62957aa4421c044927269e9bf3300515cf01225fd4c3c3811f8ebfac7a9f8585

Analysis

max time kernel
10s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
17-08-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3a2b8d782d7603114155af78350fd22_JaffaCakes118
Size

35KB
MD5

a3a2b8d782d7603114155af78350fd22
SHA1

19a17dafb9fb5d8a20fe534d19be2c9a3af58f4e
SHA256

62957aa4421c044927269e9bf3300515cf01225fd4c3c3811f8ebfac7a9f8585
SHA512

5c2d116a578294a7e1325f5d4dfa05f31c16926999efeaf4e4fc9dba8256971a8e00a13ada85b16935877027bb527ee7c8c526d594c19c29f34bf6ac7c6127ee
SSDEEP

384:X7CQQwQHDf6lpTWg3vM4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdUeUoJpJydIB:X72FNB48Fkc2zq0xvMGdtz8G

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
670	iptables

Attempts to change immutable files 24 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
790	xargs
798	xargs
666	chattr
668	chattr
684	grep
696	xargs
707	xargs
713	xargs
737	xargs
820	xargs
768	xargs
776	xargs
813	xargs
701	xargs
749	xargs
755	xargs
761	xargs
743	xargs
782	xargs
806	xargs
688	grep
719	xargs
725	xargs
731	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 6 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	ps
File opened for reading	/proc/588/cmdline	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/97/status	ps
File opened for reading	/proc/135/status	ps
File opened for reading	/proc/163/stat	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/272/stat	ps
File opened for reading	/proc/592/cmdline	ps
File opened for reading	/proc/641/stat	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/630/status	ps
File opened for reading	/proc/572/status	ps
File opened for reading	/proc/683/cmdline	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/303/status	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/75/stat	ps
File opened for reading	/proc/26/cmdline	ps
File opened for reading	/proc/269/stat	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/108/cmdline	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/593/stat	ps
File opened for reading	/proc/647/stat	ps
File opened for reading	/proc/688/cmdline	ps
File opened for reading	/proc/572/stat	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/135/cmdline	ps
File opened for reading	/proc/137/status	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/27/cmdline	ps
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/163/status	ps
File opened for reading	/proc/630/stat	ps
File opened for reading	/proc/42/stat	ps
File opened for reading	/proc/43/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/108/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/29/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/572/status	ps
File opened for reading	/proc/572/cmdline	ps
File opened for reading	/proc/108/cmdline	ps
File opened for reading	/proc/303/cmdline	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/105/status	ps
File opened for reading	/proc/214/cmdline	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/self/maps	awk

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/dev/null	a3a2b8d782d7603114155af78350fd22_JaffaCakes118

/tmp/a3a2b8d782d7603114155af78350fd22_JaffaCakes118
/tmp/a3a2b8d782d7603114155af78350fd22_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:638
- /bin/sync
  sync
  2⤵
  PID:639
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:646
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:649
- /bin/mv
  mv /usr/bin/curl /usr/bin/url
  2⤵
  PID:651
- /bin/mv
  mv /usr/bin/url /usr/bin/cd1
  2⤵
  PID:653
- /bin/mv
  mv /usr/bin/wget /usr/bin/get
  2⤵
  PID:657
- /bin/mv
  mv /usr/bin/get /usr/bin/wd1
  2⤵
  PID:661
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:664
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:666
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:668
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:670
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:674
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:676
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:678
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:679
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:681
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:683
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:684
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:688
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:687
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:690
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  - Reads CPU attributes
  PID:691
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:693
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:694
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:695
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:696
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:701
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:700
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:699
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:698
- /bin/grep
  grep -v -
  2⤵
  PID:706
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:705
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:704
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:707
- /bin/grep
  grep :443
  2⤵
  PID:703
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:713
- /bin/grep
  grep -v -
  2⤵
  PID:712
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:711
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:710
- /bin/grep
  grep :23
  2⤵
  PID:709
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:719
- /bin/grep
  grep -v -
  2⤵
  PID:718
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:717
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:716
- /bin/grep
  grep :443
  2⤵
  PID:715
- /bin/grep
  grep -v -
  2⤵
  PID:724
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:723
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:725
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:722
- /bin/grep
  grep :143
  2⤵
  PID:721
- /bin/grep
  grep -v -
  2⤵
  PID:730
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:729
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:728
- /bin/grep
  grep :2222
  2⤵
  PID:727
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:731
- /bin/grep
  grep -v -
  2⤵
  PID:736
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:735
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:734
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:737
- /bin/grep
  grep :3333
  2⤵
  PID:733
- /bin/grep
  grep -v -
  2⤵
  PID:742
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:741
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:740
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:743
- /bin/grep
  grep :3389
  2⤵
  PID:739
- /bin/grep
  grep -v -
  2⤵
  PID:748
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:747
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:746
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:749
- /bin/grep
  grep :5555
  2⤵
  PID:745
- /bin/grep
  grep -v -
  2⤵
  PID:754
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:753
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:752
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:755
- /bin/grep
  grep :6666
  2⤵
  PID:751
- /bin/grep
  grep -v -
  2⤵
  PID:760
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:759
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:758
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:761
- /bin/grep
  grep :6665
  2⤵
  PID:757
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:768
- /bin/grep
  grep -v -
  2⤵
  PID:767
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:766
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:765
- /bin/grep
  grep :6667
  2⤵
  PID:764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:776
- /bin/grep
  grep -v -
  2⤵
  PID:775
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:774
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:773
- /bin/grep
  grep :7777
  2⤵
  PID:772
- /bin/grep
  grep -v -
  2⤵
  PID:781
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:780
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:782
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:779
- /bin/grep
  grep :8444
  2⤵
  PID:778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:790
- /bin/grep
  grep -v -
  2⤵
  PID:789
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:788
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:787
- /bin/grep
  grep :3347
  2⤵
  PID:786
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:798
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:797
- /bin/grep
  grep :3333
  2⤵
  PID:796
- /bin/grep
  grep -v grep
  2⤵
  PID:795
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:794
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:806
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:805
- /bin/grep
  grep :5555
  2⤵
  PID:804
- /bin/grep
  grep -v grep
  2⤵
  PID:803
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:813
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:812
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:811
- /bin/grep
  grep -v grep
  2⤵
  PID:810
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:809
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:820
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:819
- /bin/grep
  grep log_
  2⤵
  PID:818
- /bin/grep
  grep -v grep
  2⤵
  PID:817
- /bin/ps
  ps aux
  2⤵
  PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/zzhs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit