MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a252c6c7613e4a50ced47a624ed4ce3787b115518114a0555b31d9a63ea4e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	c5a252c6c7613e4a50ced47a624ed4ce3787b115518114a0555b31d9a63ea4e5
SHA3-384 hash:	f14a24be3e905a68ae5e7e0b2093e310adaf0f8cab533aeb1e84dc625432dc54c21879c45c8f591cc075d9a290035c80
SHA1 hash:	c9adec5b578e60c2a77a183c0eb659470c1eb44b
MD5 hash:	41962367fbea4ae1e6a76f575f71acb8
humanhash:	carolina-apart-kentucky-enemy
File name:	jackmymips
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	182'117 bytes
First seen:	2025-02-07 21:26:11 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	3072:7xXan2+Zg8PKetJ8aBGc9pS6ZetURxRGqJkMipPn:NNwlKetJ8aHS6KURxRGqJkMipPn
TLSH	T1DD0473AE3A126F7EE3E8C6750BFB5FB0D35525D222919B52D22CC6045FB438C494E7A0
telfhash	t19f210643a9b646286ff36c3458fc06b11952a6237250bf70ff0ec1405d37016b475e8b
Magika	elf
Reporter	abuse_ch
Tags:	elf gafgyt

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

Vendor Threat Intelligence

Detection(s):

Unix.Trojan.Gafgyt-6981154-0

Unix.Trojan.Gafgyt-6981165-0

Unix.Dropper.Mirai-7135946-0

Unix.Dropper.Mirai-7139223-0

Unix.Dropper.Mirai-7139232-0

Unix.Proxy.Mirai-7844054-0

Unix.Trojan.Mirai-8041698-0

Unix.Trojan.Mirai-10004218-0

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a67b67dbfc8aaee8cd9380linux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Gains root access

Removes directories

Launching a process

Connection attempt

Creating a file

Removes directories from a subdirectory of a temporary directory

Removes directories from a temporary directory

Deletes a file

Sends data to a server

Substitutes an application name

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

mips

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

true

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/c5a252c6c7613e4a50ced47a624ed4ce3787b115518114a0555b31d9a63ea4e5

Behaviour

Process Renaming

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bc1e0d72-5e7a-455c-a6e7-17cf2c5cfeb6

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/c5a252c6c7613e4a50ced47a624ed4ce3787b115518114a0555b31d9a63ea4e5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c5a252c6c7613e4a50ced47a624ed4ce3787b115518114a0555b31d9a63ea4e5/

Threat name:

Linux.Trojan.Gafgyt

Status:

Malicious

First seen:

2025-02-07 21:27:11 UTC

File Type:

ELF32 Big (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ywrffrwhme7euugo2r5getwuzy3ypmivkgarjicvlmy5tjr6utsq._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt discovery

Link:

https://tria.ge/reports/250207-1atxsszlhl/

Behaviour

System Network Configuration Discovery

Changes its process name

Writes DNS configuration

Malware Config

C2 Extraction:

165.154.224.116:443

Verdict:

Malicious

Tags:

Unix.Trojan.Gafgyt-6981154-0

YARA:

n/a

Link:

https://app.threat.zone/submission/4b5baf6f-5bd1-4b69-b6cd-12781cfbf77b

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

BASHLITE

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/c5a252c6c7613e4a50ced47a624ed4ce3787b115518114a0555b31d9a63ea4e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Mal_LNX_Gafgyt_Botnet_ELF Create hunting rule
Author:	Phatcharadol Thangplub
Description:	Use to detect Gafgyt botnet, and there variants.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 27a3f1fe57a508b7cf3dfde7f35725744529b7c29a38e1128682a11c04c69aad

Gafgyt

elf c5a252c6c7613e4a50ced47a624ed4ce3787b115518114a0555b31d9a63ea4e5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3423405/

Delivery method

Distributed via web download

Dropped by

SHA256 27a3f1fe57a508b7cf3dfde7f35725744529b7c29a38e1128682a11c04c69aad

Dropped by

MD5 df6a79f7147320373a182c0b701f36af

URLhaus

https://urlhaus.abuse.ch/url/3419853/

URLhaus

https://urlhaus.abuse.ch/url/3419859/

URLhaus

https://urlhaus.abuse.ch/url/3433391/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample