Analysis
max time kernel: 149s
max time network: 150s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240729-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 29-07-2024 11:34
Static task: static1
Behavioral task: behavioral1
    Sample: 43d39f56904dcd521660465f2d217b75_JaffaCakes118
    Resource: ubuntu2204-amd64-20240729-en
General
Target: 43d39f56904dcd521660465f2d217b75_JaffaCakes118
Size: 2.3MB
MD5: 43d39f56904dcd521660465f2d217b75
SHA1: eaaa5de68271d6f19e1c56cc60913614c7e9f836
SHA256: 2f5090315c92f675c4a7ce2b9a8feb6b850b13f5c1ca40646f71154dd6ea8158
SHA512: 45d75b4af604d9599d3b037e8df97f9df31257060b29d68529af1e93a02070959b767cee7944b96462589b49fed7165fd1746ff834922fc5a644ff5ddeabb43d
SSDEEP: 49152:FcXS0KUlIx32lkpQmQkpfb4Zs7SLGHrWu9Paue/er/S+iGonw3Eb0Q4eHJHme6V4:FcXS1UlIx32lk7pfb4Zs7SL7J1K/SMo9
Malware Config
Signatures
Deletes itself (2 IoCs)
    pid   process
    1512  freeBSD
    1515  43d39f56904dcd521660465f2d217b75_JaffaCakes118a

Executes dropped EXE (3 IoCs)
    ioc                                                    pid   process
    /tmp/freeBSD                                           1512  freeBSD
    /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118a   1515  43d39f56904dcd521660465f2d217b75_JaffaCakes118a
    /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118    1516  43d39f56904dcd521660465f2d217b75_JaffaCakes118

Checks CPU configuration (1 TTP, 1 IoC)
Reads CPU information that indicates whether the system is a virtual machine.
    description               ioc            process
    File opened for reading   /proc/cpuinfo  43d39f56904dcd521660465f2d217b75_JaffaCakes118

Reads system network configuration (1 TTP, 1 IoC)
Uses the contents of the /proc filesystem to enumerate network settings.
    description               ioc            process
    File opened for reading   /proc/net/dev  43d39f56904dcd521660465f2d217b75_JaffaCakes118

Reads runtime system information (5 IoCs)
Reads data from the /proc virtual filesystem.
    description               ioc                       process
    File opened for reading   /proc/filesystems         cp
    File opened for reading   /proc/sys/kernel/version  43d39f56904dcd521660465f2d217b75_JaffaCakes118
    File opened for reading   /proc/stat                43d39f56904dcd521660465f2d217b75_JaffaCakes118
    File opened for reading   /proc/filesystems         cp
    File opened for reading   /proc/filesystems         cp

Writes file to tmp directory (5 IoCs)
Malware often drops the files it needs in the /tmp directory.
    description                    ioc                                                    process
    File opened for modification   /tmp/freeBSD                                           cp
    File opened for modification   /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118a   cp
    File opened for modification   /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118    43d39f56904dcd521660465f2d217b75_JaffaCakes118a
    File opened for modification   /tmp/fake.cfg                                          43d39f56904dcd521660465f2d217b75_JaffaCakes118
    File opened for modification   /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118    cp
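The report records only which /proc paths the sample opened for reading (/proc/cpuinfo, /proc/net/dev, /proc/sys/kernel/version, /proc/stat), not what it did with the contents. The parsers below are an added example, not the sample's recovered logic: they show what each of those reads gives a Linux bot that wants to know whether it is running in a virtual machine or a freshly booted sandbox, and how many interfaces are present. The file contents are constructed to resemble a KVM guest, and the particular heuristics (the `hypervisor` CPUID flag, vendor strings in the model name, boot time and fork count from /proc/stat) are assumptions about what such code typically checks.

```python
"""Parse the /proc files this sample opens and show what each reveals.

Added example for this report, not the sample's own code. The inputs below
are constructed (not captured from the sandbox) and the heuristics are the
usual uses of these reads, not logic recovered from the binary.
"""
from __future__ import annotations

HYPERVISOR_MARKERS = ("qemu", "kvm", "vmware", "virtualbox", "xen", "hyper-v")

# Constructed sample contents shaped like a KVM guest's /proc files.
CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: QEMU Virtual CPU version 2.5+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor lahf_lm
"""

NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      10    0    0    0     0          0         0     1234      10    0    0    0     0       0          0
  eth0: 98765432   54321    0    0    0     0          0         0 12345678   23456    0    0    0     0       0          0
"""

STAT = """\
cpu  4705 150 1120 1048576 320 0 45 0 0 0
btime 1722252000
processes 1520
"""


def vm_indicators(cpuinfo: str) -> list[str]:
    """Return the VM tells found in a /proc/cpuinfo dump.

    The 'hypervisor' CPUID flag is exposed by every common hypervisor; a
    vendor string in the model name is a weaker, product-specific tell.
    """
    found = []
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().lower()
        if key == "flags" and "hypervisor" in value.split():
            found.append("flags:hypervisor")
        elif key == "model name":
            found.extend(f"model:{m}" for m in HYPERVISOR_MARKERS if m in value)
    return found


def interfaces(net_dev: str) -> dict[str, tuple[int, int]]:
    """Map each interface in /proc/net/dev to (rx_bytes, tx_bytes).

    The first two lines are column headers; each data line is
    'name: <8 receive counters> <8 transmit counters>'.
    """
    out = {}
    for line in net_dev.splitlines()[2:]:
        name, sep, rest = line.partition(":")
        cols = rest.split()
        if not sep or len(cols) < 16:
            continue
        out[name.strip()] = (int(cols[0]), int(cols[8]))
    return out


def boot_and_fork_count(stat: str) -> tuple[int, int]:
    """Return (btime, processes) from /proc/stat.

    btime is the boot time as a Unix timestamp; processes is the number of
    forks since boot. A box that booted minutes ago and has forked only a
    few hundred times looks like a fresh analysis image, not a server.
    """
    btime = forks = 0
    for line in stat.splitlines():
        if line.startswith("btime "):
            btime = int(line.split()[1])
        elif line.startswith("processes "):
            forks = int(line.split()[1])
    return btime, forks


def summarize(cpuinfo: str = CPUINFO, net_dev: str = NET_DEV, stat: str = STAT) -> dict:
    """Combine the three reads the way a bot might before deciding to run.
    The fork-count threshold is illustrative, not a measured value."""
    tells = vm_indicators(cpuinfo)
    btime, forks = boot_and_fork_count(stat)
    return {
        "vm_indicators": tells,
        "interfaces": sorted(interfaces(net_dev)),
        "boot_time": btime,
        "forks_since_boot": forks,
        "looks_like_sandbox": bool(tells) or forks < 1000,
    }


if __name__ == "__main__":
    for key, val in summarize().items():
        print(f"{key}: {val}")
```

On a real host the same functions take the text of the four paths listed in the signature table; running them on the analysis image itself is a quick way to see which tells the sandbox leaks to the sample.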
Processes
/tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118 (PID 1509)
    command line: /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118
    /bin/sh (PID 1510)
        command line: sh -c "cp /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118 /tmp/freeBSD"
        /usr/bin/cp (PID 1511)
            command line: cp /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118 /tmp/freeBSD
            signatures: Reads runtime system information; Writes file to tmp directory
    /bin/sh (PID 1513)
        command line: sh -c "cp /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118 /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118a"
        /usr/bin/cp (PID 1514)
            command line: cp /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118 /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118a
            signatures: Reads runtime system information; Writes file to tmp directory
    /tmp/freeBSD (PID 1512)
        command line: /tmp/freeBSD /tmp/freeBSD 1
        signatures: Deletes itself; Executes dropped EXE
/tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118a (PID 1515)
    command line: /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118a /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118
    signatures: Deletes itself; Executes dropped EXE; Writes file to tmp directory
    /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118 (PID 1516)
        signatures: Executes dropped EXE; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
    /bin/sh (PID 1521)
        command line: sh -c "cp /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118a /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118"
        /usr/bin/cp (PID 1522)
            command line: cp /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118a /tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118
            signatures: Reads runtime system information; Writes file to tmp directory
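The process tree and the "Writes file to tmp directory" table describe one mechanism from two sides: each running copy invokes `cp` to duplicate its own binary under a new name in /tmp (/tmp/freeBSD, then the `a`-suffixed name, then back to the original name), executes the copy, and the copy reports "Deletes itself". The script below is an added example, not sandbox output or the sample's code: it transcribes the tree into records (parent PIDs are inferred from the indentation; the command line of PID 1516 is not shown in the report and is assumed to be its own path; the record layout is this example's own) and recovers the self-copy steps, the write-then-execute chains, and the one /tmp file that is written but never executed. The same three checks run unchanged over any other sandbox trace that yields a (pid, ppid, exe, cmdline, written paths) list.

```python
"""Reconstruct the copy-and-relaunch chain from this report's process tree.

Added example for this report, not sandbox or sample code. PROCS is
transcribed from the process tree and the tmp-write table above; ppid is
inferred from tree indentation, PID 1516's command line is assumed, and
the Proc layout is this example's own.
"""
from dataclasses import dataclass, field

SAMPLE = "/tmp/43d39f56904dcd521660465f2d217b75_JaffaCakes118"


@dataclass
class Proc:
    pid: int
    ppid: int          # 0 = shown as a top-level entry in the report
    exe: str
    cmdline: str
    writes: list = field(default_factory=list)   # paths opened for modification


PROCS = [
    Proc(1509, 0,    SAMPLE,        SAMPLE),
    Proc(1510, 1509, "/bin/sh",     f'sh -c "cp {SAMPLE} /tmp/freeBSD"'),
    Proc(1511, 1510, "/usr/bin/cp", f"cp {SAMPLE} /tmp/freeBSD", ["/tmp/freeBSD"]),
    Proc(1513, 1509, "/bin/sh",     f'sh -c "cp {SAMPLE} {SAMPLE}a"'),
    Proc(1514, 1513, "/usr/bin/cp", f"cp {SAMPLE} {SAMPLE}a", [SAMPLE + "a"]),
    Proc(1512, 1509, "/tmp/freeBSD", "/tmp/freeBSD /tmp/freeBSD 1"),
    Proc(1515, 0,    SAMPLE + "a",  f"{SAMPLE}a {SAMPLE}", [SAMPLE]),
    Proc(1516, 1515, SAMPLE,        SAMPLE, ["/tmp/fake.cfg"]),   # cmdline assumed
    Proc(1521, 1515, "/bin/sh",     f'sh -c "cp {SAMPLE}a {SAMPLE}"'),
    Proc(1522, 1521, "/usr/bin/cp", f"cp {SAMPLE}a {SAMPLE}", [SAMPLE]),
]


def copies_of_self(procs):
    """(cp_pid, src, dst) for every cp whose source is an ancestor's
    executable: the 'duplicate my own binary' step of a self-reinstalling bot."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        argv = p.cmdline.split()
        if len(argv) < 3 or argv[0] != "cp":
            continue
        src, dst = argv[1], argv[-1]
        anc = by_pid.get(p.ppid)
        while anc is not None:           # walk up past the sh -c wrapper
            if anc.exe == src:
                hits.append((p.pid, src, dst))
                break
            anc = by_pid.get(anc.ppid)
    return hits


def drop_and_exec_chains(procs):
    """(writer_pid, path, exec_pid) for every /tmp path that is written and
    then executed by a later process. PID order stands in for time here,
    which holds in this trace; a real pipeline should sort by timestamp."""
    chains = []
    for w in procs:
        for path in w.writes:
            if not path.startswith("/tmp/"):
                continue
            later = [p for p in procs if p.exe == path and p.pid > w.pid]
            if later:
                chains.append((w.pid, path, min(later, key=lambda p: p.pid).pid))
    return sorted(chains)


def dropped_not_executed(procs):
    """/tmp paths written but never used as an executable: config or state files."""
    executed = {p.exe for p in procs}
    return sorted({path for p in procs for path in p.writes
                   if path.startswith("/tmp/") and path not in executed})


if __name__ == "__main__":
    for pid, src, dst in copies_of_self(PROCS):
        print(f"PID {pid}: copies ancestor binary {src} -> {dst}")
    for wpid, path, xpid in drop_and_exec_chains(PROCS):
        print(f"{path}: written by PID {wpid}, executed as PID {xpid}")
    print("dropped but not executed:", dropped_not_executed(PROCS))
```

Against this trace the three copy steps (PIDs 1511, 1514, 1522), the three relaunches (/tmp/freeBSD as 1512, the `a` copy as 1515, the original name again as 1516) and the lone non-executable drop, /tmp/fake.cfg, fall out directly; the config path and the fixed copy names are the IoCs worth carrying into a host sweep.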
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
    Filesize: 1.3MB
    MD5: 91450d6fa9824d86424ccaae4e089629
    SHA1: 961b2f27081ee83b43ec6b0dd2d1aea59942d3f0
    SHA256: aa9d435d8a7e9331a9d2400435e6c98ed876050f6acd0a2ecfa3eb3435ed8221
    SHA512: d93f44c8c1af0047baa261bdca2dc60d1d4c28c8e0adcb65c1eb8f411c951dda49bad7eb69e82ac9cc0a808db8048740d68dc58aa13759eba575ae975c869da8

File 2 (hashes identical to the submitted sample listed under General)
    Filesize: 2.3MB
    MD5: 43d39f56904dcd521660465f2d217b75
    SHA1: eaaa5de68271d6f19e1c56cc60913614c7e9f836
    SHA256: 2f5090315c92f675c4a7ce2b9a8feb6b850b13f5c1ca40646f71154dd6ea8158
    SHA512: 45d75b4af604d9599d3b037e8df97f9df31257060b29d68529af1e93a02070959b767cee7944b96462589b49fed7165fd1746ff834922fc5a644ff5ddeabb43d