Gafgyt malware analysis

In this article we go through a detailed analysis of a Gafgyt malware sample.

The SHA-256 hash of the sample is 331f16cb8a09aa942afe48fee5b014d694f4a0619d578c8cad958741ac20844c. It is not packed, and its overall entropy is 6.6722 (a packed or encrypted binary would typically score much closer to 8).





The entry point address (e_entry in the ELF header) is 0x4001a0.


The largest section is .text, which holds the executable code:



Among the program headers there is a PT_LOAD entry with the Write flag set, mapped at virtual address 0x42436c. PT_LOAD entries tell the loader which byte ranges of the file to map into memory and at which addresses; the writable one normally holds the binary's initialized data and .bss:
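To make the ELF-header observations above (entry point, largest section, writable PT_LOAD segment) reproducible, here is an added example of a minimal ELF64 header parser written for this article; it is not code from the sample or from any analysis tool. Since the binary itself cannot be shipped here, the script builds a small constructed ELF64 image that reuses the entry point 0x4001a0 and the writable segment address 0x42436c reported above; its section contents, sizes and x86-64 machine type are assumptions. Running it on a real file is a matter of passing that file's bytes to parse_elf64.

```python
import struct

# ELF constants from the ELF specification
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes, little-endian)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr (56 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr (64 bytes)


def build_sample_elf():
    """Constructed stand-in for the real sample: a minimal ELF64 image that
    reuses the entry point (0x4001a0) and writable PT_LOAD address (0x42436c)
    from the article. Section bodies, sizes and machine type are assumptions."""
    text = b"\x90" * 32                              # placeholder .text bytes
    data = b"\x00" * 16                              # placeholder .data bytes
    shstrtab = b"\0.text\0.data\0.shstrtab\0"         # section name table
    phoff = EHDR.size
    text_off = phoff + 2 * PHDR.size
    data_off = text_off + len(text)
    strtab_off = data_off + len(data)
    shoff = (strtab_off + len(shstrtab) + 7) & ~7     # 8-byte aligned
    # Two loadable segments: R+X covering headers and .text, R+W covering .data/.bss
    phdrs = PHDR.pack(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000,
                      data_off, data_off, 0x1000)
    phdrs += PHDR.pack(PT_LOAD, PF_R | PF_W, data_off, 0x42436c, 0x42436c,
                       len(data), len(data) + 0x100, 0x1000)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                               # null
    shdrs += SHDR.pack(1, 1, 0x6, 0x4001a0, text_off, len(text), 0, 0, 16, 0)     # .text AX
    shdrs += SHDR.pack(7, 1, 0x3, 0x42436c, data_off, len(data), 0, 0, 8, 0)      # .data WA
    shdrs += SHDR.pack(13, 3, 0, 0, strtab_off, len(shstrtab), 0, 0, 1, 0)        # .shstrtab
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, ELFDATA2LSB
    ehdr = EHDR.pack(ident, 2, 0x3e, 1, 0x4001a0, phoff, shoff, 0,
                     EHDR.size, PHDR.size, 2, SHDR.size, 4, 3)
    image = ehdr + phdrs + text + data + shstrtab
    image += b"\0" * (shoff - len(image))
    return image + shdrs


def parse_elf64(blob):
    """Read the ELF header, program headers and section headers of an ELF64 file."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(blob, 0)
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, _, p_filesz, p_memsz, _ = \
            PHDR.unpack_from(blob, e_phoff + i * e_phentsize)
        segments.append({"type": p_type, "flags": p_flags, "vaddr": p_vaddr,
                         "filesz": p_filesz, "memsz": p_memsz})
    raw = [SHDR.unpack_from(blob, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    st_off, st_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
    names = blob[st_off:st_off + st_size]          # .shstrtab: NUL-terminated names
    sections = []
    for sh_name, _, sh_flags, sh_addr, _, sh_size, *_ in raw:
        end = names.index(b"\0", sh_name)
        sections.append({"name": names[sh_name:end].decode(), "addr": sh_addr,
                         "size": sh_size, "flags": sh_flags})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "segments": segments, "sections": sections}


def flags_str(p_flags):
    """readelf-style RWX rendering of p_flags."""
    return "".join(c if p_flags & bit else "-"
                   for c, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))


def largest_section(info):
    return max(info["sections"], key=lambda s: s["size"])["name"]


def writable_load_segments(info):
    """Virtual addresses of PT_LOAD segments mapped writable (the data image)."""
    return [s["vaddr"] for s in info["segments"]
            if s["type"] == PT_LOAD and s["flags"] & PF_W]


if __name__ == "__main__":
    info = parse_elf64(build_sample_elf())
    print(f"entry point: {info['entry']:#x}")
    print("largest section:", largest_section(info))
    for seg in info["segments"]:
        print(f"PT_LOAD {flags_str(seg['flags'])} vaddr={seg['vaddr']:#x} memsz={seg['memsz']:#x}")
```

The same three facts come out of readelf -h, readelf -S and readelf -lW on the real file; the point of the script is that every number in the screenshots is a fixed-offset field you can check by hand, and that a PT_LOAD with memsz larger than filesz is the zero-filled .bss tail rather than hidden code.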


Because the binary is not stripped, the symbol table is intact and contains many STT_OBJECT entries whose names refer to networking, C&C communication and botnet activity:


There is evidence of several protocols (LDAP, HTTP, NTP, Telnet, SNMP, TFTP) and of the socket objects used for network communication. In Gafgyt-family code such protocol names typically belong to flood-method payload builders and to the Telnet spreader rather than to complete client implementations:




The threat also reads network configuration files such as /etc/resolv.conf (DNS resolver and search-domain settings) and /etc/hosts (static hostname-to-address mappings).





The following functions are called to carry out C&C communication and botnet tasks:


The heuristic analysis of the ELF gives a very high score (96) and flags some anti-debugging indicators.


Here is the evidence of the C&C address the threat connects to, 45.156.87[.]140 on port 1111:


There are references to "TSource Engine Query", the Valve Source Engine server query packet that Gafgyt and Mirai variants send as the payload of UDP floods against game servers. Next to those references are two strings that could be described as "easter eggs": "chickennuggets" and "ilovecocaine":





The binary embeds many different User-Agent strings, for example ones imitating iPhone, Samsung and Macintosh browsers (a pool like this is typically rotated across HTTP flood requests):



Gafgyt uses a PGET routine to download further files from an HTTP host; both the host and the User-Agent are %s format specifiers filled in at runtime. There are also strings related to watchdog configuration, which these bots use to keep the infected device from rebooting while it is busy generating DDoS traffic. The sample searches /proc/net/route for the pattern "00000000", the destination field of the default-route entry, to find the interface it uses for outbound traffic, and connects to 8.8.8.8, most likely to learn the victim's own outbound IP address rather than to use the resolver. There is also an "[INFECTED]" marker string and a reference to "Oreo 1.0", which appears to be the name of this Gafgyt variant.




Another "easter egg" is the string "been_there_done_that":
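The string observations from the symbol table onward (protocol names, the C&C address and port, the TSource Engine Query payload, the User-Agent pool, /proc/net/route, 8.8.8.8, the markers and easter eggs) can be collected in one pass with a small strings-triage script. The following is an added example written for this article, not the sample's code or any tool's output; the byte blob it scans is constructed from the strings quoted above and is not a dump of the real binary, and the category patterns and the public-resolver allowlist are assumptions.

```python
import re

# Constructed stand-in for the sample's read-only data: the strings discussed in
# the article, surrounded by non-printable filler. It is NOT a dump of the real binary.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"45.156.87.140\x00" + b"1111\x00" + b"\x8f\x11"
    + b"TSource Engine Query\x00" + b"chickennuggets\x00" + b"ilovecocaine\x00"
    + b"Mozilla/5.0 (iPhone; CPU iPhone OS 13_2 like Mac OS X)\x00"
    + b"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)\x00"
    + b"GET /%s HTTP/1.0\r\nHost: %s\r\nUser-Agent: %s\r\n\r\n\x00"
    + b"/proc/net/route\x00" + b"00000000\x00"
    + b"/etc/resolv.conf\x00" + b"/etc/hosts\x00" + b"/dev/watchdog\x00"
    + b"8.8.8.8\x00" + b"[INFECTED]\x00" + b"Oreo 1.0\x00"
    + b"been_there_done_that\x00" + b"\xff\xfe" * 4
)


def extract_strings(blob, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like `strings -n 4`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# First matching category wins, so order matters (an IP is never a "path").
# The patterns are assumptions chosen for this example.
CATEGORIES = [
    ("ip",            re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("http",          re.compile(r"^(?:GET|POST|HEAD) /|^User-Agent:")),
    ("user_agent",    re.compile(r"^Mozilla/")),
    ("path",          re.compile(r"^/(?:proc|etc|dev|sys|bin|usr|tmp)/")),
    ("flood_payload", re.compile(r"TSource Engine Query")),
    ("marker",        re.compile(r"^\[[A-Z]+\]$")),
]


def classify(strings):
    """Bucket strings by the categories above; unmatched ones go to 'other'."""
    buckets = {}
    for s in strings:
        for name, pat in CATEGORIES:
            if pat.search(s):
                buckets.setdefault(name, []).append(s)
                break
        else:
            buckets.setdefault("other", []).append(s)
    return buckets


# Assumption: well-known public resolvers that IoT bots contact to learn their
# own address, not to receive commands, so they are excluded from C&C candidates.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}


def defang(ip):
    """45.156.87.140 -> 45.156.87[.]140, the notation used in the IOC list."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def cnc_candidates(buckets):
    """Hard-coded IPv4 literals that are not a known resolver, defanged for reporting."""
    return [defang(ip) for ip in buckets.get("ip", []) if ip not in KNOWN_RESOLVERS]


if __name__ == "__main__":
    buckets = classify(extract_strings(SAMPLE_BLOB))
    for name, items in buckets.items():
        print(f"{name}: {items}")
    print("C&C candidates:", cnc_candidates(buckets))
```

Note that the HTTP request template splits into three strings because the \r\n separators are not printable; that is exactly what `strings` shows on the real binary too, so "GET /%s HTTP/1.0" and "User-Agent: %s" must be read together as one format string.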


A symbol also references the source file read_etc_hosts_r.c, a file name that belongs to the statically linked C library's resolver, which is the code that parses /etc/hosts:


The Get_Hostbyname function, used to resolve hostnames before network communication:



OSINT sources classify the C&C IP address as malicious; at the time of analysis it exposes the following ports and services:

22 (SSH), 80 (HTTP), 111 (PORTMAP), 5985 (WINRM)







The IP has been reported in many attacks, scans and malicious spam campaigns:




Among the ports it targets we can also see 22 (SSH):


The activity trend shows a recent increase in attacks:

Here are some malicious domains associated with this C&C IP address:



IOCs:

  • 331f16cb8a09aa942afe48fee5b014d694f4a0619d578c8cad958741ac20844c (SHA-256 of the analysed sample)
  • d082b5855d10845594a568af36c76eb96380370d (SHA-1)
  • 0809c65bf81afc6631358d56d8abfa04 (MD5)
  • 45.156.87[.]140 (C&C, port 1111)
  • been_there_done_that (embedded string)

YARA rules:

The first rule uses VirusTotal's "vt" module, so it only runs inside VirusTotal Livehunt and cannot be compiled by a standalone yara binary; the second is plain YARA and can be run over files directly.

import "vt"

rule Gafgyt_20260411 {
  meta:
    description = "C&C IP address of a new Gafgyt malware sample"
    author = "malwareanalysis0"
    target_entity = "url"
  condition:
    // 765220748 is 45.156.87.140 as a 32-bit integer (45<<24 | 156<<16 | 87<<8 | 140)
    vt.net.ip.ip_as_int == 765220748
}

rule Gafgyt_1_20260411
{
    strings:
        $str = "been_there_done_that"
        // the same 20 bytes as $str, written as a hex pattern
        $hex = { 62 65 65 6e 5f 74 68 65 72 65 5f 64 6f 6e 65 5f 74 68 61 74 }
    condition:
        any of them
}
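To check the constant in the first rule and to get the IOC list into a form tools accept, here is an added example (not part of the article's rules or of any product) that refangs the indicators, classifies the hashes by digest length and converts the C&C address to the integer that vt.net.ip.ip_as_int compares against. The URL handling and the hxxp/[:] defanging conventions are assumptions about how the indicators might be shared, not something the article states.

```python
import ipaddress
import re

# The IOC list as published in the article (the IP is defanged there).
IOCS = [
    "331f16cb8a09aa942afe48fee5b014d694f4a0619d578c8cad958741ac20844c",
    "d082b5855d10845594a568af36c76eb96380370d",
    "0809c65bf81afc6631358d56d8abfa04",
    "45.156.87[.]140",
    "been_there_done_that",
]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest lengths
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def refang(value):
    """Undo the usual defanging before feeding an IOC to a tool (assumed conventions)."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("[:]", ":").replace("hxxp", "http"))


def ip_as_int(ip):
    """Dotted IPv4 to the 32-bit integer that vt.net.ip.ip_as_int compares against."""
    return int(ipaddress.IPv4Address(ip))


def int_as_ip(n):
    """Inverse of ip_as_int, useful for reading a constant back out of a rule."""
    return str(ipaddress.IPv4Address(n))


def classify_ioc(raw):
    """Tag one indicator as a hash (by length), URL, IPv4/IPv6 or plain string."""
    value = refang(raw.strip())
    if HEX_RE.match(value) and len(value) in HASH_TYPES:
        return {"type": HASH_TYPES[len(value)], "value": value.lower()}
    if "://" in value:
        return {"type": "url", "value": value}
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return {"type": "string", "value": value}
    entry = {"type": f"ipv{addr.version}", "value": value, "global": addr.is_global}
    if addr.version == 4:
        entry["as_int"] = ip_as_int(value)   # what the Livehunt rule tests
    return entry


def normalize(iocs):
    return [classify_ioc(i) for i in iocs]


if __name__ == "__main__":
    for entry in normalize(IOCS):
        print(entry)
```

The "global" flag is a cheap sanity check before publishing an IP indicator: a private or loopback address pulled out of a binary (such as the 8.8.8.8 probe or a LAN address) should not end up in a blocklist or a hunting rule.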

Sources of the OSINT screenshots: VirusTotal, ThreatBook, Censys, OTX AlienVault, AbuseIPDB