Analysis
  max time kernel:  149s
  max time network: 148s
  platform:         ubuntu-22.04_amd64
  resource:         ubuntu2204-amd64-20240729-en
  resource tags:    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  submitted:        28-07-2024 04:22
General
  Target: 08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118
  Size:   1.1MB
  MD5:    08e635ad50de0e51bcce87bbae1d424b
  SHA1:   912579d64cdd6e04a6b7111ea611d1e4fee2e88d
  SHA256: 63bc03d3d2fe38d005b5ee7f629aa0d9f1b8ebfb415471ee829284267b29450f
  SHA512: 80f58194aaebb06957e324919a3573d1c0aca7f0766094398010ecf3d84be304e7732e7c60f3f493e1a82c8e1a990ab65a79bb54c044e1f713afb30bccf47670
  SSDEEP: 24576:8SlXre0q1r+GsNUV81TSCi1RDDJpPX93k1erknwbrA7nrq3BIiZh:8SNt4rONU6NoD3X0ewwnA7nyCiP
Malware Config
Signatures

Deletes itself (2 IoCs)
Processes:
  pid   process
  1512  freeBSD
  1515  08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a

Executes dropped EXE (3 IoCs)
Processes:
  ioc                                                   pid   process
  /tmp/freeBSD                                          1512  freeBSD
  /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a  1515  08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a
  /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118   1516  08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118

YARA rule match:
  resource      yara_rule
  /tmp/freeBSD  upx

Checks CPU configuration (1 TTPs, 1 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes:
  description              ioc            process
  File opened for reading  /proc/cpuinfo  08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118

Reads system network configuration (1 TTPs, 1 IoCs)
Uses the contents of the /proc filesystem to enumerate network settings.
Processes:
  description              ioc            process
  File opened for reading  /proc/net/dev  08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118

Reads runtime system information (5 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
  description              ioc                       process
  File opened for reading  /proc/stat                08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118
  File opened for reading  /proc/filesystems         cp
  File opened for reading  /proc/filesystems         cp
  File opened for reading  /proc/filesystems         cp
  File opened for reading  /proc/sys/kernel/version  08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118

Writes file to tmp directory (5 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                   ioc                                                   process
  File opened for modification  /tmp/freeBSD                                          cp
  File opened for modification  /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a  cp
  File opened for modification  /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118   08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a
  File opened for modification  /tmp/fake.cfg                                         08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118
  File opened for modification  /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118   cp
Processes

/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 (PID 1509)
  command line: /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118

  /bin/sh (PID 1510)
    command line: sh -c "cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 /tmp/freeBSD"

    /usr/bin/cp (PID 1511)
      command line: cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 /tmp/freeBSD
      - Reads runtime system information
      - Writes file to tmp directory

  /bin/sh (PID 1513)
    command line: sh -c "cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a"

    /usr/bin/cp (PID 1514)
      command line: cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a
      - Reads runtime system information
      - Writes file to tmp directory

  /tmp/freeBSD (PID 1512)
    command line: /tmp/freeBSD /tmp/freeBSD 1
    - Deletes itself
    - Executes dropped EXE

/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a (PID 1515)
  command line: /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118
  - Deletes itself
  - Executes dropped EXE
  - Writes file to tmp directory

  /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 (PID 1516)
    - Executes dropped EXE
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    - Writes file to tmp directory

  /bin/sh (PID 1523)
    command line: sh -c "cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118"

    /usr/bin/cp (PID 1524)
      command line: cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118
      - Reads runtime system information
      - Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.3MB
  MD5:    2a2c922ee8da011c0d8f6b4bff7710d9
  SHA1:   825e26405d3d474e82818e23b4851bcd24552479
  SHA256: 5a908ec622fa0dee4aa4eb364d569950c8725c07d16a16a68dc84bed0027608b
  SHA512: 430cf621238637fb0c6191ed0439c472017a7fe2d4855c1205c4dd256141ae49fc00028ab655550592040f7747b4a1ce4131b5e3846e8e8dcfe9d9491046a90d

- Filesize: 1.1MB
  MD5:    08e635ad50de0e51bcce87bbae1d424b
  SHA1:   912579d64cdd6e04a6b7111ea611d1e4fee2e88d
  SHA256: 63bc03d3d2fe38d005b5ee7f629aa0d9f1b8ebfb415471ee829284267b29450f
  SHA512: 80f58194aaebb06957e324919a3573d1c0aca7f0766094398010ecf3d84be304e7732e7c60f3f493e1a82c8e1a990ab65a79bb54c044e1f713afb30bccf47670