gafgyt | efd2f23a5daa24d925987ae5645cac9963757bc0ccc1c383a9c652634e2aa559 | Triage

Submit
Reports

Overview

overview

Static

static

vcimanagem...4l.elf

debian-9-armhf

9

Sharing

General

Target

vcimanagement.armv4l.elf
Size

135KB
Sample

241230-mr8wdsvlaq
MD5

3c6c60b6f04061407a67d4b3a7d48daf
SHA1

720b890ede5f9a135ac48fa1416eccae5cfa02c8
SHA256

efd2f23a5daa24d925987ae5645cac9963757bc0ccc1c383a9c652634e2aa559
SHA512

008ee67ba176427788a42e5c1aee83923d37d6e2fdb3d2612287936e5c96221994875cac768891773948143a1a12ec616e069174df958c00947c9a683dd014cb
SSDEEP

3072:rXdRZbLPWtIUio0QGRogfiVgDuj7+SmfIhi8hNg:JStIpaGRogf3Duj7+SmfIhi8hNg

Score

10^/10

gafgyt credential_access defense_evasion discovery

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

vcimanagement.armv4l.elf

Resource

debian9-armhf-20240611-en

credential_access defense_evasion discovery

debian-9-armhf

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  vcimanagement.armv4l.elf
- Size
  
  135KB
- MD5
  
  3c6c60b6f04061407a67d4b3a7d48daf
- SHA1
  
  720b890ede5f9a135ac48fa1416eccae5cfa02c8
- SHA256
  
  efd2f23a5daa24d925987ae5645cac9963757bc0ccc1c383a9c652634e2aa559
- SHA512
  
  008ee67ba176427788a42e5c1aee83923d37d6e2fdb3d2612287936e5c96221994875cac768891773948143a1a12ec616e069174df958c00947c9a683dd014cb
- SSDEEP
  
  3072:rXdRZbLPWtIUio0QGRogfiVgDuj7+SmfIhi8hNg:JStIpaGRogf3Duj7+SmfIhi8hNg
Score

9^/10

credential_access defense_evasion discovery
- Contacts a large (23355) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

OS Credential Dumping

Proc Filesystem

Discovery

Network Service Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdefense_evasiondiscovery

© 2018-2025

Terms | Privacy