Analysis
max time kernel: 149s
max time network: 148s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240729-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 28-07-2024 02:28
General
Target: 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
Size: 821KB
MD5: 05f44e74d3557c4e2e43c0b237b0972f
SHA1: 9e38cd9c2eb810442bcaa658d301e4777ba3c962
SHA256: 7d32806b4bd7f853c7cbfaee0b6a644e3828200a055778275b846cc855bec588
SHA512: bcdb6be64bfb0f66205616be84d39dba0e6cc855ef8b6999deeb456edb03693e6e7d3cb852b7f540d8fd8cb171204556807e72f6ca6af4bd73db908696e8f7d3
SSDEEP: 24576:MwijaA7f7G35Mn4Wa50vcKDHf8tG4LFvIhA3n1N39a9O:MwSlfyJq4FivJ8tGEFFP39a4
Malware Config
Signatures
- Deletes itself (2 IoCs)
  Processes:
    pid 1518, process freeBSD
    pid 1521, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a
- Executes dropped EXE (3 IoCs)
  Processes:
    ioc /tmp/freeBSD, pid 1518, process freeBSD
    ioc /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a, pid 1521, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a
    ioc /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118, pid 1522, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
- YARA rule match
  Processes:
    resource /tmp/freeBSD, yara_rule upx
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
    description File opened for reading, ioc /proc/cpuinfo, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  Processes:
    description File opened for reading, ioc /proc/net/dev, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
- Reads runtime system information (5 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes:
    description File opened for reading, ioc /proc/filesystems, process cp
    description File opened for reading, ioc /proc/filesystems, process cp
    description File opened for reading, ioc /proc/sys/kernel/version, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
    description File opened for reading, ioc /proc/stat, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
    description File opened for reading, ioc /proc/filesystems, process cp
- Writes file to tmp directory (5 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description File opened for modification, ioc /tmp/fake.cfg, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
    description File opened for modification, ioc /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118, process cp
    description File opened for modification, ioc /tmp/freeBSD, process cp
    description File opened for modification, ioc /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a, process cp
    description File opened for modification, ioc /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118, process 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a
Processes
- /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 (PID 1515)
  command line: /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
  - /bin/sh (PID 1516)
    command line: sh -c "cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/freeBSD"
    - /usr/bin/cp (PID 1517)
      command line: cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/freeBSD
      - Reads runtime system information
      - Writes file to tmp directory
  - /bin/sh (PID 1519)
    command line: sh -c "cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a"
    - /usr/bin/cp (PID 1520)
      command line: cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a
      - Reads runtime system information
      - Writes file to tmp directory
  - /tmp/freeBSD (PID 1518)
    command line: /tmp/freeBSD /tmp/freeBSD 1
    - Deletes itself
    - Executes dropped EXE
- /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a (PID 1521)
  command line: /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
  - Deletes itself
  - Executes dropped EXE
  - Writes file to tmp directory
  - /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 (PID 1522)
    - Executes dropped EXE
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/sh (PID 1528)
    command line: sh -c "cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118"
    - /usr/bin/cp (PID 1529)
      command line: cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
      - Reads runtime system information
      - Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: cb8907209654960b42324acee6af2e3c
  SHA1: 3d74c3840178bf9ed9a7627014db33dbd9f8c761
  SHA256: cc49bbdb1a9232a2694f31159d65197367f8ee28255c7c8995afa25e9dbe3a72
  SHA512: 09dc16e75c46087fc7b6f517c91cab25104302eb039b0a33ac4f8bd048541603c8c951456d15c356e2a2307c46eed40eb9ab3b52a7fc5e91e734b266ca3fa5e8
- Filesize: 821KB
  MD5: 05f44e74d3557c4e2e43c0b237b0972f
  SHA1: 9e38cd9c2eb810442bcaa658d301e4777ba3c962
  SHA256: 7d32806b4bd7f853c7cbfaee0b6a644e3828200a055778275b846cc855bec588
  SHA512: bcdb6be64bfb0f66205616be84d39dba0e6cc855ef8b6999deeb456edb03693e6e7d3cb852b7f540d8fd8cb171204556807e72f6ca6af4bd73db908696e8f7d3