6d0e7d4cca4c9034489b13e09697e1f114ded712d96c06d5a8c4b4d4606ffa94

General

Target

322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
Size

64KB
MD5

322886be2addf148c6bfd0bcb104ba15
SHA1

8f09a5a3252caa7652443b134f1bcb6691f992a0
SHA256

6d0e7d4cca4c9034489b13e09697e1f114ded712d96c06d5a8c4b4d4606ffa94
SHA512

ad234e0397d51a73bba64fcdaf998c82d06be4345f1f610d4136702e9b3fbcc2738a88c4dade945afc97aa7232d580c338448435df32a7c4f7a80edd2368f36a
SSDEEP

1536:IoRC9170vwHbQXZ5+qXDEuXi90dSW7V/DjObeFt6PuQ4Z2:PC917iwHbQXZ5+qXA594SWZ/XObeb6G7

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (20505) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

description	ioc	process
File opened for modification	/dev/watchdog	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for modification	/dev/misc/watchdog	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
Enumerates running processes
Discovers information about currently running processes on the system
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

description	ioc	process
File opened for reading	/proc/1073/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1352/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1075/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/794/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/672/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1045/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/618/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/636/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/925/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1404/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1081/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/972/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/981/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/526/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/637/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/456/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1410/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1114/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/502/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1083/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1126/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/445/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/953/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1082/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1054/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1074/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1449/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1127/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/498/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/948/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/918/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/959/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1023/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1127/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/443/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1041/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1090/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1157/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1332/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1400/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/893/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/893/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1111/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1120/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1090/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/458/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1204/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1098/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/536/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/618/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/784/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1257/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1405/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1377/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/445/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/690/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/491/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1073/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/894/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/953/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/1355/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/508/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/803/fd	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
File opened for reading	/proc/587/exe	322886be2addf148c6bfd0bcb104ba15_JaffaCakes118

/tmp/322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
/tmp/322886be2addf148c6bfd0bcb104ba15_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
PID:1406