Analysis
max time kernel: 146s
max time network: 142s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 31-08-2024 17:25
Static task: static1
Behavioral task: behavioral1
Sample: cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118
Resource: ubuntu2404-amd64-20240523-en
General
Target: cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118
Size: 159KB
MD5: cd41c0e3d6aa075cbacadee78a42986c
SHA1: 1b83fb5e33e0f33ad739c43cd55a90c8e3117431
SHA256: 3bb3a370af8aaefefff36a0c408ddf41f49c1a8bf176a68c2bf3f042bc8a2c5d
SHA512: 7eaa370e2e335a7c5a22b70425a0bdf2f34116f03e0723eaa620b395798ae2270ce25edd3809881eafc628c8c408bd90a435e6a52cfb27c25238c9912d307ca1
SSDEEP: 3072:ZYWzXRu1b1O9CPfRtNtkJ6rf+R0QA/DlkLi8zw1KW1x16wlwzaSwJvCBdnLk:+1RiC33Du6triLlIdDrwOS6ik
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2485, process cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118
- Executes dropped EXE (1 IoC)
  IoC /usr/bin/fsopen, PID 2627, process fsopen
- Modifies systemd (1 TTP, 1 IoC)
  Adds/modifies systemd service files. Likely to achieve persistence.
  File opened for modification: /lib/systemd/system/fsopen.service (process cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118)
- Reads MAC address of network interface (2 TTPs, 1 IoC)
  Fetches the MAC address of active network interfaces. May be used to detect known values for hypervisors.
  File opened for reading: /sys/class/net/ens3/address (process fsopen)
- Write file to user bin folder (1 TTP, 1 IoC)
  File opened for modification: /usr/bin/fsopen (process cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118)
- Changes its process name (3 IoCs)
  Changes the process name, possibly in an attempt to hide itself: [ighlfflicj], PID 2627, process fsopen
  Changes the process name, possibly in an attempt to hide itself: [ighlfflicj], PID 2628, Process not Found
  Changes the process name, possibly in an attempt to hide itself: [nhdhirnapwuy], PID 2784, Process not Found
- Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information which indicates whether the system is a virtual machine.
  File opened for reading: /proc/cpuinfo (process cat)
- Enumerates kernel/hardware configuration (1 TTP, 2 IoCs)
  Reads contents of the /sys virtual filesystem to enumerate system information.
  File opened for reading: /sys/block/dm-0/dm/name (process mount)
  File opened for reading: /sys/class/net (process fsopen)
- Reads runtime system information (19 IoCs)
  Reads data from the /proc virtual filesystem.
  File opened for reading: /proc/filesystems (process mount)
  File opened for reading: /proc/self/mountinfo (process mount)
  File opened for reading: /proc/filesystems (process systemctl)
  File opened for reading: /proc/version (process cat)
  File opened for reading: /proc/filesystems (process setfiles)
  File opened for reading: /proc/filesystems (process sefcontext_compile)
  File opened for reading: /proc/filesystems (process sefcontext_compile)
  File opened for reading: /proc/filesystems (process sefcontext_compile)
  File opened for reading: /proc/filesystems (process semanage)
  File opened for reading: /proc/sys/kernel/cap_last_cap (process semanage)
  File opened for reading: /proc/sys/kernel/cap_last_cap (process restorecon)
  File opened for reading: /proc/filesystems (process restorecon)
  File opened for reading: /proc/filesystems (process id)
  File opened for reading: /proc/partitions (process cat)
  File opened for reading: /proc/sys/crypto/fips_enabled (process semanage)
  File opened for reading: /proc/sys/kernel/random/boot_id (process semanage)
  File opened for reading: /proc/sys/kernel/cap_last_cap (process setfiles)
  File opened for reading: /proc/sys/kernel/ngroups_max (process id)
  File opened for reading: /proc/meminfo (process cat)
Processes (indented by depth in the process tree)
/tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118 (PID 2485): /tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118
  signatures: Deletes itself; Modifies systemd; Write file to user bin folder
  /bin/sh (PID 2486): sh -c "mount -o remount,rw /system"
    /usr/bin/mount (PID 2487): mount -o "remount,rw" /system
      signatures: Enumerates kernel/hardware configuration; Reads runtime system information
  /bin/sh (PID 2489): sh -c "which semanage 2> /dev/null"
    /usr/bin/which (PID 2490): which semanage
  /bin/sh (PID 2491): sh -c "semanage fcontext -a -t bin_t \"/usr/bin/fsopen\" 2> /dev/null && restorecon \"/usr/bin/fsopen\""
    /usr/sbin/semanage (PID 2492): semanage fcontext -a -t bin_t /usr/bin/fsopen
      signatures: Reads runtime system information
      /sbin/setfiles (PID 2496): /sbin/setfiles -q -c /var/lib/selinux/final/default/policy/policy.33 /var/lib/selinux/final/default/contexts/files/file_contexts
        signatures: Reads runtime system information
      /sbin/sefcontext_compile (PID 2497): /sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts
        signatures: Reads runtime system information
      /sbin/sefcontext_compile (PID 2498): /sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts.local
        signatures: Reads runtime system information
      /sbin/sefcontext_compile (PID 2499): /sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts.homedirs
        signatures: Reads runtime system information
    /usr/sbin/restorecon (PID 2500): restorecon /usr/bin/fsopen
      signatures: Reads runtime system information
  /bin/sh (PID 2501): sh -c "systemctl enable fsopen.service 2>/dev/null"
    /usr/bin/systemctl (PID 2502): systemctl enable fsopen.service
      signatures: Reads runtime system information
  /bin/sh (PID 2626): sh -c "/usr/bin/fsopen 0 &"
/usr/bin/fsopen (PID 2627): /usr/bin/fsopen 0
  signatures: Executes dropped EXE; Reads MAC address of network interface; Changes its process name; Enumerates kernel/hardware configuration
  /bin/sh (PID 2629): sh -c "id 2>/dev/null"
    /usr/bin/id (PID 2630): id
      signatures: Reads runtime system information
  /bin/sh (PID 2631): sh -c "uname -a 2>/dev/null"
    /usr/bin/uname (PID 2632): uname -a
  /bin/sh (PID 2633): sh -c "whoami 2>/dev/null"
    /usr/bin/whoami (PID 2634): whoami
  /bin/sh (PID 2635): sh -c "cat /proc/cpuinfo 2>/dev/null"
    /usr/bin/cat (PID 2636): cat /proc/cpuinfo
      signatures: Checks CPU configuration
  /bin/sh (PID 2637): sh -c "cat /proc/meminfo 2>/dev/null"
    /usr/bin/cat (PID 2638): cat /proc/meminfo
      signatures: Reads runtime system information
  /bin/sh (PID 2639): sh -c "cat /proc/version 2>/dev/null"
    /usr/bin/cat (PID 2640): cat /proc/version
      signatures: Reads runtime system information
  /bin/sh (PID 2641): sh -c "cat /proc/partitions 2>/dev/null"
    /usr/bin/cat (PID 2642): cat /proc/partitions
      signatures: Reads runtime system information
  /bin/sh (PID 2643): sh -c "cat /etc/*release /etc/issue 2>/dev/null"
    /usr/bin/cat (PID 2644): cat /etc/lsb-release /etc/os-release /etc/issue
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16B
  MD5: 13430ab9c49230b370b6493421901ff8
  SHA1: d69fb1b454678c4227b4a1a9407b30be6886460d
  SHA256: 57b3ba1044a73ed7e94788fa16da34ba58158e56747021edd31534e13774fad8
  SHA512: d36d023d967f78d6971afc659dce260f2c114f61b4c7fe7466f0828a0d5570132e81a6dbbe2de9f9d4355346255a11dc3152390e2e22f191521ca78ee7bc396a
- Filesize: 7.0MB
  MD5: ecb2bed67a80b89150f39755a10ec8dd
  SHA1: 47039a0c0fc1de9af4438dd4166e779245d27276
  SHA256: d99557a86112aeb9dcc7c556e9f97055b22cfa955062083bbe665317a0193c06
  SHA512: 38f6e38dea462391103e0e7e228d02d2ee7dcdbb0efd0cb51312ee15ecd5f8c125fc96070e58fbba894249c0a0db51c30ff6f6c0cfeaeb382d841e283eb648b7
- Filesize: 526KB
  MD5: 31a81f7c0f0680bfead94e98a915a170
  SHA1: 130d569980b7970c98c898c8f32ac9900d5c8dff
  SHA256: f5ab9ca11563dbc9228a6c6a76aa1abe2a5727f91dd3a9bf273979bcf6c94ac5
  SHA512: 91ce73bbcb5b30bac72e65acb8debb28b6b09e127f70dd185f8221159fe45ee624935c564dfbb361d8f11b3c40e2426e6947aad94fdfa6e9cbdbae590527dc69
- Filesize: 1KB
  MD5: eee8bda5044925fabc2ee733c855fbf9
  SHA1: b086958f36cfb14155464a3cca9b5058aa2313fa
  SHA256: ff4d08ec3190a17945cae2298e9bbce43226a5ba82fe4d192c5bf034390a7928
  SHA512: a1d7661009669013ede1f2e214db6caf690add0696e7dd13a2346f5e963f758016fe00ff80e525a86bfd18673d5c066825eecc8b7221f6630a593c6ed089b0c8
- Filesize: 108KB
  MD5: 1ea98f56aaeedf1bb67080a14f80cb17
  SHA1: 93de5f011e7d978f7efbd81eeddd616bf0e6aa98
  SHA256: d23ed0abcfafb30198a437866ffe4b29a4cc33889b04684f6b8fac283eab0d29
  SHA512: 57a225efb718574bbb57fcb6886b4d648787b5cb65ec6ebf47009bb2e990049f22ada85dc45a97f6cf12ff87e03c86ba522c91ab1ff48071a4f2f2db324f03ed
- Filesize: 183B
  MD5: de5ea06884f7fab857b6ef207be08208
  SHA1: f4b6d4a5b03c7ffb6476bd2030199b70371279fe
  SHA256: f08c96015bb7a54439af159c89df88bb036dfa9a0567cf4a3f627993544ce888
  SHA512: 2f4cee23b3f99c43408e60125fa6981954be02d9b8cc560f057de9c8a0ed52a0104e769a76ca4693ab956bddec9f721a1edd9242d572bfe2843e2fae9ef4af0c
- Filesize: 32B
  MD5: f9e86c7eb87008df11e1a658d9d4eb1a
  SHA1: 8d098113aca266b66df06d5e73fea5d07ba6ac1e
  SHA256: bab5ee4df3e95905a9287de62ed921465a107f2571992a977afc70ecd135ac39
  SHA512: 3b9285a9ed41d11a9b5d30787e4e834860e67eb06e6756c1cbc3b0bd2e74f763839b5b680114981d031bd97d87a4d7d8b52aed829de471b1a0d5ac74eb2bcee3
- Filesize: 32B
  MD5: c08cc266624f6409b01432dac9576ab0
  SHA1: f4d5a962086e8355e71ca948173917b55fa44e39
  SHA256: 255cbe0ae3ec01b56845b0d03a121e2f2eef1815b019731507a6f19fa140f148
  SHA512: a45d8ffd265afd524d2d97b6bf6754efaa8f77afcc2fd71e657e8910d7944102d0340760571e043d58a9e33066520fbed67ac7e5acf4850f694960c7fa851673
- Filesize: 27KB
  MD5: 10b9e663623f5903829e995949c5f5a8
  SHA1: 3749fb7c0b3115cf85e223ca4c22c5cb645be322
  SHA256: 958812d26d5e8aa58e00d8b2fe9914f9ec635c414d69f9e21cb242b82753df1c
  SHA512: 04d5cad77ad424ba3354ca158c99727a6753ef661b0238a62fecee819e3ddf51019218ec3a8301d7d403842f1920d2bab4ee036b421d18754b31cbb52bb85d9a
- Filesize: 13KB
  MD5: 7876fd19db5e8146f0edc9e27092b719
  SHA1: 46433f610d6cd3c81782c417d06a4de7398da1d3
  SHA256: 1e92a147532caa911fe62c2d7783168ed26326285878ecc64f2cc4ec75eaa668
  SHA512: 9b7451c230071e1eefc7e683d27fe7206cc55b01dfb0fea08f06e542729e0a01c39d681430eabe1ef15c52197e4033e142c68c07e641f7ff6b53c53d2bbb788d
- Filesize: 3KB
  MD5: d2ec00f0deae3b67ec710e34a70269d4
  SHA1: 59f9d89fb1c100adfb075f0e2b720ee81c95f0ab
  SHA256: 2153d172b8d3465cc71350076f9baa4794b2c1fa51dcf07542e4abd420d6225f
  SHA512: 4bd874c841b14e7cf9861c4cbcad8a6f9d43412d1d5faaeb8377d1bb71bd0fecf6899ca06eebf0243c7714f8a392f300e3c9261c975354e5040ac362bf10793b
- Filesize: 11KB
  MD5: 3b0c1f1663a45c303a60af61bf66418d
  SHA1: b7c56398101c92c00bbc3672394df5997fc068be
  SHA256: e9dfcd89c06618c28711415351a2a13582352f24790b2af2b800f4380f3b72d4
  SHA512: f739d8be306e7ab5f8748d32f04679c7f0d2e1f1611a14df6c554fda1b25ee9666c4a6a640f10f93bdbca501f142223ada144cc2200fa9a948d8e756370158de
- Filesize: 2B
  MD5: c483f6ce851c9ecd9fb835ff7551737c
  SHA1: 6d3236ec3c88039ca534b81acad564e847ecb062
  SHA256: d53315bea08cec50d2591fcaf3b32dc5d289cdc6c16b7e8bed8c8e3f7ceaa34e
  SHA512: 745d02ffe3f66d0e8d77936c200e1474f2ee8e6f1b1ffdeaeda983ffb722d883c31be89d7188b63bb0e9718569af03fc0f067d28f12bf318a94dbc07cae404ba
- Filesize: 72B
  MD5: e7696ee9880e18e7a0792bb1dfcac652
  SHA1: eabe757a6ed4673b8136b42eae4aa873aadd31cb
  SHA256: adb0d234a14c09fb728ebdffd4022ae4aba45ebd5ff3d336565afd58943ecb37
  SHA512: 5ed5566621a428d6865c26c0c5cb10c7cc267a3f6e569fbe360c07e97996586998aac62fef460fc5c51a6684583972718a16663d575fc04242d545639d384ca6
- Filesize: 2.1MB
  MD5: c795304f0657512f5b7fa00456a9a5fa
  SHA1: 2b1a977b539abd2362bd65dc0ef838d528df5278
  SHA256: 77dbef770ee7d1b18b76558524c09a317d1737722b1bd2f5e84d979999d4d176
  SHA512: 52ac5fc70bcf803e15b296af72c6e1070fc952de392e704ee167c0bdea7d4ee076f9460c4ba88c6f47ec963a25574fb7963dbcda86b4d23324007ea4153b7de9
- Filesize: 2.1MB
  MD5: d1694e2e68cfd4080b22a81785729427
  SHA1: 9ee9643428c5c94c14e29414ac76f469d27a67fb
  SHA256: 41351967cdd01df72b527f317f44d04925cd49f06d409ac4802d9b31dbdc14b6
  SHA512: f1b9f759cb0fcd5e126230c40dda2b849afd291c396c63e89b719784224afe1737552d794d4d5f67a16eede12ac85dd5be0a8bbe4ba7ef2cbe8a84fecb86bfdd
- Filesize: 88B
  MD5: aad081dbd35481f70deec3aa7bac1dec
  SHA1: 6869925f38ad06a8fc5fbc56b6b6119d6f2ae731
  SHA256: fc941b384be1ddf9f423feafc0cd64680df0ea5abec78b5286a9bba181d4562f
  SHA512: 14e153db2a3593d0860f1b3373b7f2f576677b97c06a6dda5ad3f55cce254d217f7e794646feb143d7604e90436f64be7e0b619236ef6d36a51f68d45cde1485
- Filesize: 143B
  MD5: af66bbd7e3ab3608e1e413489e0b5090
  SHA1: cb7c139f454e0dc1eafe71514b9477bf758fe45f
  SHA256: 99a883604033179c920b5d17f590c74ebc15d29c581b632d030c35ed7f8eb1cf
  SHA512: 1d9b0d398d60d4d8bfbc3dc1913d0ed99ee629e63aec2e66d3bbccdf26b8766ef21d91fbf6ce96456473189e9b80ccfe0aa88e49f723b586a8c153889195a87c
- Filesize: 116B
  MD5: 4546e05c360a5255e1e4a4d248d46920
  SHA1: df357815dbde9998040d1c66d4e681bc6d10cc67
  SHA256: c25817343836442811b3ba3480983921e5a83930128c6172a10f9db7d90054a8
  SHA512: 5c282a15ce2aa83d80eeb08900d4ff609f4a4cd46c2315bbcc4dcdaea5fd10d1b2dbb7802263d4f32e1e9325e67b37f79523e429b3fc1f74b271b530f12bf296
- Filesize: 2.1MB
  MD5: 132131b105f95f879cdb42281e4663fd
  SHA1: b874099b17125ee3042aececc99a65c64b24b662
  SHA256: a5bf89bad096b40b9a7a0cf9075bfb8466c2137f48ef11bca54036b54dd21d56
  SHA512: 4668f202aa096f25abd5032c5ae73ab19ab2b3b3152269d5b1c41060347a5c935842d90c97cdf4b00dab71583853af0c077b122fcdf73ef0237bef8c9617218c