a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3

General

Target

9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
Size

78KB
MD5

9b6c3518a91d23ed77504b5416bfb5b3
SHA1

0a2d170abbf5031566377b01431e3b82d342630a
SHA256

a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3
SHA512

b2b08d5d5e6c6708d88b793e9340a780d47b5dce61e0a3026b4cdea8a9e4cbf9824037255e4ea4a40fee5bce956485232376d4677ce72ccb6c7f00badd09956e
SSDEEP

1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

pid

707

pid
707

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

Impair Defenses

T1562

Processes:

9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

description	ioc	process
File opened for modification	/dev/watchdog	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for modification	/dev/misc/watchdog	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp 9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
Enumerates running processes
Discovers information about currently running processes on the system
Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery
T1016

Processes:

9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

description ioc process

File opened for reading /proc/net/route 9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself telnetd 707

description	ioc	process
File opened for reading	/proc/net/tcp	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	telnetd	707

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/route	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/net/tcp	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/net/tcp6	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

description	ioc	process
File opened for reading	/proc/324/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/186/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/29/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/1/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/323/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/44/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/32/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/11/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/4/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/678/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/208/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/57/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/27/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/8/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/73/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/46/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/30/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/707/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/702/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/678/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/629/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/365/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/20/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/12/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/3/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/56/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/13/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/7/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/646/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/645/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/354/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/351/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/267/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/42/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/25/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/19/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/646/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/330/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/45/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/31/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/22/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/324/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/23/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/18/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/708/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/707/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/661/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/629/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/333/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/17/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/701/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/212/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/15/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/661/fd	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/645/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/10/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/6/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/143/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/36/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/33/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/24/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/2/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/665/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
File opened for reading	/proc/330/cmdline	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

description ioc process

File opened for modification /tmp/fifo 9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

description	ioc	process
File opened for modification	/tmp/fifo	9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118

/tmp/9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
/tmp/9b6c3518a91d23ed77504b5416bfb5b3_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Reads system routing table
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:704
- /bin/sh
  /bin/sh -c "iptables -A INPUT -p tcp --destination-port 23 -j DROP"
  2⤵
  PID:758
- /bin/sh
  /bin/sh -c "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
  2⤵
  PID:759
- /bin/sh
  /bin/sh -c "iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
  2⤵
  PID:760
- /bin/sh
  /bin/sh -c "iptables -A INPUT -p tcp --destination-port 5358 -j DROP"
  2⤵
  PID:761
- /bin/sh
  /bin/sh -c "iptables -D INPUT -j CWMP_CR"
  2⤵
  PID:762
- /bin/sh
  /bin/sh -c "iptables -X CWMP_CR"
  2⤵
  PID:763
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p udp --dport 51313 -j ACCEPT"
  2⤵
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Network Configuration Discovery

2

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/704-1-0x00010000-0x000506fc-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads