d79cdb9675eb67f51ecd17bcb09b386687283869463ebaf519eebd513d192168

Analysis

max time kernel
148s
max time network
150s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
10-08-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85875d200b500aa669e97e71af918cc4_JaffaCakes118
Size

2.1MB
MD5

85875d200b500aa669e97e71af918cc4
SHA1

bad1846c71fc23d28e22c20048f7490fd96c8347
SHA256

d79cdb9675eb67f51ecd17bcb09b386687283869463ebaf519eebd513d192168
SHA512

a3dd36d067501e2f19d1eeedaf079008c72cc769dd19afab975677b6fd7220e3857cdca29520badbdb88fba8a996af75c270d59cfb63cac4288dc57c2120d5f2
SSDEEP

49152:AdfjEIRbloS+0dpxt+DNAE7CGh4UQM6e/VgzQX:ANjEIxiSbpxtMGC4BM6UvX

Score

6^/10

antivm persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.3qKeRH crontab
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.3qKeRH	crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

Processes:

85875d200b500aa669e97e71af918cc4_JaffaCakes118cat85875d200b500aa669e97e71af918cc4_JaffaCakes118cat

description	ioc	process
File opened for reading	/proc/self/exe	85875d200b500aa669e97e71af918cc4_JaffaCakes118
File opened for reading	/proc/sys/net/core/somaxconn	85875d200b500aa669e97e71af918cc4_JaffaCakes118
File opened for reading	/proc/version	cat
File opened for reading	/proc/self/exe	85875d200b500aa669e97e71af918cc4_JaffaCakes118
File opened for reading	/proc/sys/net/core/somaxconn	85875d200b500aa669e97e71af918cc4_JaffaCakes118
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

85875d200b500aa669e97e71af918cc4_JaffaCakes11885875d200b500aa669e97e71af918cc4_JaffaCakes118

description	ioc	process
File opened for modification	/tmp/.pid	85875d200b500aa669e97e71af918cc4_JaffaCakes118
File opened for modification	/tmp/nip9iNeiph5chee	85875d200b500aa669e97e71af918cc4_JaffaCakes118
File opened for modification	/tmp/[stealth].pid	85875d200b500aa669e97e71af918cc4_JaffaCakes118

/tmp/85875d200b500aa669e97e71af918cc4_JaffaCakes118
/tmp/85875d200b500aa669e97e71af918cc4_JaffaCakes118
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1378

/usr/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1397

/usr/bin/cat
cat /proc/cpuinfo
2⤵
- Checks CPU configuration
PID:1405

/usr/bin/uname
uname -a
2⤵
PID:1407

/usr/bin/getconf
getconf LONG_BIT
2⤵
PID:1409

/tmp/85875d200b500aa669e97e71af918cc4_JaffaCakes118
"[stealth]"
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1410

/usr/bin/cat
cat /proc/version
3⤵
- Reads runtime system information
PID:1429

/usr/bin/cat
cat /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:1431

/usr/bin/uname
uname -a
3⤵
PID:1432

/usr/bin/getconf
getconf LONG_BIT
3⤵
PID:1434

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
3⤵
- Creates/modifies Cron job
PID:1435

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
4B

MD5
512c5cad6c37edb98ae91c8a76c3a291

SHA1
8d93c9b0486a80bc7b6909df5440d0c190eccd4e

SHA256
4103f0a4e707b1c7bebbc42809ab0ace8dd3f56d844d7903bfe9f95a2ccc6972

SHA512
e57d0f76f2ca0d41959c6878e7004b0027e3ef0f75d9cfbb03bab02b5171a541c92297536b6af90ca5634cf085659ed2c4a371ee163bc29609e05e29bb0cee08

Download Submit
/tmp/nip9iNeiph5chee

Filesize
80B

MD5
8c2357e1a534866d7cfcd79f03f8bce7

SHA1
0c11d4eb454ef86be2e8fa744ccdf2662dcf9e7b

SHA256
d902afad990b9ce44adb3fbc630fd3436e5ab18f639b40a1dbe4ff2abcad65ab

SHA512
72ea4a445e3bef7c333ff26b507c171bdb0c4b065610d25af3e202eb77938141b8f2a570413f2643dd42be0ac2a21a3507ccf5cca968723033066add687a45f5

Download Submit
/var/spool/cron/crontabs/tmp.3qKeRH

Filesize
274B

MD5
df3bdbd90fb51ec4c2d163d7fa456685

SHA1
8efb48c85fdf072647eb75cb2dac65a6dd0e9eed

SHA256
b5d18617db1d874fa8635c9a2236b41849ad6d94684659afa9dd2600c5b0765e

SHA512
ce272040e00dfaa185f21a24c60b210db8ce6b451987d7a19b8c1016ce7c628430a76a42a4e13d0e0990353e71942cd18e6c9c61ce8da7ae9c3d21da88af0ea5

Download Submit
memory/1378-1-0x0000000008048000-0x00000000087584a8-memory.dmp

Download
memory/1410-2-0x0000000008048000-0x00000000087584a8-memory.dmp

Download