gafgyt | 33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0 | Triage

Sharing

General

Target

tyo2831qq.x86.elf
Size

164KB
Sample

241109-eqsh1sxdle
MD5

4ac062e7bafef554949de20763c54f7b
SHA1

24355a299d9aca3953a9fac256cdaf7be0249fda
SHA256

33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0
SHA512

b12f82c346dbe62b6a96e7c9d3185eb2fdca9cc29ba83e29a102fd746c93d72d919d8146840ab9338dc8a25a7fb2b400a0cd9d0ac2ea5a0471d283f81d115bb9
SSDEEP

3072:62RroorS3/kjk3GWOwnzuXr+wMxphaMpFncunTieFIMK0UpW2mBT38dAY4:6IrqnrVxphaM2SFcRmBT38dAY4

Score

10^/10

gafgyt botnet discovery execution linux persistence privilege_escalatio

Malware Config

Extracted

Family

gafgyt

C2

31.172.80.237:706

Targets

- Target
  
  tyo2831qq.x86.elf
- Size
  
  164KB
- MD5
  
  4ac062e7bafef554949de20763c54f7b
- SHA1
  
  24355a299d9aca3953a9fac256cdaf7be0249fda
- SHA256
  
  33368eb166229b262cb964cfa6412478278b2a23e5f0c3de24a56c28dac5eeb0
- SHA512
  
  b12f82c346dbe62b6a96e7c9d3185eb2fdca9cc29ba83e29a102fd746c93d72d919d8146840ab9338dc8a25a7fb2b400a0cd9d0ac2ea5a0471d283f81d115bb9
- SSDEEP
  
  3072:62RroorS3/kjk3GWOwnzuXr+wMxphaMpFncunTieFIMK0UpW2mBT38dAY4:6IrqnrVxphaM2SFcRmBT38dAY4
Score

10^/10

gafgyt botnet discovery execution persistence privilege_escalatio
- Detected Gafgyt variant
- Gafgyt family
  gafgyt
- Gafgyt/Bashlite
  IoT botnet with numerous variants first seen in 2014.
  botnet gafgyt
- Executes dropped EXE
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Writes file to system bin folder
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Cron

Persistence

Scheduled Task/Job

Cron

Privilege Escalation

Scheduled Task/Job

Cron

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

gafgytbotnetdiscoveryexecutionpersistenceprivilege_escalatio