Source: x-3.2-.SNOOPY |
Virustotal: Detection: 57% |
Source: x-3.2-.SNOOPY |
ReversingLabs: Detection: 58% |
Source: Traffic |
Snort IDS: 2841335 ETPRO TROJAN ELF/Mirai Variant CnC Checkin 192.168.2.23:39906 -> 163.123.143.81:839 |
Source: /usr/bin/dash (PID: 6276) |
Wget executable: /usr/bin/wget -> wget --timeout 60 -U "wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/none" -O- --content-on-error https://motd.ubuntu.com |
Source: global traffic |
TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: global traffic |
TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:39906 -> 163.123.143.81:839 |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.43 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 109.202.202.202 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 163.123.143.81 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.42 |
Source: tmp.1y2FR6QFox.14.dr |
String found in binary or memory: https://motd.ubuntu.com/ |
Source: motd-news.32.dr, tmp.hDXKGVsUIR.14.dr |
String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation |
Source: x-3.2-.SNOOPY, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown |
Source: x-3.2-.SNOOPY, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown |
Source: x-3.2-.SNOOPY, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown |
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown |
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown |
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown |
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_6122acdf Author: unknown |
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a Author: unknown |
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_9127f7be Author: unknown |
Source: ELF static info symbol of initial sample |
Name: vseattack |
Source: x-3.2-.SNOOPY, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16 |
Source: x-3.2-.SNOOPY, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16 |
Source: x-3.2-.SNOOPY, type: SAMPLE |
Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16 |
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16 |
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16 |
Source: 6322.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16 |
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_6122acdf os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 283275705c729be23d7dc75056388ecae00390bd25ee7b66b0cfc9b85feee212, id = 6122acdf-1eef-45ea-83ea-699d21c2dc20, last_modified = 2021-09-16 |
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_1b2e2a3a reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 6f24b67d0a6a4fc4e1cfea5a5414b82af1332a3e6074eb2178aee6b27702b407, id = 1b2e2a3a-1302-41c7-be99-43edb5563294, last_modified = 2021-09-16 |
Source: 6319.1.0000000008048000.0000000008055000.r-x.sdmp, type: MEMORY |
Matched rule: Linux_Trojan_Gafgyt_9127f7be reference_sample = 899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 72c742cb8b11ddf030e10f67e13c0392748dcd970394ec77ace3d2baa705a375, id = 9127f7be-6e82-46a1-9f11-0b3570b0cd76, last_modified = 2021-09-16 |
Source: classification engine |
Classification label: mal76.spre.linSNOOPY@0/3@0/0 |
Source: x-3.2-.SNOOPY |
ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crt1.S |
Source: x-3.2-.SNOOPY |
ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crti.S |
Source: x-3.2-.SNOOPY |
ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crtn.S |
Source: x-3.2-.SNOOPY |
ELF static info symbol of initial sample: libc/sysdeps/linux/i386/mmap.S |
Source: /usr/sbin/logrotate (PID: 6264) |
Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog |
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 6266) |
Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service |
Source: /usr/bin/dash (PID: 6286) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.hDXKGVsUIR /tmp/tmp.1y2FR6QFox /tmp/tmp.5piRJmkiY5 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 |
Source: /usr/bin/python3.8 (PID: 6269) |
Uname executable: /usr/bin/uname -> uname -p |