General

  • Target

    e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118

  • Size

    64KB

  • Sample

    240915-c9h3kssanl

  • MD5

    e18e805087ea6f63cf907907dc1d0a08

  • SHA1

    ebe527ca26f78e5d347f22f323ee3f11d58cd57a

  • SHA256

    e1d7014b84618cd7fbf94439c78fe7d67f351cbc5536885fa3d94ea15325d83b

  • SHA512

    92115775959fa27619200334a0add1a448440ae5512aded7bd55937fec1daa0964d54f2e0f881b61515270f5bb783c9d2ab5096fd452529b8af633bff0938784

  • SSDEEP

    768:57kFIBuFkc2zq0xvMGd5QP5ez4Z88mqKWCgpK8d7Cuaxz5st3P/hpE90550RQKIR:KF2Lc2Xnd5QhK8dmtq7b50BIR

Malware Config

Targets

    • Target

      e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118

    • Size

      64KB

    • MD5

      e18e805087ea6f63cf907907dc1d0a08

    • SHA1

      ebe527ca26f78e5d347f22f323ee3f11d58cd57a

    • SHA256

      e1d7014b84618cd7fbf94439c78fe7d67f351cbc5536885fa3d94ea15325d83b

    • SHA512

      92115775959fa27619200334a0add1a448440ae5512aded7bd55937fec1daa0964d54f2e0f881b61515270f5bb783c9d2ab5096fd452529b8af633bff0938784

    • SSDEEP

      768:57kFIBuFkc2zq0xvMGd5QP5ez4Z88mqKWCgpK8d7Cuaxz5st3P/hpE90550RQKIR:KF2Lc2Xnd5QhK8dmtq7b50BIR

    • XMRig Miner payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.


    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Deletes system logs

      Deletes the log file that contains global system messages. Adversaries delete system logs to minimise their footprint.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes or disables the netfilter (iptables/nftables) firewall rules in the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence.

    • Writes DNS configuration

      Writes data to the DNS resolver configuration file (/etc/resolv.conf).

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem (chattr) so that files marked immutable can be changed.

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Writes file to user bin folder
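
The signatures above are what the sandbox observed; a practitioner usually wants to recognise the same actions in their own process-execution telemetry. The following is an added example written for this page, not code from the sandbox or from the report: it normalises execve-style command lines (stripping the argv[0] path and unwrapping `sh -c '...'` wrappers) and maps each one to the signature names listed above. The ATT&CK technique IDs are the editor's mapping of each signature, not the report's; the sample command lines, pool host, wallet string and /tmp/.x paths are constructed for illustration and were not captured from this sample.

```python
"""Map Linux process-execution records to the behaviour signatures in this report.

Added example for this page; not code from the sandbox or the report.
The ATT&CK IDs are the editor's mapping, not the report's ("n/a" where no
single sub-technique fits cleanly).
"""
from __future__ import annotations

import os
import re
import shlex

# Constructed execve-style command lines (not captured from the sample run).
# The pool host, wallet string and /tmp/.x paths are placeholders.
SAMPLE_EXECS = [
    "setenforce 0",
    "systemctl stop apparmor",
    "iptables -F",
    "chattr -i /etc/resolv.conf",
    "sh -c 'echo nameserver 8.8.8.8 > /etc/resolv.conf'",
    "rm -f /var/log/messages /var/log/syslog",
    "insmod /tmp/.x/rootkit.ko",
    "sudo -n /tmp/.x/run.sh",
    "ps aux",
    "cp /tmp/.x/kswapd0 /usr/bin/kswapd0",
    "/usr/bin/kswapd0 -o pool.example.invalid:3333 -u 4AAAAexampleWalletNotReal",
    "ls -la /home",  # benign control: must not match any rule
]

SHELLS = {"sh", "bash", "dash", "ash"}

# (signature name from the report, ATT&CK technique, regex over the normalised command line)
RULES = [
    ("Disables SELinux", "T1562.001",
     r"^setenforce\s+(?:0|[Pp]ermissive)\b|SELINUX=disabled"),
    ("Disables AppArmor", "T1562.001",
     r"^(?:systemctl\s+(?:stop|disable|mask)\s+apparmor|service\s+apparmor\s+(?:stop|teardown)|aa-teardown)\b"),
    ("Flushes firewall rules", "T1562.004",
     r"^(?:iptables|ip6tables|iptables-legacy|nft|ufw)\b.*\s(?:-F|--flush|flush|disable)\b"),
    ("Attempts to change immutable files", "T1222.002", r"^chattr\b.*\s[-+]i\b"),
    ("Writes DNS configuration", "n/a",
     r"(?:>>?\s*|\btee\s+(?:-a\s+)?)/etc/resolv\.conf\b"),
    ("Deletes system logs", "T1070.002",
     r"^rm\b.*\s/var/log/(?:messages|syslog|auth\.log|secure|wtmp|btmp|lastlog)\b"
     r"|>\s*/var/log/(?:messages|syslog)\b"),
    ("Loads a kernel module", "T1547.006", r"^(?:insmod|modprobe)\s+(?!-r\b)\S"),
    ("Abuse Elevation Control Mechanism: Sudo and Sudo Caching", "T1548.003", r"^sudo\b"),
    ("Enumerates running processes", "T1057", r"^(?:ps|top|pgrep|pidof)\b"),
    ("Writes file to user bin folder", "n/a",
     r"^(?:cp|mv|install|ln)\b.*\s/usr/(?:local/)?s?bin/\S+"),
    # XMRig-style pool/user arguments or a stratum URL on the command line.
    ("XMRig Miner payload", "T1496",
     r"(?:^|\s)(?:-o|--url)[\s=]+\S+:\d+\b.*(?:^|\s)(?:-u|--user)[\s=]"
     r"|stratum\+tcp://|--donate-level"),
]
COMPILED = [(name, tid, re.compile(rx)) for name, tid, rx in RULES]


def normalise(cmdline: str) -> str:
    """Strip argv[0] to its basename and unwrap `sh -c '...'` so rules see the real command."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the record: fall back to a whitespace split
        argv = cmdline.split()
    if not argv:
        return ""
    argv[0] = os.path.basename(argv[0])
    if argv[0] in SHELLS and len(argv) >= 3 and argv[1] == "-c":
        return normalise(argv[2])
    return " ".join(argv)


def classify(cmdline: str) -> list[tuple[str, str]]:
    """Return every (signature, technique) the command line matches, in rule order."""
    norm = normalise(cmdline)
    return [(name, tid) for name, tid, rx in COMPILED if rx.search(norm)]


def triage(records: list[str]) -> dict[str, list[str]]:
    """Group the original command lines under each signature they triggered."""
    hits: dict[str, list[str]] = {}
    for cmd in records:
        for name, _tid in classify(cmd):
            hits.setdefault(name, []).append(cmd)
    return hits


if __name__ == "__main__":
    for name, cmds in triage(SAMPLE_EXECS).items():
        print(f"{name}:")
        for cmd in cmds:
            print(f"    {cmd}")
```

The regexes are deliberately narrow (exact binaries, exact flags) so the benign `ls` line produces no hit; in real telemetry you would feed `normalise()` with the argv the audit or eBPF exec tracer recorded rather than a reconstructed string, since quoting in the raw record is what `sh -c` wrappers rely on to hide the inner command.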

MITRE ATT&CK Enterprise v15

Tasks