44832ee8b46d8f32f5aaad9ee62e67a5b84af8516d0f8ef9f9052171b58ffa0e

General

Target

ae82d283c9d196bcc0b7b8539f40d6e8_JaffaCakes118
Size

30KB
MD5

ae82d283c9d196bcc0b7b8539f40d6e8
SHA1

3ba79f0318344ea58c233706be999f1f786ef1fc
SHA256

44832ee8b46d8f32f5aaad9ee62e67a5b84af8516d0f8ef9f9052171b58ffa0e
SHA512

5e7ae874850938c1467bd481f4f2e3daceeca74fca796572a4a5b488cb880de428b4cf77c8fb8eaebbb0866d0d55c95d5cbacf53023ad1ff02e1332393768510
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKs:p78zQ5VFNcDAFLcIwgnoYq0xFBVdHtXn

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid process

668 iptables

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
668	iptables

Attempts to change immutable files 25 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargschattrchattrxargschattrxargsxargschattrxargsxargsxargsgrepgrepxargschattrxargsxargsxargsxargschattrxargsxargsxargsxargsxargs

pid	process
796	xargs
662	chattr
686	chattr
766	xargs
659	chattr
724	xargs
772	xargs
657	chattr
736	xargs
802	xargs
706	xargs
694	grep
700	grep
711	xargs
685	chattr
718	xargs
742	xargs
754	xargs
760	xargs
666	chattr
778	xargs
784	xargs
790	xargs
730	xargs
748	xargs

Enumerates running processes
Discovers information about currently running processes on the system
Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery
T1082

Processes:

psps

description ioc process

File opened for reading /sys/devices/system/cpu/online ps
File opened for reading /sys/devices/system/cpu/online ps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspsawkawkawkxargsxargsawkxargsawkawkuserdel

description	ioc	process
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/276/stat	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/599/stat	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/647/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/334/status	ps
File opened for reading	/proc/133/cmdline	ps
File opened for reading	/proc/316/stat	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/654/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/29/stat	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/276/status	ps
File opened for reading	/proc/693/stat	ps
File opened for reading	/proc/143/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/270/status	ps
File opened for reading	/proc/270/cmdline	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/42/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/612/status	ps
File opened for reading	/proc/651/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/27/cmdline	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/104/stat	ps
File opened for reading	/proc/695/cmdline	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/41/cmdline	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/25/stat	ps
File opened for reading	/proc/97/status	ps
File opened for reading	/proc/106/stat	ps
File opened for reading	/proc/334/cmdline	ps
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/271/status	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/306/status	ps

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

ae82d283c9d196bcc0b7b8539f40d6e8_JaffaCakes118

description ioc process

File opened for modification /tmp/log_rot ae82d283c9d196bcc0b7b8539f40d6e8_JaffaCakes118

description	ioc	process
File opened for modification	/tmp/log_rot	ae82d283c9d196bcc0b7b8539f40d6e8_JaffaCakes118

/tmp/ae82d283c9d196bcc0b7b8539f40d6e8_JaffaCakes118
/tmp/ae82d283c9d196bcc0b7b8539f40d6e8_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:654

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:655

/usr/bin/chattr
chattr -iua /tmp/
2⤵
- Attempts to change immutable files
PID:657

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
- Attempts to change immutable files
PID:659

/usr/bin/chattr
chattr -R -i /var/spool/cron
2⤵
- Attempts to change immutable files
PID:662

/usr/bin/chattr
chattr -i /etc/crontab
2⤵
- Attempts to change immutable files
PID:666

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:668

/usr/bin/sudo
sudo sysctl "kernel.nmi_watchdog=0"
2⤵
PID:674

/usr/sbin/userdel
userdel akay
2⤵
PID:678

/usr/sbin/userdel
userdel vfinder
2⤵
- Reads runtime system information
PID:682

/usr/bin/chattr
chattr -iae /root/.ssh/
2⤵
- Attempts to change immutable files
PID:685

/usr/bin/chattr
chattr -iae /root/.ssh/authorized_keys
2⤵
- Attempts to change immutable files
PID:686

/bin/rm
rm -rf "/tmp/addres*"
2⤵
PID:688

/bin/rm
rm -rf "/tmp/walle*"
2⤵
PID:689

/bin/rm
rm -rf /tmp/keys
2⤵
PID:691

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:693

/bin/grep
grep -i "[a]liyun"
2⤵
- Attempts to change immutable files
PID:694

/bin/grep
grep -i "[y]unjing"
2⤵
- Attempts to change immutable files
PID:700

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:699

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:704

/bin/grep
grep 185.71.65.238
2⤵
PID:703

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
- Reads runtime system information
PID:705

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
- Reads runtime system information
PID:706

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:711

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:710

/usr/bin/awk
awk "{print \$7}"
2⤵
- Reads runtime system information
PID:709

/bin/grep
grep 140.82.52.87
2⤵
PID:708

/bin/grep
grep -v -
2⤵
PID:717

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:716

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:715

/bin/grep
grep :143
2⤵
PID:714

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:718

/bin/grep
grep -v -
2⤵
PID:723

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:722

/usr/bin/awk
awk "{print \$7}"
2⤵
- Reads runtime system information
PID:721

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:724

/bin/grep
grep :2222
2⤵
PID:720

/bin/grep
grep -v -
2⤵
PID:729

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:728

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
- Reads runtime system information
PID:730

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:727

/bin/grep
grep :3333
2⤵
PID:726

/bin/grep
grep -v -
2⤵
PID:735

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:734

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:733

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:736

/bin/grep
grep :3389
2⤵
PID:732

/bin/grep
grep -v -
2⤵
PID:741

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
- Reads runtime system information
PID:740

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
- Reads runtime system information
PID:742

/bin/grep
grep :4444
2⤵
PID:738

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:739

/bin/grep
grep -v -
2⤵
PID:747

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:746

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:745

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:748

/bin/grep
grep :5555
2⤵
PID:744

/bin/grep
grep -v -
2⤵
PID:753

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:752

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:754

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:751

/bin/grep
grep :6666
2⤵
PID:750

/bin/grep
grep -v -
2⤵
PID:759

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:758

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:757

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:760

/bin/grep
grep :6665
2⤵
PID:756

/bin/grep
grep -v -
2⤵
PID:765

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
- Reads runtime system information
PID:764

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:766

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:763

/bin/grep
grep :6667
2⤵
PID:762

/bin/grep
grep -v -
2⤵
PID:771

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:770

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:769

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:772

/bin/grep
grep :7777
2⤵
PID:768

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:776

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:775

/bin/grep
grep -v -
2⤵
PID:777

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:778

/bin/grep
grep :8444
2⤵
PID:774

/bin/grep
grep -v -
2⤵
PID:783

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:782

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:781

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:784

/bin/grep
grep :3347
2⤵
PID:780

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:788

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:787

/bin/grep
grep :14444
2⤵
PID:786

/bin/grep
grep -v -
2⤵
PID:789

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:790

/bin/grep
grep -v -
2⤵
PID:795

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:793

/bin/grep
grep :14433
2⤵
PID:792

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:796

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
- Reads runtime system information
PID:794

/bin/grep
grep -v -
2⤵
PID:801

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:800

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:802

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:799

/bin/grep
grep :13531
2⤵
PID:798

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
memory/793-1-0xb6af7000-0xb6b08044-memory.dmp

Download

Analysis

Sharing