Analysis
-
max time kernel
149s -
max time network
146s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240729-en -
resource tags
arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system -
submitted
28-07-2024 17:57
Behavioral task
behavioral1
Sample
1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118
Resource
ubuntu2204-amd64-20240729-en
General
-
Target
1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118
-
Size
384KB
-
MD5
1ad0c890f8fbb9b392e0acb425de4f3c
-
SHA1
de9a9671cc45e0a486c8d4e3c1f2c9156cf1673a
-
SHA256
18f26cbad0f228e1bd4042603dfcb5e1b597f66dd968c832f77ea41564e808c2
-
SHA512
fa7ad4d586839c94b0f8025e8a1106f8609c1a44e720dc2882b5ee4af739d34b40720d8bd83130d7bac375ca8ccbf5efe0278e04ff7b9f2d8805ea25972304d4
-
SSDEEP
6144:6H0cwGaZNuEtdb3usKYgoJ4o+dp5ky7fyQ8v+byH2R9yMl0gXQYjTwk73c:6HZwBTdbFKVy+dp5k0Uv+byu08QgwGc
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
knerlpythnoioc pid process /usr/bin/bsd-port/knerl 1532 knerl /usr/bin/pythno 1540 pythno -
Processes:
resource yara_rule /usr/bin/bsd-port/knerl upx -
Processes:
1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118knerldescription ioc process File opened for modification /etc/init.d/VsystemsshMdt 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for modification /etc/init.d/selinux knerl -
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
Processes:
1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118description ioc process File opened for reading /proc/net/route 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 -
Write file to user bin folder 1 TTPs 9 IoCs
Processes:
1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118cpcpknerlcpcpcpcpdescription ioc process File opened for modification /usr/bin/bsd-port/knerl.conf 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for modification /usr/bin/bsd-port/udevd.conf 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for modification /usr/bin/bsd-port/knerl cp File opened for modification /usr/bin/pythno cp File opened for modification /usr/bin/bsd-port/knerl.conf knerl File opened for modification /usr/bin/dpkgd/lsof cp File opened for modification /usr/bin/dpkgd/ps cp File opened for modification /usr/bin/lsof cp File opened for modification /usr/bin/ps cp -
Writes file to system bin folder 1 TTPs 2 IoCs
Processes:
cpcpdescription ioc process File opened for modification /bin/lsof cp File opened for modification /bin/ps cp -
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118knerldescription ioc process File opened for reading /proc/cpuinfo 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for reading /proc/cpuinfo knerl -
Reads system network configuration 1 TTPs 4 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118knerldescription ioc process File opened for reading /proc/net/dev 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for reading /proc/net/dev knerl File opened for reading /proc/net/route 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for reading /proc/net/arp 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 -
Reads runtime system information 24 IoCs
Reads data from /proc virtual filesystem.
Processes:
mkdirmkdircpmkdirknerlpythnocpmkdirinsmod1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118cpcpcpmkdirinsmodmkdirmkdircpcpcpdescription ioc process File opened for reading /proc/filesystems mkdir File opened for reading /proc/filesystems mkdir File opened for reading /proc/filesystems cp File opened for reading /proc/filesystems mkdir File opened for reading /proc/sys/kernel/version knerl File opened for reading /proc/sys/kernel/version pythno File opened for reading /proc/filesystems cp File opened for reading /proc/filesystems mkdir File opened for reading /proc/stat knerl File opened for reading /proc/cmdline insmod File opened for reading /proc/sys/kernel/version 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for reading /proc/filesystems cp File opened for reading /proc/filesystems cp File opened for reading /proc/meminfo knerl File opened for reading /proc/filesystems cp File opened for reading /proc/filesystems mkdir File opened for reading /proc/cmdline insmod File opened for reading /proc/filesystems mkdir File opened for reading /proc/filesystems mkdir File opened for reading /proc/filesystems cp File opened for reading /proc/filesystems cp File opened for reading /proc/filesystems cp File opened for reading /proc/stat 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for reading /proc/meminfo 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 -
Writes file to tmp directory 8 IoCs
Malware often drops required files in the /tmp directory.
Processes:
1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118pythnodescription ioc process File opened for modification /tmp/idus.log 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for modification /tmp/apsh.conf 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for modification /tmp/vga.conf 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for modification /tmp/notify.file 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for modification /tmp/idus.log pythno File opened for modification /tmp/notify.file pythno File opened for modification /tmp/conf.n 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 File opened for modification /tmp/vga.conf pythno
Processes
-
/tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118/tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes1181⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1510 -
/bin/shsh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"2⤵PID:1516
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt3⤵PID:1517
-
/bin/shsh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"2⤵PID:1518
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt3⤵PID:1519
-
/bin/shsh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"2⤵PID:1520
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt3⤵PID:1521
-
/bin/shsh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"2⤵PID:1522
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt3⤵PID:1523
-
/bin/shsh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"2⤵PID:1524
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt3⤵PID:1525
-
/bin/shsh -c "mkdir -p /usr/bin/bsd-port"2⤵PID:1526
-
/usr/bin/mkdirmkdir -p /usr/bin/bsd-port3⤵
- Reads runtime system information
PID:1527 -
/bin/shsh -c "cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/bsd-port/knerl"2⤵PID:1528
-
/usr/bin/cpcp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/bsd-port/knerl3⤵
- Write file to user bin folder
- Reads runtime system information
PID:1529 -
/bin/shsh -c /usr/bin/bsd-port/knerl2⤵PID:1531
-
/usr/bin/bsd-port/knerl/usr/bin/bsd-port/knerl3⤵
- Executes dropped EXE
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
PID:1532 -
/bin/shsh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"4⤵PID:1547
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc1.d/S99selinux5⤵PID:1548
-
/bin/shsh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"4⤵PID:1549
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc2.d/S99selinux5⤵PID:1550
-
/bin/shsh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"4⤵PID:1551
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc3.d/S99selinux5⤵PID:1552
-
/bin/shsh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"4⤵PID:1553
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc4.d/S99selinux5⤵PID:1554
-
/bin/shsh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"4⤵PID:1555
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc5.d/S99selinux5⤵PID:1556
-
/bin/shsh -c "mkdir -p /usr/bin/dpkgd"4⤵PID:1557
-
/usr/bin/mkdirmkdir -p /usr/bin/dpkgd5⤵
- Reads runtime system information
PID:1558 -
/bin/shsh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"4⤵PID:1559
-
/usr/bin/cpcp -f /bin/lsof /usr/bin/dpkgd/lsof5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1561 -
/bin/shsh -c "mkdir -p /bin"4⤵PID:1562
-
/usr/bin/mkdirmkdir -p /bin5⤵
- Reads runtime system information
PID:1563 -
/bin/shsh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"4⤵PID:1564
-
/usr/bin/cpcp -f /usr/bin/bsd-port/knerl /bin/lsof5⤵
- Writes file to system bin folder
- Reads runtime system information
PID:1565 -
/bin/shsh -c "chmod 0755 /bin/lsof"4⤵PID:1566
-
/usr/bin/chmodchmod 0755 /bin/lsof5⤵PID:1567
-
/bin/shsh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"4⤵PID:1568
-
/usr/bin/cpcp -f /bin/ps /usr/bin/dpkgd/ps5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1569 -
/bin/shsh -c "mkdir -p /bin"4⤵PID:1571
-
/usr/bin/mkdirmkdir -p /bin5⤵
- Reads runtime system information
PID:1572 -
/bin/shsh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"4⤵PID:1573
-
/usr/bin/cpcp -f /usr/bin/bsd-port/knerl /bin/ps5⤵
- Writes file to system bin folder
- Reads runtime system information
PID:1574 -
/bin/shsh -c "chmod 0755 /bin/ps"4⤵PID:1575
-
/usr/bin/chmodchmod 0755 /bin/ps5⤵PID:1576
-
/bin/shsh -c "mkdir -p /usr/bin"4⤵PID:1577
-
/usr/bin/mkdirmkdir -p /usr/bin5⤵
- Reads runtime system information
PID:1579 -
/bin/shsh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"4⤵PID:1580
-
/usr/bin/cpcp -f /usr/bin/bsd-port/knerl /usr/bin/lsof5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1581 -
/bin/shsh -c "chmod 0755 /usr/bin/lsof"4⤵PID:1582
-
/usr/bin/chmodchmod 0755 /usr/bin/lsof5⤵PID:1583
-
/bin/shsh -c "mkdir -p /usr/bin"4⤵PID:1584
-
/usr/bin/mkdirmkdir -p /usr/bin5⤵
- Reads runtime system information
PID:1585 -
/bin/shsh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"4⤵PID:1586
-
/usr/bin/cpcp -f /usr/bin/bsd-port/knerl /usr/bin/ps5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1587 -
/bin/shsh -c "chmod 0755 /usr/bin/ps"4⤵PID:1589
-
/usr/bin/chmodchmod 0755 /usr/bin/ps5⤵PID:1590
-
/bin/shsh -c "insmod /usr/lib/xpacket.ko"4⤵PID:1591
-
/usr/sbin/insmodinsmod /usr/lib/xpacket.ko5⤵
- Reads runtime system information
PID:1592 -
/bin/shsh -c "mkdir -p /usr/bin"2⤵PID:1534
-
/usr/bin/mkdirmkdir -p /usr/bin3⤵
- Reads runtime system information
PID:1535 -
/bin/shsh -c "cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/pythno"2⤵PID:1536
-
/usr/bin/cpcp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/pythno3⤵
- Write file to user bin folder
- Reads runtime system information
PID:1537 -
/bin/shsh -c /usr/bin/pythno2⤵PID:1539
-
/usr/bin/pythno/usr/bin/pythno3⤵
- Executes dropped EXE
- Reads runtime system information
- Writes file to tmp directory
PID:1540 -
/bin/shsh -c "insmod /usr/lib/xpacket.ko"2⤵PID:1542
-
/usr/sbin/insmodinsmod /usr/lib/xpacket.ko3⤵
- Reads runtime system information
PID:1543
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64B
MD5b29de5cc181ffee698b7d2bfffa3671f
SHA15584faa078c8f4014a9acb622ec6401f3e3cde9b
SHA25604fdb37f1673309d0929c98bd850f93336ac8374d4d117bd986d89530e6ab027
SHA5122fe4873f48f3557e34c313ffd0ab0ba5806845d122c839d96405551a1d5efbebf7df9cd8f7b5be2ab89357692ed87aba2859237e3d53acf546843dcbe180c616
-
Filesize
36B
MD5caa27b819c9303446f702929874a00e8
SHA1d24199c0e376edea3f822b215148cc0dc78364bf
SHA256da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b
SHA512dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e
-
Filesize
69B
MD58f7922b090f3e1801fdb1d71d9c49abc
SHA1626214a41cf5b8e83c3be7af1efe4cca585bb6b6
SHA256fbf9d6e9acf4a30f08791be7f9416de4452e6b364867a52dd15cf5571d82aaf4
SHA51254ac6efc27fd1ebf96b791732dc2e57c50c9ebd47c30c4c1d4f9d0f4f16a5450af7d911e92851a756a70511a85478e7fcafcdc9801fad7db51d265939bc5c155
-
Filesize
4B
MD51373b284bc381890049e92d324f56de0
SHA1d05785002742a30502dde3731b28883334e46040
SHA256477e2d13152129e72c4a47a5abed06ce422daff2ca0e99d33bc527477effee34
SHA512b409dbef7cad909beab9e2b251590e7a6773e6ef7bc3782a9adb4be3a2765fdefca68cb96b9b31e92e0edb23d521aa3adfb7c90ade660e75b1a04832d19d59f4
-
Filesize
51B
MD531475e954686ec0a008f86dc13b8fd22
SHA1d2fdde5e7d26b546436cae313287aef8045346c9
SHA2561ce47d832cb496a83bc09bd75b004c702b81b4e0e2f184a96ca2945aa68f2aa7
SHA5126cd6d9b53d27456bbf8679b9933f8b0141fdf225bf3d7879418db591ed2d7af988ea7b5b50b2c6af9e638883981d54b2b6d571d4e7a44b76a35b664132e46a3d
-
Filesize
4B
MD5ebb71045453f38676c40deb9864f811d
SHA1810bd2adca8109e71a0fa4995bb7a965fd8d905a
SHA2560d0c9bc37ae955b26c8bfecc22fcd072c4ea5ce95947a5051b5ed7399bff4f2e
SHA5123a3fc2e1174cf6fa5acf3b1d706c3f21b85915b8f7bc2bae7c5ca6ceb86fc5377e33ff347264e1dd620fcba5fec174ae4b8793e7a9aaaf2b0ec06d85e077efdf
-
Filesize
384KB
MD51ad0c890f8fbb9b392e0acb425de4f3c
SHA1de9a9671cc45e0a486c8d4e3c1f2c9156cf1673a
SHA25618f26cbad0f228e1bd4042603dfcb5e1b597f66dd968c832f77ea41564e808c2
SHA512fa7ad4d586839c94b0f8025e8a1106f8609c1a44e720dc2882b5ee4af739d34b40720d8bd83130d7bac375ca8ccbf5efe0278e04ff7b9f2d8805ea25972304d4
-
Filesize
163KB
MD5ab57b66cc531ae0f996963223e632b60
SHA1bf7e5becd33f21c2539f5a75ffa0ab61c49c8795
SHA2562484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df
SHA512908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6
-
Filesize
138KB
MD58146139c2ad7e550b1d1f49480997446
SHA1074db8890c3227bd8a588417f5b9bde637bcf3af
SHA256207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f
SHA512b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de