Analysis
max time kernel: 149s
max time network: 153s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 29-07-2024 11:02
General
Target: 426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
Size: 1.1MB
MD5: 426cc76727e027d992c2de8f3fb6d5b7
SHA1: 2f4e032c375ed5cf78fb7971b842eb43ee545655
SHA256: 832afec6e96ed9c35fd606254a0ad6b5a7222dd318235a80bc100e10560feb48
SHA512: f4c8753fbb838b9c37a2c0cb2768e6f3d664a7f32d7c8ce7692d314f6d2c0f15db86e2857e69f9b010dbc2030acf31d2e3555c465e1b47bf2c055ba570f2f387
SSDEEP: 24576:8SlXre0q1r+GsNUV81TSCi1REMVuS3CLOGqjnY4wHFTBjjo2OsLBB4J:8SNt4rONU6N1AUJ82OsLBBy
Malware Config
Signatures
- Deletes itself (2 IoCs)
  Processes:
  pid   process
  1583  freeBSD
  1593  426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a
- Executes dropped EXE (3 IoCs)
  Processes:
  ioc                                                   pid   process
  /tmp/freeBSD                                          1583  freeBSD
  /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a  1593  426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a
  /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118   1594  426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
- Processes:
  resource      yara_rule
  /tmp/freeBSD  upx
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
  description               ioc            process
  File opened for reading   /proc/cpuinfo  426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  Processes:
  description               ioc            process
  File opened for reading   /proc/net/dev  426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
- Reads runtime system information (5 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes:
  description               ioc                        process
  File opened for reading   /proc/filesystems          cp
  File opened for reading   /proc/filesystems          cp
  File opened for reading   /proc/sys/kernel/version   426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
  File opened for reading   /proc/stat                 426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
  File opened for reading   /proc/filesystems          cp
- Writes file to tmp directory (5 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
  description                    ioc                                                   process
  File opened for modification   /tmp/fake.cfg                                         426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
  File opened for modification   /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118   cp
  File opened for modification   /tmp/freeBSD                                          cp
  File opened for modification   /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a  cp
  File opened for modification   /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118   426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a
Processes
- /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
  command: /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
  PID: 1563
  - /bin/sh
    command: sh -c "cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/freeBSD"
    PID: 1576
    - /usr/bin/cp
      command: cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/freeBSD
      signatures: Reads runtime system information; Writes file to tmp directory
      PID: 1577
  - /tmp/freeBSD
    command: /tmp/freeBSD /tmp/freeBSD 1
    signatures: Deletes itself; Executes dropped EXE
    PID: 1583
  - /bin/sh
    command: sh -c "cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a"
    PID: 1584
    - /usr/bin/cp
      command: cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a
      signatures: Reads runtime system information; Writes file to tmp directory
      PID: 1588
- /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a
  command: /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
  signatures: Deletes itself; Executes dropped EXE; Writes file to tmp directory
  PID: 1593
  - /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
    command: /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
    signatures: Executes dropped EXE; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
    PID: 1594
  - /bin/sh
    command: sh -c "cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118"
    PID: 1597
    - /usr/bin/cp
      command: cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
      signatures: Reads runtime system information; Writes file to tmp directory
      PID: 1598
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: 71c1364cd454c66c9fe53d4f1a0dca43
  SHA1: 13bcaa53e432d43c7b412077060a69b39d6db13a
  SHA256: e1714f503e4c55ea56c97e869c4d915165a6a64b5644176f083a462d9029c7af
  SHA512: 80eb96ae6f6507d9baa16c540fc838d5d23542653f993bb6636cc7772b959b69bbf76a116ed760b3d353317a25f2af7cefe36614a26d1c51734da66735e44e58
- Filesize: 1.1MB
  MD5: 426cc76727e027d992c2de8f3fb6d5b7
  SHA1: 2f4e032c375ed5cf78fb7971b842eb43ee545655
  SHA256: 832afec6e96ed9c35fd606254a0ad6b5a7222dd318235a80bc100e10560feb48
  SHA512: f4c8753fbb838b9c37a2c0cb2768e6f3d664a7f32d7c8ce7692d314f6d2c0f15db86e2857e69f9b010dbc2030acf31d2e3555c465e1b47bf2c055ba570f2f387