General

  • Target

    SnOoPy.sh

  • Size

    2KB

  • Sample

    241203-16rsbaxkaw

  • MD5

    8ea1e7d08dd0cf52bbdddc3222e9b8af

  • SHA1

    f031a227d961d83fc0083c4b5b7b4ccdfe64e711

  • SHA256

    2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469

  • SHA512

    1be9d8a04c9b95e9e07c6fad4ae90a160219b05d0bf4b77578ac7dee91b5f336688ac792aab88cc78b5923963e1c9bacf8c0407fc22119041e9def0f217800da

Malware Config

Extracted

  • Family

    gafgyt

  • C2

    192.3.179.33:23

Targets

    • Target

      SnOoPy.sh

    • Detected Gafgyt variant

    • Gafgyt family

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

MITRE ATT&CK Enterprise v15
