Analysis
max time kernel: 147s
max time network: 145s
platform: debian-12_armhf
resource: debian12-armhf-20240729-en
resource tags: arch:armhf, image:debian12-armhf-20240729-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
submitted: 29-07-2024 12:09

Static task: static1
Behavioral task: behavioral1
Sample: 45b6935f88538f5531afc2610a1cca23_JaffaCakes118
Resource: debian12-armhf-20240729-en
General
Target: 45b6935f88538f5531afc2610a1cca23_JaffaCakes118
Size: 790KB
MD5: 45b6935f88538f5531afc2610a1cca23
SHA1: b6e478830b5de582eb06168fb65b301c136aa8cc
SHA256: fb7052fcf6f82cc40730deb412f0600946d01b2c2ba4b63db8e4de5dd3f897db
SHA512: 8bb687ea5df3490c93893ca9aff0e99e27c9e127b3f31b8a8e73862c617224a8899a14c1c437c0c524615fb98c8c40894073ce4d0f24aa387c2a4859c2cf17e6
SSDEEP: 12288:AfcfPG+rfi1BqAvtmDgsHIyyeSsZcgWaWSQCs9YB7HRvuWsvy/Pqks99FHvhWqVN:DW5fIDgsHt8McgWZ4V5o9Hv8qVPEuiU
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  - /tmp/pro.sh  (pid 693, process: pro.sh)
  - /tmp/pro.sh  (pid 709, process: pro.sh)

Renames itself (1 IoC)
Processes:
  - pid 688
Enumerates running processes
Discovers information about currently running processes on the system.

Checks CPU configuration (1 TTP, 29 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes:
  - File opened for reading: /proc/cpuinfo  (process: ps; 16 entries)
  - File opened for reading: /proc/cpuinfo  (process: cat; 13 entries)

Reads CPU attributes (1 TTP, 1 IoC)
Processes:
  - File opened for reading: /sys/devices/system/cpu/online  (process: ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes:
  description: File opened for reading (all 64 entries)
  process: ps (all 64 entries)
  ioc: /proc/301/cmdline, /proc/46/cmdline, /proc/4/status, /proc/20/stat, /proc/207/cmdline, /proc/206/stat, /proc/344/ctty, /proc/18/ctty,
       /proc/3/ctty, /proc/143/stat, /proc/28/cmdline, /proc/653/environ, /proc/142/cmdline, /proc/9/cmdline, /proc/783/environ, /proc/9/status,
       /proc/187/ctty, /proc/362/cmdline, /proc/734/stat, /proc/193/environ, /proc/26/environ, /proc/14/stat, /proc/73/ctty, /proc/19/cmdline,
       /proc/44/stat, /proc/26/status, /proc/3/environ, /proc/7/ctty, /proc/36/status, /proc/652/stat, /proc/323/cmdline, /proc/762/ctty,
       /proc/1/status, /proc/9/stat, /proc/9/stat, /proc/28/ctty, /proc/73/cmdline, /proc/18/ctty, /proc/206/ctty, /proc/652/cmdline,
       /proc/25/stat, /proc/16/environ, /proc/694/stat, /proc/839/stat, /proc/143/ctty, /proc/753/cmdline, /proc/19/stat, /proc/637/environ,
       /proc/9/ctty, /proc/350/environ, /proc/1/status, /proc/36/ctty, /proc/704/cmdline, /proc/35/ctty, /proc/9/ctty, /proc/27/ctty,
       /proc/44/ctty, /proc/694/cmdline, /proc/25/stat, /proc/10/cmdline, /proc/51/status, /proc/36/cmdline, /proc/323/ctty, /proc/12/ctty
Writes file to tmp directory (4 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  - File opened for modification: /tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118.lock  (process: 45b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - File opened for modification: /tmp/pro.sh  (process: 45b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - File opened for modification: /tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118.lock  (process: ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - File opened for modification: /tmp/pro.sh  (process: ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
Processes
(indentation shows the parent/child relationship; "cmd" is the observed command line)

- PID 685  /tmp/45b6935f88538f5531afc2610a1cca23_JaffaCakes118  (cmd: /tmp/45b6935f88538f5531afc2610a1cca23_JaffaCakes118)
    signatures: Writes file to tmp directory
  - PID 689  /bin/sh  (cmd: sh -c "ulimit -n 2048")
  - PID 690  /bin/sh  (cmd: sh -c "chmod 777 pro.sh")
    - PID 691  /usr/bin/chmod  (cmd: chmod 777 pro.sh)
  - PID 692  /bin/sh  (cmd: sh -c "./pro.sh ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118 &")

- PID 693  /tmp/pro.sh  (cmd: ./pro.sh ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
    signatures: Executes dropped EXE
  - PID 698  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 699  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 700  /usr/bin/grep  (cmd: grep -v grep)
  - PID 701  /usr/bin/grep  (cmd: grep -v pro.sh)

- PID 702  /usr/bin/nohup  (cmd: nohup ./._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)

- PID 702  /tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118  (cmd: ./._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
    signatures: Reads CPU attributes; Writes file to tmp directory
  - PID 705  /bin/sh  (cmd: sh -c "ulimit -n 2048")
  - PID 706  /bin/sh  (cmd: sh -c "chmod 777 pro.sh")
    - PID 707  /usr/bin/chmod  (cmd: chmod 777 pro.sh)
  - PID 708  /bin/sh  (cmd: sh -c "./pro.sh ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118 &")
  - PID 710  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 711  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 712  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 713  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 726  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 727  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 728  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 729  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 736  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 738  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 737  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 739  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 748  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 749  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 750  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 751  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 758  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 759  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 760  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 761  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 768  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 769  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 770  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 771  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 778  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 779  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 780  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 781  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 788  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 789  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 790  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 791  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 803  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 804  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 805  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 806  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 814  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 815  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 816  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 817  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 824  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 825  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 826  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 827  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 835  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 836  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 837  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 838  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")
  - PID 845  /bin/sh  (cmd: sh -c "cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//'")
    - PID 846  /usr/bin/cat  (cmd: cat /proc/cpuinfo)
        signatures: Checks CPU configuration
    - PID 847  /usr/bin/grep  (cmd: grep "cpu MHz")
    - PID 848  /usr/bin/sed  (cmd: sed -e "s/.*:[^0-9]//")

- PID 709  /tmp/pro.sh  (cmd: ./pro.sh ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
    signatures: Executes dropped EXE
  - PID 715  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 716  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 717  /usr/bin/grep  (cmd: grep -v grep)
  - PID 718  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 719  /usr/bin/sleep  (cmd: sleep 10)
  - PID 721  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 722  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 723  /usr/bin/grep  (cmd: grep -v grep)
  - PID 724  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 725  /usr/bin/sleep  (cmd: sleep 10)
  - PID 731  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 732  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 733  /usr/bin/grep  (cmd: grep -v grep)
  - PID 734  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 735  /usr/bin/sleep  (cmd: sleep 10)
  - PID 743  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 744  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 745  /usr/bin/grep  (cmd: grep -v grep)
  - PID 746  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 747  /usr/bin/sleep  (cmd: sleep 10)
  - PID 754  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 753  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 755  /usr/bin/grep  (cmd: grep -v grep)
  - PID 756  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 757  /usr/bin/sleep  (cmd: sleep 10)
  - PID 763  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 764  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 765  /usr/bin/grep  (cmd: grep -v grep)
  - PID 766  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 767  /usr/bin/sleep  (cmd: sleep 10)
  - PID 773  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 774  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 775  /usr/bin/grep  (cmd: grep -v grep)
  - PID 776  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 777  /usr/bin/sleep  (cmd: sleep 10)
  - PID 783  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 784  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 785  /usr/bin/grep  (cmd: grep -v grep)
  - PID 786  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 787  /usr/bin/sleep  (cmd: sleep 10)
  - PID 793  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 794  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 795  /usr/bin/grep  (cmd: grep -v grep)
  - PID 796  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 797  /usr/bin/sleep  (cmd: sleep 10)
  - PID 800  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 799  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 801  /usr/bin/grep  (cmd: grep -v grep)
  - PID 802  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 807  /usr/bin/sleep  (cmd: sleep 10)
  - PID 809  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 810  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 811  /usr/bin/grep  (cmd: grep -v grep)
  - PID 812  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 813  /usr/bin/sleep  (cmd: sleep 10)
  - PID 820  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 819  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 821  /usr/bin/grep  (cmd: grep -v grep)
  - PID 822  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 823  /usr/bin/sleep  (cmd: sleep 10)
  - PID 830  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 831  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 832  /usr/bin/grep  (cmd: grep -v grep)
  - PID 833  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 834  /usr/bin/sleep  (cmd: sleep 10)
  - PID 840  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 841  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 842  /usr/bin/grep  (cmd: grep -v grep)
  - PID 843  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 844  /usr/bin/sleep  (cmd: sleep 10)
  - PID 850  /usr/bin/ps  (cmd: ps -ef)
      signatures: Checks CPU configuration; Reads runtime system information
  - PID 851  /usr/bin/grep  (cmd: grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118)
  - PID 852  /usr/bin/grep  (cmd: grep -v grep)
  - PID 853  /usr/bin/grep  (cmd: grep -v pro.sh)
  - PID 854  /usr/bin/sleep  (cmd: sleep 10)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 161B
MD5: 40d8d561d8ae7796e03a4f0f8e62a1ab
SHA1: 2bc467db7ab4eb2bb4a5d082c452c0ad57a9813c
SHA256: 6300dc9fa2a9a7d30906a535d938d6960dbbe883b93c6eeb12fa3a5696dd0010
SHA512: 03743f2227c851bf0c3ad2e2fa4face0a0462c4f1c0d25b4beca5c511388b56c580b7ed38502ab1017b932edd5588c23563333a0dd055b649b708e7c0f7b2735