Analysis
- max time kernel: 149s
- max time network: 149s
- platform: ubuntu-22.04_amd64
- resource: ubuntu2204-amd64-20240729-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
- submitted: 29-07-2024 11:21
General
- Target: 43536e52614ea838a6955cc7603c833a_JaffaCakes118
- Size: 821KB
- MD5: 43536e52614ea838a6955cc7603c833a
- SHA1: 38353898e4a2048b866c5a53a3e52d3006f6c890
- SHA256: 72a9ed5d3658cb4cf7d226ef8421844476a3ed4ad43f63783304150249c3dba2
- SHA512: 78b2f711448d7da7e9d65666ecbc84593aa434b5414c2aa23638825f61c7593218ed47dd73f0b6526a11156ea1eb621a7478c118a2f05ad1ddce55cd73a9920f
- SSDEEP: 24576:wwijaA7f7G35Mn4WaFbiN4SJySwxKDS2Oio4BEfU:wwSlfyJq4FTV32Od46fU
Malware Config
Signatures

- Deletes itself (2 IoCs)
  Processes (pid, process):
  1511, freeBSD
  1514, 43536e52614ea838a6955cc7603c833a_JaffaCakes118a

- Executes dropped EXE (3 IoCs)
  Processes (ioc, pid, process):
  /tmp/freeBSD, 1511, freeBSD
  /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a, 1514, 43536e52614ea838a6955cc7603c833a_JaffaCakes118a
  /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118, 1515, 43536e52614ea838a6955cc7603c833a_JaffaCakes118

- Processes (resource, yara_rule):
  /tmp/freeBSD, upx

- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes (description, ioc, process):
  File opened for reading, /proc/cpuinfo, 43536e52614ea838a6955cc7603c833a_JaffaCakes118

- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of the /proc filesystem to enumerate network settings.
  Processes (description, ioc, process):
  File opened for reading, /proc/net/dev, 43536e52614ea838a6955cc7603c833a_JaffaCakes118

- Reads runtime system information (5 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes (description, ioc, process):
  File opened for reading, /proc/filesystems, cp
  File opened for reading, /proc/filesystems, cp
  File opened for reading, /proc/sys/kernel/version, 43536e52614ea838a6955cc7603c833a_JaffaCakes118
  File opened for reading, /proc/stat, 43536e52614ea838a6955cc7603c833a_JaffaCakes118
  File opened for reading, /proc/filesystems, cp

- Writes file to tmp directory (5 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process):
  File opened for modification, /tmp/freeBSD, cp
  File opened for modification, /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a, cp
  File opened for modification, /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118, 43536e52614ea838a6955cc7603c833a_JaffaCakes118a
  File opened for modification, /tmp/fake.cfg, 43536e52614ea838a6955cc7603c833a_JaffaCakes118
  File opened for modification, /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118, cp
Processes

- /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 (PID 1508)
  Command: /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118
  - /bin/sh (PID 1509)
    Command: sh -c "cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 /tmp/freeBSD"
    - /usr/bin/cp (PID 1510)
      Command: cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 /tmp/freeBSD
      Signatures: Reads runtime system information; Writes file to tmp directory
  - /bin/sh (PID 1512)
    Command: sh -c "cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a"
    - /usr/bin/cp (PID 1513)
      Command: cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a
      Signatures: Reads runtime system information; Writes file to tmp directory
  - /tmp/freeBSD (PID 1511)
    Command: /tmp/freeBSD /tmp/freeBSD 1
    Signatures: Deletes itself; Executes dropped EXE

- /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a (PID 1514)
  Command: /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118
  Signatures: Deletes itself; Executes dropped EXE; Writes file to tmp directory
  - /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 (PID 1515)
    Signatures: Executes dropped EXE; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/sh (PID 1521)
    Command: sh -c "cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118"
    - /usr/bin/cp (PID 1522)
      Command: cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118
      Signatures: Reads runtime system information; Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.3MB
  MD5: 81120b9ff418d5d660f21a8c389ec27e
  SHA1: b0cd2f53ca40e5aaabb4e6134d96e580d40f11bd
  SHA256: 869f93060e503f1084c322e6bdce66ac04d7d11b236eab3b509e7a1c9d0cd227
  SHA512: b4685fbff8b6eb2a41afce7c8a3fd0df8e389639421e9343eac18a45f9a229e0355afbe234a90f330328825434871ff2e39f6c2fde2ee2a7626f4aaee673382e

- Filesize: 821KB
  MD5: 43536e52614ea838a6955cc7603c833a
  SHA1: 38353898e4a2048b866c5a53a3e52d3006f6c890
  SHA256: 72a9ed5d3658cb4cf7d226ef8421844476a3ed4ad43f63783304150249c3dba2
  SHA512: 78b2f711448d7da7e9d65666ecbc84593aa434b5414c2aa23638825f61c7593218ed47dd73f0b6526a11156ea1eb621a7478c118a2f05ad1ddce55cd73a9920f