Malware Analysis Report
Image Description
Common Information
Type Value
UUID 63d2025a-54f4-4afc-aedc-f56b9533d4a6
Fingerprint c06d763c6ad49fc1e339ac4d93e7e9d49ad7adb94f51dc253c85b0fe5954f70d
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 26, 2024, 11:36 a.m.
Added to db Nov. 6, 2024, 10:51 a.m.
Last updated Nov. 6, 2024, 10:53 a.m.
Headline Malware Analysis Report
Title Malware Analysis Report
Detected Hints/Tags/Attributes 96/2/76
Attributes
Details Type #Events CTI Value
Details Domain 7 (extractor note: `libsophos.so` here, and `sshd.pid`, `sshdd.pid`, `goat.pid` further down, are dotted file names — a shared-object name and pid files — not DNS names; treat them as file-name indicators rather than domains)
libsophos.so
Details Domain 4
sshd.pid
Details Domain 2 (note: `sh.org`, `openssh.co`, `penssh.com`, `enssh.com`, `sh.com` and `nssh.com` in this list appear to be truncated fragments of longer `name@domain` tokens such as `openssh.com` and `lysator.liu.se`, not separate infrastructure — verify before acting on them)
sh.org
Details Domain 4
lysator.liu.se
Details Domain 1
openssh.co
Details Domain 1
penssh.com
Details Domain 9
openssh.com
Details Domain 1
enssh.com
Details Domain 2
sh.com
Details Domain 1
nssh.com
Details Domain 24
man7.org
Details Domain 1
rootkiter.com
Details Domain 4127
github.com
Details Domain 182
www.mandiant.com
Details Domain 172
www.crowdstrike.com
Details Domain 831
example.com
Details Domain 1
sshdd.pid
Details Domain 3
goat.pid
Details Domain 53
ncsc.gov.uk
Details Email 1 (note: the `…@openssh.com`, `…@openssh.co` and `…@lysator.liu.se` entries below appear to be fragments of SSH algorithm identifiers, which use the `name@domain` form for extension names — `zlib@openssh.com` is the OpenSSH compression method name — rather than mailboxes; only `ncscinfoleg@ncsc.gov.uk` reads as a contact address)
c@lysator.liu.se
Details Email 1
y1305@openssh.co
Details Email 1
6-etm@openssh.co
Details Email 1
etm@openssh.com
Details Email 1
4@openssh.com
Details Email 1
5-etm@openssh.co
Details Email 1
160@openssh.com
Details Email 1
m@openssh.com
Details Email 1
28@openssh.com
Details Email 2
zlib@openssh.com
Details Email 22
ncscinfoleg@ncsc.gov.uk
Details File 10
c.html
Details File 816
index.html
Details md5 3
c71cd27efcdb8c44ab8c29d51f033a22
Details md5 1
3f28196675dc8cb20cf5b5f80ea29310
Details md5 1
d45eadb1d50562927512b7f545a02b65
Details md5 1
eae7cc16a30ed5a98916f9f381a5bcb2
Details md5 1
e1b9842e7e0b9cf722bcc7d08c768486
Details sha1 1
71f70d61af00542b2e9ad64abd2dda7e437536ff
Details sha1 1
7ace663c22b3e800fc17c1477d54b533f7002833
Details sha1 1
1f1ee5b93a9f071a47aead76016dee487b8b0d7d
Details sha1 1
b87a11fc647eed1aed3543237cb1540d99ead580
Details sha1 1
241a37a7ac3e26d8d703a8058ffe100dd1150193
Details sha1 1
d05ec61f560ec38990760bbb71339e09ebd3a4cc
Details sha1 1
1febcf83a6f6e2598a5288a0e57742d1fc6e7620
Details sha1 1
8d453ff52947af1842a0231d74ffbb6faacf6167
Details sha256 1
6455de74ae15071fa98f18cdbc3148c967755e69df7dee747bc31d0387751162
Details sha256 1
823b079c75f4e6a5905d9eea9a60c62e1f0995bfc25764d1ba0407a5bd78c962
Details sha256 1 (extractor note: this value is not a file hash — it is the first 32 bytes of the `$fake_ed25519_key` hex pattern in the pygmy_goat_magic_strings YARA rule below; pivot on it as a byte pattern, not as a sample hash)
29ccf0cc16c5466e5219828e8665428c1f1ad4c3a5b1cbfcc0266c313c5c903a
Details sha256 1 (extractor note: this value is not a file hash — it is the last 32 bytes of the `$fake_ed25519_key` hex pattern in the pygmy_goat_magic_strings YARA rule below; pivot on it as a byte pattern, not as a sample hash)
247de4d3576dda8ecbf466d1cb814f63fd4afa06e47e4ca09591bdcb97a4b30f
Details sha256 1
efbb9150e66eff1492404ca6bfb219dd656c640814e27cfb3e757ff94fe6aa5a
Details sha256 1
8049bd8e86a6b5f382639b0739c78c5fd55780c72d3b5c9a6084e22981f9dc51
Details sha256 1
7eb70ee5729867faf02c3285e8478c373e0c61342b90d4f077554faf1303c12a
Details sha256 1
f85280bd427aa2e9d714ea3bc11febf5a436cfc04fcbbe708c2592a88b6000a3
Details sha256 1
ef0ae22901ab9ab07f3b6e1f80ee41cd21deee957e81d7a48fac2517ae5ce87e
Details IPv4 1 (note: 192.168.6.1 is an RFC 1918 private address and cannot be an external indicator; it most likely comes from a lab example in the source report)
192.168.6.1
Details IPv4 7
49.1.1.11
Details IPv4 6
49.1.1.1
Details MITRE ATT&CK Techniques 16
T1574.006
Details MITRE ATT&CK Techniques 86
T1059.004
Details MITRE ATT&CK Techniques 44
T1053.003
Details MITRE ATT&CK Techniques 25
T1559
Details MITRE ATT&CK Techniques 42
T1040
Details MITRE ATT&CK Techniques 1
T1205.001
Details MITRE ATT&CK Techniques 10
T1001.003
Details MITRE ATT&CK Techniques 74
T1573.002
Details MITRE ATT&CK Techniques 95
T1572
Details MITRE ATT&CK Techniques 29
T1560.002
Details MITRE ATT&CK Techniques 422
T1041
Details Url 1
https://man7.org/tlpi/code/online/dist/pty/pty_fork.c.html
Details Url 1
https://rootkiter.com/earthworm/en/index.html
Details Url 1
https://github.com/anhilo/xiaogongju/blob/master/rssocks_pro.c#l3
Details Url 1 (the URL below is truncated in extraction — its path ends in a dangling hyphen)
https://www.crowdstrike.com/blog/overwatch-insights-reviewing-a-new-intrusion-
Details Url 1
https://github.com/anhilo/xiaogongju
Details Url 3
https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
Details Yara rule 1
// Pygmy Goat: hard-coded AES key. The eight 4-byte patterns below total 32 bytes,
// a size consistent with an AES-256 key (the rule text itself only says "AES key";
// the key length is inferred from the pattern sizes).
// The key is expressed as separate dwords, presumably so the rule also fires when
// the key is assembled in code from 32-bit immediates ("built on the stack") rather
// than stored contiguously in a data section -- TODO confirm against the sample.
rule pygmy_goat_aes_key {
	meta:
		author = "NCSC"
		description = "Pygmy Goat AES key built on the stack or in data"
		date = "2024-10-22"
		// SHA-1 (40 hex chars) of the reference sample this rule was written against.
		hash1 = "71f70d61af00542b2e9ad64abd2dda7e437536ff"
	strings:
		// Every dword is printable ASCII; read in order they spell
		// "YKnw" "QjmA" "TbAn" "RoZm" "0fG7" "UZWb" "2YUx" "UQPw".
		$dword_1 = { 59 4B 6E 77 }
		$dword_2 = { 51 6A 6D 41 }
		$dword_3 = { 54 62 41 6E }
		$dword_4 = { 52 6F 5A 6D }
		$dword_5 = { 30 66 47 37 }
		$dword_6 = { 55 5A 57 62 }
		$dword_7 = { 32 59 55 78 }
		$dword_8 = { 55 51 50 77 }
	condition:
		// uint32(0) reads little-endian, so 0x464c457f is the byte sequence
		// 7F 45 4C 46 ("\x7fELF"): restrict to ELF files, then require all eight
		// key fragments to be present anywhere in the file.
		(uint32(0) == 0x464c457f) and all of them
}
Details Yara rule 1
// Pygmy Goat: fixed byte sequences from its C2 protocol. The condition is
// "any of them", so a single matching string in an ELF file is enough and each
// string has to be specific on its own; the 8-byte handshake marker is the
// shortest of the three.
rule pygmy_goat_magic_strings {
	meta:
		author = "NCSC"
		description = "Pygmy Goat magic byte sequences used in C2 comms"
		date = "2024-10-22"
		// SHA-1 (40 hex chars) of the reference sample this rule was written against.
		hash1 = "71f70d61af00542b2e9ad64abd2dda7e437536ff"
	strings:
		// Fixed 8-byte marker, named for the C2 handshake.
		$c2_magic_handshake = ",bEB3?=o"
		// Looks like an SSH protocol version string ("SSH-2.0-<software>") with a
		// bogus software identifier -- TODO confirm it is the banner the implant emits.
		$fake_ssh_banner = "SSH-2.0-D8pjE"
		// 64 bytes, presumably a hard-coded Ed25519 key blob (seed + public key) --
		// TODO confirm. NOTE: the hex splits into two 32-byte runs that automated
		// IoC extractors can mistake for SHA-256 hashes; it is a content pattern,
		// not a file hash.
		$fake_ed25519_key = { 29 CC F0 CC 16 C5 46 6E 52 19 82 8E 86 65 42 8C 1F 1A D4 C3 A5 B1 CB FC C0 26 6C 31 3C 5C 90 3A 24 7D E4 D3 57 6D DA 8E CB F4 66 D1 CB 81 4F 63 FD 4A FA 06 E4 7E 4C A0 95 91 BD CB 97 A4 B3 0F }
	condition:
		// uint32(0) reads little-endian, so 0x464c457f is 7F 45 4C 46 ("\x7fELF"):
		// ELF files only, and one matching string suffices.
		(uint32(0) == 0x464c457f) and any of them
}