| Source: OkTC3AlPZZ.elf |
Malware Configuration Extractor: Gafgyt {"C2 url": "193.35.18.56:65490"} |
| Source: OkTC3AlPZZ.elf |
ReversingLabs: Detection: 50% |
| Source: OkTC3AlPZZ.elf |
Virustotal: Detection: 58% |
Perma Link |
| Source: /tmp/OkTC3AlPZZ.elf (PID: 5528) |
Opens: /proc/net/route |
Jump to behavior |
| Source: global traffic |
TCP traffic: 193.35.18.56 ports 0,4,5,6,9,65490 |
| Source: global traffic |
TCP traffic: 192.168.2.15:49560 -> 193.35.18.56:65490 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
TCP traffic detected without corresponding DNS query: 193.35.18.56 |
| Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
| Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
| Source: unknown |
DNS traffic detected: queries for: daisy.ubuntu.com |
| Source: OkTC3AlPZZ.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
| Source: 5530.1.00007f905c017000.00007f905c030000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
| Source: 5528.1.00007f905c017000.00007f905c030000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
| Source: Process Memory Space: OkTC3AlPZZ.elf PID: 5528, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
| Source: Process Memory Space: OkTC3AlPZZ.elf PID: 5530, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
| Source: OkTC3AlPZZ.elf |
ELF static info symbol of initial sample: __gnu_unwind_execute |
| Source: Initial sample |
String containing 'busybox' found: /bin/busybox |
| Source: Initial sample |
String containing 'busybox' found: LZRDskidx86?-_-=1IObeENwjmipsvlxx.arm6vlxx.armvlxx.x86_64vlxx.mipsvlxx.arm7vlxx.m68kvlxx.mpslvlxx.ppcvlxx.sh4vlxx.x86vlxx.arm5sys64.m68ksys64.x86sys64.x86_64sys64.arm6sys64.mpslsys64.spcsys64.ar64besys64.sh4sys64.aarch64sys64.i686sys64.arm7sys64.armsys64.mipssys64.arm5IObeENwjmpslIObeENwjarmIObeENwjarm4IObeENwjarm5IObeENwjarm6IObeENwjarm7.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppcdvrhelperhuhudvrsupportmiraiArceusla.bot.0xc2sfuckjewishpeople.mipsfuckjewishpeoplessh.mipsHadesboatnetloligangSakuraDemonbladedemonhohohakaisoramessiahmipsmipselsh4superhx86armv7armv6i686campnig.x86nigpercx86dosbotBOTDOS@DOSBOTDOSBOTperci5perci6percmipspercmpslpercsparkpercm68kpercppcpercsh4percshpercoarmperceightysixpercmips&lperc.shCronx86anacronCronarmCronmipsCronmpslCronspcCronm68kCronppcCronsh4Cronshcnrpox(deleted)killpstreekillallbgpmaplsofarmUser-Agent:/dev/nullSTD/etc/rc.conf/proc/net/tcp/proc/self/exeUPX!/proc/net/route/etc/rc.d/rc.local/bin/shtophtopgrepbashcatnanopssshtelnetdpcbashdvarsshdcurltftpdtelnetvar/Challen |
| Source: OkTC3AlPZZ.elf, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
| Source: 5530.1.00007f905c017000.00007f905c030000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
| Source: 5528.1.00007f905c017000.00007f905c030000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
| Source: Process Memory Space: OkTC3AlPZZ.elf PID: 5528, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
| Source: Process Memory Space: OkTC3AlPZZ.elf PID: 5530, type: MEMORYSTR |
Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
| Source: classification engine |
Classification label: mal96.spre.troj.linELF@0/0@2/0 |
| Source: /tmp/OkTC3AlPZZ.elf (PID: 5528) |
Queries kernel information via 'uname': |
Jump to behavior |
| Source: OkTC3AlPZZ.elf, 5528.1.00005622ed323000.00005622ed472000.rw-.sdmp, OkTC3AlPZZ.elf, 5530.1.00005622ed323000.00005622ed451000.rw-.sdmp |
Binary or memory string: "V!/etc/qemu-binfmt/arm |
| Source: OkTC3AlPZZ.elf, 5528.1.00005622ed323000.00005622ed472000.rw-.sdmp, OkTC3AlPZZ.elf, 5530.1.00005622ed323000.00005622ed451000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/arm |
| Source: OkTC3AlPZZ.elf, 5528.1.00007ffed8320000.00007ffed8341000.rw-.sdmp, OkTC3AlPZZ.elf, 5530.1.00007ffed8320000.00007ffed8341000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-arm |
| Source: OkTC3AlPZZ.elf, 5528.1.00007ffed8320000.00007ffed8341000.rw-.sdmp, OkTC3AlPZZ.elf, 5530.1.00007ffed8320000.00007ffed8341000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/OkTC3AlPZZ.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/OkTC3AlPZZ.elf |
| Source: Yara match |
File source: OkTC3AlPZZ.elf, type: SAMPLE |
| Source: Yara match |
File source: OkTC3AlPZZ.elf, type: SAMPLE |
| Source: Yara match |
File source: 5530.1.00007f905c017000.00007f905c030000.r-x.sdmp, type: MEMORY |
| Source: Yara match |
File source: 5528.1.00007f905c017000.00007f905c030000.r-x.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: OkTC3AlPZZ.elf PID: 5528, type: MEMORYSTR |
| Source: Yara match |
File source: Process Memory Space: OkTC3AlPZZ.elf PID: 5530, type: MEMORYSTR |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.1 31.5 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.3 17.34 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.1 11.27 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.1 9.83 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.3 9.25 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120. 6.94 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117. 2.31 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0. 2.31 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.3 1.16 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115. 1.16 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.3 1.16 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Herring/90.1.9310.1 1.16 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 OPR/105.0.0. 1.16 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.4 1.16 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3 1.16 |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/119.0.6045.169 Mobile/15E148 Safari/604. |
| Source: Initial sample |
User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Mobile/15E148 Safari/604. |
| Source: Yara match |
File source: OkTC3AlPZZ.elf, type: SAMPLE |
| Source: Yara match |
File source: OkTC3AlPZZ.elf, type: SAMPLE |
| Source: Yara match |
File source: 5530.1.00007f905c017000.00007f905c030000.r-x.sdmp, type: MEMORY |
| Source: Yara match |
File source: 5528.1.00007f905c017000.00007f905c030000.r-x.sdmp, type: MEMORY |
| Source: Yara match |
File source: Process Memory Space: OkTC3AlPZZ.elf PID: 5528, type: MEMORYSTR |
| Source: Yara match |
File source: Process Memory Space: OkTC3AlPZZ.elf PID: 5530, type: MEMORYSTR |
