gafgyt | d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7 | Triage

Submit
Reports

Overview

overview

Static

static

vcimanagem...el.elf

debian-12-mipsel

9

Sharing

General

Target

vcimanagement.mipsel.elf
Size

161KB
Sample

241230-myal6sxngt
MD5

1b0406420db984c2cbb6ee3aad698637
SHA1

a7ee0caf351694ddfbe3f7bc92210e4ee0b759df
SHA256

d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7
SHA512

538d60ab70f0308bedd3daf9b05353179ba9543ba58c8fd9eca26c3f6e3ad99784f87f55b5e7be9387e8af4153fe1ff4d6117a03ac7a48bec26aa31d39a9e431
SSDEEP

1536:CQWeTCeoEVT/UCVlF3G9a2yydAZF7bZBFAKlP/Ua8xliPQsiDDTlm8WDEqO+rKNg:tedE2yqAzbrSl+iDDTljWDET+rKNg

Score

10^/10

gafgyt credential_access defense_evasion discovery

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

vcimanagement.mipsel.elf

Resource

debian12-mipsel-20240221-en

credential_access defense_evasion discovery

debian-12-mipsel

9 signatures

150 seconds

Malware Config

Targets

- Target
  
  vcimanagement.mipsel.elf
- Size
  
  161KB
- MD5
  
  1b0406420db984c2cbb6ee3aad698637
- SHA1
  
  a7ee0caf351694ddfbe3f7bc92210e4ee0b759df
- SHA256
  
  d61b9d0ad1315a14e02a1f43215eea25d42f796a38c3b6b791a71a3333a247b7
- SHA512
  
  538d60ab70f0308bedd3daf9b05353179ba9543ba58c8fd9eca26c3f6e3ad99784f87f55b5e7be9387e8af4153fe1ff4d6117a03ac7a48bec26aa31d39a9e431
- SSDEEP
  
  1536:CQWeTCeoEVT/UCVlF3G9a2yydAZF7bZBFAKlP/Ua8xliPQsiDDTlm8WDEqO+rKNg:tedE2yqAzbrSl+iDDTljWDET+rKNg
Score

9^/10

credential_access defense_evasion discovery
- Contacts a large (23354) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

OS Credential Dumping

Proc Filesystem

Discovery

Network Service Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdefense_evasiondiscovery

© 2018-2025

Terms | Privacy