Overview

overview

10

Static

static

1

d66aca7338...kes118

ubuntu-18.04-amd64

10

d66aca7338...kes118

debian-9-armhf

7

d66aca7338...kes118

debian-9-mips

8

d66aca7338...kes118

debian-9-mipsel

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d66aca73387d8ab787f71544777285b5_JaffaCakes118

  • Size

    36KB

  • Sample

    240909-qt6etszhpp

  • MD5

    d66aca73387d8ab787f71544777285b5

  • SHA1

    526715af85f935e34b15f124d4b57c8fc37fc1a5

  • SHA256

    3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38

  • SHA512

    c9ab083fa7d6a49c333020c13e241303da28afe5a8bd2cf60733fc419ecabef91a9360ac70b5425ee85109367554f3d2a9bf1434dd918ab514fe6ac8800de5ed

  • SSDEEP

    384:x7DQQwQHDf6jlpTWg3vMQ4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeUoJpJyd5:x7kFNc48FkcOYq0xvQGd51ZdAAPPD

Score
10/10
xmrig_linuxdefense_evasiondiscoveryevasionexecutionlinuxminerpersistenceprivilege_escalatioprivilege_escalationrootkit

Malware Config

Targets

    • Target

      d66aca73387d8ab787f71544777285b5_JaffaCakes118

    • Size

      36KB

    • MD5

      d66aca73387d8ab787f71544777285b5

    • SHA1

      526715af85f935e34b15f124d4b57c8fc37fc1a5

    • SHA256

      3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38

    • SHA512

      c9ab083fa7d6a49c333020c13e241303da28afe5a8bd2cf60733fc419ecabef91a9360ac70b5425ee85109367554f3d2a9bf1434dd918ab514fe6ac8800de5ed

    • SSDEEP

      384:x7DQQwQHDf6jlpTWg3vMQ4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeUoJpJyd5:x7kFNc48FkcOYq0xvQGd51ZdAAPPD

    Score
    10/10
    xmrig_linuxdefense_evasiondiscoveryevasionexecutionminerpersistenceprivilege_escalatioprivilege_escalationrootkit

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • Adds new SSH keys

      Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

      persistenceprivilege_escalation

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

      evasion

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/ disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      executionpersistenceprivilege_escalatio

    • Deletes log files

      Deletes log files on the system.

      defense_evasion

    • Disables AppArmor

      Disables AppArmor security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Unix Shell

1
T1059.004

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Software Deployment Tools

1
T1072

Persistence

Account Manipulation

1
T1098

SSH Authorized Keys

1
T1098.004

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Privilege Escalation

Account Manipulation

1
T1098

SSH Authorized Keys

1
T1098.004

Scheduled Task/Job

1
T1053

Cron

1
T1053.003

Defense Evasion

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Indicator Removal

2
T1070

Clear Linux or Mac System Logs

2
T1070.002

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Software Deployment Tools

1
T1072

Collection

Command and Control

Exfiltration

Impact

Tasks