Analysis
- max time kernel: 0s
- max time network: 131s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 16-06-2024 23:43
Static task: static1
Behavioral task: behavioral1
- Sample: b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118
- Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
- Sample: b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118
- Resource: debian9-armhf-20240418-en
Behavioral task: behavioral3
- Sample: b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118
- Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
- Sample: b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118
- Resource: debian9-mipsel-20240611-en
General
- Target: b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118
- Size: 1KB
- MD5: b5cd35d83aa5cc3634567ce7908a98ff
- SHA1: 6a70cc544133210fbfa3785076da3f972a75f3b5
- SHA256: 1e92da3f3107469f9830f8551affa8b028a67af43e75c8aaedd59b646c5e8251
- SHA512: a0c697e6e4edeae75e96469ca554bd14b732f112ed6fe00ce36246491198ee7fe1bf8d84c84275c288b89b7f2b4557a178a815f25d389a24aee02f1671253997
Malware Config
Signatures
- Executes dropped EXE (10 IoCs)
  Processes:
  ioc | pid | process
  /tmp/zantari32 | 1469 | zantari32
  /tmp/zantari32 | 1474 | zantari32
  /tmp/zantari32 | 1479 | zantari32
  /tmp/zantari32 | 1484 | zantari32
  /tmp/zantari32 | 1489 | zantari32
  /tmp/zantari32 | 1494 | zantari32
  /tmp/zantari32 | 1499 | zantari32
  /tmp/zantari32 | 1504 | zantari32
  /tmp/zantari32 | 1509 | zantari32
  /tmp/zantari32 | 1514 | zantari32
- Reads runtime system information (1 IoC)
  Reads data from /proc virtual filesystem.
  Processes:
  description | ioc | process
  File opened for reading | /proc/filesystems | cp
- Writes file to tmp directory (2 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
  description | ioc | process
  File opened for modification | /tmp/busybox | cp
  File opened for modification | /tmp/zantari32 | b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118
Processes
- /tmp/b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 (PID 1464)
  Command line: /tmp/b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118
  Signatures: Writes file to tmp directory
  - /bin/cp (PID 1465)
    Command line: cp /bin/busybox /tmp/
    Signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/cat (PID 1467)
    Command line: cat zantari.x86
  - /bin/chmod (PID 1468)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1469)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1472)
    Command line: cat zantari.mips
  - /bin/chmod (PID 1473)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1474)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1477)
    Command line: cat zantari.mpsl
  - /bin/chmod (PID 1478)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1479)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1482)
    Command line: cat zantari.arm4
  - /bin/chmod (PID 1483)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1484)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1487)
    Command line: cat zantari.arm5
  - /bin/chmod (PID 1488)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1489)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1492)
    Command line: cat zantari.arm6
  - /bin/chmod (PID 1493)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1494)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1497)
    Command line: cat zantari.arm7
  - /bin/chmod (PID 1498)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1499)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1502)
    Command line: cat zantari.ppc
  - /bin/chmod (PID 1503)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1504)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1507)
    Command line: cat zantari.m68k
  - /bin/chmod (PID 1508)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1509)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
  - /bin/cat (PID 1512)
    Command line: cat zantari.sh4
  - /bin/chmod (PID 1513)
    Command line: chmod +x b5cd35d83aa5cc3634567ce7908a98ff_JaffaCakes118 busybox config-err-KaZKo5 netplan_shzgbutu snap-private-tmp ssh-DJAIfF5vDuSn systemd-private-405cfb5ad6264ab195f9c96db16d9d87-bolt.service-TbhmLP systemd-private-405cfb5ad6264ab195f9c96db16d9d87-colord.service-Zm2MHU systemd-private-405cfb5ad6264ab195f9c96db16d9d87-ModemManager.service-byjNAE systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-resolved.service-9DiRy3 systemd-private-405cfb5ad6264ab195f9c96db16d9d87-systemd-timedated.service-BTz1IL zantari32
  - /tmp/zantari32 (PID 1514)
    Command line: ./zantari32 ssh
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.0MB
  MD5: b4dede5fc0b1bad5cb8e901bde126b97
  SHA1: 10cbe9a418ad84a1ed297948539d37aeb58dd810
  SHA256: a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020
  SHA512: 45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6