gafgyt | 959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393 | Triage

Submit
Reports

Overview

overview

Static

static

959c319a9e...93.elf

debian-9-armhf

9

Sharing

General

Target

959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
Size

128KB
Sample

241231-c6yzmazndk
MD5

f89c58a614a3bf3ec16f7016d09d6111
SHA1

b481be23aaf7e2606c98d336d17dd803cf853f0a
SHA256

959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393
SHA512

3bb4067351b366a8e746dc269612ed83ddf47d376df77f741d9c01996a3643e4589d705214165cb6efcfcb75ebe4dab855bf83f9f458e66df58607732b474d02
SSDEEP

3072:BXv8ZkG9EqpIj6H6dXxf08hE+DOYS/SQvPyiiXNg:H5qpAwaXxfS+DOYS/SQvPyiiXNg

Score

10^/10

gafgyt credential_access defense_evasion discovery

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf

Resource

debian9-armhf-20240611-en

credential_access defense_evasion discovery

debian-9-armhf

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393.elf
- Size
  
  128KB
- MD5
  
  f89c58a614a3bf3ec16f7016d09d6111
- SHA1
  
  b481be23aaf7e2606c98d336d17dd803cf853f0a
- SHA256
  
  959c319a9e229efab77eba8cd10fea63cbfbf6fde045785a6eeeb7a6007a4393
- SHA512
  
  3bb4067351b366a8e746dc269612ed83ddf47d376df77f741d9c01996a3643e4589d705214165cb6efcfcb75ebe4dab855bf83f9f458e66df58607732b474d02
- SSDEEP
  
  3072:BXv8ZkG9EqpIj6H6dXxf08hE+DOYS/SQvPyiiXNg:H5qpAwaXxfS+DOYS/SQvPyiiXNg
Score

9^/10

credential_access defense_evasion discovery
- Contacts a large (23516) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  defense_evasion
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

OS Credential Dumping

Proc Filesystem

Discovery

Network Service Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdefense_evasiondiscovery

© 2018-2025

Terms | Privacy