Source: https://bazaar.abuse.ch/sample/4069c7c6838a37b7f273724e379abce999a696ec9d24e3add3f1908c53321f37/

Date: 2021

Background: Gafgyt first appeared in 2014 as a malware family that exploited known vulnerabilities in small office/home office (SOHO) routers to build a botnet for Distributed Denial of Service (DDoS) attacks, much like the better-known Mirai botnet.

The sample is a 32-bit ARM ELF executable.

On entering main, the program first overwrites its own command-line arguments (argv) and sets its process name with prctl(PR_SET_NAME), so that ps and /proc/<pid>/cmdline show a disguised name rather than the real binary.

It then determines its own IP address via a socket and changes its working directory to the root directory (/).

It then enters the command-and-control (C2) loop.

First it splits the C2 string into an IP and a port and connects to the C2 server at 45.61.185.83:812.

It sends a check-in message, deletes certain files such as .bash_history, and disables the firewall.

It then loops, receiving commands from the C2 and executing them.

Among the commands is Telnet scanning with credential brute-forcing, which the C2 toggles with ON/OFF.
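The behaviours listed above (argv overwritten, process name set with prctl, chdir to /, connection to 45.61.185.83:812) are all visible from /proc on an infected host, so a defender can turn them into a triage check. The following Python is an added example written for this page; it is not code from the sample or from any published tool. It models /proc/<pid> records as plain dicts so it runs offline; the records, the disguise name "sshd" and the /tmp/arm7 path are constructed for illustration, and only the C2 address and port come from the analysis above. On a live Linux host the same fields are read from /proc/<pid>/comm, cmdline, exe, cwd and /proc/net/tcp.

```python
"""Host-side triage for Gafgyt-style process masquerading and C2 traffic.

Added example for this analysis page, not code from the sample.
"""
import ipaddress
import os
from typing import Dict, List, Tuple


def parse_c2(spec: str) -> Tuple[str, int]:
    """Split a 'host:port' C2 string the way the bot does, but validate it.

    A malformed indicator raises instead of silently matching nothing.
    """
    host, sep, port = spec.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"bad C2 spec: {spec!r}")
    ipaddress.ip_address(host)  # raises ValueError if host is not an IP literal
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"bad port in C2 spec: {spec!r}")
    return host, port_num


# C2 endpoint named in the analysis above.
C2_HOST, C2_PORT = parse_c2("45.61.185.83:812")

# Directories where a legitimately packaged daemon binary is expected to live.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/")


def triage_process(proc: Dict) -> List[str]:
    """Return the names of the indicators that fire for one /proc-like record.

    proc keys:
      comm        contents of /proc/<pid>/comm (what prctl(PR_SET_NAME) writes)
      cmdline     /proc/<pid>/cmdline with NUL separators replaced by spaces
      exe         readlink of /proc/<pid>/exe
      cwd         readlink of /proc/<pid>/cwd
      connections list of (remote_ip, remote_port, state) tuples
    """
    findings: List[str] = []
    exe_base = os.path.basename(proc["exe"])
    argv0 = proc["cmdline"].split(" ", 1)[0] if proc["cmdline"] else ""

    # 1. Name set with prctl does not match the binary on disk.
    #    The kernel truncates comm to 15 characters, so compare against that.
    if proc["comm"] != exe_base[:15]:
        findings.append("comm_mismatch")

    # 2. argv overwritten: argv[0] no longer names the binary (or is blank).
    #    Login shells legitimately prefix argv[0] with '-', so strip it first.
    if os.path.basename(argv0).lstrip("-") != exe_base:
        findings.append("argv_rewritten")

    # 3. chdir("/") by a binary that lives outside the system directories.
    if proc["cwd"] == "/" and not proc["exe"].startswith(SYSTEM_PREFIXES):
        findings.append("cwd_root_nonsystem_exe")

    # 4. Established connection to the C2 endpoint from the analysis.
    for ip, port, _state in proc["connections"]:
        if ip == C2_HOST and port == C2_PORT:
            findings.append("c2_connection")
            break
    return findings


def triage_all(procs: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> findings for every process that triggers at least one indicator."""
    return {p["pid"]: f for p in procs if (f := triage_process(p))}


# Constructed sample records (not from a real host).
SAMPLE_PROCS = [
    {   # benign sshd: name, argv and exe all agree, lives under /usr
        "pid": 812, "comm": "sshd", "cmdline": "/usr/sbin/sshd -D",
        "exe": "/usr/sbin/sshd", "cwd": "/",
        "connections": [("203.0.113.7", 51222, "ESTABLISHED")],
    },
    {   # benign login shell: argv[0] is "-bash", which must not fire
        "pid": 2048, "comm": "bash", "cmdline": "-bash",
        "exe": "/bin/bash", "cwd": "/home/pi",
        "connections": [],
    },
    {   # how the Gafgyt sample would look: disguised as sshd, run from /tmp,
        # chdir'd to /, talking to 45.61.185.83:812 (disguise name assumed)
        "pid": 1337, "comm": "sshd", "cmdline": "/usr/sbin/sshd",
        "exe": "/tmp/arm7", "cwd": "/",
        "connections": [("45.61.185.83", 812, "ESTABLISHED")],
    },
]

if __name__ == "__main__":
    for pid, findings in triage_all(SAMPLE_PROCS).items():
        print(f"pid {pid}: {', '.join(findings)}")
```

Indicators 1 to 3 are structural, so they keep working after the C2 address changes; indicator 4 is the only one tied to this sample. Any single indicator can fire on legitimate software (interpreters and some daemons rename themselves), so treat the combination, not one hit, as the signal worth escalating.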