Analysis

max time kernel: 149s
max time network: 148s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240729-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 27-07-2024 21:59

Static task: static1
Behavioral task: behavioral1
Sample: 012f908e1c651d794e47178fa27a540c_JaffaCakes118
Resource: ubuntu2204-amd64-20240729-en
General

Target: 012f908e1c651d794e47178fa27a540c_JaffaCakes118
Size: 2.3MB
MD5: 012f908e1c651d794e47178fa27a540c
SHA1: faf4ee0b07020a0940c822d609d57977fb5707bb
SHA256: 3999afa4fac1040d414538ee7e5f4f4ec1678f28beb4a0445155b55bbd491cc4
SHA512: 02adeeefd4b3c937f5704bcbe208e99376a7f1f6410314301bf5320f24b72b18fc1e84aca433549281a3f4575a0d213957d66679d1a4d678d9095b97de20ecf2
SSDEEP: 49152:FcXS0KUlIx32lkpQmQkpfb4Zs7SLGHrWu9Paue/gr/S+iGonw3Eb0Q4eHJHme6V4:FcXS1UlIx32lk7pfb4Zs7SL7J1A/SMo9
Malware Config
Signatures

Deletes itself (2 IoCs)
Processes:
- pid 1517, process freeBSD
- pid 1520, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118a

Executes dropped EXE (3 IoCs)
Processes:
- ioc /tmp/freeBSD, pid 1517, process freeBSD
- ioc /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a, pid 1520, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118a
- ioc /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118, pid 1521, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118

Checks CPU configuration (1 TTP, 1 IoC)
Checks CPU information that can indicate whether the system is a virtual machine.
Processes:
- File opened for reading /proc/cpuinfo, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118

Reads system network configuration (1 TTP, 1 IoC)
Uses contents of the /proc filesystem to enumerate network settings.
Processes:
- File opened for reading /proc/net/dev, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118

Reads runtime system information (5 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
- File opened for reading /proc/filesystems, process cp
- File opened for reading /proc/filesystems, process cp
- File opened for reading /proc/sys/kernel/version, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118
- File opened for reading /proc/stat, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118
- File opened for reading /proc/filesystems, process cp

Writes file to tmp directory (5 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
- File opened for modification /tmp/freeBSD, process cp
- File opened for modification /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a, process cp
- File opened for modification /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118a
- File opened for modification /tmp/fake.cfg, process 012f908e1c651d794e47178fa27a540c_JaffaCakes118
- File opened for modification /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118, process cp
Processes

/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118
  command line: /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118
  PID:1514
  /bin/sh
    command line: sh -c "cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/freeBSD"
    PID:1515
    /usr/bin/cp
      command line: cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/freeBSD
      - Reads runtime system information
      - Writes file to tmp directory
      PID:1516
  /bin/sh
    command line: sh -c "cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a"
    PID:1518
    /usr/bin/cp
      command line: cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a
      - Reads runtime system information
      - Writes file to tmp directory
      PID:1519
  /tmp/freeBSD
    command line: /tmp/freeBSD /tmp/freeBSD 1
    - Deletes itself
    - Executes dropped EXE
    PID:1517

/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a
  command line: /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118
  - Deletes itself
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1520
  /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118
    - Executes dropped EXE
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1521
  /bin/sh
    command line: sh -c "cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118"
    PID:1527
    /usr/bin/cp
      command line: cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118
      - Reads runtime system information
      - Writes file to tmp directory
      PID:1528
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.3MB
MD5: d449ecaae747f7cd27adfe47358b366b
SHA1: 7bc8908a7fa02b525df54b8c8236ae744d56bf60
SHA256: ef2943942946fbfd4ce4852f4e1ac443e75f6575f71f7a94a853cfb142ec970d
SHA512: 2b6ecf953e59b0c0ff0ab19f9a146707bce82258db26b380ed5775b18b542e4e67dcc1bfb24587619a04ff2dc660f284b1dc43ab84adae54df307dedd58e42d0

Filesize: 2.3MB
MD5: 012f908e1c651d794e47178fa27a540c
SHA1: faf4ee0b07020a0940c822d609d57977fb5707bb
SHA256: 3999afa4fac1040d414538ee7e5f4f4ec1678f28beb4a0445155b55bbd491cc4
SHA512: 02adeeefd4b3c937f5704bcbe208e99376a7f1f6410314301bf5320f24b72b18fc1e84aca433549281a3f4575a0d213957d66679d1a4d678d9095b97de20ecf2