9b2a132a1b8109f3b68f63c95cc3bf499f246e2db435a58f3c294c570f62f38b

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
07-09-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d25035c6ed07605dc33f3c35ed590d6b_JaffaCakes118
Size

1.2MB
MD5

d25035c6ed07605dc33f3c35ed590d6b
SHA1

7626d77ae4d3ba50fcf9982bbf2e2123765af664
SHA256

9b2a132a1b8109f3b68f63c95cc3bf499f246e2db435a58f3c294c570f62f38b
SHA512

6ced92d77f63bbe5e66aa14e7ee6aa65363a98acd06854795dd2ede142d2900646ffabfb75fe882a2f77a1a87d9e0f68b9a1010bb63e0dabe6d2e23f7681f89a
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWIX4t2y1q2rJp0:745vRVJKGtSA0VWIoku9p0

Score

7^/10

defense_evasion discovery persistence rootkit

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 6 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2589	chmod
2597	chmod
2551	chmod
2561	chmod
2571	chmod
2580	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	2519	getty
/usr/bin/.sshd	2539	.sshd

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2475	d25035c6ed07605dc33f3c35ed590d6b_JaffaCakes118
2478	Process not Found
2495	Process not Found
2478	Process not Found
2478	Process not Found
2497	Process not Found
2478	Process not Found
2478	Process not Found
2499	Process not Found
2478	Process not Found
2478	Process not Found
2501	Process not Found
2478	Process not Found
2478	Process not Found
2503	Process not Found
2478	Process not Found
2478	Process not Found
2511	Process not Found
2478	Process not Found
2478	Process not Found
2513	Process not Found
2478	Process not Found
2478	Process not Found
2515	Process not Found
2478	Process not Found
2517	Process not Found
2518	Process not Found
2519	getty
2517	Process not Found
2478	Process not Found
2521	Process not Found
2478	Process not Found
2478	Process not Found
2523	Process not Found
2478	Process not Found
2478	Process not Found
2525	Process not Found
2478	Process not Found
2520	Process not Found
2527	Process not Found
2520	Process not Found
2520	Process not Found
2529	Process not Found
2520	Process not Found
2520	Process not Found
2531	Process not Found
2520	Process not Found
2520	Process not Found
2533	Process not Found
2520	Process not Found
2520	Process not Found
2535	Process not Found
2536	Process not Found
2537	Process not Found
2539	.sshd
2520	Process not Found
2520	Process not Found
2540	Process not Found
2520	Process not Found
2520	Process not Found
2542	Process not Found
2520	Process not Found
2520	Process not Found
2544	Process not Found

Write file to user bin folder 8 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/dpkgd/ss	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/ss	cp
File opened for modification	/usr/bin/bsd-port/getty	cp

Writes file to system bin folder 3 IoCs

description	ioc	Process
File opened for modification	/bin/ss	cp
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/compression	insmod
File opened for reading	/sys/module/compression	insmod

Reads runtime system information 30 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/cmdline	insmod

/tmp/d25035c6ed07605dc33f3c35ed590d6b_JaffaCakes118
/tmp/d25035c6ed07605dc33f3c35ed590d6b_JaffaCakes118
1⤵
- Loads a kernel module
PID:2475
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:2496
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:2498
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:2500
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:2502
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:2504
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2512
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2514
- /usr/bin/cp
  cp -f /tmp/d25035c6ed07605dc33f3c35ed590d6b_JaffaCakes118 /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2516
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2519
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
    3⤵
    PID:2528
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
    3⤵
    PID:2530
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
    3⤵
    PID:2532
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
    3⤵
    PID:2534
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
    3⤵
    PID:2538
- - /usr/bin/mkdir
    mkdir -p /usr/bin/dpkgd
    3⤵
    - Reads runtime system information
    PID:2541
- - /usr/bin/cp
    cp -f /bin/lsof /usr/bin/dpkgd/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2543
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2545
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2547
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/lsof
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2549
- - /usr/bin/chmod
    chmod 0755 /bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2551
- - /usr/bin/cp
    cp -f /bin/ps /usr/bin/dpkgd/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2553
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2555
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2557
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/ps
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2559
- - /usr/bin/chmod
    chmod 0755 /bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2561
- - /usr/bin/cp
    cp -f /bin/ss /usr/bin/dpkgd/ss
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2563
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2565
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2567
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/ss
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2569
- - /usr/bin/chmod
    chmod 0755 /bin/ss
    3⤵
    - File and Directory Permissions Modification
    PID:2571
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2573
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2575
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2577
- - /usr/bin/chmod
    chmod 0755 /usr/bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2580
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2583
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2585
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2587
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2589
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2591
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2593
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/ss
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2595
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ss
    3⤵
    - File and Directory Permissions Modification
    PID:2597
- - /usr/sbin/insmod
    insmod /usr/bin/bsd-port/xpacket.ko
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2607
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2522
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2524
- /usr/bin/cp
  cp -f /tmp/d25035c6ed07605dc33f3c35ed590d6b_JaffaCakes118 /usr/bin/.sshd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2526
- /usr/bin/.sshd
  /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2539
- /usr/sbin/insmod
  insmod /tmp/xpacket.ko
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2599

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
1cbce280d5dcadba9d23d3f8eea943b9

SHA1
1cded1b736092af93019164580220b245d8b35ad

SHA256
4c2526e9f3c91aaadcc001f440ed5f3cb4876ad6f2fc37f218b35bbea59d4d28

SHA512
4769cd5abf1943c46d1875f02ca0da325930a8794cefd89c1f6d8b2a43af7ceb4de8ee8cf05017a3ccb771c15f1f7ef9154fc54eb64ab5907c06d33b9bd906c6

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/conf.n

Filesize
73B

MD5
50e6e98ae3553e9fa64577ae49d93521

SHA1
30b5c55c7acb66115fd4ca04139553dec07628e9

SHA256
1e0e5711a0ba87dad72db523c7cd9523ef0afe60d5d4f78373636bc8fe3ec143

SHA512
38b17d6475eddfb64951261c7312a5183448381032f40fa9ef7e0eae3c398d9227da406456b825925d66801a6b403bcb0b8e5ed9091662c706910c84a1e44c69

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
53f0d7c537d99b3824f0f99d62ea2428

SHA1
fd036c77bc43059b0dfa9067039290b8f17440e5

SHA256
aabbb2bd43c0fb27462f139e0274faa6c3a5c6d600e1b2fc6d3c96c18503607e

SHA512
f934b9aec051382903f7bf391e6ea8d79771c4d95e804f47ee016b69985af5d651003595dda29c494ab592b0928dca406bdd56fc1352f5d471ab3b86f4dd9813

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
9457fc28ceb408103e13533e4a5b6bd1

SHA1
6b889c330f46dc311cc666b585f113a1460792a3

SHA256
b1ac3a14adbfd6d9c4c4641a18c04de2b5370726980041058edfa926a49a9fb5

SHA512
994452b4326b179c4cf4dbbbfb0b9fd04fec9004064c9bfe1f954837a3ca3a29b456c1ea82175026d183b2aac450e9d1b12feb5799fbeef949911bd377783299

Download Submit
/tmp/notify.file

Filesize
51B

MD5
6270e4e7491b35971a18650704072f32

SHA1
db16943981ea57e551966336faf5e253fbbb209b

SHA256
25c8d47ba4112ea2fea760ec96da4e83c0ea6831a5a673a4e151949e48f5dd23

SHA512
498c15fdf6c00f77f9239e403ba28e7ad6418fe44f5ad16624772515c62c112907633e6f460e741a3210634b11383814cf880e8866efc7ed3f00e7386176f986

Download Submit