869948540d5d277b5d7316aeec1a07f9d34c04797fd6866557de7eef63921135

Analysis

max time kernel
6s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
06/09/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118
Size

1KB
MD5

d05962107e522931fc17a26e7fc4fbbb
SHA1

6d2de05ef9581aa3a718d80114a13fd58578dc36
SHA256

869948540d5d277b5d7316aeec1a07f9d34c04797fd6866557de7eef63921135
SHA512

befe624bdfecca47f23949314b5a3c4a75f6d2704d5723471018d0b11cdf3dee312cf7d23b358c4baadbf06aed6c0af3cc09cd15eb6135a6e68fffe274f05a67

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 15 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
748	chmod
774	chmod
795	chmod
800	chmod
731	chmod
761	chmod
768	chmod
739	chmod
754	chmod
780	chmod
790	chmod
805	chmod
810	chmod
722	chmod
785	chmod

Executes dropped EXE 15 IoCs

ioc	pid	Process
/tmp/badbox	724	badbox
/tmp/badbox	732	badbox
/tmp/badbox	741	badbox
/tmp/badbox	749	badbox
/tmp/badbox	755	badbox
/tmp/badbox	762	badbox
/tmp/badbox	770	badbox
/tmp/badbox	775	badbox
/tmp/badbox	781	badbox
/tmp/badbox	786	badbox
/tmp/badbox	791	badbox
/tmp/badbox	796	badbox
/tmp/badbox	801	badbox
/tmp/badbox	806	badbox
/tmp/badbox	811	badbox

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/badbox	d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118
File opened for modification	/tmp/busybox	cp

/tmp/d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118
/tmp/d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:709
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:712
- /bin/cat
  cat ntpd
  2⤵
  PID:720
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:722
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:724
- /bin/cat
  cat sshd
  2⤵
  PID:729
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:731
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:732
- /bin/cat
  cat openssh
  2⤵
  PID:737
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:741
- /bin/cat
  cat bash
  2⤵
  PID:746
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:748
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:749
- /bin/cat
  cat tftp
  2⤵
  PID:752
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:754
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:755
- /bin/cat
  cat pstree
  2⤵
  PID:759
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:761
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:762
- /bin/cat
  cat dropbear
  2⤵
  PID:767
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:768
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:770
- /bin/cat
  cat wget
  2⤵
  PID:773
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:774
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:775
- /bin/cat
  cat cron
  2⤵
  PID:779
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:780
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:781
- /bin/cat
  cat ftp
  2⤵
  PID:784
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:785
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:786
- /bin/cat
  cat pftp
  2⤵
  PID:789
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:790
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:791
- /bin/cat
  cat sh
  2⤵
  PID:794
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:796
- /bin/cat
  cat " "
  2⤵
  PID:799
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:800
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:801
- /bin/cat
  cat apache2
  2⤵
  PID:804
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:805
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:806
- /bin/cat
  cat telnetd
  2⤵
  PID:809
- /bin/chmod
  chmod +x badbox busybox d05962107e522931fc17a26e7fc4fbbb_JaffaCakes118 systemd-private-431a5c22c369426d8da8ffd9746f5eb3-systemd-timedated.service-msufzL
  2⤵
  - File and Directory Permissions Modification
  PID:810
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:811

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/busybox

Filesize
857KB

MD5
6ffc46165b5d9726a6607f3ea5305589

SHA1
ab127220f42e816b413dde0d17031e251a7bc98f

SHA256
80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c

SHA512
456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8

Download Submit