Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

x-3.2-.SNOOPY

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped

initial sample

Details

Filetype:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
Entropy:	6.390591865594507
Filename:	x-3.2-.SNOOPY
Filesize:	74024
MD5:	ca34f09d0fe8bd0dddd1443e401781d7
SHA1:	da043d55a48b11f1c0b47b38bd2bb279454a3ac4
SHA256:	3d4c4cc860a146597b5830fa4e4c5ab9a5eb32304bd88a9e6256452740998727
SHA512:	de5af8be9508268a2c25efb73f0841b068224c80b492f67e271a0e808ae9b15a98e4d22c844fce2b69701db5ff94474e710377b008b71447d23b3489e20a1d2f
SSDEEP:	1536:nm+c5osQWiKLoxKFn6pD+OTxzMvMmLI2VOCjXUfJRk:45omr0xKFn6J+OkMmU2VOCbUfJRk
Preview:	.ELF....................h...4...........4. ...(..............................................U...U.......i..........Q.td............................U..S............h........[]...$.............U......=.X...t..1.....U......U......u........t...$.E..........X

Signature Hits	Behavior Group	Mitre Attack
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
Machine Learning detection for sample	AV Detection
Yara signature match	System Summary
Sample and/or dropped files contains symbols with file path information	System Summary

/tmp/tmp.1y2FR6QFox

UTF-8 Unicode text

dropped

Details

File:	/tmp/tmp.1y2FR6QFox
Category:	dropped
Dump:	tmp.1y2FR6QFox.14.dr
ID:	dr_0
Target ID:	14
Process:	/usr/bin/wget
Type:	UTF-8 Unicode text
Entropy:	4.942242112845035
Encrypted:	false
Ssdeep:	6:HXTFpF4AYLEHKLG13/3xg7F/uZCHKLGZgM/Tt5RhgZDl7jzisnf53GV8F8ETa4k4:HDfF4TL6OM48QTt5Rh0ish3GV8WEgzG
Size:	494
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Executes the "rm" command used to delete files or directories	Persistence and Installation Behavior	File Deletion

/tmp/tmp.hDXKGVsUIR

ASCII text

dropped

Details

File:	/tmp/tmp.hDXKGVsUIR
Category:	dropped
Dump:	tmp.hDXKGVsUIR.14.dr
ID:	dr_1
Target ID:	14
Process:	/usr/bin/wget
Type:	ASCII text
Entropy:	4.515771857099866
Encrypted:	false
Ssdeep:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
Size:	191
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Executes the "rm" command used to delete files or directories	Persistence and Installation Behavior	File Deletion

/var/cache/motd-news

ASCII text

dropped

Details

File:	/var/cache/motd-news
Category:	dropped
Dump:	motd-news.32.dr
ID:	dr_2
Target ID:	32
Process:	/usr/bin/cut
Type:	ASCII text
Entropy:	4.515771857099866
Encrypted:	false
Ssdeep:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
Size:	191
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

/usr/sbin/logrotate

n/a

/bin/sh

sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog

/bin/sh

n/a

/usr/lib/rsyslog/rsyslog-rotate

n/a

/usr/bin/systemctl

systemctl kill -s HUP rsyslog.service

/usr/bin/python3.8

n/a

/usr/bin/uname

uname -p

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -40 /tmp/tmp.5piRJmkiY5

/usr/bin/dash

n/a

/usr/bin/tr

tr -c -d [:alnum:]

/usr/bin/dash

n/a

/usr/bin/wget

wget --timeout 60 -U "wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/none" -O- --content-on-error https://motd.ubuntu.com

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.hDXKGVsUIR

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/cat

cat /tmp/tmp.hDXKGVsUIR

/usr/bin/dash

n/a

/usr/bin/head

head -n 10

/usr/bin/dash

n/a

/usr/bin/tr

tr -d \\000-\\011\\013\\014\\016-\\037

/usr/bin/dash

n/a

/usr/bin/cut

cut -c -80

/usr/bin/dash

n/a

/usr/bin/rm

rm -f /tmp/tmp.hDXKGVsUIR /tmp/tmp.1y2FR6QFox /tmp/tmp.5piRJmkiY5

/tmp/x-3.2-.SNOOPY

n/a

/tmp/x-3.2-.SNOOPY

n/a

There are 25 hidden processes, click here to show them.

URLs

Name

Malicious

https://motd.ubuntu.com/

unknown

https://ubuntu.com/blog/microk8s-memory-optimisation

unknown

IPs

Domain

Country

Malicious

163.123.143.81

unknown

Reserved

Details

IP:	163.123.143.81
TargetID:	-1
Country:	Reserved
Countrycode:	ZZZ
ASN number:	1767
ASN name:	ILIGHT-NETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
x-3.2-.SNOOPY

Files

Processes

URLs

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportx-3.2-.SNOOPY

Files

Processes

URLs

IPs

IOC Report
x-3.2-.SNOOPY