Overview

overview

10

Static

static

10

hoodlum.i686.elf

ubuntu-22.04-amd64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    hoodlum.i686.elf

  • Size

    111KB

  • Sample

    250222-vqyb9stnhw

  • MD5

    1d94761620e2fb40d084f3b1d8029a67

  • SHA1

    80e691debcf5981bbe1a8d27b848fe581453299f

  • SHA256

    8fd2ef68325614ca08a318ee89a9747fcc680b5802fe64b3439e25fb987d375f

  • SHA512

    9db49a44d4d32c6bc1e8ed76f5de5e852e97d5b7495eb06c1ce40ac50ac19c29baa525685914d414c388d3c397233ea894abd1d3508d03b1fbbb564d9497836e

  • SSDEEP

    3072:p61RPKvVjRWDTEEvQVzCdUC/EWi1sB5htYozmB80CjKaIU:p61RPKvVjRWDTEzb1sB5ht/mB80C+aIU

Score
10/10
gafgytdefense_evasiondiscoverylinuxprivilege_escalation

Malware Config

Extracted

Family

gafgyt

C2

37.44.238.66:23

Targets

    • Target

      hoodlum.i686.elf

    • Size

      111KB

    • MD5

      1d94761620e2fb40d084f3b1d8029a67

    • SHA1

      80e691debcf5981bbe1a8d27b848fe581453299f

    • SHA256

      8fd2ef68325614ca08a318ee89a9747fcc680b5802fe64b3439e25fb987d375f

    • SHA512

      9db49a44d4d32c6bc1e8ed76f5de5e852e97d5b7495eb06c1ce40ac50ac19c29baa525685914d414c388d3c397233ea894abd1d3508d03b1fbbb564d9497836e

    • SSDEEP

      3072:p61RPKvVjRWDTEEvQVzCdUC/EWi1sB5htYozmB80CjKaIU:p61RPKvVjRWDTEzb1sB5ht/mB80C+aIU

    Score
    7/10
    defense_evasiondiscoveryprivilege_escalation

    • Deletes itself

    • Deletes journal logs

      Deletes systemd journal logs. Likely to evade detection.

      defense_evasion

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

      defense_evasion

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Deletes log files

      Deletes log files on the system.

      defense_evasion

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks