Analysis
-
max time kernel
149s -
max time network
147s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240729-en -
resource tags
-
submitted
28-07-2024 23:36
General
-
Target
2b404255f46cc50edb66b11d3c559636_JaffaCakes118
-
Size
57KB
-
MD5
2b404255f46cc50edb66b11d3c559636
-
SHA1
149d024cd07e346b9bc983153ccd544997efa77a
-
SHA256
594a4bc0f819e60976e43139ae1f09259a87c5c014e1bfde62efabe34997beb7
-
SHA512
6ff44170d0b610d3ffa2b8c61b2cc70b68b856b1d8b065e77299c49e8e0f6d6cb9b06a37325332b8c330ff7405bbc5ebd64824b67018b4247f3ef16e16c05047
-
SSDEEP
1536:/oo48wXR5lvyN76/KTRAjDSzEhVcuqqBW:AopwXR55+6STzsV7vBW
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes118/tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes1181⤵
-
/bin/shsh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /var/run/tty0 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /var/run/tty6 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /tmp/tty0 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /tmp/tty6 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 arm > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 mips > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 mipsel > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 powerpc > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 ppc > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"2⤵
-
/bin/catcat "/tmp/.xs/*.pid"3⤵
-
-
-
/bin/shsh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"2⤵
- Writes DNS configuration
-
-
/bin/shsh -c "chmod 700 /tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes118 > /dev/null 2>&1 &"2⤵
-
-
/bin/shsh -c "touch -acmr /bin/ls /tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes118"2⤵
-
/usr/bin/touchtouch -acmr /bin/ls /tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes1183⤵
-
-
-
/bin/shsh -c "(crontab -l | grep -v \"/tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"2⤵
-
/bin/grepgrep -v "no cron"3⤵
-
-
/bin/grepgrep -v /tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes1183⤵
-
-
/usr/bin/crontabcrontab -l3⤵
-
-
/bin/grepgrep -v lesshts/run.sh3⤵
-
-
-
/bin/shsh -c "echo \"* * * * * /tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"2⤵
-
-
/bin/shsh -c "crontab /var/run/.x001804289383"2⤵
-
/usr/bin/crontabcrontab /var/run/.x0018042893833⤵
- Creates/modifies Cron job
-
-
-
/bin/shsh -c "rm -rf /var/run/.x001804289383"2⤵
-
/bin/rmrm -rf /var/run/.x0018042893833⤵
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵
-
/bin/uname/bin/uname -n3⤵
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵
-
/bin/uname/bin/uname -n3⤵
-
-
-
/bin/rmrm -rf /var/run/wgsh1⤵
-
/bin/rmrm -rf /var/run/bbsh1⤵
-
/bin/rmrm -rf /var/run/tty01⤵
-
/bin/rmrm -rf /var/run/tty21⤵
-
/bin/rmrm -rf /var/run/tty31⤵
-
/bin/rmrm -rf /var/run/tty41⤵
-
/bin/rmrm -rf /var/run/tty51⤵
-
/bin/rmrm -rf /var/run/tty61⤵
-
/bin/rmrm -rf /tmp/tty01⤵
-
/bin/rmrm -rf /tmp/tty21⤵
-
/bin/rmrm -rf /tmp/tty31⤵
-
/bin/rmrm -rf /tmp/tty41⤵
-
/bin/rmrm -rf /tmp/tty51⤵
-
/bin/rmrm -rf /tmp/tty61⤵
-
/bin/rmrm -rf /var/run/pty1⤵
-
/usr/bin/killallkillall -9 arm1⤵
- Reads runtime system information
-
/usr/bin/killallkillall -9 mips1⤵
- Reads runtime system information
-
/usr/bin/killallkillall -9 mipsel1⤵
- Reads runtime system information
-
/usr/bin/killallkillall -9 powerpc1⤵
- Reads runtime system information
-
/usr/bin/killallkillall -9 ppc1⤵
- Reads runtime system information
-
/usr/bin/killallkillall -9 daemon.armv4l.mod1⤵
- Reads runtime system information
-
/usr/bin/killallkillall -9 daemon.i686.mod1⤵
- Reads runtime system information
-
/usr/bin/killallkillall -9 daemon.mips.mod1⤵
- Reads runtime system information
-
/usr/bin/killallkillall -9 daemon.mipsel.mod1⤵
- Reads runtime system information
-
/bin/rmrm -rf "/tmp/.xs/*"1⤵
-
/bin/chmodchmod 700 /tmp/2b404255f46cc50edb66b11d3c559636_JaffaCakes1181⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
81B
MD5b2167fad29aba1362be262f298d2ac1f
SHA18f1bf83b382faeb4d65f8f4226b1eb98bf00e710
SHA256ff067b17364203690705d954896b2d896f6806cda942ef794a24cee6e0bdb768
SHA51230637718075e34ef8ef921fcfb476b019fbc7357ef836b5c41a5877063fa2859ba58d2b3de7563a8607215b2d94e4483a9082088dad4eb798b072d3ac9d8cb6b
-
Filesize
278B
MD5b7aa03929d3184a33fe1f3b44968594b
SHA1fe22f61afbf2c558e3c6eac7b123387d87775ca9
SHA2561da14e1325c6b592de6cc032e534d8e55aaa80c6e83c21cfa629720df5b0a5fa
SHA51228e8f6869591c824fd11530dc216ad986987e0eaaa22b1dca157efa6369d90425fe97799bf1cfeaf695b18c39ff9b2ac8ccc509b97c068bb96eee644e0252880