ae4d52616a89bd1f4438d696b4917d57b22df0197c815e769e2859faffe22492

Analysis

max time kernel
11s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
15-08-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bdbe7cc8c0c8ef3d375b1f671796336_JaffaCakes118
Size

30KB
MD5

9bdbe7cc8c0c8ef3d375b1f671796336
SHA1

b0cd1a13849276d0c173ef9390dd22673a1908ee
SHA256

ae4d52616a89bd1f4438d696b4917d57b22df0197c815e769e2859faffe22492
SHA512

2fe708ebc92daf8c9c4ef9d84fa71619c42728c40b097ee2f4e049022c25253298505f7dc6f7bf724ea4e3ec4f46e03e826ec9e30bc5e57a946c233252d50317
SSDEEP

768:n+78zQ5VFNcDAFLcIwgnoYq0xFBVZAw2v:nMVF+D6cIwgoszS

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid process

654 iptables

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
654	iptables

Attempts to change immutable files 33 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargschattrxargsxargsxargsxargsxargschattrchattrxargsxargsxargsxargschattrgrepxargsxargsxargsxargsxargschattrgrepxargsxargsxargsxargschattrxargsxargsxargsxargsxargs

pid	process
738	xargs
805	xargs
644	chattr
764	xargs
822	xargs
702	xargs
708	xargs
829	xargs
651	chattr
673	chattr
690	xargs
787	xargs
794	xargs
802	xargs
642	chattr
680	grep
696	xargs
744	xargs
771	xargs
780	xargs
797	xargs
649	chattr
685	grep
750	xargs
807	xargs
714	xargs
800	xargs
671	chattr
720	xargs
726	xargs
732	xargs
756	xargs
810	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 7 IoCs

System Information Discovery

T1082

Processes:

pspspspspkillpkillpkill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspkillpspkillpkill

description	ioc	process
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/318/status	pkill
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/8/cmdline	pkill
File opened for reading	/proc/2/status	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/149/status	ps
File opened for reading	/proc/587/cmdline	pkill
File opened for reading	/proc/636/status	pkill
File opened for reading	/proc/635/stat	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/273/cmdline	ps
File opened for reading	/proc/43/stat	ps
File opened for reading	/proc/223/status	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/278/cmdline	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/113/cmdline	ps
File opened for reading	/proc/637/cmdline	pkill
File opened for reading	/proc/629/status	ps
File opened for reading	/proc/641/status	ps
File opened for reading	/proc/685/stat	ps
File opened for reading	/proc/6/status	pkill
File opened for reading	/proc/278/status	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/152/stat	ps
File opened for reading	/proc/170/status	ps
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/680/stat	ps
File opened for reading	/proc/103/cmdline	ps
File opened for reading	/proc/289/status	ps
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/27/cmdline	pkill
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/41/status	pkill
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/588/status	ps
File opened for reading	/proc/680/cmdline	ps
File opened for reading	/proc/170/stat	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/170/cmdline	pkill
File opened for reading	/proc/828/cmdline	ps
File opened for reading	/proc/42/status	ps
File opened for reading	/proc/142/cmdline	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/571/cmdline	pkill
File opened for reading	/proc/25/status	pkill
File opened for reading	/proc/276/status	pkill
File opened for reading	/proc/41/cmdline	pkill
File opened for reading	/proc/149/cmdline	pkill
File opened for reading	/proc/27/status	pkill
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/308/stat	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/12/cmdline	pkill

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

Processes:

9bdbe7cc8c0c8ef3d375b1f671796336_JaffaCakes118touch

description	ioc	process
File opened for modification	/tmp/log_rot	9bdbe7cc8c0c8ef3d375b1f671796336_JaffaCakes118
File opened for modification	/tmp/zzza	touch

/tmp/9bdbe7cc8c0c8ef3d375b1f671796336_JaffaCakes118
/tmp/9bdbe7cc8c0c8ef3d375b1f671796336_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:637
- /usr/bin/touch
  touch /tmp/zzza
  2⤵
  - Writes file to tmp directory
  PID:638
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:640
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:642
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:644
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:649
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:651
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:654
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:660
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:667
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:670
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:671
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:673
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:675
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:676
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:677
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:680
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:679
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:685
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:684
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:689
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:688
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:687
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:690
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:696
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:695
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:694
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:693
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:699
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:700
- /bin/grep
  grep :143
  2⤵
  PID:698
- /bin/grep
  grep -v -
  2⤵
  PID:701
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:702
- /bin/grep
  grep -v -
  2⤵
  PID:707
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:706
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:708
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:705
- /bin/grep
  grep :2222
  2⤵
  PID:704
- /bin/grep
  grep -v -
  2⤵
  PID:713
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:711
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:714
- /bin/grep
  grep :3333
  2⤵
  PID:710
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:712
- /bin/grep
  grep -v -
  2⤵
  PID:719
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:718
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:717
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:720
- /bin/grep
  grep :3389
  2⤵
  PID:716
- /bin/grep
  grep -v -
  2⤵
  PID:725
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:724
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:723
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:726
- /bin/grep
  grep :4444
  2⤵
  PID:722
- /bin/grep
  grep -v -
  2⤵
  PID:731
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:730
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:732
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:729
- /bin/grep
  grep :5555
  2⤵
  PID:728
- /bin/grep
  grep -v -
  2⤵
  PID:737
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:736
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:738
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:735
- /bin/grep
  grep :6666
  2⤵
  PID:734
- /bin/grep
  grep -v -
  2⤵
  PID:743
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:741
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:744
- /bin/grep
  grep :6665
  2⤵
  PID:740
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:748
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:747
- /bin/grep
  grep -v -
  2⤵
  PID:749
- /bin/grep
  grep :6667
  2⤵
  PID:746
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:750
- /bin/grep
  grep -v -
  2⤵
  PID:755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:753
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:756
- /bin/grep
  grep :7777
  2⤵
  PID:752
- /bin/grep
  grep -v -
  2⤵
  PID:763
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:762
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:764
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:761
- /bin/grep
  grep :8444
  2⤵
  PID:760
- /bin/grep
  grep -v -
  2⤵
  PID:770
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:769
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:768
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:771
- /bin/grep
  grep :3347
  2⤵
  PID:767
- /bin/grep
  grep -v -
  2⤵
  PID:779
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:780
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:777
- /bin/grep
  grep :14444
  2⤵
  PID:776
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:787
- /bin/grep
  grep -v -
  2⤵
  PID:786
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:785
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:784
- /bin/grep
  grep :14433
  2⤵
  PID:783
- /bin/grep
  grep -v -
  2⤵
  PID:793
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:794
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:792
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:791
- /bin/grep
  grep :13531
  2⤵
  PID:790
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:797
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:796
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:800
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:799
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:802
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:801
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:805
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:804
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:807
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:806
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:810
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:809
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:811
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:814
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:822
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:821
- /bin/grep
  grep -v grep
  2⤵
  PID:820
- /bin/grep
  grep ./oka
  2⤵
  PID:819
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:818
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:829
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:828
- /bin/grep
  grep -v grep
  2⤵
  PID:827
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:826
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:825

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit