Analysis
max time kernel: 149s
max time network: 154s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 13-05-2024 10:59
Behavioral task: behavioral1
Sample: 3f2667834d3d0abbcd7f89674b89f405_JaffaCakes118
Resource: ubuntu2004-amd64-20240508-en
General
Target: 3f2667834d3d0abbcd7f89674b89f405_JaffaCakes118
Size: 64KB
MD5: 3f2667834d3d0abbcd7f89674b89f405
SHA1: af9d54c5c727d0e63c942b68458b3896254b06b7
SHA256: c2eacfb5b2333e6ba535c29210ee54991cdbf337acfb1b8b57dd4a0d3e2168b5
SHA512: e60c86d05d84bd6a2bb60b31d0782b2d7380d765a54c61027ab6f533e75845b588547696b764b8a907f6b74fb0989a46e2495ddc034b0de81a5da7581e62e5e3
SSDEEP: 1536:IIG9170vwHbQXZ5+qXDEuXi9aBSW7V/DjObeFt6PuQ4Zr:I917iwHbQXZ5+qXA59eSWZ/XObeb6GZZ
Malware Config
Signatures

Contacts a large (20618) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.

Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  File opened for modification: /dev/watchdog (process 3f2667834d3d0abbcd7f89674b89f405_JaffaCakes118)
  File opened for modification: /dev/misc/watchdog (process 3f2667834d3d0abbcd7f89674b89f405_JaffaCakes118)

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
  File opened for reading: /proc/net/tcp (process 3f2667834d3d0abbcd7f89674b89f405_JaffaCakes118)

Enumerates running processes
Discovers information about currently running processes on the system.

Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
  File opened for reading: /proc/net/tcp (process 3f2667834d3d0abbcd7f89674b89f405_JaffaCakes118)

Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.