MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfed0b36678bddecb63cdbc437860dcd72a66eb3c3c5a169d6d7e0bbc76bac4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfed0b36678bddecb63cdbc437860dcd72a66eb3c3c5a169d6d7e0bbc76bac4b
SHA3-384 hash: 996a5a36d3cdc2401faa59594a52a2d5b591ce8b10586c05a4d592a07d10e2fd1c38aa0e7042125135fa2cd71065d1d3
SHA1 hash: e9aaf7735bef233da5bf9ac40f2492abd7e4ebbe
MD5 hash: 7dd1328c8b65428d8ebf788eaff0af26
humanhash: seven-two-sink-bakerloo
File name:mips
Download: download sample
Signature Gafgyt
Create hunting rule
File size:199'520 bytes
First seen:2024-04-14 20:23:28 UTC
Last seen:2024-04-14 20:23:50 UTC
File type: elf
MIME type:application/x-executable
ssdeep 3072:qHsSeg2hEXrJgM765cC/gwbEQvreI/R84Ah81Q:qHsSeZhEXrJ27/vJTeR4AoQ
TLSH T14D14961E6A328F7DF669873047F78A21A76D33D623E1D645E2ACC1105F2029E541FFA8
telfhash t16c4174180db813e4a2256c5d44adff26e6a330cb7e172c278a51e86ee769f834d10c0d
Reporter elfdigest
Tags:gafgyt mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Receives data from a server
Runs as daemon
DNS request
Opens a port
Sends data to a server
Connection attempt
Substitutes an application name
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug bash lolbin remote
Link:
https://www.filescan.io/uploads/661c3b650b46b30369379e2d/reports/47b6801f-b917-4a5d-918c-24cbd94fa893/overview
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9fc16830-3b55-47c4-9bfe-b53693d3d3be
Result
Threat name:
Gafgyt
Create hunting rule
Detection:
malicious
Classification:
spre.troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1425827
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Yara detected Gafgyt
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1425827 Sample: mips.elf Startdate: 14/04/2024 Architecture: LINUX Score: 72 24 85.239.34.72, 59356, 64356 RAINBOW-HKRainbownetworklimitedHK Russian Federation 2->24 26 109.202.202.202, 80 INIT7CH Switzerland 2->26 28 3 other IPs or domains 2->28 30 Antivirus / Scanner detection for submitted sample 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected Gafgyt 2->34 8 mips.elf 2->8         started        10 gvfsd-fuse fusermount 2->10         started        13 gnome-session-binary sh gsd-sharing 1 2->13         started        15 38 other processes 2->15 signatures3 process4 signatures5 17 mips.elf 8->17         started        38 Sample reads /proc/mounts (often used for finding a writable filesystem) 10->38 process6 process7 19 mips.elf 17->19         started        22 mips.elf 17->22         started        signatures8 36 Sample tries to kill multiple processes (SIGKILL) 19->36
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/cfed0b36678bddecb63cdbc437860dcd72a66eb3c3c5a169d6d7e0bbc76bac4b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfed0b36678bddecb63cdbc437860dcd72a66eb3c3c5a169d6d7e0bbc76bac4b/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2024-04-14 06:10:30 UTC
File Type:
ELF32 Big (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7wqwnthrpo6znr43pcdpbqnzvzkm3vtypc2c2ow27qlxr3lvrfq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240414-y6pa3scg29/
Behaviour
Reads system network configuration
Enumerates active TCP sockets
Changes its process name
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfed0b36678bddecb63cdbc437860dcd72a66eb3c3c5a169d6d7e0bbc76bac4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf cfed0b36678bddecb63cdbc437860dcd72a66eb3c3c5a169d6d7e0bbc76bac4b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2808044/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2803848/
  
URLhaus
https://urlhaus.abuse.ch/url/2803838/
  
URLhaus
https://urlhaus.abuse.ch/url/2798757/
  
URLhaus
https://urlhaus.abuse.ch/url/2812200/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments