mrblack | c2995a7967fc091aa81ca0b203281e8084215ee95bbc4f70d02f334f299f1544

Processes:

0ddda3bb8590616f803a7320d890645e_JaffaCakes118cpcpcpcpcpgettycp

description	ioc	process
File opened for modification	/usr/bin/bsd-port/getty.lock	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/udevd.lock	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/l1bhr	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	getty
File opened for modification	/usr/bin/dpkgd/ps	cp

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

cpcp

description ioc process

File opened for modification /bin/lsof cp
File opened for modification /bin/ps cp
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

0ddda3bb8590616f803a7320d890645e_JaffaCakes118getty

description ioc process

File opened for reading /proc/cpuinfo 0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for reading /proc/cpuinfo getty

description	ioc	process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

description	ioc	process
File opened for reading	/proc/cpuinfo	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for reading	/proc/cpuinfo	getty

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

getty0ddda3bb8590616f803a7320d890645e_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/dev	getty
File opened for reading	/proc/net/dev	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for reading	/proc/net/route	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for reading	/proc/net/arp	0ddda3bb8590616f803a7320d890645e_JaffaCakes118

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

Processes:

cpcpinsmodmkdirmkdirmkdirmkdir0ddda3bb8590616f803a7320d890645e_JaffaCakes118insmodcpcpmkdirgettymkdirl1bhrcpmkdircpcpcp

description	ioc	process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/stat	getty
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	l1bhr
File opened for reading	/proc/stat	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for reading	/proc/meminfo	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	getty
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

0ddda3bb8590616f803a7320d890645e_JaffaCakes118l1bhr

description	ioc	process
File opened for modification	/tmp/moni.lock	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for modification	/tmp/bill.lock	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for modification	/tmp/gates.lock	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for modification	/tmp/notify.file	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for modification	/tmp/conf.n	0ddda3bb8590616f803a7320d890645e_JaffaCakes118
File opened for modification	/tmp/moni.lock	l1bhr
File opened for modification	/tmp/notify.file	l1bhr
File opened for modification	/tmp/gates.lock	l1bhr

/tmp/0ddda3bb8590616f803a7320d890645e_JaffaCakes118
/tmp/0ddda3bb8590616f803a7320d890645e_JaffaCakes118
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1353

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
2⤵
PID:1359

/usr/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
3⤵
PID:1360

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
2⤵
PID:1361

/usr/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
3⤵
PID:1362

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
2⤵
PID:1363

/usr/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
3⤵
PID:1364

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
2⤵
PID:1365

/usr/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
3⤵
PID:1366

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
2⤵
PID:1367

/usr/bin/ln
ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
3⤵
PID:1368

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
2⤵
PID:1369

/usr/bin/mkdir
mkdir -p /usr/bin/bsd-port
3⤵
- Reads runtime system information
PID:1370

/bin/sh
sh -c "cp -f /tmp/0ddda3bb8590616f803a7320d890645e_JaffaCakes118 /usr/bin/bsd-port/getty"
2⤵
PID:1371

/usr/bin/cp
cp -f /tmp/0ddda3bb8590616f803a7320d890645e_JaffaCakes118 /usr/bin/bsd-port/getty
3⤵
- Write file to user bin folder
- Reads runtime system information
PID:1372

/bin/sh
sh -c /usr/bin/bsd-port/getty
2⤵
PID:1374

/usr/bin/bsd-port/getty
/usr/bin/bsd-port/getty
3⤵
- Executes dropped EXE
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
PID:1375

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
4⤵
PID:1396

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
5⤵
PID:1397

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
4⤵
PID:1398

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
5⤵
PID:1399

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
4⤵
PID:1400

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
5⤵
PID:1401

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
4⤵
PID:1402

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
5⤵
PID:1403

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
4⤵
PID:1404

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
5⤵
PID:1405

/bin/sh
sh -c "mkdir -p /usr/bin/dpkgd"
4⤵
PID:1406

/usr/bin/mkdir
mkdir -p /usr/bin/dpkgd
5⤵
- Reads runtime system information
PID:1407

/bin/sh
sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
4⤵
PID:1408

/usr/bin/cp
cp -f /bin/lsof /usr/bin/dpkgd/lsof
5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1409

/bin/sh
sh -c "mkdir -p /bin"
4⤵
PID:1410

/usr/bin/mkdir
mkdir -p /bin
5⤵
- Reads runtime system information
PID:1411

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"
4⤵
PID:1412

/usr/bin/cp
cp -f /usr/bin/bsd-port/getty /bin/lsof
5⤵
- Writes file to system bin folder
- Reads runtime system information
PID:1413

/bin/sh
sh -c "chmod 0755 /bin/lsof"
4⤵
PID:1414

/usr/bin/chmod
chmod 0755 /bin/lsof
5⤵
PID:1415

/bin/sh
sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
4⤵
PID:1416

/usr/bin/cp
cp -f /bin/ps /usr/bin/dpkgd/ps
5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1417

/bin/sh
sh -c "mkdir -p /bin"
4⤵
PID:1418

/usr/bin/mkdir
mkdir -p /bin
5⤵
- Reads runtime system information
PID:1419

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
4⤵
PID:1420

/usr/bin/cp
cp -f /usr/bin/bsd-port/getty /bin/ps
5⤵
- Writes file to system bin folder
- Reads runtime system information
PID:1421

/bin/sh
sh -c "chmod 0755 /bin/ps"
4⤵
PID:1422

/usr/bin/chmod
chmod 0755 /bin/ps
5⤵
PID:1423

/bin/sh
sh -c "mkdir -p /usr/bin"
4⤵
PID:1424

/usr/bin/mkdir
mkdir -p /usr/bin
5⤵
- Reads runtime system information
PID:1425

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
4⤵
PID:1426

/usr/bin/cp
cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1427

/bin/sh
sh -c "chmod 0755 /usr/bin/lsof"
4⤵
PID:1430

/usr/bin/chmod
chmod 0755 /usr/bin/lsof
5⤵
PID:1431

/bin/sh
sh -c "mkdir -p /usr/bin"
4⤵
PID:1432

/usr/bin/mkdir
mkdir -p /usr/bin
5⤵
- Reads runtime system information
PID:1433

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"
4⤵
PID:1434

/usr/bin/cp
cp -f /usr/bin/bsd-port/getty /usr/bin/ps
5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1435

/bin/sh
sh -c "chmod 0755 /usr/bin/ps"
4⤵
PID:1436

/usr/bin/chmod
chmod 0755 /usr/bin/ps
5⤵
PID:1437

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
4⤵
PID:1438

/usr/sbin/insmod
insmod /usr/lib/xpacket.ko
5⤵
- Reads runtime system information
PID:1439

/bin/sh
sh -c "mkdir -p /usr/bin"
2⤵
PID:1377

/usr/bin/mkdir
mkdir -p /usr/bin
3⤵
- Reads runtime system information
PID:1378

/bin/sh
sh -c "cp -f /tmp/0ddda3bb8590616f803a7320d890645e_JaffaCakes118 /usr/bin/l1bhr"
2⤵
PID:1379

/usr/bin/cp
cp -f /tmp/0ddda3bb8590616f803a7320d890645e_JaffaCakes118 /usr/bin/l1bhr
3⤵
- Write file to user bin folder
- Reads runtime system information
PID:1380

/bin/sh
sh -c /usr/bin/l1bhr
2⤵
PID:1382

/usr/bin/l1bhr
/usr/bin/l1bhr
3⤵
- Executes dropped EXE
- Reads runtime system information
- Writes file to tmp directory
PID:1383

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
2⤵
PID:1386

/usr/sbin/insmod
insmod /usr/lib/xpacket.ko
3⤵
- Reads runtime system information
PID:1387

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion