Analysis
- max time kernel: 4s
- platform: debian-9_armhf
- resource: debian9-armhf-20240418-en
- resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 10-08-2024 05:05
- Static task: static1
- Behavioral task: behavioral1 (Sample: 84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118; Resource: ubuntu1804-amd64-20240611-en)
- Behavioral task: behavioral2 (Sample: 84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118; Resource: debian9-armhf-20240418-en)
- Behavioral task: behavioral3 (Sample: 84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118; Resource: debian9-mipsbe-20240611-en)
- Behavioral task: behavioral4 (Sample: 84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118; Resource: debian9-mipsel-20240418-en)
General
- Target: 84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118
- Size: 35KB
- MD5: 84e5ee91b2eecfb946ff935cd8ff5e80
- SHA1: f7cb4120aacc2fc85e7eb655cc2d8fc4d40e59e6
- SHA256: 1b0be209ed0d4918c70b84427667f164f40d90efc2998553cd08f2219d2e6f04
- SHA512: 8b918c0e9c8c42018df31da1eef062215ef6ff4f12046e5ca987aa1e0df7a8a85bad8e5db8cfef4b6fdbfab7be470e250e4bc5845e77b9f0422b6aef966f9485
- SSDEEP: 384:zQQwQHDf6lpTWg3vM4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdUeUoJpJydIDbv:TFNB48Fkc2zq0xvcGGIr9L8eT
Malware Config
Signatures
- Deletes system logs (1 TTPs, 1 IoCs)
  Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
- Flushes firewall rules (1 IoCs)
  Flushes/disables firewall rules inside the Linux kernel.
  Processes: iptables (PID 673)
- Attempts to change immutable files (14 IoCs)
  Modifies inode attributes on the filesystem to allow changing of immutable files.
  Processes: xargs (PIDs 744, 750, 738, 694, 701, 720, 707, 713, 726, 756, 762, 732); chattr (PIDs 668, 671)
- Reads CPU attributes (1 TTPs, 1 IoCs)
  Processes: sysctl (file opened for reading: /sys/devices/system/cpu/online)
- Reads runtime system information (41 IoCs)
  Reads data from /proc virtual filesystem.
  Files opened for reading (process: path, number of occurrences):
  - awk: /proc/self/maps (22)
  - xargs: /proc/self/fd (11)
  - mv: /proc/filesystems (4)
  - userdel: /proc/filesystems (2)
  - sysctl: /proc/sys/kernel/osrelease (1)
  - sysctl: /proc/filesystems (1)
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes: 84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118 (file opened for modification: /tmp/dev/null)
Processes (PID | executable | command line | triggered signatures)
- 643 | /tmp/84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118 | /tmp/84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118 | Writes file to tmp directory
  Child processes:
  - 644 | /bin/sync | sync
  - 651 | /bin/cat | cat /var/spool/cron/
  - 653 | /bin/cat | cat /root/.ssh/authorized_keys
  - 656 | /bin/mv | mv /usr/bin/curl /usr/bin/url | Reads runtime system information
  - 658 | /bin/mv | mv /usr/bin/url /usr/bin/cd1 | Reads runtime system information
  - 661 | /bin/mv | mv /usr/bin/wget /usr/bin/get | Reads runtime system information
  - 663 | /bin/mv | mv /usr/bin/get /usr/bin/wd1 | Reads runtime system information
  - 666 | /bin/rm | rm -rf /var/log/syslog | Deletes system logs
  - 668 | /usr/bin/chattr | chattr -iua /tmp/ | Attempts to change immutable files
  - 671 | /usr/bin/chattr | chattr -iua /var/tmp/ | Attempts to change immutable files
  - 673 | /sbin/iptables | iptables -F | Flushes firewall rules
  - 677 | /usr/sbin/userdel | userdel akay | Reads runtime system information
  - 679 | /usr/sbin/userdel | userdel vfinder | Reads runtime system information
  - 681 | /bin/rm | rm -rf "/tmp/addres*"
  - 682 | /bin/rm | rm -rf "/tmp/walle*"
  - 683 | /bin/rm | rm -rf /tmp/keys
  - 685 | /bin/rm | rm -f /tmp/.null
  - 687 | /sbin/sysctl | sysctl -w "vm.nr_hugepages=128" | Reads CPU attributes; Reads runtime system information
  - 691 | /bin/grep | grep 185.71.65.238
  - 692 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 693 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 694 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 701 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 700 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 699 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 698 | /bin/grep | grep 140.82.52.87
  - 707 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 706 | /bin/grep | grep -v -
  - 705 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 704 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 703 | /bin/grep | grep :443
  - 713 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 712 | /bin/grep | grep -v -
  - 711 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 710 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 709 | /bin/grep | grep :23
  - 718 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 717 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 716 | /bin/grep | grep :443
  - 720 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 719 | /bin/grep | grep -v -
  - 726 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 725 | /bin/grep | grep -v -
  - 724 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 723 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 722 | /bin/grep | grep :143
  - 731 | /bin/grep | grep -v -
  - 730 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 732 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 729 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 728 | /bin/grep | grep :2222
  - 737 | /bin/grep | grep -v -
  - 736 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 738 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 735 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 734 | /bin/grep | grep :3333
  - 743 | /bin/grep | grep -v -
  - 742 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 744 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 741 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 740 | /bin/grep | grep :3389
  - 749 | /bin/grep | grep -v -
  - 748 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 750 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 747 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 746 | /bin/grep | grep :5555
  - 755 | /bin/grep | grep -v -
  - 754 | /usr/bin/awk | awk "-F[/]" "{print \$1}" | Reads runtime system information
  - 756 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files; Reads runtime system information
  - 753 | /usr/bin/awk | awk "{print \$7}" | Reads runtime system information
  - 752 | /bin/grep | grep :6666
  - 762 | /usr/bin/xargs | xargs -I "%" kill -9 "%" | Attempts to change immutable files
  - 761 | /bin/grep | grep -v -
  - 760 | /usr/bin/awk | awk "-F[/]" "{print \$1}"
  - 759 | /usr/bin/awk | awk "{print \$7}"
  - 758 | /bin/grep | grep :6665
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2B
  MD5: b026324c6904b2a9cb4b88d6d61c81d1
  SHA1: e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e
  SHA256: 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
  SHA512: 3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686