Analysis
max time kernel: 149s
max time network: 148s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240729-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 29-07-2024 06:50
General
Target: 3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
Size: 821KB
MD5: 3b5dc047c1aa2200136cce6490b9c912
SHA1: bd273b4aa47546d108119a45212bb96bbb216eb1
SHA256: 4bccf3d04c1a8dbd6be13c07f42e9467f21b2e2d0a89134e4db55b3e924fbd6c
SHA512: f92c245beb9537fe1e4d9b6c09c3c7a62ae6b3ee5728189515fba07a0157c3a61a0dd922120bb4d77ce872e06193d12a126ca9ff48a9730093f2683889ccabe2
SSDEEP: 24576:4wijaA7f7G35Mn4WahdvOItw02h90PG+bwYh:4wSlfyJq4FhuTheFbJ
Malware Config
Signatures
Deletes itself (2 IoCs)
Processes:
  pid   process
  1510  freeBSD
  1513  3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a
Executes dropped EXE (3 IoCs)
Processes:
  ioc                                                   pid   process
  /tmp/freeBSD                                          1510  freeBSD
  /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a  1513  3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a
  /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118   1514  3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
Processes:
  resource      yara_rule
  /tmp/freeBSD  upx
Checks CPU configuration (1 TTPs, 1 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes:
  description              ioc            process
  File opened for reading  /proc/cpuinfo  3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of the /proc filesystem to enumerate network settings.
Processes:
  description              ioc            process
  File opened for reading  /proc/net/dev  3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
Reads runtime system information (5 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
  description              ioc                        process
  File opened for reading  /proc/filesystems          cp
  File opened for reading  /proc/sys/kernel/version   3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
  File opened for reading  /proc/stat                 3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
  File opened for reading  /proc/filesystems          cp
  File opened for reading  /proc/filesystems          cp
Writes file to tmp directory (5 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                   ioc                                                   process
  File opened for modification  /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118   3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a
  File opened for modification  /tmp/fake.cfg                                         3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
  File opened for modification  /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118   cp
  File opened for modification  /tmp/freeBSD                                          cp
  File opened for modification  /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a  cp
Processes
/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118  PID:1507
  command: /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
  /bin/sh  PID:1508
    command: sh -c "cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/freeBSD"
    /usr/bin/cp  PID:1509
      command: cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/freeBSD
      - Reads runtime system information
      - Writes file to tmp directory
  /bin/sh  PID:1511
    command: sh -c "cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a"
    /usr/bin/cp  PID:1512
      command: cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a
      - Reads runtime system information
      - Writes file to tmp directory
  /tmp/freeBSD  PID:1510
    command: /tmp/freeBSD /tmp/freeBSD 1
    - Deletes itself
    - Executes dropped EXE
/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a  PID:1513
  command: /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
  - Deletes itself
  - Executes dropped EXE
  - Writes file to tmp directory
  /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118  PID:1514
    - Executes dropped EXE
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/sh  PID:1519
    command: sh -c "cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118"
    /usr/bin/cp  PID:1520
      command: cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
      - Reads runtime system information
      - Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 2c87dc6553988b587e0755a1bd11d265
SHA1: 9e63beee5f714dd36ae867008e9cfd4022dd0e4e
SHA256: 229ab234a460de38c88542c1a8f07e476f6680f4e3cd87c3143b5cb21942aba9
SHA512: 27a77bfd62f23f7a1c8fe8d95b56ebb1ab71b483d909f7c8a48b351d4ba4b93df2e3d568da49bf23fda992dfc983300146c2b64db10328cec2e55bbb42c965df

Filesize: 821KB
MD5: 3b5dc047c1aa2200136cce6490b9c912
SHA1: bd273b4aa47546d108119a45212bb96bbb216eb1
SHA256: 4bccf3d04c1a8dbd6be13c07f42e9467f21b2e2d0a89134e4db55b3e924fbd6c
SHA512: f92c245beb9537fe1e4d9b6c09c3c7a62ae6b3ee5728189515fba07a0157c3a61a0dd922120bb4d77ce872e06193d12a126ca9ff48a9730093f2683889ccabe2