Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240729-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu2404-amd64-20240729-en
    kernel:6.8.0-31-generic
    locale:en-us
    os:ubuntu-24.04-amd64
    system
  • submitted
    15-09-2024 04:41

General

  • Target

    e1b8a137359d28ce3a2c74cfbf5d8084_JaffaCakes118

  • Size

    1.1MB

  • MD5

    e1b8a137359d28ce3a2c74cfbf5d8084

  • SHA1

    43a403a2b708a14f0badecf79ba8cc68a22a6f3e

  • SHA256

    4df9bbf754dec327eae069fdbc525041f5ec7ad1bfd7e2488a8501cac9e67129

  • SHA512

    d872e4135f0afdf8019a1b81691839e0496c5caf93ff5dc1e051fd99622da718619929e2665c5e3ceb4fe837f0e603423e4fc3119ec5428eb401745b4f08c919

  • SSDEEP

    24576:4vRE7caCfKGPqVEDNLFxKsfaMI+gIGYuuCol7r:4vREKfPqVE5jKsfaMRHGVo7r

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Write file to user bin folder 6 IoCs
  • Writes file to system bin folder 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 17 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/e1b8a137359d28ce3a2c74cfbf5d8084_JaffaCakes118
    /tmp/e1b8a137359d28ce3a2c74cfbf5d8084_JaffaCakes118
    1⤵
    • Loads a kernel module
    PID:2499
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
      2⤵
      PID:2506
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
      2⤵
      PID:2508
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
      2⤵
      PID:2510
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
      2⤵
      PID:2512
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
      2⤵
      PID:2514
    • /usr/bin/mkdir
      mkdir -p /usr/bin/bsd-port
      2⤵
      • Reads runtime system information
      PID:2533
    • /usr/bin/cp
      cp -f /tmp/e1b8a137359d28ce3a2c74cfbf5d8084_JaffaCakes118 /usr/bin/bsd-port/getty
      2⤵
      • Write file to user bin folder
      • Reads runtime system information
      PID:2535
    • /usr/bin/bsd-port/getty
      /usr/bin/bsd-port/getty
      2⤵
      • Executes dropped EXE
      • Loads a kernel module
      PID:2538
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        3⤵
        PID:2556
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        3⤵
        PID:2559
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        3⤵
        PID:2561
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        3⤵
        PID:2563
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        3⤵
        PID:2565
      • /usr/bin/mkdir
        mkdir -p /usr/bin/dpkgd
        3⤵
        • Reads runtime system information
        PID:2568
      • /usr/bin/cp
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2570
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2572
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /bin/lsof
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2574
      • /usr/bin/chmod
        chmod 0755 /bin/lsof
        3⤵
        • File and Directory Permissions Modification
        PID:2576
      • /usr/bin/cp
        cp -f /bin/ps /usr/bin/dpkgd/ps
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2578
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2581
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /bin/ps
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2583
      • /usr/bin/chmod
        chmod 0755 /bin/ps
        3⤵
        • File and Directory Permissions Modification
        PID:2585
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2587
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2589
      • /usr/bin/chmod
        chmod 0755 /usr/bin/lsof
        3⤵
        • File and Directory Permissions Modification
        PID:2591
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2593
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /usr/bin/ps
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2595
      • /usr/bin/chmod
        chmod 0755 /usr/bin/ps
        3⤵
        • File and Directory Permissions Modification
        PID:2597
      • /usr/sbin/insmod
        insmod /usr/lib/xpacket.ko
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:2599
    • /usr/bin/mkdir
      mkdir -p /usr/bin
      2⤵
      • Reads runtime system information
      PID:2541
    • /usr/bin/cp
      cp -f /tmp/e1b8a137359d28ce3a2c74cfbf5d8084_JaffaCakes118 /usr/bin/.systime
      2⤵
      • Write file to user bin folder
      • Reads runtime system information
      PID:2543
    • /usr/bin/.systime
      /usr/bin/.systime
      2⤵
      • Executes dropped EXE
      • Loads a kernel module
      PID:2546
    • /usr/sbin/insmod
      insmod /usr/lib/xpacket.ko
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:2549

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/init.d/DbSecuritySpt

    Filesize
    64B

    MD5
    91d41a24652377c9eea756266c582e1e

    SHA1
    aafd3e0aab7a0070b4ee36027efb63b8570cb27c

    SHA256
    7768b5156f9f30ddc4cb684dbef829c86b0f0a9a89ff195303792179d0718d27

    SHA512
    e857158affb5698ca841d3fbc79bf75095d7b7a40cf87fe29e5187f934602943395cf93e3da44c8f9c7807d4776558c05e6b8373d933a40ba2dd8748595877cd

  • /etc/init.d/selinux

    Filesize
    36B

    MD5
    993cc15058142d96c3daf7852c3d5ee8

    SHA1
    0950b8b391b04dd3895ea33cd3141543ebd2525d

    SHA256
    8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

    SHA512
    0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

  • /tmp/conf.n

    Filesize
    69B

    MD5
    1c79a03ccad332a63141bb8ff284318a

    SHA1
    b1a38ad7b3d6513466545b72ea01338b1d0524d3

    SHA256
    d3bb96f256ae595287c6bf7c09cff8b4fb600687e980a894187241fd9bb9290f

    SHA512
    405e69cf82cc4bd880adfb88c3a22c4f0acc31b8c46abb6bf1d19bedfcf4d30b1bf1a8fa903078423d1c10b2eeb5c259edda1b3a9e2899d2dcf2a56b69c1ad5d

  • /tmp/gates.lock

    Filesize
    4B

    MD5
    f7696a9b362ac5a51c3dc8f098b73923

    SHA1
    a6a0845258a40575703021e5244ff9c70838a23b

    SHA256
    5a0b83e19c5750eed6d8d46cb858d15c956a657093c08afa53133c0fbe5f04fb

    SHA512
    3ae0f24c4f1fe6593f20f92f251c54c1d10e6f576340c9ae31a46d50cf3b49c364d1a0ab6b9d5702cb057077db52a48f192b491f142315311629b9ad7cc11fdb

  • /tmp/moni.lock

    Filesize
    4B

    MD5
    86ecfcbc1e9f1ae5ee2d71910877da36

    SHA1
    55f21e37af5e8742143a8e69b2e15811d316de36

    SHA256
    c2d735ed61274b73ed20a49594661e35185797b6ee082cb5145383e548d4f9d0

    SHA512
    cd9e05cc4e86cc31dce0c27ab36ca3974d7ec8857a40d4bd04143b886c189b8ced08d06b7494871d335b59d9c018661809980f08514c5cf5d4099714c49ccebe

  • /tmp/notify.file

    Filesize
    51B

    MD5
    615b441278fcd0a0e66729bff6ba49cd

    SHA1
    1240bf105778d796ef5a0e0c6b07b0ab01345efb

    SHA256
    24a7f9f4757031f2965a3b52985293c3c06bd03d6818150cededbf817c6993e9

    SHA512
    87477cd7bd1ef216f1dd4c874feb68ffbb58479aea2cdb69f3ebb37e77fcc8f3a9a672dcdfcf36960dfe3959d5398965f82b519e519f3b94c616d4c42d1594d3