gafgyt | 10962293ec817a48997b8d2c9e4a43610373a35fe7360937f261e5d278fdef7e | Triage

Sharing

General

Target

hoodlum.arm5.elf
Size

176KB
Sample

250222-vtmd6stpcy
MD5

2b53d328406f21f18f0930ce47556dca
SHA1

becfbb4b3a4c072f51e0080922de28aebeb3ef71
SHA256

10962293ec817a48997b8d2c9e4a43610373a35fe7360937f261e5d278fdef7e
SHA512

81107e7c660809fde0c6740412a2570b9275d0024cef2766fe2f730d4391c709fcf76e5d06aa8162bd6a43eb9dd8700de09151610147037a75443bf75bb6db0e
SSDEEP

3072:NBx2mxpI1Tzhm4yjeBaHX2b+/h81pNV2OnZW5hBL22WJV70+w2mowhbRWz3e:NJCBaHX2bE81sOng5hBL22WJV70p2mo8

Score

10^/10

gafgyt defense_evasion discovery execution privilege_escalation

Malware Config

Extracted

Family

gafgyt

C2

37.44.238.66:23

Targets

- Target
  
  hoodlum.arm5.elf
- Size
  
  176KB
- MD5
  
  2b53d328406f21f18f0930ce47556dca
- SHA1
  
  becfbb4b3a4c072f51e0080922de28aebeb3ef71
- SHA256
  
  10962293ec817a48997b8d2c9e4a43610373a35fe7360937f261e5d278fdef7e
- SHA512
  
  81107e7c660809fde0c6740412a2570b9275d0024cef2766fe2f730d4391c709fcf76e5d06aa8162bd6a43eb9dd8700de09151610147037a75443bf75bb6db0e
- SSDEEP
  
  3072:NBx2mxpI1Tzhm4yjeBaHX2b+/h81pNV2OnZW5hBL22WJV70+w2mowhbRWz3e:NJCBaHX2bE81sOng5hBL22WJV70p2mo8
Score

7^/10

defense_evasion discovery execution privilege_escalation
- Deletes Audit logs
  Deletes logs related to the Linux Audit framework.
  defense_evasion
- Deletes itself
- Deletes journal logs
  Deletes systemd journal logs. Likely to evade detection.
  defense_evasion
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
  defense_evasion
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuse sudo or cached sudo credentials to execute code.
  privilege_escalation defense_evasion
- Deletes log files
  Deletes log files on the system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Unix Shell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Sudo and Sudo Caching

Defense Evasion

Abuse Elevation Control Mechanism

Sudo and Sudo Caching

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

Clear Linux or Mac System Logs

Credential Access

Adversary-in-the-Middle

Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Adversary-in-the-Middle

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecutionprivilege_escalation