Analysis
max time kernel: 149s
max time network: 151s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240508-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 20-05-2024 07:16

Behavioral task: behavioral1
Sample: 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
Resource: ubuntu2004-amd64-20240508-en

General
Target: 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
Size: 1.3MB
MD5: 5dd0958ec75fcf14d16d03b2ec7629d0
SHA1: b72c201d1fb3b239395b1136675760e3a7365111
SHA256: bb6cb684d2845050828adef8e78e6a242ad595064bce60d675d2b240a4ebf87d
SHA512: 74bfda790e337735e33d7a1b633369f64cb3ba8df4280213f3d4f6a7cb9dbd73db3f77f305d34cf7868fd3da251a15f152dc7db89091ae8bcf475c1f72535ee4
SSDEEP: 24576:yCa8ARRfmnnphS5aczgzKJFVhtwyhOuaX92Io44FbUwaBN6c:ja8AHmnnS5acketwyhO/IE8bUV6c
Malware Config

Signatures

- Executes dropped EXE 4 IoCs
  Processes:
  ioc | pid | process
  /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h | 1443 | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  /usr/bin/bsd-port/getty | 1465 | getty
  /etc/ssh/sshpa | 1473 | sshpa
  /usr/bin/bsd-port/udevd | 1493 | udevd

- UPX packed file
  Processes:
  resource | yara_rule
  /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h | upx
  /usr/bin/bsd-port/getty | upx

- Modifies init.d
  Processes:
  description | ioc | process
  File opened for modification | /etc/init.d/DbSecuritySpt | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for modification | /etc/init.d/selinux | getty

- Reads system routing table 1 TTPs 2 IoCs
  Gets active network interfaces from /proc virtual filesystem.
  Processes:
  description | ioc | process
  File opened for reading | /proc/net/route | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  File opened for reading | /proc/net/route | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118

- Write file to user bin folder 1 TTPs 9 IoCs
  Processes:
  description | ioc | process
  File opened for modification | /usr/bin/lsof | cp
  File opened for modification | /usr/bin/ps | cp
  File opened for modification | /usr/bin/bsd-port/getty.lock | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for modification | /usr/bin/bsd-port/getty | cp
  File opened for modification | /usr/bin/bsd-port/udevd | getty
  File opened for modification | /usr/bin/bsd-port/udevd.lock | udevd
  File opened for modification | /usr/bin/bsd-port/getty.lock | getty
  File opened for modification | /usr/bin/dpkgd/lsof | cp
  File opened for modification | /usr/bin/dpkgd/ps | cp

- Writes file to system bin folder 1 TTPs 2 IoCs
  Processes:
  description | ioc | process
  File opened for modification | /bin/lsof | cp
  File opened for modification | /bin/ps | cp

- Checks CPU configuration 1 TTPs 4 IoCs
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
  description | ioc | process
  File opened for reading | /proc/cpuinfo | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  File opened for reading | /proc/cpuinfo | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for reading | /proc/cpuinfo | udevd
  File opened for reading | /proc/cpuinfo | getty

- Reads system network configuration 1 TTPs 8 IoCs
  Uses contents of /proc filesystem to enumerate network settings.
  Processes:
  description | ioc | process
  File opened for reading | /proc/net/route | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  File opened for reading | /proc/net/arp | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  File opened for reading | /proc/net/dev | getty
  File opened for reading | /proc/net/dev | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  File opened for reading | /proc/net/dev | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for reading | /proc/net/dev | udevd
  File opened for reading | /proc/net/route | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for reading | /proc/net/arp | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118

- Reads runtime system information 30 IoCs
  Reads data from /proc virtual filesystem.
  Processes:
  description | ioc | process
  File opened for reading | /proc/sys/kernel/version | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/cmdline | insmod
  File opened for reading | /proc/sys/kernel/version | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  File opened for reading | /proc/stat | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for reading | /proc/sys/kernel/version | udevd
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/meminfo | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/sys/kernel/version | getty
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/meminfo | getty
  File opened for reading | /proc/meminfo | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/stat | udevd
  File opened for reading | /proc/meminfo | udevd
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/filesystems | cp
  File opened for reading | /proc/stat | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
  File opened for reading | /proc/cmdline | insmod
  File opened for reading | /proc/sys/kernel/version | sshpa
  File opened for reading | /proc/filesystems | mkdir
  File opened for reading | /proc/stat | getty

- Writes file to tmp directory 9 IoCs
  Malware often drops required files in the /tmp directory.
  Processes:
  description | ioc | process
  File opened for modification | /tmp/moni.lock | sshpa
  File opened for modification | /tmp/notify.file | sshpa
  File opened for modification | /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for modification | /tmp/notify.file | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for modification | /tmp/conf.n | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for modification | /tmp/gates.lock | sshpa
  File opened for modification | /tmp/moni.lock | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for modification | /tmp/gates.lock | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  File opened for modification | /tmp/bill.lock | 5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
Processes
(indentation shows the parent/child depth of the process tree; each entry gives the executable path, its command line, and the signatures triggered by that process)

- PID 1400  /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118  cmdline: /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
  signatures: Modifies init.d; Reads system routing table; Write file to user bin folder; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
  - PID 1442  /bin/sh  cmdline: sh -c /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
    - PID 1443  /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h  cmdline: /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
      signatures: Executes dropped EXE; Reads system routing table; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
      - PID 1445  /bin/sh  cmdline: sh -c "insmod /usr/lib/xpacket.ko"
        - PID 1446  /usr/sbin/insmod  cmdline: insmod /usr/lib/xpacket.ko
          signatures: Reads runtime system information
  - PID 1449  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
    - PID 1450  /usr/bin/ln  cmdline: ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  - PID 1451  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
    - PID 1452  /usr/bin/ln  cmdline: ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  - PID 1453  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
    - PID 1454  /usr/bin/ln  cmdline: ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  - PID 1455  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
    - PID 1456  /usr/bin/ln  cmdline: ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  - PID 1457  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
    - PID 1458  /usr/bin/ln  cmdline: ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  - PID 1459  /bin/sh  cmdline: sh -c "mkdir -p /usr/bin/bsd-port"
    - PID 1460  /usr/bin/mkdir  cmdline: mkdir -p /usr/bin/bsd-port
      signatures: Reads runtime system information
  - PID 1461  /bin/sh  cmdline: sh -c "cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /usr/bin/bsd-port/getty"
    - PID 1462  /usr/bin/cp  cmdline: cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /usr/bin/bsd-port/getty
      signatures: Write file to user bin folder; Reads runtime system information
  - PID 1464  /bin/sh  cmdline: sh -c /usr/bin/bsd-port/getty
    - PID 1465  /usr/bin/bsd-port/getty  cmdline: /usr/bin/bsd-port/getty
      signatures: Executes dropped EXE; Modifies init.d; Write file to user bin folder; Checks CPU configuration; Reads system network configuration; Reads runtime system information
      - PID 1479  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
        - PID 1480  /usr/bin/ln  cmdline: ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
      - PID 1481  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
        - PID 1482  /usr/bin/ln  cmdline: ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
      - PID 1483  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
        - PID 1484  /usr/bin/ln  cmdline: ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
      - PID 1485  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
        - PID 1486  /usr/bin/ln  cmdline: ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
      - PID 1487  /bin/sh  cmdline: sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
        - PID 1489  /usr/bin/ln  cmdline: ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
      - PID 1492  /bin/sh  cmdline: sh -c /usr/bin/bsd-port/udevd
        - PID 1493  /usr/bin/bsd-port/udevd  cmdline: /usr/bin/bsd-port/udevd
          signatures: Executes dropped EXE; Write file to user bin folder; Checks CPU configuration; Reads system network configuration; Reads runtime system information
          - PID 1497  /bin/sh  cmdline: sh -c "insmod /usr/lib/xpacket.ko"
            - PID 1498  /usr/sbin/insmod  cmdline: insmod /usr/lib/xpacket.ko
              signatures: Reads runtime system information
      - PID 1496  /bin/sh  cmdline: sh -c "mkdir -p /usr/bin/dpkgd"
        - PID 1499  /usr/bin/mkdir  cmdline: mkdir -p /usr/bin/dpkgd
          signatures: Reads runtime system information
      - PID 1500  /bin/sh  cmdline: sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
        - PID 1501  /usr/bin/cp  cmdline: cp -f /bin/lsof /usr/bin/dpkgd/lsof
          signatures: Write file to user bin folder; Reads runtime system information
      - PID 1502  /bin/sh  cmdline: sh -c "mkdir -p /bin"
        - PID 1503  /usr/bin/mkdir  cmdline: mkdir -p /bin
          signatures: Reads runtime system information
      - PID 1506  /bin/sh  cmdline: sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"
        - PID 1507  /usr/bin/cp  cmdline: cp -f /usr/bin/bsd-port/getty /bin/lsof
          signatures: Writes file to system bin folder; Reads runtime system information
      - PID 1508  /bin/sh  cmdline: sh -c "chmod 0755 /bin/lsof"
        - PID 1509  /usr/bin/chmod  cmdline: chmod 0755 /bin/lsof
      - PID 1510  /bin/sh  cmdline: sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
        - PID 1511  /usr/bin/cp  cmdline: cp -f /bin/ps /usr/bin/dpkgd/ps
          signatures: Write file to user bin folder; Reads runtime system information
      - PID 1514  /bin/sh  cmdline: sh -c "mkdir -p /bin"
        - PID 1515  /usr/bin/mkdir  cmdline: mkdir -p /bin
          signatures: Reads runtime system information
      - PID 1516  /bin/sh  cmdline: sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
        - PID 1517  /usr/bin/cp  cmdline: cp -f /usr/bin/bsd-port/getty /bin/ps
          signatures: Writes file to system bin folder; Reads runtime system information
      - PID 1518  /bin/sh  cmdline: sh -c "chmod 0755 /bin/ps"
        - PID 1519  /usr/bin/chmod  cmdline: chmod 0755 /bin/ps
      - PID 1520  /bin/sh  cmdline: sh -c "mkdir -p /usr/bin"
        - PID 1521  /usr/bin/mkdir  cmdline: mkdir -p /usr/bin
          signatures: Reads runtime system information
      - PID 1522  /bin/sh  cmdline: sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
        - PID 1523  /usr/bin/cp  cmdline: cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
          signatures: Write file to user bin folder; Reads runtime system information
      - PID 1524  /bin/sh  cmdline: sh -c "chmod 0755 /usr/bin/lsof"
        - PID 1525  /usr/bin/chmod  cmdline: chmod 0755 /usr/bin/lsof
      - PID 1526  /bin/sh  cmdline: sh -c "mkdir -p /usr/bin"
        - PID 1527  /usr/bin/mkdir  cmdline: mkdir -p /usr/bin
          signatures: Reads runtime system information
      - PID 1528  /bin/sh  cmdline: sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"
        - PID 1529  /usr/bin/cp  cmdline: cp -f /usr/bin/bsd-port/getty /usr/bin/ps
          signatures: Write file to user bin folder; Reads runtime system information
      - PID 1530  /bin/sh  cmdline: sh -c "chmod 0755 /usr/bin/ps"
        - PID 1531  /usr/bin/chmod  cmdline: chmod 0755 /usr/bin/ps
  - PID 1467  /bin/sh  cmdline: sh -c "mkdir -p /etc/ssh"
    - PID 1468  /usr/bin/mkdir  cmdline: mkdir -p /etc/ssh
      signatures: Reads runtime system information
  - PID 1469  /bin/sh  cmdline: sh -c "cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /etc/ssh/sshpa"
    - PID 1470  /usr/bin/cp  cmdline: cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /etc/ssh/sshpa
      signatures: Reads runtime system information
  - PID 1472  /bin/sh  cmdline: sh -c /etc/ssh/sshpa
    - PID 1473  /etc/ssh/sshpa  cmdline: /etc/ssh/sshpa
      signatures: Executes dropped EXE; Reads runtime system information; Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads