Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240729-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240729-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 28-07-2024 00:51
General
Target: 041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
Size: 833KB
MD5: 041f6a1b500fe2a6ed9dbea66c741bd6
SHA1: aab7f55d4e09b3fe17c27189736c391e62e88856
SHA256: bdb1dc0d6bb4a1abe8c68df20f28a484c17fdc97f920d0a1285b245965e2bedf
SHA512: b0e90de75d1c9a85d6649890fad18030ad99c1cfa2f05f76e13c778756da10f47a64dbc7ca15a8737a89080059ed72d11427944208c3d4d34b521c6aac325c20
SSDEEP: 24576:4RkqHKolTb+eDYUDztiy6yu3oo6U/Xt8MBiVa14t:4RkpoAiHfwyduYw/98JG4t
Malware Config
Signatures
-
Deletes itself (2 IoCs)
Processes:
  pid   process
  1514  freeBSD
  1517  041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a
-
Executes dropped EXE (3 IoCs)
Processes:
  ioc                                                    pid   process
  /tmp/freeBSD                                           1514  freeBSD
  /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a   1517  041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a
  /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118    1518  041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
-
Processes:
  resource      yara_rule
  /tmp/freeBSD  upx
-
Checks CPU configuration (1 TTPs, 1 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes:
  description               ioc            process
  File opened for reading   /proc/cpuinfo  041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
-
Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of the /proc filesystem to enumerate network settings.
Processes:
  description               ioc            process
  File opened for reading   /proc/net/dev  041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
-
Reads runtime system information (4 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
  description               ioc                process
  File opened for reading   /proc/stat         041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
  File opened for reading   /proc/filesystems  cp
  File opened for reading   /proc/filesystems  cp
  File opened for reading   /proc/filesystems  cp
-
Writes file to tmp directory (5 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                    ioc                                                    process
  File opened for modification   /tmp/freeBSD                                           cp
  File opened for modification   /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a   cp
  File opened for modification   /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118    041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a
  File opened for modification   /tmp/fake.cfg                                          041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
  File opened for modification   /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118    cp
Processes
(process tree; indentation shows parent/child depth, each entry gives the executable, its command line, triggered signatures and PID)
-
/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
  command line: /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
  PID:1510
  -
  /bin/sh
    command line: sh -c "cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 /tmp/freeBSD"
    PID:1512
    -
    /bin/cp
      command line: cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 /tmp/freeBSD
      - Reads runtime system information
      - Writes file to tmp directory
      PID:1513
  -
  /bin/sh
    command line: sh -c "cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a"
    PID:1515
    -
    /bin/cp
      command line: cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a
      - Reads runtime system information
      - Writes file to tmp directory
      PID:1516
  -
  /tmp/freeBSD
    command line: /tmp/freeBSD /tmp/freeBSD 1
    - Deletes itself
    - Executes dropped EXE
    PID:1514
-
/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a
  command line: /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
  - Deletes itself
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1517
  -
  /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
    - Executes dropped EXE
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1518
  -
  /bin/sh
    command line: sh -c "cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118"
    PID:1521
    -
    /bin/cp
      command line: cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
      - Reads runtime system information
      - Writes file to tmp directory
      PID:1522
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.4MB
MD5: e81d759964abe7c10d478336a126b70b
SHA1: 1699583f10309a0633e35fe86e693a0874206695
SHA256: 69069b25fcec9c1f4977df0790a56bf3db20265ef3c3f1615c5d48e35e9c9bda
SHA512: 8990e4654f78178c0175f3f6a684e45a7b305e6b80da9d8219022a89d976fa46ce347da26695a6689405a9e496d092f0b0c03471fb7fa857e874b0530dfccc14
-
Filesize: 833KB
MD5: 041f6a1b500fe2a6ed9dbea66c741bd6
SHA1: aab7f55d4e09b3fe17c27189736c391e62e88856
SHA256: bdb1dc0d6bb4a1abe8c68df20f28a484c17fdc97f920d0a1285b245965e2bedf
SHA512: b0e90de75d1c9a85d6649890fad18030ad99c1cfa2f05f76e13c778756da10f47a64dbc7ca15a8737a89080059ed72d11427944208c3d4d34b521c6aac325c20