Overview

overview

9

Static

static

8

cb762ff46d...kes118

debian-9-mips

9

Sharing

Copy URL Twitter E-mail

General

  • Target

    cb762ff46d251c45799f314ee446eef3_JaffaCakes118

  • Size

    300KB

  • Sample

    240405-flz8qscf3w

  • MD5

    cb762ff46d251c45799f314ee446eef3

  • SHA1

    99f7fac4c21d0a6f46206e8faba681385f75f9f5

  • SHA256

    271379bd82ef77b79ca57504e5609e70c0aee8d30f976c6ad75ce3648f8ef8ef

  • SHA512

    53b7737100ab5c98075bc5f3917e51d2aed0b7c1b500eceb6b526cd00377a5dc4b6de03ac028f7feb7ebc3a559b8e27ef806560d991712621f4b05676246fea7

  • SSDEEP

    3072:/TNVO/QJHZcfFj4rwLQGTNO5VZLwHm7vuQTpZUyY6coKPa5POdOQ33Q:7O/QJHZweEL/NOjCHm7FZZnc4PqOJ

Score
9/10
discoverypersistenceupx

Malware Config

Targets

    • Target

      cb762ff46d251c45799f314ee446eef3_JaffaCakes118

    • Size

      300KB

    • MD5

      cb762ff46d251c45799f314ee446eef3

    • SHA1

      99f7fac4c21d0a6f46206e8faba681385f75f9f5

    • SHA256

      271379bd82ef77b79ca57504e5609e70c0aee8d30f976c6ad75ce3648f8ef8ef

    • SHA512

      53b7737100ab5c98075bc5f3917e51d2aed0b7c1b500eceb6b526cd00377a5dc4b6de03ac028f7feb7ebc3a559b8e27ef806560d991712621f4b05676246fea7

    • SSDEEP

      3072:/TNVO/QJHZcfFj4rwLQGTNO5VZLwHm7vuQTpZUyY6coKPa5POdOQ33Q:7O/QJHZweEL/NOjCHm7FZZnc4PqOJ

    Score
    9/10
    discoverypersistenceupx

    • Contacts a large (20050) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Writes file to system bin folder

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks