Linux Analysis Report
x-3.2-.SNOOPY

Overview

General Information

Sample Name: x-3.2-.SNOOPY
Analysis ID: 679558
MD5: ca34f09d0fe8bd0dddd1443e401781d7
SHA1: da043d55a48b11f1c0b47b38bd2bb279454a3ac4
SHA256: 3d4c4cc860a146597b5830fa4e4c5ab9a5eb32304bd88a9e6256452740998727

Detection

Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Contains symbols with names commonly found in malware
Opens /proc/net/* files useful for finding connected devices and routers
Machine Learning detection for sample
Yara signature match
Executes the "wget" command typically used for HTTP/S downloading
Sample contains strings that are user agent strings indicative of HTTP manipulation
Executes the "uname" command used to read OS and architecture name
Executes commands using a shell command-line interpreter
Executes the "systemctl" command used for controlling the systemd system and service manager
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories

Classification

AV Detection

Source: x-3.2-.SNOOPY Virustotal: Detection: 57%
Source: x-3.2-.SNOOPY ReversingLabs: Detection: 58%
Source: x-3.2-.SNOOPY Joe Sandbox ML: detected

Spreading

Source: /tmp/x-3.2-.SNOOPY (PID: 6319) Opens: /proc/net/route

Networking

Source: Traffic Snort IDS: 2841335 ETPRO TROJAN ELF/Mirai Variant CnC Checkin 192.168.2.23:39906 -> 163.123.143.81:839
Source: /usr/bin/dash (PID: 6276) Wget executable: /usr/bin/wget -> wget --timeout 60 -U "wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/none" -O- --content-on-error https://motd.ubuntu.com
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:39906 -> 163.123.143.81:839
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: unknown TCP traffic detected without corresponding DNS query: 163.123.143.81
Source: tmp.1y2FR6QFox.14.dr String found in binary or memory: https://motd.ubuntu.com/
Source: motd-news.32.dr, tmp.hDXKGVsUIR.14.dr String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

System Summary

Source: x-3.2-.SNOOPY, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown
Source: x-3.2-.SNOOPY, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: x-3.2-.SNOOPY, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown
Source: ELF static info symbol of initial sample Name: vseattack
Source: x-3.2-.SNOOPY, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16
Source: x-3.2-.SNOOPY, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: x-3.2-.SNOOPY, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16
Source: classification engine Classification label: mal76.spre.linSNOOPY@0/3@0/0
Source: x-3.2-.SNOOPY ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crt1.S
Source: x-3.2-.SNOOPY ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crti.S
Source: x-3.2-.SNOOPY ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crtn.S
Source: x-3.2-.SNOOPY ELF static info symbol of initial sample: libc/sysdeps/linux/i386/mmap.S
Source: /usr/bin/dash (PID: 6276) Wget executable: /usr/bin/wget -> wget --timeout 60 -U "wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/none" -O- --content-on-error https://motd.ubuntu.com
Source: /usr/sbin/logrotate (PID: 6264) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 6266) Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service
Source: /usr/bin/dash (PID: 6286) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.hDXKGVsUIR /tmp/tmp.1y2FR6QFox /tmp/tmp.5piRJmkiY5
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Source: /usr/bin/python3.8 (PID: 6269) Uname executable: /usr/bin/uname -> uname -p