Analysis
- max time kernel: 149s
- max time network: 134s
- platform: ubuntu-20.04_amd64
- resource: ubuntu2004-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240611-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
- submitted: 31-08-2024 09:01
General
- Target: cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118
- Size: 1.1MB
- MD5: cc85aa29aaefeb42659d1fea3a84bf91
- SHA1: cdaed4c668a6028337855f156556c311e0c3fc3e
- SHA256: 1511b961af2df26097d353ea30e24acc5372af97c77dd510ed42a7526005535e
- SHA512: 5ece883badd8f84e9be54d2b6303913243c3cda2d76e40bd8a60952743d5cb90437e600cdbb295ae2e751315e0b0ccbbd85b2c24b7475e7e720a54bd512d4200
- SSDEEP: 24576:8SlXre0q1r+GsNUV81TSCi1R5qoaMeLCA10vbG62OgH4/okMcEbpdUu58:8SNt4rONU6NUqoaVbKFgHCofcENdUu58
Malware Config
Signatures

Deletes itself (2 IoCs)
- pid 1410, process freeBSD
- pid 1413, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a

Executes dropped EXE (3 IoCs)
- ioc /tmp/freeBSD, pid 1410, process freeBSD
- ioc /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a, pid 1413, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a
- ioc /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118, pid 1414, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118

YARA match
- resource behavioral1/files/fstream-1.dat, yara_rule upx

Checks CPU configuration (1 TTPs, 1 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
- description File opened for reading, ioc /proc/cpuinfo, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118

Reads system network configuration (1 TTPs, 1 IoCs)
Uses contents of the /proc filesystem to enumerate network settings.
- description File opened for reading, ioc /proc/net/dev, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118

Reads runtime system information (5 IoCs)
Reads data from the /proc virtual filesystem.
- description File opened for reading, ioc /proc/filesystems, process cp
- description File opened for reading, ioc /proc/filesystems, process cp
- description File opened for reading, ioc /proc/sys/kernel/version, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118
- description File opened for reading, ioc /proc/stat, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118
- description File opened for reading, ioc /proc/filesystems, process cp

Writes file to tmp directory (5 IoCs)
Malware often drops required files in the /tmp directory.
- description File opened for modification, ioc /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a, process cp
- description File opened for modification, ioc /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a
- description File opened for modification, ioc /tmp/fake.cfg, process cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118
- description File opened for modification, ioc /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118, process cp
- description File opened for modification, ioc /tmp/freeBSD, process cp
Processes
- /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 (PID 1404)
  command: /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118
  - /bin/sh (PID 1405)
    command: sh -c "cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 /tmp/freeBSD"
    - /usr/bin/cp (PID 1406)
      command: cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 /tmp/freeBSD
      signatures: Reads runtime system information; Writes file to tmp directory
  - /tmp/freeBSD (PID 1410)
    command: /tmp/freeBSD /tmp/freeBSD 1
    signatures: Deletes itself; Executes dropped EXE
  - /bin/sh (PID 1411)
    command: sh -c "cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a"
    - /usr/bin/cp (PID 1412)
      command: cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a
      signatures: Reads runtime system information; Writes file to tmp directory
- /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a (PID 1413)
  command: /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118
  signatures: Deletes itself; Executes dropped EXE; Writes file to tmp directory
  - /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 (PID 1414)
    signatures: Executes dropped EXE; Checks CPU configuration; Reads system network configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/sh (PID 1415)
    command: sh -c "cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118"
    - /usr/bin/cp (PID 1418)
      command: cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118
      signatures: Reads runtime system information; Writes file to tmp directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
  MD5: 9cc45ca3218455a6d9fc20da1d7876e2
  SHA1: 4122ab96334e9745a7f1b06c6d3da9048a9bdab4
  SHA256: 08345e090465730e6b37c9c67b98d391880064db3e2d01d4adde4b113f276dc6
  SHA512: c2a13b9b370ed401145200be47e60f89c0607d547e3b897c8751911ff1424da29ec3149d7fe07fcedba948f5392f39dfff7802a739933734249eb969db1422e7
- Filesize: 1.1MB
  MD5: cc85aa29aaefeb42659d1fea3a84bf91
  SHA1: cdaed4c668a6028337855f156556c311e0c3fc3e
  SHA256: 1511b961af2df26097d353ea30e24acc5372af97c77dd510ed42a7526005535e
  SHA512: 5ece883badd8f84e9be54d2b6303913243c3cda2d76e40bd8a60952743d5cb90437e600cdbb295ae2e751315e0b0ccbbd85b2c24b7475e7e720a54bd512d4200