6e022b434deca2c970d00ec6ffaf7b4ce9af89f33df6cb28b85d343e247a9268

Analysis

max time kernel
8s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01-08-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f93143f631265468b8d584aab70b897_JaffaCakes118
Size

30KB
MD5

7f93143f631265468b8d584aab70b897
SHA1

32f181c3fee32fa450b0d4842eb871337a73f0b1
SHA256

6e022b434deca2c970d00ec6ffaf7b4ce9af89f33df6cb28b85d343e247a9268
SHA512

83a3f3038455d629d92c658c0d99950680379d14d72b7471447f628bfd45e2ceb7b392dce05f54fa02420915b7e27b3d1ed82381c8b54ce24c4277f58c52a93f
SSDEEP

768:n+78zQ5VFNcDAFLcIwgnoYq0xFBVdAw2v:nMVF+D6cIwgosz+

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

Processes:

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid	Process
673	iptables

Attempts to change immutable files 24 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrchattrxargsxargsxargsxargsxargsxargschattrchattrgrepxargsxargsxargsxargsgrepxargsxargschattrchattrxargsxargsxargsxargs

pid	Process
668	chattr
690	chattr
719	xargs
743	xargs
749	xargs
761	xargs
781	xargs
793	xargs
661	chattr
670	chattr
697	grep
707	xargs
725	xargs
774	xargs
799	xargs
701	grep
731	xargs
787	xargs
666	chattr
689	chattr
712	xargs
737	xargs
755	xargs
767	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

psps

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspsxargsawkawkawkawkxargsxargssudo

description	ioc	Process
File opened for reading	/proc/656/stat	ps
File opened for reading	/proc/663/stat	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/338/stat	ps
File opened for reading	/proc/298/stat	ps
File opened for reading	/proc/42/status	ps
File opened for reading	/proc/272/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/162/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/662/status	ps
File opened for reading	/proc/271/cmdline	ps
File opened for reading	/proc/25/cmdline	ps
File opened for reading	/proc/104/stat	ps
File opened for reading	/proc/268/stat	ps
File opened for reading	/proc/206/status	ps
File opened for reading	/proc/96/cmdline	ps
File opened for reading	/proc/107/stat	ps
File opened for reading	/proc/269/stat	ps
File opened for reading	/proc/606/status	ps
File opened for reading	/proc/654/status	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/271/stat	ps
File opened for reading	/proc/75/cmdline	ps
File opened for reading	/proc/43/status	ps
File opened for reading	/proc/146/cmdline	ps
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/107/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/655/stat	ps
File opened for reading	/proc/272/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/136/stat	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/131/cmdline	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/29/stat	ps
File opened for reading	/proc/41/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/301/stat	ps
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/606/cmdline	ps
File opened for reading	/proc/642/cmdline	ps
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/701/cmdline	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/41/status	ps
File opened for reading	/proc/598/stat	ps
File opened for reading	/proc/654/stat	ps
File opened for reading	/proc/28/cmdline	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/642/status	ps
File opened for reading	/proc/662/stat	ps
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/700/cmdline	ps

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

Processes:

touch7f93143f631265468b8d584aab70b897_JaffaCakes118

description	ioc	Process
File opened for modification	/tmp/zzza	touch
File opened for modification	/tmp/log_rot	7f93143f631265468b8d584aab70b897_JaffaCakes118

/tmp/7f93143f631265468b8d584aab70b897_JaffaCakes118
/tmp/7f93143f631265468b8d584aab70b897_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:656
- /usr/bin/touch
  touch /tmp/zzza
  2⤵
  - Writes file to tmp directory
  PID:658
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:659
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:661
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:666
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:668
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:670
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:673
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads runtime system information
  PID:679
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:684
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:687
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:689
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:690
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:692
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:693
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:695
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:697
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:696
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:701
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:700
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:705
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:704
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:706
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:707
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:711
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:710
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:709
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:712
- /bin/grep
  grep :143
  2⤵
  PID:715
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:716
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:717
- /bin/grep
  grep -v -
  2⤵
  PID:718
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:719
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:723
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:722
- /bin/grep
  grep :2222
  2⤵
  PID:721
- /bin/grep
  grep -v -
  2⤵
  PID:724
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:725
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:729
- /bin/grep
  grep -v -
  2⤵
  PID:730
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:728
- /bin/grep
  grep :3333
  2⤵
  PID:727
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:731
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:735
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:734
- /bin/grep
  grep -v -
  2⤵
  PID:736
- /bin/grep
  grep :3389
  2⤵
  PID:733
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:737
- /bin/grep
  grep :4444
  2⤵
  PID:739
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:740
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:741
- /bin/grep
  grep -v -
  2⤵
  PID:742
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:743
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:747
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:746
- /bin/grep
  grep -v -
  2⤵
  PID:748
- /bin/grep
  grep :5555
  2⤵
  PID:745
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:749
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:753
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:752
- /bin/grep
  grep -v -
  2⤵
  PID:754
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:755
- /bin/grep
  grep :6666
  2⤵
  PID:751
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:758
- /bin/grep
  grep :6665
  2⤵
  PID:757
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:759
- /bin/grep
  grep -v -
  2⤵
  PID:760
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:765
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:764
- /bin/grep
  grep :6667
  2⤵
  PID:763
- /bin/grep
  grep -v -
  2⤵
  PID:766
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:767
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:771
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:772
- /bin/grep
  grep -v -
  2⤵
  PID:773
- /bin/grep
  grep :7777
  2⤵
  PID:769
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:774
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:778
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:779
- /bin/grep
  grep :8444
  2⤵
  PID:777
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:781
- /bin/grep
  grep -v -
  2⤵
  PID:780
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:785
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:784
- /bin/grep
  grep -v -
  2⤵
  PID:786
- /bin/grep
  grep :3347
  2⤵
  PID:783
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:787
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:790
- /bin/grep
  grep -v -
  2⤵
  PID:792
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:791
- /bin/grep
  grep :14444
  2⤵
  PID:789
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:793
- /bin/grep
  grep -v -
  2⤵
  PID:798
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:797
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:796
- /bin/grep
  grep :14433
  2⤵
  PID:795
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:799

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit