Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240508-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
  • submitted
    20-05-2024 07:16

General

  • Target

    5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118

  • Size

    1.3MB

  • MD5

    5dd0958ec75fcf14d16d03b2ec7629d0

  • SHA1

    b72c201d1fb3b239395b1136675760e3a7365111

  • SHA256

    bb6cb684d2845050828adef8e78e6a242ad595064bce60d675d2b240a4ebf87d

  • SHA512

    74bfda790e337735e33d7a1b633369f64cb3ba8df4280213f3d4f6a7cb9dbd73db3f77f305d34cf7868fd3da251a15f152dc7db89091ae8bcf475c1f72535ee4

  • SSDEEP

    24576:yCa8ARRfmnnphS5aczgzKJFVhtwyhOuaX92Io44FbUwaBN6c:ja8AHmnnS5acketwyhO/IE8bUV6c

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies init.d 1 TTPs 2 IoCs

    Adds/modifies system service, likely for persistence.

  • Reads system routing table 1 TTPs 2 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Write file to user bin folder 1 TTPs 9 IoCs
  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Checks CPU configuration 1 TTPs 4 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads system network configuration 1 TTPs 8 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 30 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 9 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
    /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118
    1⤵
    • Modifies init.d
    • Reads system routing table
    • Write file to user bin folder
    • Checks CPU configuration
    • Reads system network configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1400
    • /bin/sh
      sh -c /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
      2⤵
        PID:1442
        • /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
          /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h
          3⤵
          • Executes dropped EXE
          • Reads system routing table
          • Checks CPU configuration
          • Reads system network configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:1443
          • /bin/sh
            sh -c "insmod /usr/lib/xpacket.ko"
            4⤵
              PID:1445
              • /usr/sbin/insmod
                insmod /usr/lib/xpacket.ko
                5⤵
                • Reads runtime system information
                PID:1446
        • /bin/sh
          sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
          2⤵
            PID:1449
            • /usr/bin/ln
              ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
              3⤵
                PID:1450
            • /bin/sh
              sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
              2⤵
                PID:1451
                • /usr/bin/ln
                  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
                  3⤵
                    PID:1452
                • /bin/sh
                  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
                  2⤵
                    PID:1453
                    • /usr/bin/ln
                      ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
                      3⤵
                        PID:1454
                    • /bin/sh
                      sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
                      2⤵
                        PID:1455
                        • /usr/bin/ln
                          ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
                          3⤵
                            PID:1456
                        • /bin/sh
                          sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
                          2⤵
                            PID:1457
                            • /usr/bin/ln
                              ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
                              3⤵
                                PID:1458
                            • /bin/sh
                              sh -c "mkdir -p /usr/bin/bsd-port"
                              2⤵
                                PID:1459
                                • /usr/bin/mkdir
                                  mkdir -p /usr/bin/bsd-port
                                  3⤵
                                  • Reads runtime system information
                                  PID:1460
                              • /bin/sh
                                sh -c "cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /usr/bin/bsd-port/getty"
                                2⤵
                                  PID:1461
                                  • /usr/bin/cp
                                    cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /usr/bin/bsd-port/getty
                                    3⤵
                                    • Write file to user bin folder
                                    • Reads runtime system information
                                    PID:1462
                                • /bin/sh
                                  sh -c /usr/bin/bsd-port/getty
                                  2⤵
                                    PID:1464
                                    • /usr/bin/bsd-port/getty
                                      /usr/bin/bsd-port/getty
                                      3⤵
                                      • Executes dropped EXE
                                      • Modifies init.d
                                      • Write file to user bin folder
                                      • Checks CPU configuration
                                      • Reads system network configuration
                                      • Reads runtime system information
                                      PID:1465
                                      • /bin/sh
                                        sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
                                        4⤵
                                          PID:1479
                                          • /usr/bin/ln
                                            ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
                                            5⤵
                                              PID:1480
                                          • /bin/sh
                                            sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
                                            4⤵
                                              PID:1481
                                              • /usr/bin/ln
                                                ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
                                                5⤵
                                                  PID:1482
                                              • /bin/sh
                                                sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
                                                4⤵
                                                  PID:1483
                                                  • /usr/bin/ln
                                                    ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
                                                    5⤵
                                                      PID:1484
                                                  • /bin/sh
                                                    sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
                                                    4⤵
                                                      PID:1485
                                                      • /usr/bin/ln
                                                        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
                                                        5⤵
                                                          PID:1486
                                                      • /bin/sh
                                                        sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
                                                        4⤵
                                                          PID:1487
                                                          • /usr/bin/ln
                                                            ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
                                                            5⤵
                                                              PID:1489
                                                          • /bin/sh
                                                            sh -c /usr/bin/bsd-port/udevd
                                                            4⤵
                                                              PID:1492
                                                              • /usr/bin/bsd-port/udevd
                                                                /usr/bin/bsd-port/udevd
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Write file to user bin folder
                                                                • Checks CPU configuration
                                                                • Reads system network configuration
                                                                • Reads runtime system information
                                                                PID:1493
                                                                • /bin/sh
                                                                  sh -c "insmod /usr/lib/xpacket.ko"
                                                                  6⤵
                                                                    PID:1497
                                                                    • /usr/sbin/insmod
                                                                      insmod /usr/lib/xpacket.ko
                                                                      7⤵
                                                                      • Reads runtime system information
                                                                      PID:1498
                                                              • /bin/sh
                                                                sh -c "mkdir -p /usr/bin/dpkgd"
                                                                4⤵
                                                                  PID:1496
                                                                  • /usr/bin/mkdir
                                                                    mkdir -p /usr/bin/dpkgd
                                                                    5⤵
                                                                    • Reads runtime system information
                                                                    PID:1499
                                                                • /bin/sh
                                                                  sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
                                                                  4⤵
                                                                    PID:1500
                                                                    • /usr/bin/cp
                                                                      cp -f /bin/lsof /usr/bin/dpkgd/lsof
                                                                      5⤵
                                                                      • Write file to user bin folder
                                                                      • Reads runtime system information
                                                                      PID:1501
                                                                  • /bin/sh
                                                                    sh -c "mkdir -p /bin"
                                                                    4⤵
                                                                      PID:1502
                                                                      • /usr/bin/mkdir
                                                                        mkdir -p /bin
                                                                        5⤵
                                                                        • Reads runtime system information
                                                                        PID:1503
                                                                    • /bin/sh
                                                                      sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"
                                                                      4⤵
                                                                        PID:1506
                                                                        • /usr/bin/cp
                                                                          cp -f /usr/bin/bsd-port/getty /bin/lsof
                                                                          5⤵
                                                                          • Writes file to system bin folder
                                                                          • Reads runtime system information
                                                                          PID:1507
                                                                      • /bin/sh
                                                                        sh -c "chmod 0755 /bin/lsof"
                                                                        4⤵
                                                                          PID:1508
                                                                          • /usr/bin/chmod
                                                                            chmod 0755 /bin/lsof
                                                                            5⤵
                                                                              PID:1509
                                                                          • /bin/sh
                                                                            sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
                                                                            4⤵
                                                                              PID:1510
                                                                              • /usr/bin/cp
                                                                                cp -f /bin/ps /usr/bin/dpkgd/ps
                                                                                5⤵
                                                                                • Write file to user bin folder
                                                                                • Reads runtime system information
                                                                                PID:1511
                                                                            • /bin/sh
                                                                              sh -c "mkdir -p /bin"
                                                                              4⤵
                                                                                PID:1514
                                                                                • /usr/bin/mkdir
                                                                                  mkdir -p /bin
                                                                                  5⤵
                                                                                  • Reads runtime system information
                                                                                  PID:1515
                                                                              • /bin/sh
                                                                                sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
                                                                                4⤵
                                                                                  PID:1516
                                                                                  • /usr/bin/cp
                                                                                    cp -f /usr/bin/bsd-port/getty /bin/ps
                                                                                    5⤵
                                                                                    • Writes file to system bin folder
                                                                                    • Reads runtime system information
                                                                                    PID:1517
                                                                                • /bin/sh
                                                                                  sh -c "chmod 0755 /bin/ps"
                                                                                  4⤵
                                                                                    PID:1518
                                                                                    • /usr/bin/chmod
                                                                                      chmod 0755 /bin/ps
                                                                                      5⤵
                                                                                        PID:1519
                                                                                    • /bin/sh
                                                                                      sh -c "mkdir -p /usr/bin"
                                                                                      4⤵
                                                                                        PID:1520
                                                                                        • /usr/bin/mkdir
                                                                                          mkdir -p /usr/bin
                                                                                          5⤵
                                                                                          • Reads runtime system information
                                                                                          PID:1521
                                                                                      • /bin/sh
                                                                                        sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
                                                                                        4⤵
                                                                                          PID:1522
                                                                                          • /usr/bin/cp
                                                                                            cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
                                                                                            5⤵
                                                                                            • Write file to user bin folder
                                                                                            • Reads runtime system information
                                                                                            PID:1523
                                                                                        • /bin/sh
                                                                                          sh -c "chmod 0755 /usr/bin/lsof"
                                                                                          4⤵
                                                                                            PID:1524
                                                                                            • /usr/bin/chmod
                                                                                              chmod 0755 /usr/bin/lsof
                                                                                              5⤵
                                                                                                PID:1525
                                                                                            • /bin/sh
                                                                                              sh -c "mkdir -p /usr/bin"
                                                                                              4⤵
                                                                                                PID:1526
                                                                                                • /usr/bin/mkdir
                                                                                                  mkdir -p /usr/bin
                                                                                                  5⤵
                                                                                                  • Reads runtime system information
                                                                                                  PID:1527
                                                                                              • /bin/sh
                                                                                                sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"
                                                                                                4⤵
                                                                                                  PID:1528
                                                                                                  • /usr/bin/cp
                                                                                                    cp -f /usr/bin/bsd-port/getty /usr/bin/ps
                                                                                                    5⤵
                                                                                                    • Write file to user bin folder
                                                                                                    • Reads runtime system information
                                                                                                    PID:1529
                                                                                                • /bin/sh
                                                                                                  sh -c "chmod 0755 /usr/bin/ps"
                                                                                                  4⤵
                                                                                                    PID:1530
                                                                                                    • /usr/bin/chmod
                                                                                                      chmod 0755 /usr/bin/ps
                                                                                                      5⤵
                                                                                                        PID:1531
                                                                                                • /bin/sh
                                                                                                  sh -c "mkdir -p /etc/ssh"
                                                                                                  2⤵
                                                                                                    PID:1467
                                                                                                    • /usr/bin/mkdir
                                                                                                      mkdir -p /etc/ssh
                                                                                                      3⤵
                                                                                                      • Reads runtime system information
                                                                                                      PID:1468
                                                                                                  • /bin/sh
                                                                                                    sh -c "cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /etc/ssh/sshpa"
                                                                                                    2⤵
                                                                                                      PID:1469
                                                                                                      • /usr/bin/cp
                                                                                                        cp -f /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118 /etc/ssh/sshpa
                                                                                                        3⤵
                                                                                                        • Reads runtime system information
                                                                                                        PID:1470
                                                                                                    • /bin/sh
                                                                                                      sh -c /etc/ssh/sshpa
                                                                                                      2⤵
                                                                                                        PID:1472
                                                                                                        • /etc/ssh/sshpa
                                                                                                          /etc/ssh/sshpa
                                                                                                          3⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Reads runtime system information
                                                                                                          • Writes file to tmp directory
                                                                                                          PID:1473

                                                                                                    Network

                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                    Replay Monitor

                                                                                                    Loading Replay Monitor...

                                                                                                    Downloads

                                                                                                    • /etc/init.d/DbSecuritySpt

                                                                                                      Filesize

                                                                                                      64B

                                                                                                      MD5

                                                                                                      0d18626dc1370fb69a3dcadbdb62af33

                                                                                                      SHA1

                                                                                                      4253c6aaeaeee1d6c706f24fc2a5124a4a119a3a

                                                                                                      SHA256

                                                                                                      72a6861b01758fdb3b00ea9652e6336a4c24ec198bd0bb9ab683e90c6afb7b41

                                                                                                      SHA512

                                                                                                      3a7e3376a0fb8f4ccdc1107c8f69b6c7f04bf8fa6d3e0a441c8fe8626be0a294cd3da3512a59038df20b3bbff097adf67f6b54c955532d6953bf2b977494469b

                                                                                                    • /etc/init.d/selinux

                                                                                                      Filesize

                                                                                                      36B

                                                                                                      MD5

                                                                                                      993cc15058142d96c3daf7852c3d5ee8

                                                                                                      SHA1

                                                                                                      0950b8b391b04dd3895ea33cd3141543ebd2525d

                                                                                                      SHA256

                                                                                                      8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

                                                                                                      SHA512

                                                                                                      0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

                                                                                                    • /tmp/5dd0958ec75fcf14d16d03b2ec7629d0_JaffaCakes118h

                                                                                                      Filesize

                                                                                                      345KB

                                                                                                      MD5

                                                                                                      ba0fe97c515fad8562417fed51763a26

                                                                                                      SHA1

                                                                                                      9127171c177261ccc5745715223d51d8553be510

                                                                                                      SHA256

                                                                                                      e20cdd06a09e352ec1037385f226ec1c5ad2248d539a91e0f9f2a81c2609d7b8

                                                                                                      SHA512

                                                                                                      4c5464dbcaea48440c6469ef51d289951df5ad395bee4e66c41173760400e4136e2229820c673f0e897277bb27aa915ab1dc0d3b3d482ce3efef5325548271b4

                                                                                                    • /tmp/bill.lock

                                                                                                      Filesize

                                                                                                      4B

                                                                                                      MD5

                                                                                                      afe434653a898da20044041262b3ac74

                                                                                                      SHA1

                                                                                                      ee176776f84a8e7eb91c3560943535558748ab9e

                                                                                                      SHA256

                                                                                                      2315bd64e75a346541681575e5b227059bc726907f5a5b893505b648a3062e77

                                                                                                      SHA512

                                                                                                      fe563a8a3e842094a20ab2263438dedd05cf2b347a0e541a4198a855514788fe8a3c1ddfdaf6af76a554da878694296b74e7cbe75eaf4a94111cde51299c9faf

                                                                                                    • /tmp/gates.lock

                                                                                                      Filesize

                                                                                                      4B

                                                                                                      MD5

                                                                                                      9701a1c165dd9420816bfec5edd6c2b1

                                                                                                      SHA1

                                                                                                      e4b5a2b01ee1b51b2d17a165855b43c142d822c4

                                                                                                      SHA256

                                                                                                      afd679cd3f9a81fd9ce02e6434a24f848937f09909fabcc3b3781e06036e284c

                                                                                                      SHA512

                                                                                                      f4596df70f72dc79c62da6b3a8af26ff242ae224525a1e241006735ddc8b04bf95c59b03bf095873e1fcfa28a68029146a9f8f66ddf0198710448b385eb1721c

                                                                                                    • /tmp/moni.lock

                                                                                                      Filesize

                                                                                                      4B

                                                                                                      MD5

                                                                                                      7d6044e95a16761171b130dcb476a43e

                                                                                                      SHA1

                                                                                                      fcd8b5b9ecb89e65d56504f6f6cfe82eed26887e

                                                                                                      SHA256

                                                                                                      3a047b4a81effb2caf23b20df833b025335658cf85b97b02138786ff6301be36

                                                                                                      SHA512

                                                                                                      9a56f289b19b3466787c937bcb7e1b83668939aa733c0baac5c10afaa3ef1c4a676defb299db217aa7089747fd788fe49acdf48a563489efa1f4df5b1630777b

                                                                                                    • /tmp/notify.file

                                                                                                      Filesize

                                                                                                      51B

                                                                                                      MD5

                                                                                                      fbf63607cb2541b33889789656aff149

                                                                                                      SHA1

                                                                                                      824a5166c2daec99b7ecb9aff8ba86866527cb09

                                                                                                      SHA256

                                                                                                      ff21aac2d30e7b2704e7d504629a879797fc3faa9a0da014e06e831305092f7b

                                                                                                      SHA512

                                                                                                      bc9cae6409a0b2d4ee0019b7d2bb34c28b9691dcf45c42fb70d505c8846b2caac9eb091427dd52d34641eb476d7f9f0e491e63cc5e513779f22cb356fd19da54

                                                                                                    • /usr/bin/bsd-port/getty

                                                                                                      Filesize

                                                                                                      1.3MB

                                                                                                      MD5

                                                                                                      5dd0958ec75fcf14d16d03b2ec7629d0

                                                                                                      SHA1

                                                                                                      b72c201d1fb3b239395b1136675760e3a7365111

                                                                                                      SHA256

                                                                                                      bb6cb684d2845050828adef8e78e6a242ad595064bce60d675d2b240a4ebf87d

                                                                                                      SHA512

                                                                                                      74bfda790e337735e33d7a1b633369f64cb3ba8df4280213f3d4f6a7cb9dbd73db3f77f305d34cf7868fd3da251a15f152dc7db89091ae8bcf475c1f72535ee4

                                                                                                    • /usr/bin/dpkgd/lsof

                                                                                                      Filesize

                                                                                                      171KB

                                                                                                      MD5

                                                                                                      061386937ec7acf924438a2643a32be0

                                                                                                      SHA1

                                                                                                      01a044b9e58839bea3e58c66cb32acc16241bf91

                                                                                                      SHA256

                                                                                                      8a26bbae9eb85aa98ef29cfe5b0a291234db6eb394c3e0c2841983dcf7dda959

                                                                                                      SHA512

                                                                                                      2de2e56ac4c32f47b4a1945ccfb0db378e6d59019ee8004e3e5d2ec8935efb5aa8ee14b8a0b21c61a267e195d42a3232a6dcade8720de06118fd579277f59db7

                                                                                                    • /usr/bin/dpkgd/ps

                                                                                                      Filesize

                                                                                                      134KB

                                                                                                      MD5

                                                                                                      d194576b899af45b1d2a448612ec21e5

                                                                                                      SHA1

                                                                                                      492f7d8f28cd4397ce22fcf0d8bf3304ea93465a

                                                                                                      SHA256

                                                                                                      a8cf81f3a1137c999c3cf336507ce120b3065e633ade01db6280d427b7d986ca

                                                                                                      SHA512

                                                                                                      b323babd9580b91772cde29c9f22ae75b27f5ce8ce0268a48ca41713c3545dd72409932a5c48f6af66ac6e43127eb5461d1f686bd667fa1b0e56a1564db3c539

                                                                                                    • memory/1443-1-0x0000000008048000-0x0000000008112c2c-memory.dmp

                                                                                                    • memory/1493-2-0x0000000008048000-0x0000000008112c2c-memory.dmp