Analysis

  • max time kernel
    146s
  • max time network
    142s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    31-08-2024 17:25

General

  • Target

    cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118

  • Size

    159KB

  • MD5

    cd41c0e3d6aa075cbacadee78a42986c

  • SHA1

    1b83fb5e33e0f33ad739c43cd55a90c8e3117431

  • SHA256

    3bb3a370af8aaefefff36a0c408ddf41f49c1a8bf176a68c2bf3f042bc8a2c5d

  • SHA512

    7eaa370e2e335a7c5a22b70425a0bdf2f34116f03e0723eaa620b395798ae2270ce25edd3809881eafc628c8c408bd90a435e6a52cfb27c25238c9912d307ca1

  • SSDEEP

    3072:ZYWzXRu1b1O9CPfRtNtkJ6rf+R0QA/DlkLi8zw1KW1x16wlwzaSwJvCBdnLk:+1RiC33Du6triLlIdDrwOS6ik

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies systemd 1 TTPs 1 IoCs

    Adds or modifies systemd service files, likely to achieve persistence.

  • Reads MAC address of network interface 2 TTPs 1 IoCs

    Fetches the MAC address of active network interfaces. May be used to detect known values for hypervisors.

  • Write file to user bin folder 1 TTPs 1 IoCs
  • Changes its process name 3 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that may indicate whether the system is a virtual machine.

  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 19 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118
    /tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118
    1⤵
    • Deletes itself
    • Modifies systemd
    • Write file to user bin folder
    PID:2485
    • /bin/sh
      sh -c "mount -o remount,rw /system"
      2⤵
      PID:2486
      • /usr/bin/mount
        mount -o "remount,rw" /system
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:2487
    • /bin/sh
      sh -c "which semanage 2> /dev/null"
      2⤵
      PID:2489
      • /usr/bin/which
        which semanage
        3⤵
        PID:2490
    • /bin/sh
      sh -c "semanage fcontext -a -t bin_t \"/usr/bin/fsopen\" 2> /dev/null && restorecon \"/usr/bin/fsopen\""
      2⤵
      PID:2491
      • /usr/sbin/semanage
        semanage fcontext -a -t bin_t /usr/bin/fsopen
        3⤵
        • Reads runtime system information
        PID:2492
        • /sbin/setfiles
          /sbin/setfiles -q -c /var/lib/selinux/final/default/policy/policy.33 /var/lib/selinux/final/default/contexts/files/file_contexts
          4⤵
          • Reads runtime system information
          PID:2496
        • /sbin/sefcontext_compile
          /sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts
          4⤵
          • Reads runtime system information
          PID:2497
        • /sbin/sefcontext_compile
          /sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts.local
          4⤵
          • Reads runtime system information
          PID:2498
        • /sbin/sefcontext_compile
          /sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts.homedirs
          4⤵
          • Reads runtime system information
          PID:2499
      • /usr/sbin/restorecon
        restorecon /usr/bin/fsopen
        3⤵
        • Reads runtime system information
        PID:2500
    • /bin/sh
      sh -c "systemctl enable fsopen.service 2>/dev/null"
      2⤵
      PID:2501
      • /usr/bin/systemctl
        systemctl enable fsopen.service
        3⤵
        • Reads runtime system information
        PID:2502
    • /bin/sh
      sh -c "/usr/bin/fsopen 0 &"
      2⤵
      PID:2626
  • /usr/bin/fsopen
    /usr/bin/fsopen 0
    1⤵
    • Executes dropped EXE
    • Reads MAC address of network interface
    • Changes its process name
    • Enumerates kernel/hardware configuration
    PID:2627
    • /bin/sh
      sh -c "id 2>/dev/null"
      2⤵
      PID:2629
      • /usr/bin/id
        id
        3⤵
        • Reads runtime system information
        PID:2630
    • /bin/sh
      sh -c "uname -a 2>/dev/null"
      2⤵
      PID:2631
      • /usr/bin/uname
        uname -a
        3⤵
        PID:2632
    • /bin/sh
      sh -c "whoami 2>/dev/null"
      2⤵
      PID:2633
      • /usr/bin/whoami
        whoami
        3⤵
        PID:2634
    • /bin/sh
      sh -c "cat /proc/cpuinfo 2>/dev/null"
      2⤵
      PID:2635
      • /usr/bin/cat
        cat /proc/cpuinfo
        3⤵
        • Checks CPU configuration
        PID:2636
    • /bin/sh
      sh -c "cat /proc/meminfo 2>/dev/null"
      2⤵
      PID:2637
      • /usr/bin/cat
        cat /proc/meminfo
        3⤵
        • Reads runtime system information
        PID:2638
    • /bin/sh
      sh -c "cat /proc/version 2>/dev/null"
      2⤵
      PID:2639
      • /usr/bin/cat
        cat /proc/version
        3⤵
        • Reads runtime system information
        PID:2640
    • /bin/sh
      sh -c "cat /proc/partitions 2>/dev/null"
      2⤵
      PID:2641
      • /usr/bin/cat
        cat /proc/partitions
        3⤵
        • Reads runtime system information
        PID:2642
    • /bin/sh
      sh -c "cat /etc/*release /etc/issue 2>/dev/null"
      2⤵
      PID:2643
      • /usr/bin/cat
        cat /etc/lsb-release /etc/os-release /etc/issue
        3⤵
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/.wbgngofGaCave (16B)
  • /etc/selinux/default/contexts/files/file_contexts.bin.tmp (7.0MB)
  • /etc/selinux/default/contexts/files/file_contexts.homedirs.bin.tmp (526KB)
  • /etc/selinux/default/contexts/files/file_contexts.local.bin.tmp (1KB)
  • /usr/bin/fsopen (108KB)
  • /usr/lib/systemd/system/fsopen.service (183B)
  • /var/lib/selinux/default/tmp/commit_num (32B)
  • /var/lib/selinux/default/tmp/commit_num.tmp (32B)
  • /var/lib/selinux/default/tmp/file_contexts.homedirs.tmp (27KB)
  • /var/lib/selinux/default/tmp/homedir_template.tmp (13KB)
  • /var/lib/selinux/default/tmp/modules/100/logadm/cil.tmp (3KB)
  • /var/lib/selinux/default/tmp/modules/100/logadm/hll.tmp (11KB)
  • /var/lib/selinux/default/tmp/modules/100/logadm/lang_ext.tmp (2B)
  • /var/lib/selinux/default/tmp/modules_checksum.tmp (72B)
  • /var/lib/selinux/default/tmp/policy.kern.tmp (2.1MB)
  • /var/lib/selinux/default/tmp/policy.linked.tmp (2.1MB)
  • /var/lib/selinux/default/tmp/seusers.tmp (88B)
  • /var/lib/selinux/default/tmp/users_extra.linked.tmp (143B)
  • /var/lib/selinux/final/default/contexts/files/file_contexts.local.tmp (116B)
  • /var/lib/selinux/final/default/policy/policy.33.tmp (2.1MB)