MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78d96a4effda17c79b5677e2b6cb7dd31facc6e84e84a3e5ab0d6ed108e4f1f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash: 78d96a4effda17c79b5677e2b6cb7dd31facc6e84e84a3e5ab0d6ed108e4f1f9
SHA3-384 hash: 95c3d978f0fdaa4cc2acd799bb3b0fad5cc6a72bd97bb53e0537195bb2c3d6f54c2989e41db8be73fbe091d415ce436d
SHA1 hash: 723e97dcfd0da107147e86c8cf16585bbb62e011
MD5 hash: bf5b54df009277788e7b20dfa258f18c
humanhash: kentucky-minnesota-bakerloo-yellow
File name:mips
Download: download sample
Signature Gafgyt
File size:254'364 bytes
First seen:2025-08-23 03:05:17 UTC
Last seen:2025-08-24 02:07:46 UTC
File type: elf
MIME type:application/x-executable
ssdeep 3072:MfXGqVFpUnQpLEoamTFLFWG4hfPFUXokytveyO+DO+zQ5iISf:usWwoamdFWG4hffM1g
TLSH T13144C70E6E959F3CF35886314BB74F24924926950BE2C775F3ADA5101E2035EAC1FBB8
telfhash t1b13114594a7412e0a3344d89596dff7791b132eb37222d3b4f11b96fab7c9825e14c0c
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence


File Origin
# of uploads :
2
# of downloads :
68
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Receives data from a server
Kills processes
DNS request
Runs as daemon
Creating a file
Sends data to a server
Connection attempt
Substitutes an application name
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
32
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2025-08-23T01:15:00Z UTC
Last seen:
2025-08-23T01:15:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=48685dd2-1900-0000-1c3c-21b7650c0000 pid=3173 /usr/bin/sudo guuid=683565d5-1900-0000-1c3c-21b7660c0000 pid=3174 /tmp/sample.bin guuid=48685dd2-1900-0000-1c3c-21b7650c0000 pid=3173->guuid=683565d5-1900-0000-1c3c-21b7660c0000 pid=3174 execve
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name:
Linux.Backdoor.Gafgyt
Status:
Malicious
First seen:
2025-08-23 03:06:43 UTC
File Type:
ELF32 Big (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Checks hardware identifiers (DMI)
Enumerates running processes
Reads MAC address of network interface
Reads network interface configuration
Renames itself
Verdict:
Malicious
Tags:
Unix.Trojan.Gafgyt-6981160-0
YARA:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf 78d96a4effda17c79b5677e2b6cb7dd31facc6e84e84a3e5ab0d6ed108e4f1f9

(this sample)

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments