5db035748dfe4e98c21333ffe337e15cd4d8ae517fe69d18932a34951e27c8ac

Analysis

max time kernel
17s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
10-07-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32a30f66357df628722b04a97de6a145_JaffaCakes118
Size

30KB
MD5

32a30f66357df628722b04a97de6a145
SHA1

381e82ee576e535463f4917dcf4d0ddb1bce5be2
SHA256

5db035748dfe4e98c21333ffe337e15cd4d8ae517fe69d18932a34951e27c8ac
SHA512

2eba41598a178936eb2ada59bdda10e532d55e157fb573d1f011d0ae0c2c9247c71b1bf86990f32a50e38fa19426283cb11a314568475a1b41db4a34d677772e
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKU:p78zQ5VFNcDAFLcIwgnoYq0xFBVdHt7n

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
685	iptables

Attempts to change immutable files 37 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
721	xargs
727	xargs
745	xargs
793	xargs
825	xargs
829	xargs
674	chattr
677	chattr
716	grep
757	xargs
781	xargs
811	xargs
683	chattr
733	xargs
769	xargs
702	chattr
739	xargs
787	xargs
751	xargs
817	xargs
821	xargs
841	xargs
887	xargs
799	xargs
819	xargs
823	xargs
848	xargs
862	xargs
676	chattr
704	chattr
763	xargs
805	xargs
896	xargs
711	grep
775	xargs
827	xargs
875	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 10 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/291/cmdline	ps
File opened for reading	/proc/138/cmdline	pkill
File opened for reading	/proc/152/cmdline	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/112/stat	ps
File opened for reading	/proc/624/status	pkill
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/603/stat	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/623/stat	ps
File opened for reading	/proc/164/status	pkill
File opened for reading	/proc/306/status	pkill
File opened for reading	/proc/662/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/281/stat	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/113/stat	ps
File opened for reading	/proc/320/cmdline	ps
File opened for reading	/proc/854/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/112/status	ps
File opened for reading	/proc/25/cmdline	ps
File opened for reading	/proc/671/status	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/141/cmdline	pkill
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/838/stat	ps
File opened for reading	/proc/679/cmdline	ps
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/152/stat	ps
File opened for reading	/proc/329/cmdline	pkill
File opened for reading	/proc/661/stat	ps
File opened for reading	/proc/850/cmdline	ps
File opened for reading	/proc/879/stat	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/661/status	pkill
File opened for reading	/proc/110/cmdline	pkill
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/288/stat	ps
File opened for reading	/proc/715/status	ps
File opened for reading	/proc/668/status	pkill
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/713/cmdline	ps
File opened for reading	/proc/623/cmdline	pkill
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/678/stat	ps
File opened for reading	/proc/112/stat	ps
File opened for reading	/proc/875/cmdline	ps
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/329/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/667/status	pkill
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/27/status	ps
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/678/status	ps
File opened for reading	/proc/5/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	32a30f66357df628722b04a97de6a145_JaffaCakes118

/tmp/32a30f66357df628722b04a97de6a145_JaffaCakes118
/tmp/32a30f66357df628722b04a97de6a145_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:670
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:672
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:674
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:676
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:677
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:683
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:685
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:691
- /usr/sbin/userdel
  userdel akay
  2⤵
  - Reads runtime system information
  PID:697
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:701
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:702
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:704
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:706
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:707
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:709
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:710
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:711
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:716
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:715
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:719
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:720
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:718
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:721
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:725
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:724
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:726
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:727
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:730
- /bin/grep
  grep :143
  2⤵
  PID:729
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:731
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:733
- /bin/grep
  grep -v -
  2⤵
  PID:732
- /bin/grep
  grep :2222
  2⤵
  PID:735
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:736
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:737
- /bin/grep
  grep -v -
  2⤵
  PID:738
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:739
- /bin/grep
  grep :3333
  2⤵
  PID:741
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:742
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:743
- /bin/grep
  grep -v -
  2⤵
  PID:744
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:745
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:748
- /bin/grep
  grep :3389
  2⤵
  PID:747
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:749
- /bin/grep
  grep -v -
  2⤵
  PID:750
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:751
- /bin/grep
  grep :4444
  2⤵
  PID:753
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:754
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:755
- /bin/grep
  grep -v -
  2⤵
  PID:756
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:757
- /bin/grep
  grep :5555
  2⤵
  PID:759
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:760
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:761
- /bin/grep
  grep -v -
  2⤵
  PID:762
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:763
- /bin/grep
  grep :6666
  2⤵
  PID:765
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:766
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:767
- /bin/grep
  grep -v -
  2⤵
  PID:768
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:769
- /bin/grep
  grep :6665
  2⤵
  PID:771
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:772
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:773
- /bin/grep
  grep -v -
  2⤵
  PID:774
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:775
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:778
- /bin/grep
  grep :6667
  2⤵
  PID:777
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:779
- /bin/grep
  grep -v -
  2⤵
  PID:780
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:781
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:784
- /bin/grep
  grep :7777
  2⤵
  PID:783
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:785
- /bin/grep
  grep -v -
  2⤵
  PID:786
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:787
- /bin/grep
  grep :8444
  2⤵
  PID:789
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:790
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:791
- /bin/grep
  grep -v -
  2⤵
  PID:792
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:793
- /bin/grep
  grep :3347
  2⤵
  PID:795
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:796
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:797
- /bin/grep
  grep -v -
  2⤵
  PID:798
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:799
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:802
- /bin/grep
  grep :14444
  2⤵
  PID:801
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:803
- /bin/grep
  grep -v -
  2⤵
  PID:804
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:805
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:808
- /bin/grep
  grep :14433
  2⤵
  PID:807
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:809
- /bin/grep
  grep -v -
  2⤵
  PID:810
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:811
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:814
- /bin/grep
  grep :13531
  2⤵
  PID:813
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:815
- /bin/grep
  grep -v -
  2⤵
  PID:816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:817
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:819
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:818
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:821
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:820
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:823
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:822
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:825
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:824
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:827
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:826
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:829
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:828
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:830
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:832
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:841
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:840
- /bin/grep
  grep -v grep
  2⤵
  PID:839
- /bin/grep
  grep ./oka
  2⤵
  PID:838
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:837
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:848
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:847
- /bin/grep
  grep -v grep
  2⤵
  PID:846
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:845
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:844
- /bin/grep
  grep -v bin
  2⤵
  PID:853
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:851
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:852
- /bin/grep
  grep -v "\\["
  2⤵
  PID:854
- /bin/grep
  grep -v "("
  2⤵
  PID:855
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:856
- /bin/grep
  grep -v proxymap
  2⤵
  PID:857
- /bin/grep
  grep -v postgres
  2⤵
  PID:858
- /bin/grep
  grep -v postgrey
  2⤵
  PID:859
- /bin/grep
  grep -v kinsing
  2⤵
  PID:860
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:861
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:862
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  - Reads runtime system information
  PID:866
- /bin/grep
  grep -v bin
  2⤵
  PID:867
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:865
- /bin/grep
  grep -v "\\["
  2⤵
  PID:868
- /bin/grep
  grep -v "("
  2⤵
  PID:869
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:870
- /bin/grep
  grep -v proxymap
  2⤵
  PID:871
- /bin/grep
  grep -v postgres
  2⤵
  PID:872
- /bin/grep
  grep -v postgrey
  2⤵
  PID:873
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:874
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:875
- /bin/grep
  grep -v bin
  2⤵
  PID:879
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:878
- /bin/grep
  grep -v "\\["
  2⤵
  PID:880
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:877
- /bin/grep
  grep -v "("
  2⤵
  PID:881
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:882
- /bin/grep
  grep -v proxymap
  2⤵
  PID:883
- /bin/grep
  grep -v postgres
  2⤵
  PID:884
- /bin/grep
  grep -v postgrey
  2⤵
  PID:885
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:886
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:887
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:894
- /bin/ps
  ps aux
  2⤵
  PID:892
- /bin/grep
  grep -v grep
  2⤵
  PID:893
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:895
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit