gafgyt | a18ad447236c0345bbaae2ff79e736af5de72ed5eae0d7389690e74b0cd79246 | Triage

Submit
Reports

Overview

overview

Static

static

hoodlum.mpsl.elf

debian-12-mipsel

7

Sharing

General

Target

hoodlum.mpsl.elf
Size

175KB
Sample

250222-vqyb9svkhp
MD5

53eeaa32c2da81e31c8e98445a210369
SHA1

b5a9d9041b91d115be38eea10a30e49f50489178
SHA256

a18ad447236c0345bbaae2ff79e736af5de72ed5eae0d7389690e74b0cd79246
SHA512

c328257a071900adba1d6cdca70c2fe4eb085209800bd6f8d12bf37d1bb841e8d1a429532c19f9b72996afbd6f8c84972448c8d63ac1357a9c106ac1cb85d21b
SSDEEP

1536:CY0XpUX0eej8bxwSOrgflgiLhoykWN1d2RNzSB5hhWQivYtrvxGfosmaVj3OOKIf:p/5nYXiSyR7sM5hhW7vgrfsmsj3tKIWe

Score

10^/10

gafgyt defense_evasion discovery execution privilege_escalation

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

hoodlum.mpsl.elf

Resource

debian12-mipsel-20240221-en

defense_evasion discovery execution privilege_escalation

debian-12-mipsel

16 signatures

150 seconds

Malware Config

Extracted

Family

gafgyt

C2

37.44.238.66:23

Targets

- Target
  
  hoodlum.mpsl.elf
- Size
  
  175KB
- MD5
  
  53eeaa32c2da81e31c8e98445a210369
- SHA1
  
  b5a9d9041b91d115be38eea10a30e49f50489178
- SHA256
  
  a18ad447236c0345bbaae2ff79e736af5de72ed5eae0d7389690e74b0cd79246
- SHA512
  
  c328257a071900adba1d6cdca70c2fe4eb085209800bd6f8d12bf37d1bb841e8d1a429532c19f9b72996afbd6f8c84972448c8d63ac1357a9c106ac1cb85d21b
- SSDEEP
  
  1536:CY0XpUX0eej8bxwSOrgflgiLhoykWN1d2RNzSB5hhWQivYtrvxGfosmaVj3OOKIf:p/5nYXiSyR7sM5hhW7vgrfsmsj3tKIWe
Score

7^/10

defense_evasion discovery execution privilege_escalation
- Deletes Audit logs
  Deletes logs related to the Linux Audit framework.
  defense_evasion
- Deletes itself
- Deletes journal logs
  Deletes systemd journal logs. Likely to evade detection.
  defense_evasion
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
  defense_evasion
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuse sudo or cached sudo credentials to execute code.
  privilege_escalation defense_evasion
- Deletes log files
  Deletes log files on the system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Unix Shell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Sudo and Sudo Caching

Defense Evasion

Abuse Elevation Control Mechanism

Sudo and Sudo Caching

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

Clear Linux or Mac System Logs

Credential Access

Adversary-in-the-Middle

Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Adversary-in-the-Middle

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecutionprivilege_escalation

© 2018-2025

Terms | Privacy