Analysis
max time kernel: 149s
max time network: 148s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240729-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 28-07-2024 16:40
Static task: static1
Behavioral task: behavioral1
Sample: 17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
Resource: ubuntu2204-amd64-20240729-en
General
Target: 17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
Size: 2.4MB
MD5: 17f5e59fcd4e55d0cc56e080fe5ce4b4
SHA1: 4e7dfdc42b1364fcc47d49664220c99891daa761
SHA256: 512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f
SHA512: 458ea7bcf2e8dcfd49601df7f79a9932276d9066b59b740d5fecd342a4de0a93a0707cc72283380b15f8ad8562280ba784fa826fbcf095e7a18ef8a6cbbeeeaf
SSDEEP: 49152:GcXSFzulIxJ2lG4EmR8pfbTZsDjai1HrkEgJRuYaEWJbiGVetR65nZmRHX0gFJKM:GcXS1ulIxJ2lGHpfbTZsDjDaRnkiGURJ
Malware Config
Signatures
Deletes itself (2 IoCs)
Processes:
  pid   process
  1511  conimet
  1514  17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a

Executes dropped EXE (3 IoCs)
Processes:
  ioc                                                    pid   process
  /tmp/conimet                                           1511  conimet
  /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a   1514  17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a
  /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118    1515  17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
Checks CPU configuration (1 TTPs, 1 IoCs)
Checks CPU information that indicates whether the system is a virtual machine.
Processes:
  description               ioc             process
  File opened for reading   /proc/cpuinfo   17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of /proc filesystem to enumerate network settings.
Processes:
  description               ioc             process
  File opened for reading   /proc/net/dev   17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
Reads runtime system information (5 IoCs)
Reads data from /proc virtual filesystem.
Processes:
  description               ioc                        process
  File opened for reading   /proc/stat                 17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
  File opened for reading   /proc/filesystems          cp
  File opened for reading   /proc/filesystems          cp
  File opened for reading   /proc/filesystems          cp
  File opened for reading   /proc/sys/kernel/version   17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
Writes file to tmp directory (5 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                    ioc                                                    process
  File opened for modification   /tmp/conimet                                           cp
  File opened for modification   /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a   cp
  File opened for modification   /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118    17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a
  File opened for modification   /tmp/fake.cfg                                          17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
  File opened for modification   /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118    cp
Processes
- /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 (PID 1508)
  command line: /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
  - /bin/sh (PID 1509)
    command line: sh -c "cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/conimet"
    - /usr/bin/cp (PID 1510)
      command line: cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/conimet
      signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/sh (PID 1512)
    command line: sh -c "cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a"
    - /usr/bin/cp (PID 1513)
      command line: cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a
      signatures: Reads runtime system information; Writes file to tmp directory
  - /tmp/conimet (PID 1511)
    command line: /tmp/conimet /tmp/conimet 1
    signatures: Deletes itself; Executes dropped EXE
- /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a (PID 1514)
  command line: /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
  signatures: Deletes itself; Executes dropped EXE; Writes file to tmp directory
  - /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 (PID 1515)
    signatures: Executes dropped EXE; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/sh (PID 1520)
    command line: sh -c "cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118"
    - /usr/bin/cp (PID 1521)
      command line: cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
      signatures: Reads runtime system information; Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
  MD5: dffc8eaf00c21b5c1c273c7e265229e0
  SHA1: 45d44447b31fd18495e5bbd26f01d935e5f9424b
  SHA256: f6260c40e72cf02acdc0c7ce7fe8ae4d3455500e8fb2f7a7caf6a34a6506a44a
  SHA512: 1517c24518a91ea25bd3ac712daa9f67637d48860e51602ce59a1de4741dda6f8cda63c08390c6c879da9a8e63691446480cc560118dd6edb5cb75e1ebac1f41
- Filesize: 2.4MB
  MD5: 17f5e59fcd4e55d0cc56e080fe5ce4b4
  SHA1: 4e7dfdc42b1364fcc47d49664220c99891daa761
  SHA256: 512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f
  SHA512: 458ea7bcf2e8dcfd49601df7f79a9932276d9066b59b740d5fecd342a4de0a93a0707cc72283380b15f8ad8562280ba784fa826fbcf095e7a18ef8a6cbbeeeaf