Source: https://bazaar.abuse.ch/sample/4069c7c6838a37b7f273724e379abce999a696ec9d24e3add3f1908c53321f37/
Date: 2021
Background: Gafgyt malware first made its appearance back in 2014 as a malware strain that exploited known vulnerabilities in small office/home office (SOHO) routers to launch Distributed Denial of Service (DDoS) attacks, much like those orchestrated by the well-known Mirai botnet.
The sample is a 32-bit ARM ELF binary.
On entering main, the program first overwrites its own argv and sets the process name via prctl.
It obtains its own IP address through a socket and changes the working directory to the root directory.
It then enters the command-and-control loop:
First it splits the C2 address into IP and port and connects to the C2 at 45.61.185.83:812.
It sends a check-in message, deletes certain files such as bash_history, and disables the firewall.
It then loops, receiving commands from the C2 and executing them.
Telnet scanning and credential brute-forcing, toggled with ON/OFF commands.
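The behaviours listed above (argv overwrite and prctl process-name change, cwd moved to /, connection to the fixed C2 ip:port, bash_history deletion and firewall disabling) are all observable from the host side. The script below is an added defensive triage example, not code from the original analysis or from the sample: it splits the C2 endpoint the same way the sample must (ip:port), and applies simple heuristics to constructed process snapshots and audit lines. The ProcSnapshot field names mirror /proc/<pid>/comm, cmdline, exe and cwd plus a peer list, the input records are constructed, and the "iptables -F" audit line is an assumed form of firewall disabling, since the analysis does not say how the sample does it.

```python
import os
from dataclasses import dataclass
from typing import List, Tuple

# C2 endpoint from the analysis above, in the ip:port form the sample stores.
KNOWN_C2 = "45.61.185.83:812"


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split an 'ip:port' string into (host, port), rejecting malformed input."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed endpoint: {endpoint!r}")
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {endpoint!r}")
    return host, port_num


@dataclass
class ProcSnapshot:
    """Fields a collector would read from /proc/<pid>/ and a socket listing (assumed layout)."""
    pid: int
    comm: str                      # /proc/<pid>/comm, changed by prctl(PR_SET_NAME)
    cmdline: List[str]             # /proc/<pid>/cmdline, overwritten by the sample
    exe: str                       # /proc/<pid>/exe target, not spoofable via prctl
    cwd: str                       # /proc/<pid>/cwd target
    peers: List[Tuple[str, int]]   # established remote (ip, port) pairs


def triage(snap: ProcSnapshot, c2_endpoint: str = KNOWN_C2) -> List[str]:
    """Return heuristic findings for one process; an empty list means nothing matched."""
    findings: List[str] = []
    exe_base = os.path.basename(snap.exe)
    # The kernel truncates comm to 15 characters, so compare against the same prefix.
    if snap.comm != exe_base[:15]:
        findings.append("comm-mismatch")       # process name differs from on-disk executable
    if snap.cmdline and os.path.basename(snap.cmdline[0]) != exe_base:
        findings.append("argv-mismatch")       # argv[0] differs from on-disk executable
    if split_endpoint(c2_endpoint) in snap.peers:
        findings.append("known-c2-peer")       # talking to the C2 named in the analysis
    # cwd == "/" is common for daemons, so only report it alongside a stronger signal.
    if snap.cwd == "/" and findings:
        findings.append("cwd-root")
    return findings


# Substrings in executed commands that match the cleanup steps described above.
CLEANUP_MARKERS = (
    ".bash_history",   # history removal, as the analysis states
    "iptables -F",     # assumed form of "disable the firewall"; not confirmed by the analysis
)


def flag_cleanup_commands(audit_lines: List[str]) -> List[str]:
    """Return the audit lines whose command matches a cleanup marker."""
    return [line for line in audit_lines if any(m in line for m in CLEANUP_MARKERS)]


# Constructed inputs: one process shaped like the sample, one benign sshd.
MALICIOUS = ProcSnapshot(
    pid=4242, comm="sshd", cmdline=["/usr/sbin/sshd"], exe="/tmp/.x/arm7",
    cwd="/", peers=[("45.61.185.83", 812)],
)
BENIGN = ProcSnapshot(
    pid=1001, comm="sshd", cmdline=["/usr/sbin/sshd", "-D"], exe="/usr/sbin/sshd",
    cwd="/", peers=[("10.0.0.5", 51322)],
)
CONSTRUCTED_AUDIT = [
    "rm -rf /root/.bash_history",
    "ls -la /tmp",
    "iptables -F",
]

if __name__ == "__main__":
    for snap in (MALICIOUS, BENIGN):
        print(snap.pid, triage(snap))
    print(flag_cleanup_commands(CONSTRUCTED_AUDIT))
```

The comm and argv checks are heuristics: busybox applets, symlinked binaries and daemons such as nginx legitimately rewrite argv or run under a different name, so treat those tags as reasons to look closer, and treat the C2 peer match as the high-confidence signal.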