MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdca813e68da420c7aae63fc7a31f926413c8d24e42c0add78795e339509a3f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash: cdca813e68da420c7aae63fc7a31f926413c8d24e42c0add78795e339509a3f0
SHA3-384 hash: 87c5154018c62f560a92d9520a8b436179443d9edaf4c3b2cc9d817750f3280f825c69ead55fc7dee5884cc45ba0271e
SHA1 hash: 48259056b027078885b96e415b44a3d824dea23d
MD5 hash: 6aab1daa89d7868a4f5eb5e0c66598cd
humanhash: fillet-three-snake-oklahoma
File name:ARMV7L
Download: download sample
Signature Gafgyt
File size:110'324 bytes
First seen:2026-04-24 09:52:20 UTC
Last seen:2026-04-24 16:52:51 UTC
File type: elf
MIME type:application/x-executable
ssdeep 3072:GBO64nHoaq5QotwxaZqb2MdgyMtsIiNfz:GYoaqGotwxaobYyMtsIkfz
TLSH T1C4B31B49E9519B1AC6E231FEFB8D418E33131FACE3EA3115D9307BA023F5ADA0A75511
Magika elf
Reporter BlinkzSec
Tags:gafgyt

Intelligence


File Origin
# of uploads :
2
# of downloads :
150
Origin country :
SK SK
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Receives data from a server
Sends data to a server
Substitutes an application name
Gathering data
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
not packed
Botnet:
unknown
Number of open files:
2
Number of processes launched:
3
Processes remaning?
true
Remote TCP ports scanned:
not identified
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
type:Gafgyt 176.65.139.115:6999
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-04-24T04:55:00Z UTC
Last seen:
2026-04-24T08:50:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mirai.h HEUR:Backdoor.Linux.Mirai.b
Status:
terminated
Behavior Graph:
%3 guuid=03a5d3dd-1800-0000-ff3b-e226650e0000 pid=3685 /usr/bin/sudo guuid=93b6eadf-1800-0000-ff3b-e2266a0e0000 pid=3690 /tmp/sample.bin guuid=03a5d3dd-1800-0000-ff3b-e226650e0000 pid=3685->guuid=93b6eadf-1800-0000-ff3b-e2266a0e0000 pid=3690 execve
Threat name:
Linux.Trojan.Gafgyt
Status:
Malicious
First seen:
2026-04-24 09:48:19 UTC
File Type:
ELF32 Little (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery
Behaviour
Changes its process name
Reads system network configuration
Reads system routing table
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Toriilike_persist
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:Linux_Trojan_Gafgyt_6a510422
Author:Elastic Security
Reference:14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628
Rule name:Linux_Trojan_Gafgyt_d2953f92
Author:Elastic Security
Reference:14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf cdca813e68da420c7aae63fc7a31f926413c8d24e42c0add78795e339509a3f0

(this sample)

  
Delivery method
Distributed via web download

Comments