Analysis

Max time kernel: 149s
Max time network: 148s
Platform: ubuntu-22.04_amd64
Resource: ubuntu2204-amd64-20240729-en
Resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
Submitted: 28-07-2024 16:39

Tasks:
  Static task: static1
  Behavioral task: behavioral1
    Sample: 17ebd53ea0834244677e4b6214c69192_JaffaCakes118
    Resource: ubuntu2204-amd64-20240729-en
General

Target: 17ebd53ea0834244677e4b6214c69192_JaffaCakes118
Size: 2.4MB
MD5: 17ebd53ea0834244677e4b6214c69192
SHA1: 056a4e25c5e569f46d90d892793b078b131d1132
SHA256: 7cfa4573cad5c3387f58cbf1e49ed6210fbeb4de06e814a9b35ecbd933144f0a
SHA512: b82439bbc33253452b3b6985f8638d63c6e3e5dd5e1f2651d8850303b69f31d2cb017360468d3f964bea7c39af97043b687e9e659bd4352562a07e968e8fd258
SSDEEP: 49152:GcXSFzulIxJ2lG4EmR8pfbTZsDjai1HrkEgJRuYabWJbiGVetR65nZmRHX0gFJKM:GcXS1ulIxJ2lGHpfbTZsDjDaRnRiGURJ
Malware Config
Signatures
Deletes itself (2 IoCs)
  Processes:
    PID 1514  freeBSD
    PID 1517  17ebd53ea0834244677e4b6214c69192_JaffaCakes118a

Executes dropped EXE (3 IoCs)
  Processes (ioc / pid / process):
    /tmp/freeBSD  1514  freeBSD
    /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a  1517  17ebd53ea0834244677e4b6214c69192_JaffaCakes118a
    /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118  1518  17ebd53ea0834244677e4b6214c69192_JaffaCakes118

Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes (description / ioc / process):
    File opened for reading  /proc/cpuinfo  17ebd53ea0834244677e4b6214c69192_JaffaCakes118

Reads system network configuration (1 TTP, 1 IoC)
  Uses contents of the /proc filesystem to enumerate network settings.
  Processes (description / ioc / process):
    File opened for reading  /proc/net/dev  17ebd53ea0834244677e4b6214c69192_JaffaCakes118

Reads runtime system information (5 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes (description / ioc / process):
    File opened for reading  /proc/filesystems  cp
    File opened for reading  /proc/filesystems  cp
    File opened for reading  /proc/sys/kernel/version  17ebd53ea0834244677e4b6214c69192_JaffaCakes118
    File opened for reading  /proc/stat  17ebd53ea0834244677e4b6214c69192_JaffaCakes118
    File opened for reading  /proc/filesystems  cp

Writes file to tmp directory (5 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description / ioc / process):
    File opened for modification  /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118  17ebd53ea0834244677e4b6214c69192_JaffaCakes118a
    File opened for modification  /tmp/fake.cfg  17ebd53ea0834244677e4b6214c69192_JaffaCakes118
    File opened for modification  /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118  cp
    File opened for modification  /tmp/freeBSD  cp
    File opened for modification  /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a  cp
Processes (process tree; indentation shows parent/child depth)

/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
  Command line: /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
  PID: 1511
    /bin/sh
      Command line: sh -c "cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/freeBSD"
      PID: 1512
        /usr/bin/cp
          Command line: cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/freeBSD
          Signatures: Reads runtime system information; Writes file to tmp directory
          PID: 1513
    /bin/sh
      Command line: sh -c "cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a"
      PID: 1515
        /usr/bin/cp
          Command line: cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a
          Signatures: Reads runtime system information; Writes file to tmp directory
          PID: 1516
    /tmp/freeBSD
      Command line: /tmp/freeBSD /tmp/freeBSD 1
      Signatures: Deletes itself; Executes dropped EXE
      PID: 1514

/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a
  Command line: /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
  Signatures: Deletes itself; Executes dropped EXE; Writes file to tmp directory
  PID: 1517
    /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
      Command line: /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
      Signatures: Executes dropped EXE; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
      PID: 1518
    /bin/sh
      Command line: sh -c "cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118"
      PID: 1523
        /usr/bin/cp
          Command line: cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
          Signatures: Reads runtime system information; Writes file to tmp directory
          PID: 1524
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 1.4MB
  MD5: 0bc785619a6a46d1f931de5fd34e6912
  SHA1: aaeece46bda245f0a3199231cfe99837c195b6b5
  SHA256: 19212bbee34e2ed8ec9c583ed3d95d7d682e78895133dc19bf53ddce7e5d69af
  SHA512: 0bf581ff1df47258f19ac060c88b0ec7a06e114c4cec989a3fb27d4ef13b9f7dfccebfc3cf32107c3efbd4ed6b944adbd2cb8abe1739a5621dbf489dacc01494

File 2 (same hashes as the submitted sample)
  Filesize: 2.4MB
  MD5: 17ebd53ea0834244677e4b6214c69192
  SHA1: 056a4e25c5e569f46d90d892793b078b131d1132
  SHA256: 7cfa4573cad5c3387f58cbf1e49ed6210fbeb4de06e814a9b35ecbd933144f0a
  SHA512: b82439bbc33253452b3b6985f8638d63c6e3e5dd5e1f2651d8850303b69f31d2cb017360468d3f964bea7c39af97043b687e9e659bd4352562a07e968e8fd258