Trojan.SH.CUTTLESNIFF.AA

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Dropping Routine

This Trojan drops the following file, into which it saves gathered information:

• /tmp/co.tmp → deleted afterwards

Information Theft

This Trojan gathers the following data:

• Contents of directories
• Running processes
• Network Connections
• Mounted devices

Other Details

This Trojan attempts to access the following websites to download files, which are possibly malicious:

• http://{BLOCKED}.{BLOCKED}.{BLOCKED}.178/dajfdsfadsfa/

It does the following:

• It creates a tar compressed file /tmp/co.tmp.tar.gz → deleted afterwards
  • containing the previously created temporary file and the /etc/config directory
• It tries to download different versions of a file based on different architectures (like arm, i386, i386_i686, i386_x64, mips32, mips64)
• Each downloaded file is saved as /tmp/.timezone, made executable, and then run with certain parameters:
  • -f /tmp/co.tmp.tar.gz : Specifies the file to be uploaded.
  • -u https://www.{BLOCKED}as.com/upload : Specifies the URL to which the file will be uploaded.
  • -a : enables the append mode.
  • -b 5000 : Sets the buffer size to 5000 bytes
  • -z : Enables Compression
  • -d : Enables the delete option