Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240729-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
  • submitted
    28-07-2024 17:57

General

  • Target

    1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118

  • Size

    384KB

  • MD5

    1ad0c890f8fbb9b392e0acb425de4f3c

  • SHA1

    de9a9671cc45e0a486c8d4e3c1f2c9156cf1673a

  • SHA256

    18f26cbad0f228e1bd4042603dfcb5e1b597f66dd968c832f77ea41564e808c2

  • SHA512

    fa7ad4d586839c94b0f8025e8a1106f8609c1a44e720dc2882b5ee4af739d34b40720d8bd83130d7bac375ca8ccbf5efe0278e04ff7b9f2d8805ea25972304d4

  • SSDEEP

    6144:6H0cwGaZNuEtdb3usKYgoJ4o+dp5ky7fyQ8v+byH2R9yMl0gXQYjTwk73c:6HZwBTdbFKVy+dp5k0Uv+byu08QgwGc

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies init.d 1 TTPs 2 IoCs

    Adds/modifies system service, likely for persistence.

  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Write file to user bin folder 1 TTPs 9 IoCs
  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads system network configuration 1 TTPs 4 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 24 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118
    /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118
    1⤵
    • Modifies init.d
    • Reads system routing table
    • Write file to user bin folder
    • Checks CPU configuration
    • Reads system network configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1510
    • /bin/sh
      sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt"
      2⤵
        PID:1516
        • /usr/bin/ln
          ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
          3⤵
            PID:1517
        • /bin/sh
          sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt"
          2⤵
            PID:1518
            • /usr/bin/ln
              ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
              3⤵
                PID:1519
            • /bin/sh
              sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt"
              2⤵
                PID:1520
                • /usr/bin/ln
                  ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
                  3⤵
                    PID:1521
                • /bin/sh
                  sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt"
                  2⤵
                    PID:1522
                    • /usr/bin/ln
                      ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
                      3⤵
                        PID:1523
                    • /bin/sh
                      sh -c "ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt"
                      2⤵
                        PID:1524
                        • /usr/bin/ln
                          ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
                          3⤵
                            PID:1525
                        • /bin/sh
                          sh -c "mkdir -p /usr/bin/bsd-port"
                          2⤵
                            PID:1526
                            • /usr/bin/mkdir
                              mkdir -p /usr/bin/bsd-port
                              3⤵
                              • Reads runtime system information
                              PID:1527
                          • /bin/sh
                            sh -c "cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/bsd-port/knerl"
                            2⤵
                              PID:1528
                              • /usr/bin/cp
                                cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/bsd-port/knerl
                                3⤵
                                • Write file to user bin folder
                                • Reads runtime system information
                                PID:1529
                            • /bin/sh
                              sh -c /usr/bin/bsd-port/knerl
                              2⤵
                                PID:1531
                                • /usr/bin/bsd-port/knerl
                                  /usr/bin/bsd-port/knerl
                                  3⤵
                                  • Executes dropped EXE
                                  • Modifies init.d
                                  • Write file to user bin folder
                                  • Checks CPU configuration
                                  • Reads system network configuration
                                  • Reads runtime system information
                                  PID:1532
                                  • /bin/sh
                                    sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
                                    4⤵
                                      PID:1547
                                      • /usr/bin/ln
                                        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
                                        5⤵
                                          PID:1548
                                      • /bin/sh
                                        sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
                                        4⤵
                                          PID:1549
                                          • /usr/bin/ln
                                            ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
                                            5⤵
                                              PID:1550
                                          • /bin/sh
                                            sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
                                            4⤵
                                              PID:1551
                                              • /usr/bin/ln
                                                ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
                                                5⤵
                                                  PID:1552
                                              • /bin/sh
                                                sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
                                                4⤵
                                                  PID:1553
                                                  • /usr/bin/ln
                                                    ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
                                                    5⤵
                                                      PID:1554
                                                  • /bin/sh
                                                    sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
                                                    4⤵
                                                      PID:1555
                                                      • /usr/bin/ln
                                                        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
                                                        5⤵
                                                          PID:1556
                                                      • /bin/sh
                                                        sh -c "mkdir -p /usr/bin/dpkgd"
                                                        4⤵
                                                          PID:1557
                                                          • /usr/bin/mkdir
                                                            mkdir -p /usr/bin/dpkgd
                                                            5⤵
                                                            • Reads runtime system information
                                                            PID:1558
                                                        • /bin/sh
                                                          sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
                                                          4⤵
                                                            PID:1559
                                                            • /usr/bin/cp
                                                              cp -f /bin/lsof /usr/bin/dpkgd/lsof
                                                              5⤵
                                                              • Write file to user bin folder
                                                              • Reads runtime system information
                                                              PID:1561
                                                          • /bin/sh
                                                            sh -c "mkdir -p /bin"
                                                            4⤵
                                                              PID:1562
                                                              • /usr/bin/mkdir
                                                                mkdir -p /bin
                                                                5⤵
                                                                • Reads runtime system information
                                                                PID:1563
                                                            • /bin/sh
                                                              sh -c "cp -f /usr/bin/bsd-port/knerl /bin/lsof"
                                                              4⤵
                                                                PID:1564
                                                                • /usr/bin/cp
                                                                  cp -f /usr/bin/bsd-port/knerl /bin/lsof
                                                                  5⤵
                                                                  • Writes file to system bin folder
                                                                  • Reads runtime system information
                                                                  PID:1565
                                                              • /bin/sh
                                                                sh -c "chmod 0755 /bin/lsof"
                                                                4⤵
                                                                  PID:1566
                                                                  • /usr/bin/chmod
                                                                    chmod 0755 /bin/lsof
                                                                    5⤵
                                                                      PID:1567
                                                                  • /bin/sh
                                                                    sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
                                                                    4⤵
                                                                      PID:1568
                                                                      • /usr/bin/cp
                                                                        cp -f /bin/ps /usr/bin/dpkgd/ps
                                                                        5⤵
                                                                        • Write file to user bin folder
                                                                        • Reads runtime system information
                                                                        PID:1569
                                                                    • /bin/sh
                                                                      sh -c "mkdir -p /bin"
                                                                      4⤵
                                                                        PID:1571
                                                                        • /usr/bin/mkdir
                                                                          mkdir -p /bin
                                                                          5⤵
                                                                          • Reads runtime system information
                                                                          PID:1572
                                                                      • /bin/sh
                                                                        sh -c "cp -f /usr/bin/bsd-port/knerl /bin/ps"
                                                                        4⤵
                                                                          PID:1573
                                                                          • /usr/bin/cp
                                                                            cp -f /usr/bin/bsd-port/knerl /bin/ps
                                                                            5⤵
                                                                            • Writes file to system bin folder
                                                                            • Reads runtime system information
                                                                            PID:1574
                                                                        • /bin/sh
                                                                          sh -c "chmod 0755 /bin/ps"
                                                                          4⤵
                                                                            PID:1575
                                                                            • /usr/bin/chmod
                                                                              chmod 0755 /bin/ps
                                                                              5⤵
                                                                                PID:1576
                                                                            • /bin/sh
                                                                              sh -c "mkdir -p /usr/bin"
                                                                              4⤵
                                                                                PID:1577
                                                                                • /usr/bin/mkdir
                                                                                  mkdir -p /usr/bin
                                                                                  5⤵
                                                                                  • Reads runtime system information
                                                                                  PID:1579
                                                                              • /bin/sh
                                                                                sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof"
                                                                                4⤵
                                                                                  PID:1580
                                                                                  • /usr/bin/cp
                                                                                    cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
                                                                                    5⤵
                                                                                    • Write file to user bin folder
                                                                                    • Reads runtime system information
                                                                                    PID:1581
                                                                                • /bin/sh
                                                                                  sh -c "chmod 0755 /usr/bin/lsof"
                                                                                  4⤵
                                                                                    PID:1582
                                                                                    • /usr/bin/chmod
                                                                                      chmod 0755 /usr/bin/lsof
                                                                                      5⤵
                                                                                        PID:1583
                                                                                    • /bin/sh
                                                                                      sh -c "mkdir -p /usr/bin"
                                                                                      4⤵
                                                                                        PID:1584
                                                                                        • /usr/bin/mkdir
                                                                                          mkdir -p /usr/bin
                                                                                          5⤵
                                                                                          • Reads runtime system information
                                                                                          PID:1585
                                                                                      • /bin/sh
                                                                                        sh -c "cp -f /usr/bin/bsd-port/knerl /usr/bin/ps"
                                                                                        4⤵
                                                                                          PID:1586
                                                                                          • /usr/bin/cp
                                                                                            cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
                                                                                            5⤵
                                                                                            • Write file to user bin folder
                                                                                            • Reads runtime system information
                                                                                            PID:1587
                                                                                        • /bin/sh
                                                                                          sh -c "chmod 0755 /usr/bin/ps"
                                                                                          4⤵
                                                                                            PID:1589
                                                                                            • /usr/bin/chmod
                                                                                              chmod 0755 /usr/bin/ps
                                                                                              5⤵
                                                                                                PID:1590
                                                                                            • /bin/sh
                                                                                              sh -c "insmod /usr/lib/xpacket.ko"
                                                                                              4⤵
                                                                                                PID:1591
                                                                                                • /usr/sbin/insmod
                                                                                                  insmod /usr/lib/xpacket.ko
                                                                                                  5⤵
                                                                                                  • Reads runtime system information
                                                                                                  PID:1592
                                                                                          • /bin/sh
                                                                                            sh -c "mkdir -p /usr/bin"
                                                                                            2⤵
                                                                                              PID:1534
                                                                                              • /usr/bin/mkdir
                                                                                                mkdir -p /usr/bin
                                                                                                3⤵
                                                                                                • Reads runtime system information
                                                                                                PID:1535
                                                                                            • /bin/sh
                                                                                              sh -c "cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/pythno"
                                                                                              2⤵
                                                                                                PID:1536
                                                                                                • /usr/bin/cp
                                                                                                  cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/pythno
                                                                                                  3⤵
                                                                                                  • Write file to user bin folder
                                                                                                  • Reads runtime system information
                                                                                                  PID:1537
                                                                                              • /bin/sh
                                                                                                sh -c /usr/bin/pythno
                                                                                                2⤵
                                                                                                  PID:1539
                                                                                                  • /usr/bin/pythno
                                                                                                    /usr/bin/pythno
                                                                                                    3⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Reads runtime system information
                                                                                                    • Writes file to tmp directory
                                                                                                    PID:1540
                                                                                                • /bin/sh
                                                                                                  sh -c "insmod /usr/lib/xpacket.ko"
                                                                                                  2⤵
                                                                                                    PID:1542
                                                                                                    • /usr/sbin/insmod
                                                                                                      insmod /usr/lib/xpacket.ko
                                                                                                      3⤵
                                                                                                      • Reads runtime system information
                                                                                                      PID:1543

                                                                                                Network

                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                Replay Monitor

                                                                                                Loading Replay Monitor...

                                                                                                Downloads

                                                                                                • /etc/init.d/VsystemsshMdt

                                                                                                  Filesize

                                                                                                  64B

                                                                                                  MD5

                                                                                                  b29de5cc181ffee698b7d2bfffa3671f

                                                                                                  SHA1

                                                                                                  5584faa078c8f4014a9acb622ec6401f3e3cde9b

                                                                                                  SHA256

                                                                                                  04fdb37f1673309d0929c98bd850f93336ac8374d4d117bd986d89530e6ab027

                                                                                                  SHA512

                                                                                                  2fe4873f48f3557e34c313ffd0ab0ba5806845d122c839d96405551a1d5efbebf7df9cd8f7b5be2ab89357692ed87aba2859237e3d53acf546843dcbe180c616

                                                                                                • /etc/init.d/selinux

                                                                                                  Filesize

                                                                                                  36B

                                                                                                  MD5

                                                                                                  caa27b819c9303446f702929874a00e8

                                                                                                  SHA1

                                                                                                  d24199c0e376edea3f822b215148cc0dc78364bf

                                                                                                  SHA256

                                                                                                  da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b

                                                                                                  SHA512

                                                                                                  dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

                                                                                                • /tmp/conf.n

                                                                                                  Filesize

                                                                                                  69B

                                                                                                  MD5

                                                                                                  8f7922b090f3e1801fdb1d71d9c49abc

                                                                                                  SHA1

                                                                                                  626214a41cf5b8e83c3be7af1efe4cca585bb6b6

                                                                                                  SHA256

                                                                                                  fbf9d6e9acf4a30f08791be7f9416de4452e6b364867a52dd15cf5571d82aaf4

                                                                                                  SHA512

                                                                                                  54ac6efc27fd1ebf96b791732dc2e57c50c9ebd47c30c4c1d4f9d0f4f16a5450af7d911e92851a756a70511a85478e7fcafcdc9801fad7db51d265939bc5c155

                                                                                                • /tmp/idus.log

                                                                                                  Filesize

                                                                                                  4B

                                                                                                  MD5

                                                                                                  1373b284bc381890049e92d324f56de0

                                                                                                  SHA1

                                                                                                  d05785002742a30502dde3731b28883334e46040

                                                                                                  SHA256

                                                                                                  477e2d13152129e72c4a47a5abed06ce422daff2ca0e99d33bc527477effee34

                                                                                                  SHA512

                                                                                                  b409dbef7cad909beab9e2b251590e7a6773e6ef7bc3782a9adb4be3a2765fdefca68cb96b9b31e92e0edb23d521aa3adfb7c90ade660e75b1a04832d19d59f4

                                                                                                • /tmp/notify.file

                                                                                                  Filesize

                                                                                                  51B

                                                                                                  MD5

                                                                                                  31475e954686ec0a008f86dc13b8fd22

                                                                                                  SHA1

                                                                                                  d2fdde5e7d26b546436cae313287aef8045346c9

                                                                                                  SHA256

                                                                                                  1ce47d832cb496a83bc09bd75b004c702b81b4e0e2f184a96ca2945aa68f2aa7

                                                                                                  SHA512

                                                                                                  6cd6d9b53d27456bbf8679b9933f8b0141fdf225bf3d7879418db591ed2d7af988ea7b5b50b2c6af9e638883981d54b2b6d571d4e7a44b76a35b664132e46a3d

                                                                                                • /tmp/vga.conf

                                                                                                  Filesize

                                                                                                  4B

                                                                                                  MD5

                                                                                                  ebb71045453f38676c40deb9864f811d

                                                                                                  SHA1

                                                                                                  810bd2adca8109e71a0fa4995bb7a965fd8d905a

                                                                                                  SHA256

                                                                                                  0d0c9bc37ae955b26c8bfecc22fcd072c4ea5ce95947a5051b5ed7399bff4f2e

                                                                                                  SHA512

                                                                                                  3a3fc2e1174cf6fa5acf3b1d706c3f21b85915b8f7bc2bae7c5ca6ceb86fc5377e33ff347264e1dd620fcba5fec174ae4b8793e7a9aaaf2b0ec06d85e077efdf

                                                                                                • /usr/bin/bsd-port/knerl

                                                                                                  Filesize

                                                                                                  384KB

                                                                                                  MD5

                                                                                                  1ad0c890f8fbb9b392e0acb425de4f3c

                                                                                                  SHA1

                                                                                                  de9a9671cc45e0a486c8d4e3c1f2c9156cf1673a

                                                                                                  SHA256

                                                                                                  18f26cbad0f228e1bd4042603dfcb5e1b597f66dd968c832f77ea41564e808c2

                                                                                                  SHA512

                                                                                                  fa7ad4d586839c94b0f8025e8a1106f8609c1a44e720dc2882b5ee4af739d34b40720d8bd83130d7bac375ca8ccbf5efe0278e04ff7b9f2d8805ea25972304d4

                                                                                                • /usr/bin/dpkgd/lsof

                                                                                                  Filesize

                                                                                                  163KB

                                                                                                  MD5

                                                                                                  ab57b66cc531ae0f996963223e632b60

                                                                                                  SHA1

                                                                                                  bf7e5becd33f21c2539f5a75ffa0ab61c49c8795

                                                                                                  SHA256

                                                                                                  2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df

                                                                                                  SHA512

                                                                                                  908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

                                                                                                • /usr/bin/dpkgd/ps

                                                                                                  Filesize

                                                                                                  138KB

                                                                                                  MD5

                                                                                                  8146139c2ad7e550b1d1f49480997446

                                                                                                  SHA1

                                                                                                  074db8890c3227bd8a588417f5b9bde637bcf3af

                                                                                                  SHA256

                                                                                                  207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f

                                                                                                  SHA512

                                                                                                  b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

                                                                                                • memory/1510-1-0x0000000008048000-0x0000000008129e8c-memory.dmp

                                                                                                • memory/1532-2-0x0000000008048000-0x0000000008129e8c-memory.dmp

                                                                                                • memory/1540-3-0x0000000008048000-0x0000000008129e8c-memory.dmp