Analysis
- max time kernel: 149s
- max time network: 150s
- platform: ubuntu-22.04_amd64
- resource: ubuntu2204-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
- submitted: 30-08-2024 08:12
General
- Target: ca785e533e644889320e1c4782debf7b_JaffaCakes118
- Size: 1.1MB
- MD5: ca785e533e644889320e1c4782debf7b
- SHA1: 81c26ef5d51bc1e93abe5d56de9d68ebf6e3b42e
- SHA256: d4a70373861d049caeff39740346b3121cef99571f5591e6ca18c3f76b95657c
- SHA512: 267efd0fb5c9771367f7ad3d370e1d6083eedd7c302c4b08560bae204d8904ba5e32ef840249a1f668e707d8e09a8f43a22d6927f0ebc2b825eaa2a5f4a3094e
- SSDEEP: 24576:8SlXre0q1r+GsNUV81TSCi1RAi2siFvO0LxT0OhCw3Tjkz3YPbk:8SNt4rONU6NO2JvLxIFwjon
Malware Config
Signatures
- Deletes itself (2 IoCs)
  - PID 1590, process freeBSD
  - PID 1605, process ca785e533e644889320e1c4782debf7b_JaffaCakes118a
- Executes dropped EXE (3 IoCs)
  - /tmp/freeBSD, PID 1590, process freeBSD
  - /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a, PID 1605, process ca785e533e644889320e1c4782debf7b_JaffaCakes118a
  - /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118, PID 1606, process ca785e533e644889320e1c4782debf7b_JaffaCakes118
- YARA rule match
  - resource behavioral1/files/fstream-1.dat matched rule upx
- Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information that can indicate whether the system is a virtual machine.
  - File opened for reading: /proc/cpuinfo, process ca785e533e644889320e1c4782debf7b_JaffaCakes118
- Reads system network configuration (1 TTP, 1 IoC)
  Uses the contents of the /proc filesystem to enumerate network settings.
  - File opened for reading: /proc/net/dev, process ca785e533e644889320e1c4782debf7b_JaffaCakes118
- Reads runtime system information (5 IoCs)
  Reads data from the /proc virtual filesystem.
  - File opened for reading: /proc/filesystems, process cp
  - File opened for reading: /proc/filesystems, process cp
  - File opened for reading: /proc/filesystems, process cp
  - File opened for reading: /proc/sys/kernel/version, process ca785e533e644889320e1c4782debf7b_JaffaCakes118
  - File opened for reading: /proc/stat, process ca785e533e644889320e1c4782debf7b_JaffaCakes118
- Writes file to tmp directory (5 IoCs)
  Malware often drops required files in the /tmp directory.
  - File opened for modification: /tmp/fake.cfg, process ca785e533e644889320e1c4782debf7b_JaffaCakes118
  - File opened for modification: /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118, process cp
  - File opened for modification: /tmp/freeBSD, process cp
  - File opened for modification: /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a, process cp
  - File opened for modification: /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118, process ca785e533e644889320e1c4782debf7b_JaffaCakes118a
Processes
- /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 (command line: /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118), PID 1573
  - /bin/sh (command line: sh -c "cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 /tmp/freeBSD"), PID 1587
    - /usr/bin/cp (command line: cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 /tmp/freeBSD), PID 1589
      - Reads runtime system information
      - Writes file to tmp directory
  - /tmp/freeBSD (command line: /tmp/freeBSD /tmp/freeBSD 1), PID 1590
    - Deletes itself
    - Executes dropped EXE
  - /bin/sh (command line: sh -c "cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a"), PID 1591
    - /usr/bin/cp (command line: cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a), PID 1600
      - Reads runtime system information
      - Writes file to tmp directory
- /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a (command line: /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118), PID 1605
  - Deletes itself
  - Executes dropped EXE
  - Writes file to tmp directory
  - /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118, PID 1606
    - Executes dropped EXE
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/sh (command line: sh -c "cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118"), PID 1616
    - /usr/bin/cp (command line: cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118), PID 1617
      - Reads runtime system information
      - Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads