798725bcb7292e8b41279521dde20eea17c119e8a37c39dea098091a210f611c

General

Target

d253b6fc961673435c0e034675f43cf6_JaffaCakes118
Size

134KB
MD5

d253b6fc961673435c0e034675f43cf6
SHA1

0594b9aa72a54bbf69d99fee3d0ba75dd9f06e72
SHA256

798725bcb7292e8b41279521dde20eea17c119e8a37c39dea098091a210f611c
SHA512

6ad42f065811e4667246d97d64331528806f7ddf71be60606733e3fe6bffcab8aae4351cc4ebd08dbbf0d03cb90f3af91e20ab3cd94ebdb593915bf5693e83d3
SSDEEP

3072:biMYFJvw6Yh0b1gKobtCMCmCRlrisfrYm:fYFJvwe1gKCYjl2szN

Score

9^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Contacts a large (8649) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Patched UPX-packed file 1 IoCs
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

Processes:

resource yara_rule

/usr/networks patched_upx

resource	yara_rule
/usr/networks	patched_upx

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

d253b6fc961673435c0e034675f43cf6_JaffaCakes118

description	ioc	process
File opened for modification	/dev/watchdog	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for modification	/dev/misc/watchdog	d253b6fc961673435c0e034675f43cf6_JaffaCakes118

UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

/usr/networks upx
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
discovery

System Network Connections Discovery
T1049

Processes:

d253b6fc961673435c0e034675f43cf6_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp d253b6fc961673435c0e034675f43cf6_JaffaCakes118
Enumerates running processes
Discovers information about currently running processes on the system

resource	yara_rule
/usr/networks	upx

Modifies init.d 2 TTPs 4 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

d253b6fc961673435c0e034675f43cf6_JaffaCakes118

description	ioc	process
File opened for modification	/etc/init.d/console-setup.sh	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for modification	/etc/init.d/keyboard-setup.sh	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for modification	/etc/init.d/S95baby.sh	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for modification	/etc/init.d/hwclock.sh	d253b6fc961673435c0e034675f43cf6_JaffaCakes118

Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
discovery

Internet Connection Discovery
T1016.001

Processes:

d253b6fc961673435c0e034675f43cf6_JaffaCakes118

description ioc process

File opened for reading /proc/net/route d253b6fc961673435c0e034675f43cf6_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/route	d253b6fc961673435c0e034675f43cf6_JaffaCakes118

Writes file to system bin folder 2 IoCs

Processes:

d253b6fc961673435c0e034675f43cf6_JaffaCakes118

description	ioc	process
File opened for modification	/sbin/watchdog	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for modification	/bin/watchdog	d253b6fc961673435c0e034675f43cf6_JaffaCakes118

Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself sshd 706

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	sshd	706

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

d253b6fc961673435c0e034675f43cf6_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for reading	/proc/net/raw	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for reading	/proc/net/route	d253b6fc961673435c0e034675f43cf6_JaffaCakes118

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killalld253b6fc961673435c0e034675f43cf6_JaffaCakes118

description	ioc	process
File opened for reading	/proc/696/cmdline	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/335/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/36/stat	killall
File opened for reading	/proc/380/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/21/stat	killall
File opened for reading	/proc/70/stat	killall
File opened for reading	/proc/315/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/702/stat	killall
File opened for reading	/proc/119/cmdline	killall
File opened for reading	/proc/142/stat	killall
File opened for reading	/proc/682/stat	killall
File opened for reading	/proc/697/stat	killall
File opened for reading	/proc/706/cmdline	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/119/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/665/stat	killall
File opened for reading	/proc/669/stat	killall
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/696/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/672/stat	killall
File opened for reading	/proc/707/stat	killall
File opened for reading	/proc/334/stat	killall
File opened for reading	/proc/338/stat	killall
File opened for reading	/proc/357/stat	killall
File opened for reading	/proc/mounts	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/72/stat	killall
File opened for reading	/proc/110/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/142/cmdline	killall
File opened for reading	/proc/199/stat	killall
File opened for reading	/proc/470/stat	killall
File opened for reading	/proc/701/stat	killall
File opened for reading	/proc/self/exe	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/75/stat	killall
File opened for reading	/proc/703/stat	killall
File opened for reading	/proc/171/stat	killall
File opened for reading	/proc/699/stat	killall
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/156/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/231/stat	killall
File opened for reading	/proc/361/stat	killall
File opened for reading	/proc/671/stat	killall
File opened for reading	/proc/3/stat	killall

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

Processes:

d253b6fc961673435c0e034675f43cf6_JaffaCakes118

description	ioc	process
File opened for modification	/tmp/.config	d253b6fc961673435c0e034675f43cf6_JaffaCakes118
File opened for modification	/tmp/.ips	d253b6fc961673435c0e034675f43cf6_JaffaCakes118

/tmp/d253b6fc961673435c0e034675f43cf6_JaffaCakes118
/tmp/d253b6fc961673435c0e034675f43cf6_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Modifies init.d
- Reads system routing table
- Writes file to system bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:704

/bin/sh
sh -c "killall -9 telnetd utelnetd scfgmgr"
2⤵
PID:707

/usr/bin/killall
killall -9 telnetd utelnetd scfgmgr
3⤵
- Reads runtime system information
PID:709

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 39107 -j ACCEPT"
2⤵
PID:789

/sbin/iptables
iptables -I INPUT -p tcp --destination-port 39107 -j ACCEPT
3⤵
PID:790

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 39107 -j ACCEPT"
2⤵
PID:794

/sbin/iptables
iptables -I OUTPUT -p tcp --source-port 39107 -j ACCEPT
3⤵
PID:797

/bin/sh
sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 39107 -j ACCEPT"
2⤵
PID:799

/sbin/iptables
iptables -I PREROUTING -t nat -p tcp --destination-port 39107 -j ACCEPT
3⤵
PID:800

/bin/sh
sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 39107 -j ACCEPT"
2⤵
PID:805

/sbin/iptables
iptables -I POSTROUTING -t nat -p tcp --source-port 39107 -j ACCEPT
3⤵
PID:807

/bin/sh
sh -c "iptables -I INPUT -p tcp --dport 39107 -j ACCEPT"
2⤵
PID:809

/sbin/iptables
iptables -I INPUT -p tcp --dport 39107 -j ACCEPT
3⤵
PID:810

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --sport 39107 -j ACCEPT"
2⤵
PID:811

/sbin/iptables
iptables -I OUTPUT -p tcp --sport 39107 -j ACCEPT
3⤵
PID:812

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 22 -j DROP"
2⤵
PID:814

/sbin/iptables
iptables -I INPUT -p tcp --destination-port 22 -j DROP
3⤵
PID:816

/bin/sh
sh -c "iptables -I PREROUTING -t nat -p tcp --dport 39107 -j ACCEPT"
2⤵
PID:817

/sbin/iptables
iptables -I PREROUTING -t nat -p tcp --dport 39107 -j ACCEPT
3⤵
PID:818

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 23 -j DROP"
2⤵
PID:820

/sbin/iptables
iptables -I INPUT -p tcp --destination-port 23 -j DROP
3⤵
PID:821

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 2323 -j DROP"
2⤵
PID:822

/sbin/iptables
iptables -I INPUT -p tcp --destination-port 2323 -j DROP
3⤵
PID:823

/bin/sh
sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 39107 -j ACCEPT"
2⤵
PID:824

/sbin/iptables
iptables -I POSTROUTING -t nat -p tcp --sport 39107 -j ACCEPT
3⤵
PID:825

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 22 -j DROP"
2⤵
PID:826

/sbin/iptables
iptables -I OUTPUT -p tcp --source-port 22 -j DROP
3⤵
PID:828

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 23 -j DROP"
2⤵
PID:830

/sbin/iptables
iptables -I OUTPUT -p tcp --source-port 23 -j DROP
3⤵
PID:831

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 2323 -j DROP"
2⤵
PID:832

/sbin/iptables
iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
3⤵
PID:833

/bin/sh
sh -c "iptables -I INPUT -p tcp --dport 22 -j DROP"
2⤵
PID:834

/sbin/iptables
iptables -I INPUT -p tcp --dport 22 -j DROP
3⤵
PID:836

/bin/sh
sh -c "iptables -I INPUT -p tcp --dport 23 -j DROP"
2⤵
PID:838

/sbin/iptables
iptables -I INPUT -p tcp --dport 23 -j DROP
3⤵
PID:839

/bin/sh
sh -c "iptables -I INPUT -p tcp --dport 2323 -j DROP"
2⤵
PID:840

/sbin/iptables
iptables -I INPUT -p tcp --dport 2323 -j DROP
3⤵
PID:841

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --sport 22 -j DROP"
2⤵
PID:843

/sbin/iptables
iptables -I OUTPUT -p tcp --sport 22 -j DROP
3⤵
PID:844

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --sport 23 -j DROP"
2⤵
PID:846

/sbin/iptables
iptables -I OUTPUT -p tcp --sport 23 -j DROP
3⤵
PID:847

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --sport 2323 -j DROP"
2⤵
PID:848

/sbin/iptables
iptables -I OUTPUT -p tcp --sport 2323 -j DROP
3⤵
PID:849

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
2⤵
PID:852

/sbin/iptables
iptables -I INPUT -p tcp --destination-port 58000 -j DROP
3⤵
PID:853

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
2⤵
PID:854

/sbin/iptables
iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
3⤵
PID:855

/bin/sh
sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
2⤵
PID:857

/sbin/iptables
iptables -I INPUT -p tcp --dport 58000 -j DROP
3⤵
PID:859

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
2⤵
PID:863

/sbin/iptables
iptables -I OUTPUT -p tcp --sport 58000 -j DROP
3⤵
PID:864

/bin/sh
sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
2⤵
PID:866

/bin/sh
sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
2⤵
PID:868

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
2⤵
PID:869

/sbin/iptables
iptables -I INPUT -p tcp --destination-port 35000 -j DROP
3⤵
PID:870

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
2⤵
PID:872

/sbin/iptables
iptables -I INPUT -p tcp --destination-port 50023 -j DROP
3⤵
PID:874

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
2⤵
PID:875

/sbin/iptables
iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
3⤵
PID:876

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
2⤵
PID:878

/sbin/iptables
iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
3⤵
PID:879

/bin/sh
sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
2⤵
PID:881

/sbin/iptables
iptables -I INPUT -p tcp --destination-port 7547 -j DROP
3⤵
PID:882

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
2⤵
PID:883

/sbin/iptables
iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
3⤵
PID:885

/bin/sh
sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
2⤵
PID:887

/sbin/iptables
iptables -I INPUT -p tcp --dport 35000 -j DROP
3⤵
PID:888

/bin/sh
sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
2⤵
PID:889

/sbin/iptables
iptables -I INPUT -p tcp --dport 50023 -j DROP
3⤵
PID:890

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
2⤵
PID:892

/sbin/iptables
iptables -I OUTPUT -p tcp --sport 50023 -j DROP
3⤵
PID:893

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
2⤵
PID:895

/sbin/iptables
iptables -I OUTPUT -p tcp --sport 35000 -j DROP
3⤵
PID:896

/bin/sh
sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
2⤵
PID:897

/sbin/iptables
iptables -I INPUT -p tcp --dport 7547 -j DROP
3⤵
PID:898

/bin/sh
sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
2⤵
PID:900

/sbin/iptables
iptables -I OUTPUT -p tcp --sport 7547 -j DROP
3⤵
PID:902

/bin/sh
sh -c "iptables -I INPUT -p udp --destination-port 1900 -j ACCEPT"
2⤵
PID:903

/sbin/iptables
iptables -I INPUT -p udp --destination-port 1900 -j ACCEPT
3⤵
PID:904

/bin/sh
sh -c "iptables -I OUTPUT -p udp --source-port 1900 -j ACCEPT"
2⤵
PID:905

/sbin/iptables
iptables -I OUTPUT -p udp --source-port 1900 -j ACCEPT
3⤵
PID:906

/bin/sh
sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 1900 -j ACCEPT"
2⤵
PID:907

/sbin/iptables
iptables -I PREROUTING -t nat -p udp --destination-port 1900 -j ACCEPT
3⤵
PID:908

/bin/sh
sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 1900 -j ACCEPT"
2⤵
PID:909

/sbin/iptables
iptables -I POSTROUTING -t nat -p udp --source-port 1900 -j ACCEPT
3⤵
PID:910

/bin/sh
sh -c "iptables -I INPUT -p udp --dport 1900 -j ACCEPT"
2⤵
PID:911

/sbin/iptables
iptables -I INPUT -p udp --dport 1900 -j ACCEPT
3⤵
PID:912

/bin/sh
sh -c "iptables -I OUTPUT -p udp --sport 1900 -j ACCEPT"
2⤵
PID:913

/sbin/iptables
iptables -I OUTPUT -p udp --sport 1900 -j ACCEPT
3⤵
PID:914

/bin/sh
sh -c "iptables -I PREROUTING -t nat -p udp --dport 1900 -j ACCEPT"
2⤵
PID:915

/sbin/iptables
iptables -I PREROUTING -t nat -p udp --dport 1900 -j ACCEPT
3⤵
PID:916

/bin/sh
sh -c "iptables -I POSTROUTING -t nat -p udp --sport 1900 -j ACCEPT"
2⤵
PID:917

/sbin/iptables
iptables -I POSTROUTING -t nat -p udp --sport 1900 -j ACCEPT
3⤵
PID:918

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Boot or Logon Initialization Scripts

1

T1037

RC Scripts

1

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Boot or Logon Initialization Scripts

1

T1037

RC Scripts

1

T1037.004

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Network Service Discovery

2

T1046

System Network Connections Discovery

1

T1049

System Network Configuration Discovery

2

T1016

Internet Connection Discovery

2

T1016.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/rcS.d/S95baby.sh
Filesize
25B

MD5
1b3235ba10fc04836c941d3d27301956

SHA1
8909655763143702430b8c58b3ae3b04cfd3a29c

SHA256
01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a

SHA512
98bdb5c266222ccbd63b6f80c87e501c8033dc53b0513d300b8da50e39a207a0b69f8cd3ecc4a128dec340a1186779fedd1049c9b0a70e90d2cb3ae6ebfa4c4d

Download Submit
/tmp/.config
Filesize
140B

MD5
457412db2275c971a2f32aef0c05f0ef

SHA1
81634d651b7bd25434966cb91dd5f1f1683ae363

SHA256
348a557ecef7585e315fa04bea4a179b715c795993ca331fbaf3677c79e0be5e

SHA512
4bf11f480c43a51666b8ddb335c59159c142299995ef5aad0cabe266e9652482f3032759150d6c467494ac10e7210976a935b61642cb214a438be016a7244a2c

Download Submit
/tmp/.config
Filesize
33B

MD5
54b9d9d2f4aa11e4c379282bd6d7f9aa

SHA1
2a03ed1727e05b808830d4043e18a730fc0a6977

SHA256
4c7ff3d79289279e21ca58917087a01e0135cc18369757f83d438d399205ff44

SHA512
9200bfce56ff2f0b871e5989fb1f469eeec7ea16aa9d9aa2073767667a75822910c37186807dfaa71094e3ba37ba292d9199f1e7f573a42fce9c236b56ba3955

Download Submit
/usr/networks
Filesize
134KB

MD5
d253b6fc961673435c0e034675f43cf6

SHA1
0594b9aa72a54bbf69d99fee3d0ba75dd9f06e72

SHA256
798725bcb7292e8b41279521dde20eea17c119e8a37c39dea098091a210f611c

SHA512
6ad42f065811e4667246d97d64331528806f7ddf71be60606733e3fe6bffcab8aae4351cc4ebd08dbbf0d03cb90f3af91e20ab3cd94ebdb593915bf5693e83d3

Download Submit
memory/704-1-0x00400000-0x004c2f18-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads