Analysis
- max time kernel: 149s
- max time network: 150s
- platform: debian-9_armhf
- resource: debian9-armhf-20240226-en
- resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 19/04/2024, 03:11
Behavioral task: behavioral1
- Sample: f95f7a9fc6e5cf9ea176e6aca714e562_JaffaCakes118
- Resource: debian9-armhf-20240226-en
General
- Target: f95f7a9fc6e5cf9ea176e6aca714e562_JaffaCakes118
- Size: 70KB
- MD5: f95f7a9fc6e5cf9ea176e6aca714e562
- SHA1: 7c0a31fc4152f17f6c4109058151dabd760b4bde
- SHA256: d5a3b0d096103bf875a7e00ab4194460858ba1ba6a8f40ac9cd49159901b3ba3
- SHA512: 2d6a10f08bdf0d42760827bbe59a7f214218128b3fd80afb4cef8ebac74b8c4dec85277a96e009bed323fe2aa53bdeffdc55a0dedc88f3b74fc18d89889115bd
- SSDEEP: 1536:GbtexU5L9XouIRhb96pUQzXtwavaJ3V8OHxouJeZWDFI84M:GbtexU0r8QCKw2FbB
Malware Config
Signatures
- Contacts a large (20620) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  IoCs: File opened for modification /dev/watchdog; File opened for modification /dev/misc/watchdog
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from the /proc virtual filesystem.
  IoCs: File opened for reading /proc/net/tcp
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  IoCs: File opened for reading /proc/net/tcp
- Reads runtime system information (41 IoCs)
  Reads data from the /proc virtual filesystem.