Analysis
- max time kernel: 149s
- max time network: 150s
- platform: ubuntu-20.04_amd64
- resource: ubuntu2004-amd64-20240729-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240729-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
- submitted: 29-07-2024 05:26
Static task: static1
Behavioral task: behavioral1
- Sample: 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
- Resource: ubuntu2004-amd64-20240729-en
General
- Target: 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
- Size: 2.3MB
- MD5: 399176415f868f4635f2ebc0f16e4676
- SHA1: c6637bb1d77cc394af34c71efd15f9de31210050
- SHA256: 8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010
- SHA512: 22d3c07c9b60f8856337bfa32c9f3c3b7fcdc797a3d5b64991afa948d6235ab5bab85658f95c72f8e38996cd0e613df4120d74aa2e03533991487d99d2aba9ad
- SSDEEP: 49152:FcXS0KUlIx32lkpQmQkpfb4Zs7SLGHrWu9Paue/Rr/S+iGonw3Eb0Q4eHJHme6V4:FcXS1UlIx32lk7pfb4Zs7SL7J1B/SMo9
Malware Config
Signatures
- Deletes itself (2 IoCs)
  Processes (pid, process):
  - 1343, freeBSD
  - 1346, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118a
- Executes dropped EXE (3 IoCs)
  Processes (ioc, pid, process):
  - /tmp/freeBSD, 1343, freeBSD
  - /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a, 1346, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118a
  - /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118, 1347, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
- Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information that can indicate whether the system is a virtual machine.
  Processes (description, ioc, process):
  - File opened for reading, /proc/cpuinfo, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
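The report records only that the sample opened /proc/cpuinfo, not which fields it inspects. The following is an added example, not code recovered from the sample or from the sandbox, of what a cpuinfo-based virtual-machine check typically looks for: the `hypervisor` flag (Linux's name for CPUID leaf 1 ECX bit 31, which real hardware leaves clear and hypervisors set) and a vendor-specific model name. The cpuinfo text, the function names and the list of model-name patterns are this example's own assumptions.

```python
# Added example (not code recovered from the sample): a /proc/cpuinfo based
# virtual-machine check. The cpuinfo text below is constructed for the example.
import re

# Constructed: two CPUs as a KVM guest would report them (note the "hypervisor" flag).
GUEST_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU E5-2690 v4 @ 2.60GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat \
pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl \
hypervisor lahf_lm

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU E5-2690 v4 @ 2.60GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat \
pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl \
hypervisor lahf_lm
"""

# Constructed: the same fields as a physical host would report them (no hypervisor bit).
HOST_CPUINFO = GUEST_CPUINFO.replace(" hypervisor", "")

# Model-name substrings that only virtual CPUs carry (assumed list, not exhaustive).
VM_MODEL_NAMES = re.compile(r"QEMU|KVM|Virtual CPU|VMware|Xen|Hyper-V", re.I)


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one {field: value} dict per processor block."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line separates processor blocks
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        cpus.append(cur)
    return cpus


def vm_indicators(text):
    """Return the sorted list of VM hints found in a /proc/cpuinfo dump."""
    hits = set()
    for cpu in parse_cpuinfo(text):
        # CPUID.1:ECX bit 31 is reserved for hypervisors; Linux lists it as "hypervisor".
        if "hypervisor" in cpu.get("flags", "").split():
            hits.add("hypervisor flag")
        if VM_MODEL_NAMES.search(cpu.get("model name", "")):
            hits.add("virtual model name")
    return sorted(hits)


if __name__ == "__main__":
    print(vm_indicators(GUEST_CPUINFO))   # ['hypervisor flag']
    print(vm_indicators(HOST_CPUINFO))    # []
```

The caveat for sandbox operators: the `hypervisor` flag is advertised by the hypervisor through CPUID and can be masked from the guest (most hypervisors allow hiding it), and the model name can be set to a real CPU's string, so a check of this kind is a weak signal that analysis environments routinely defeat. It is still worth modelling because it is cheap for a sample to perform and leaves exactly the /proc/cpuinfo open that the report recorded.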
- Reads system network configuration (1 TTP, 1 IoC)
  Uses the contents of the /proc filesystem to enumerate network settings.
  Processes (description, ioc, process):
  - File opened for reading, /proc/net/dev, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
- Reads runtime system information (5 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes (description, ioc, process):
  - File opened for reading, /proc/filesystems, cp
  - File opened for reading, /proc/filesystems, cp
  - File opened for reading, /proc/sys/kernel/version, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
  - File opened for reading, /proc/stat, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
  - File opened for reading, /proc/filesystems, cp
- Writes file to tmp directory (5 IoCs)
  Malware often drops the files it needs in the /tmp directory.
  Processes (description, ioc, process):
  - File opened for modification, /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118a
  - File opened for modification, /tmp/fake.cfg, 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
  - File opened for modification, /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118, cp
  - File opened for modification, /tmp/freeBSD, cp
  - File opened for modification, /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a, cp
Processes
- /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 (PID 1340)
  Command: /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118
  - /bin/sh (PID 1341)
    Command: sh -c "cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/freeBSD"
    - /usr/bin/cp (PID 1342)
      Command: cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/freeBSD
      Signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/sh (PID 1344)
    Command: sh -c "cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a"
    - /usr/bin/cp (PID 1345)
      Command: cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a
      Signatures: Reads runtime system information; Writes file to tmp directory
  - /tmp/freeBSD (PID 1343)
    Command: /tmp/freeBSD /tmp/freeBSD 1
    Signatures: Deletes itself; Executes dropped EXE
- /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a (PID 1346)
  Command: /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118
  Signatures: Deletes itself; Executes dropped EXE; Writes file to tmp directory
  - /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 (PID 1347)
    Signatures: Executes dropped EXE; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/sh (PID 1353)
    Command: sh -c "cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118"
    - /usr/bin/cp (PID 1354)
      Command: cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118
      Signatures: Reads runtime system information; Writes file to tmp directory
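The process tree above shows one chain repeated twice: the running image shells out to `cp` to copy itself under a new name in /tmp, executes the copy, and the copy unlinks its own file (PID 1343 for /tmp/freeBSD, PID 1346 for the `...118a` copy, which then writes the original path back and re-executes it as PID 1347). The following is an added example, not code from the sandbox or from the sample, of how to correlate process and file events into those three findings. The event list is constructed from the page's process tree and IoC tables (PID 1346 has no recorded parent on the page, so it is given ppid 1); the tuple layout, finding names and function names are this example's own.

```python
# Added example (not sandbox or sample code): correlate exec/write/unlink events
# into "copies self", "executes dropped EXE" and "deletes itself" findings.
# EVENTS is constructed from the report's process tree and IoC tables.
from collections import defaultdict

SAMPLE = "/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118"
COPY = SAMPLE + "a"

# (pid, ppid, kind, path, argv): argv is only set on exec events. Ordered by PID,
# as the report lists them. PID 1346's parent is not recorded on the page (ppid=1).
EVENTS = [
    (1340, 1,    "exec",   SAMPLE,          [SAMPLE]),
    (1341, 1340, "exec",   "/bin/sh",       ["sh", "-c", f"cp {SAMPLE} /tmp/freeBSD"]),
    (1342, 1341, "exec",   "/usr/bin/cp",   ["cp", SAMPLE, "/tmp/freeBSD"]),
    (1342, 1341, "write",  "/tmp/freeBSD",  None),
    (1343, 1340, "exec",   "/tmp/freeBSD",  ["/tmp/freeBSD", "/tmp/freeBSD", "1"]),
    (1343, 1340, "unlink", "/tmp/freeBSD",  None),
    (1344, 1340, "exec",   "/bin/sh",       ["sh", "-c", f"cp {SAMPLE} {COPY}"]),
    (1345, 1344, "exec",   "/usr/bin/cp",   ["cp", SAMPLE, COPY]),
    (1345, 1344, "write",  COPY,            None),
    (1346, 1,    "exec",   COPY,            [COPY, SAMPLE]),
    (1346, 1,    "unlink", COPY,            None),
    (1346, 1,    "write",  SAMPLE,          None),
    (1347, 1346, "exec",   SAMPLE,          [SAMPLE]),
    (1347, 1346, "write",  "/tmp/fake.cfg", None),
    (1353, 1346, "exec",   "/bin/sh",       ["sh", "-c", f"cp {COPY} {SAMPLE}"]),
    (1354, 1353, "exec",   "/usr/bin/cp",   ["cp", COPY, SAMPLE]),
    (1354, 1353, "write",  SAMPLE,          None),
]


def ancestors(pid, parent):
    """Yield pid and then each ancestor until the parent is unknown."""
    while pid in parent:
        yield pid
        pid = parent[pid]


def correlate(events):
    """Return (finding, pid, path, related) tuples for the three behaviours."""
    parent, exe, argv = {}, {}, {}    # per-pid parent, image path, exec arguments
    written = {}                      # path -> pid that last wrote it
    findings = []
    for pid, ppid, kind, path, args in events:
        parent.setdefault(pid, ppid)
        if kind == "exec":
            exe[pid], argv[pid] = path, args
            if path in written:       # image was written earlier in the trace
                findings.append(("executes_dropped_exe", pid, path, written[path]))
        elif kind == "write":
            # Any written path counts as dropped, even if it existed before the
            # trace began; the sandbox treated the rewritten original the same way.
            written[path] = pid
            # Self-copy: a cp whose source is the image of some ancestor process.
            if exe.get(pid, "").endswith("/cp") and len(argv.get(pid) or []) >= 3:
                src, dst = argv[pid][1], argv[pid][2]
                if dst == path:
                    for anc in ancestors(parent[pid], parent):
                        if exe.get(anc) == src:
                            findings.append(("copies_self", anc, src, dst))
                            break
        elif kind == "unlink":
            if exe.get(pid) == path:  # process removes its own image
                findings.append(("deletes_itself", pid, path, None))
    return findings


def summarize(findings):
    """Map each finding name to the sorted PIDs it was raised for."""
    pids = defaultdict(set)
    for name, pid, _path, _related in findings:
        pids[name].add(pid)
    return {name: sorted(p) for name, p in pids.items()}


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(*finding)
    print(summarize(correlate(EVENTS)))
```

Run against the constructed trace, `correlate` raises `copies_self` for PIDs 1340 and 1346, `executes_dropped_exe` for 1343, 1346 and 1347, and `deletes_itself` for 1343 and 1346, matching the report's IoC tables. The self-copy check walks the ancestor chain rather than only the direct parent because the copy is done by `cp` under `sh -c`, two levels below the image that is being copied; a rule that only compares the `cp` source with its parent's image would miss it. The same walk is what makes the copy-back from `...118a` to the original path (PIDs 1353/1354) attributable to PID 1346.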
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: 08a05734595d2fdf700b2e4e5e513683
  SHA1: daa4ca8a22a60845088f0a9f69a9938baea7eecc
  SHA256: 2c801bad37a668d45e125f509dd208473b319b4106b08d706a6a9e71b9753a6d
  SHA512: 380656eed4bcd98cef180dd03745bf6cd607ffb09b82c762d1491f39ee03ad034d0cf27ed92aeae179f65adc149fa91e21e9c8a2fe0a8d6606bbe22a5da5e4b1
- Filesize: 2.3MB
  MD5: 399176415f868f4635f2ebc0f16e4676
  SHA1: c6637bb1d77cc394af34c71efd15f9de31210050
  SHA256: 8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010
  SHA512: 22d3c07c9b60f8856337bfa32c9f3c3b7fcdc797a3d5b64991afa948d6235ab5bab85658f95c72f8e38996cd0e613df4120d74aa2e03533991487d99d2aba9ad