206dd07c43b83afb9e50e26a04dd5ae8027c9e215eeafbfd92c74439b8d77607

General

Target

0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
Size

64KB
MD5

0120a1ce75c1a1c3e7350604756a3aa5
SHA1

7d983822e752580108b796be1b26cafe67133004
SHA256

206dd07c43b83afb9e50e26a04dd5ae8027c9e215eeafbfd92c74439b8d77607
SHA512

a7e4423f45b5e37f4becf75ff84e61cd78fd0ed3ad0d681124e404cfd626177acb8e2cd672a43733cb7c769c79ddf8193020f2a9cee573d38a70b811d7e8d55f
SSDEEP

1536:IoRC9170vwHbQXZ5+qXDEuXi90dSW7V/DjObeFt6PuQ4Zy:PC917iwHbQXZ5+qXA594SWZ/XObeb6G7

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (20573) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

description	ioc	process
File opened for modification	/dev/watchdog	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for modification	/dev/misc/watchdog	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
Enumerates running processes
Discovers information about currently running processes on the system
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

description	ioc	process
File opened for reading	/proc/1440/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/499/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/859/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1099/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/540/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/498/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1025/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/2113/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/811/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/855/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1444/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/482/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/498/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1081/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/588/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/867/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/950/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/998/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1516/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/493/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1096/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/969/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1003/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/508/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/486/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/692/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/860/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/508/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/950/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/993/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/2122/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/612/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1140/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1439/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/642/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1120/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/2118/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/456/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/499/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/582/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/764/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/830/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/859/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/2116/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1494/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1120/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1414/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/786/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/796/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1290/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/2115/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/504/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/805/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1056/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/867/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1095/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/642/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/670/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1081/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1085/exe	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/270/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1436/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1447/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
File opened for reading	/proc/1443/fd	0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118

/tmp/0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
/tmp/0120a1ce75c1a1c3e7350604756a3aa5_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:1504