General

  • Target

    hoodlum.arm6.elf

  • Size

    139KB

  • Sample

    250222-vqym2avlaj

  • MD5

    6f351c4bf02ac3ad8450c60ba15fdbdc

  • SHA1

    13551e83e841067672693fea3f1af0f905ef3d70

  • SHA256

    d761ae38684f805fd09725a77aeb65ead2b807a023d0d7de3f8c0148d0355d69

  • SHA512

    eb6cb8ec276a8e612dfb0e6f355aa6bbc41b6ef1fd1f3ec140a6475eb305eb3e9327b6e29ef04ec69d11e89007868d6d95a6222b3b3f9a707c8761000e3409de

  • SSDEEP

    3072:p7dxHETIJTWhmXUI8ma3xXVuu9KrKedP5hwf254Khh6myPQaS+pg7e:pAI8ma3xX4dP5hwf2ymyPQaSGg7e

Malware Config

Extracted

Family

gafgyt

C2

37.44.238.66:23

Targets

    • Target

      hoodlum.arm6.elf

    • Deletes Audit logs

      Deletes logs related to the Linux Audit framework.

    • Deletes itself

    • Deletes journal logs

      Deletes systemd journal logs. Likely to evade detection.

    • Flushes firewall rules

      Flushes/disables firewall rules inside the Linux kernel.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuses sudo or cached sudo credentials to execute code.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

MITRE ATT&CK Enterprise v15

Tasks