b41973732cf5c61e2d125b7eae5595763c61b81be0e360fff13db93566e2ba0c

Analysis

max time kernel
145s
max time network
153s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
09/05/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118
Size

6.9MB
MD5

2ba5d696542a22d833ab4b2abfc658f8
SHA1

3af1f86f96a46c14f6d1f0ac434db893bdd45bb7
SHA256

b41973732cf5c61e2d125b7eae5595763c61b81be0e360fff13db93566e2ba0c
SHA512

1fd0020933dad474c411ca8acc8fbf3008d91ef9db8e6f4cdde62b491dc68f7e938b83dc939b92f6731937ee6781397f45bf4d62f8d412a9a293ae3d4882d85c
SSDEEP

49152:DQuany9LtKnp7/Od3UWqxEW1BOKi8Nu6uuAIhlPebGNtpo/UOdZmanODQmc93LfU:6QLInpRb6Ki80LbylttpU3LfhIujIX

Score

6^/10

antivm persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.SnPqD8	crontab

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/net/core/somaxconn	2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.pid	2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118
File opened for modification	/tmp/nip9iNeiph5chee	2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118
File opened for modification	/tmp/[stealth].pid	2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118

/tmp/2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118
/tmp/2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1414
- /usr/bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1419
- /usr/bin/cat
  cat /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:1420
- /usr/bin/uname
  uname -a
  2⤵
  PID:1424
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:1425
- /tmp/2ba5d696542a22d833ab4b2abfc658f8_JaffaCakes118
  "[stealth]"
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1426
- - /usr/bin/cat
    cat /proc/version
    3⤵
    - Reads runtime system information
    PID:1431
- - /usr/bin/cat
    cat /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:1437
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1439
- - /usr/bin/getconf
    getconf LONG_BIT
    3⤵
    PID:1440
- - /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    3⤵
    - Creates/modifies Cron job
    PID:1441

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
4B

MD5
299fb2142d7de959380f91c01c3a293c

SHA1
8e3c07a198efa67e51a01f3ab800663a57ea6e50

SHA256
2c29bd822988ccf7b83e0baf85cefe1253e718cbe4ee54a119efd998260a85b7

SHA512
80905d93da51d3df5af39204c25aa9edfd48ef56a7c857d23c088231d717f8b63e605ff3dab578b75d4dbea0dfd287f9c3de85a2fb5f6d28a0ce13348dbc5212

Download Submit
/tmp/nip9iNeiph5chee

Filesize
80B

MD5
733fd18957568960d049cf884461434b

SHA1
a13d101d92286425f8032f4dfde25b3cec01c562

SHA256
eb832bae0bd8a092f89e8457eb07378f48f372f9fd9f80bae69d512f514ef961

SHA512
814ad3265887d8809354714dfd08c9b67d95399087f6c475d8fdeaca559ebfb98bee76924d518cba5188496c2714fc73953c4f0bdc2457e1c27895be5bc47d3c

Download Submit
/var/spool/cron/crontabs/tmp.SnPqD8

Filesize
274B

MD5
d1ec8b4fe29ce90a537c302ea5672c0c

SHA1
c5481073b44f24278f12a5eaf02eb085a356e3c7

SHA256
d034034b665dd3b3d91c793ea6c3b5fc432b4b62c1090492f9cb1de07315fd63

SHA512
66b242e1728ad903659c8e2f9d41ad949460a0e0ffadfdd016df496d126e56e8dbb6d32cf2fad3941b543fd8f82d622e844b9e64d4f1368d7ed867d969ba7e75

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads