gafgyt | fabd6308a61a5991c5da0945256ceee26cc88b5e839e41dc02444bdafe485667 | Triage

Submit
Reports

Overview

overview

Static

static

hoodlum.arm4.elf

debian-9-armhf

7

Sharing

General

Target

hoodlum.arm4.elf
Size

135KB
Sample

250222-vw8p7avlhq
MD5

bae707d3b1c351126c597d6758a4cffe
SHA1

96bd39a7e0b1f08c29a8c739af86a371b54e22a3
SHA256

fabd6308a61a5991c5da0945256ceee26cc88b5e839e41dc02444bdafe485667
SHA512

1dfe52fef9d30f628c4e7a9ab4480ad78a102bf0251f543095823023330d58def3ba7c9f372f5a195f563bebed9b8921050f23dd9a932a5b4da5142d8a2e962a
SSDEEP

3072:EHHyPnuTxmxpjcVhyofAWuvm5ReFfgK4iOtQlQ+135hwP/TJo1m6QNdNpHOe:wHyBvgwEtQlQC35hwP/Ti1m6QNdLHOe

Score

10^/10

gafgyt defense_evasion discovery

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

hoodlum.arm4.elf

Resource

debian9-armhf-20240729-en

defense_evasion discovery

debian-9-armhf

14 signatures

150 seconds

Malware Config

Extracted

Family

gafgyt

C2

37.44.238.66:23

Targets

- Target
  
  hoodlum.arm4.elf
- Size
  
  135KB
- MD5
  
  bae707d3b1c351126c597d6758a4cffe
- SHA1
  
  96bd39a7e0b1f08c29a8c739af86a371b54e22a3
- SHA256
  
  fabd6308a61a5991c5da0945256ceee26cc88b5e839e41dc02444bdafe485667
- SHA512
  
  1dfe52fef9d30f628c4e7a9ab4480ad78a102bf0251f543095823023330d58def3ba7c9f372f5a195f563bebed9b8921050f23dd9a932a5b4da5142d8a2e962a
- SSDEEP
  
  3072:EHHyPnuTxmxpjcVhyofAWuvm5ReFfgK4iOtQlQ+135hwP/TJo1m6QNdNpHOe:wHyBvgwEtQlQC35hwP/Ti1m6QNdLHOe
Score

7^/10

defense_evasion discovery
- Deletes Audit logs
  Deletes logs related to the Linux Audit framework.
  defense_evasion
- Deletes itself
- Deletes system logs
  Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
  defense_evasion
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
  defense_evasion
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Deletes log files
  Deletes log files on the system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
  discovery
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

Clear Linux or Mac System Logs

Credential Access

Adversary-in-the-Middle

Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Adversary-in-the-Middle

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscovery

© 2018-2025

Terms | Privacy