioral7 behavioral8 behavioral9
- Target
  
  45331149853509989
- Size
  
  2.9MB
- MD5
  
  f859a0b06d2eaf5b7916755c0ab0f8a2
- SHA1
  
  26fa0aef74b9914f302bf8bf01c8ce82043d410b
- SHA256
  
  ff20608f0d92ae1c6af3b4170e7627e1f292845df8d943a5bd3117fff04c1650
- SHA512
  
  3961ccc0329b567383f9598abb2f900deea79865bf10d99f8615f234a82fdaa2ac7b6bcf3e13e97b7e4127627157c12bd3708b6cd9e856bdde08344338542187
- SSDEEP
  
  49152:ounwv2WHwr9tZ6ekkLL5Tk9oxp1RxJVJgda5KBH4UJk95IuyVWU/qEE0nWXPJ:oxvLH6NpkkZ+ox3RxJUEKBHJJk9oVNxs
Score

1^/10
behavioral11 behavioral12 behavioral13
- Target
  
  56618521379097511
- Size
  
  191KB
- MD5
  
  1e93874a2e62119775e545c413b6c168
- SHA1
  
  33e471c1622ef34d4d3e681a570af22b4a17bd19
- SHA256
  
  2d894d197ce20ac34f74d35eafb11605efc3dc6ea286dd6c1a2f3542bf75db21
- SHA512
  
  7f8b606aff6319104392436628485365cf2de94b9dcddca5dc0c596120a1b46ea3ceea8a903f8b0e027e457b6f79dd8125e11108390c6fe25dace28dd5c939d3
- SSDEEP
  
  3072:K+Ag8mGa4ybxHot+ykaTs/eNBHONTEfIg6tLUbt8k8iKkoEM/9y2VLXmFj35VTK:K+ZQapl5aTs/eNBHOREEypKkrM/9y2RT
Score

7^/10

credential_access defense_evasion discovery
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral14
- Target
  
  99971917023891412
- Size
  
  6.5MB
- MD5
  
  6c445fd49061f4c9849fa6fecb3ecea8
- SHA1
  
  d7cd4c01cd9afc838a1e657925153bf219eee41d
- SHA256
  
  9e303948d961216b83748b22811d3f0b287d8c22040ae24f5a618b5866d96719
- SHA512
  
  4958c04e6b201d0dfed9a72235dddb8752becbebd53ecdc79878abf5a4e72939d09ce504c44b6cd6ce0a740bf0c793e21bef330a94ec0e9443c4d3a12287e181
- SSDEEP
  
  98304:KG7JJLb33yLkX0JlTVWZVr76RDBY4ScF/VbBYZKrrd+TDfcOCbhxNGYOQ2fx:K+Jp3wkETTV0wRDByc9YZSrd+TDD
Score

10^/10

risepro discovery stealer
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Deletes itself

Modifies Watchdog functionality

Enumerates running processes

Reads system routing table

Modifies Watchdog functionality

Unexpected DNS network traffic destination

Enumerates running processes

Reads process memory

RisePro

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16