90be418508dffa4910e0fd27fd29627260bb3fab2147344c624f99c51fd56404

Analysis

max time kernel
18s
max time network
21s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
27-06-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15c7b600329249a4895395e61a9a88fe_JaffaCakes118
Size

1KB
MD5

15c7b600329249a4895395e61a9a88fe
SHA1

9b0ea0243e1c9b94847c11f7b444122d41740a58
SHA256

90be418508dffa4910e0fd27fd29627260bb3fab2147344c624f99c51fd56404
SHA512

5cec126597949a66c1bb4a7c92a96f0d48b4b4db1557848692179bd09ba065c6a9e1d4d17335cf967489f0d853a03568dbf208af60e17eafc3931ca3ac9fc04d

Score

4^/10

antivm

Malware Config

Signatures

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

cat

description ioc process

File opened for reading /proc/cpuinfo cat

description	ioc	process
File opened for reading	/proc/cpuinfo	cat

Reads CPU attributes 1 TTPs 4 IoCs

System Information Discovery

T1082

Processes:

exim4uptimefreeexim4

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	uptime
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

uptimefreesendmailexim4df

description	ioc	process
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/uptime	uptime
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/filesystems	free
File opened for reading	/proc/meminfo	free
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	exim4
File opened for reading	/proc/filesystems	uptime
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/self/mountinfo	df

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

mail15c7b600329249a4895395e61a9a88fe_JaffaCakes118

description	ioc	process
File opened for modification	/tmp/muMv7q9y	mail
File opened for modification	/tmp/info2	15c7b600329249a4895395e61a9a88fe_JaffaCakes118
File opened for modification	/tmp/mu0nxEma	mail

/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118
/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:646
- /bin/uname
  uname -a
  2⤵
  PID:648
- /sbin/ifconfig
  /sbin/ifconfig
  2⤵
  PID:653
- /bin/grep
  grep inet
  2⤵
  PID:654
- /usr/bin/uptime
  uptime
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:659
- /bin/cat
  cat /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:662
- /bin/cat
  cat /etc/passwd
  2⤵
  PID:664
- /bin/cat
  cat /etc/shadow
  2⤵
  PID:666
- /bin/df
  df -h
  2⤵
  - Reads runtime system information
  PID:668
- /usr/bin/free
  free
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:671
- /bin/ping
  ping -c 2 216.115.108.245
  2⤵
  PID:673
- /bin/cat
  cat /etc/hosts
  2⤵
  PID:678
- /bin/sleep
  sleep 5
  2⤵
  PID:680
- /bin/cat
  cat info2
  2⤵
  PID:698
- /bin/uname
  uname -a
  2⤵
  PID:700
- /usr/bin/mail
  mail -s "Linux debian9-armhf-20240611-en-7 4.9.0-13-armmp-lpae #1 SMP Debian 4.9.228-1 (2020-07-05) armv7l GNU/Linux" "[email protected]"
  2⤵
  - Writes file to tmp directory
  PID:699
- - /usr/sbin/sendmail
    /usr/sbin/sendmail -oi -f "root@debian9-armhf-20240611-en-7" -t
    3⤵
    - Reads runtime system information
    PID:707
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sMl9o-0000BP-2E
      4⤵
      Reads CPU attributes
      PID:713
    - - /usr/sbin/exim4
        
        /usr/sbin/exim4 -t -oem -oi -f "<>" -E1sMl9o-0000BP-2E
        5⤵
        Reads runtime system information
        
        PID:722
      - /usr/sbin/exim4
        
        /usr/sbin/exim4 -Mc 1sMl9r-0000Be-Ow
        6⤵
        Reads CPU attributes
        
        PID:729
- /bin/sleep
  sleep 5
  2⤵
  PID:715

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/info2

Filesize
4B

MD5
2bb6aed5111ef9726bcf6eef982ff32b

SHA1
4d49d894436449e792b0cdf8522584065b298c90

SHA256
e5e61fed291cefe8bd2c2b895b3001e679931c3d93f3597fb5e27b5bcae8f825

SHA512
5c0aa37c6fa67edf72abdd2f7789538d0a2c12a1fec2dc575ee1df3c1874a4bda33259b3b60127ef4365410d85c742a0fb463f920b99c30863ff3c502494b3bf

Download Submit
/tmp/info2

Filesize
112B

MD5
903670a38483b980318f98b150af5e7e

SHA1
d9b2a72f60d7cd0aa21eab4dc978be181ea241ae

SHA256
93fe87fb401dedd150de8622a5422e07f50d2113d1637da87160399e917fbc96

SHA512
98d0477745e111563325df8254a95a7e1305522e6daf659791ad157eeb4ab949d883f95a12b3c9ef390ad2f746050539d535ad433d82c8dbb29913d56c3c4d3e

Download Submit
/tmp/info2

Filesize
116B

MD5
88d609b25a8d9c552cb539261483f936

SHA1
ede078695f97bf559efbf3d4c86776c2037315c2

SHA256
03153481a83245ce82a3b3ecf76684446d129ae759fe91d154ebaa6b87ce606d

SHA512
196fc9f706a4a1a3fe7b55525a44ecbb511d7074a0d6a5e310474049e17df6e40e450a8c70de6e16ee196d29f7a84bc9360e5d1dc30cb87c1605e9f127c9c6ab

Download Submit
/tmp/info2

Filesize
117B

MD5
6bccf5861b3d60ff36a794f0b9c90898

SHA1
65b6ed091dda6e7ec7e3ca3646880d018751e2ca

SHA256
4a31dab07ccaafacfad98c186640e2e4c86af6b96d10818732af23924731437a

SHA512
afcf7b5a76ad39de053e82bd4bbe39bac370641a86593a10f103c2d9237d39697d3e87893c5578eef6ed0d594016fc0eedcb9189b3db2ef89f4c73866dbedf48

Download Submit
/tmp/info2

Filesize
131B

MD5
e8cf5823d4b3e8f453cfae1dc1e343ed

SHA1
b277cad63e1daec54027bca427be63713742e646

SHA256
8aeb6b0cdaa39af408d33a71784981cf1be5e251b1817af3d5f169798be77d94

SHA512
001d2e7f43322802c9f2bc6ae633a3e8f6703a8247e30ac91c7c2e62ff4c3839befe24d458c885ab81c65f555057733e2bb9e80e17c0a31f99be3d3d03e4dc19

Download Submit
/tmp/info2

Filesize
3KB

MD5
7289e35b3777e55732c7832cd79a196a

SHA1
bd5d2ed181de9ecbfa8863e379743772b8467c23

SHA256
38272b344be7cc003a9535e0bcd4e3fa520997e7363168468e0e598e8f9d149b

SHA512
dbcab41ed6b7ac1277b5e5f153876bb4a406ea829d884ba1ba4c386c6981148ae6a9615e951d885721fdae1fc58ab82c4e46dd0611959ad2a188e5f524c57f51

Download Submit
/var/mail/user

Filesize
5KB

MD5
4275f4ffb87a044f6315d870df0b37a3

SHA1
b71f04a5f73286bba95e04b4a488b2cb5e4118c4

SHA256
a61118165453514b76f7a1f175500d55a7382a0d24d34dac715b198986443f72

SHA512
2f87fc51fc1a504769be18c6269170901f06e82d304723a2edcd5676d7d5d676e98c26168972bdec6fc53b1cd6fe3d52e3152626325a2612550bdb615fe12266

Download Submit
/var/spool/exim4/input/1sMl9o-0000BP-2E-D

Filesize
3KB

MD5
252e90165600b216897520af4651d365

SHA1
e7c3d7d22a455c6b4be3da584df8c464017349d7

SHA256
bae03c9507e59c15c707124b7317d6f27b932ea2d68e878aec0295069e825138

SHA512
04d0a8dc3c8c0146e2c630499f93d90fa13afba1cb739f4d96b9c116d5f5e9d07ff275317bb6a3aa9af5c7228a99f00481ae757509b9212732dc8419d1405e09

Download Submit
/var/spool/exim4/input/1sMl9r-0000Be-Ow-D

Filesize
4KB

MD5
44e43453150ae4e9261ebecfd33dc5bf

SHA1
73fff7b9ff889747216ee28d4c46ca6a01df2cce

SHA256
da736bd8e4c48a02bb65e0e5939088f2c27d6b94e89d8b257d2ace187ad63dc8

SHA512
67ca65ab0621c3d6731931c0eec0326897b9661a837c3f5bb797c4a39d346f4942212d02bad93f74e81b79d94f8d09da0565746b647cffee573855358b34028d

Download Submit
/var/spool/exim4/input/1sMl9r-0000Be-Ow-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.707

Filesize
822B

MD5
9c5dee6e7563e37f484ccf907157edda

SHA1
8a681af6a7489a07bac173eb20f130ddfe411807

SHA256
8f26da4161c54fdf411dd0602b4b3da166bd30e62219f8e654034e3ca4ae09ca

SHA512
674d4ca5f963dd95b3fb97f2a076088e6e043c70001b49a99c77fea25bf7a77823a854f2f20d1be5817c8ea3de8d74fcb9c5a91efb6f21afc13ba9508d0bdc3f

Download Submit
/var/spool/exim4/input/hdr.713

Filesize
843B

MD5
6f6a7c6c332a08ab6c982acdf34117f4

SHA1
03e8c95d020a9f6ec81b1838caf656fc7154e26a

SHA256
fbd687a45d5d3d545f24d4651f334327ac33eb4e39e31f149a8c076eb36a735d

SHA512
a0be90e8ec23963268f29ed89ca44a74eedeef440802009111169847f9cb852052b264b2f0a55c396732aee907e1473c0c8e65d5a8e2ef202a84281f7985825e

Download Submit
/var/spool/exim4/input/hdr.722

Filesize
951B

MD5
79c9a7ba4c3d1c644772cb3842d75248

SHA1
1ead640a1d571c30b7f6ae076f238f9e8c134405

SHA256
7a8ac66d9cb22a7838421613dbb65e69c43914fe68e1aba6282c6f354db4e4cc

SHA512
a8841db8a238a9c525253f0b9a269c10264278c172d9b5f8bd4a6fc662850c13ece3b555d3996692e94215d4dd8f93b9a647c41052ff3576f8e7017b1d75f567

Download Submit
/var/spool/exim4/msglog/1sMl9o-0000BP-2E

Filesize
89B

MD5
8608aa6c39c516a1b3dbe2ce47801e1a

SHA1
fd0b1152dd65f80e190577824d5b9cee7ff2a7d6

SHA256
e9b1052de7904483433f1d3175ebaebc5ae46be8fcf3cb9dea2ce616035e1c59

SHA512
d67b34370cabd108d4cf88fe0afcdfdaeae480693729374228e915a1cd781e3b41d964e76e76a916d993d2560dc3a17b10a0fe9d50fb05418293b03405bee734

Download Submit
/var/spool/exim4/msglog/1sMl9o-0000BP-2E

Filesize
182B

MD5
b2e0e175bb592a71f906ce85f1b0c777

SHA1
76ac787566330e04cff1f37c24d7ca816790b7ed

SHA256
4cd942bbe021a0d12194269980962e9421099503fe47385123755e9c7356758d

SHA512
5066df3ec71822928c51f750fda681cd8a504e4e329166ae1f171c708bc552df39e1746ed7a01e3e27a4b6dfc952562afe55d2f4cc57d97fac8a1eea608060fc

Download Submit
/var/spool/exim4/msglog/1sMl9r-0000Be-Ow

Filesize
85B

MD5
0c05b6c2476107483ffeefeef603d247

SHA1
3eb339f9c6bcabfbf969d002d234474001fbe604

SHA256
53b1be03c1c48c27c05a9984b6150eefa970a93e40d0225e3d6a9b6404d7e267

SHA512
7404c2e39887c7b39cc03983f90caa3b8eb7e578d2206d21d170fcd2aa6a0951788bc7ffc5631ed9beb34985861fbdfea63b3e473f73775367dd734fdd87d15d

Download Submit
/var/spool/exim4/msglog/1sMl9r-0000Be-Ow

Filesize
282B

MD5
349f43aeee342f44d53f7268d8a96269

SHA1
737b1f30b9c7e72f20411996dbfab05ad0c258cf

SHA256
37f4959f2c9ba4116f2949ea3da25e065a7cf7bb76de82ab85249e1f51106925

SHA512
590e87f2871a419cee80fb9f25d4180ef1076d0b41c6f253c4fdbd82df48b1bf87674a8de1edca97037e8be37cb4d6d8541642099a23ae3434ac8c40b2f5a47a

Download Submit