Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags
    arch:amd64
    arch:i386
    image:ubuntu2404-amd64-20240523-en
    kernel:6.8.0-31-generic
    locale:en-us
    os:ubuntu-24.04-amd64
    system
  • submitted
    15-09-2024 07:09

General

  • Target
    e1f3f59b74b2c888f1deed1475d7fa73_JaffaCakes118
  • Size
    1.2MB
  • MD5
    e1f3f59b74b2c888f1deed1475d7fa73
  • SHA1
    4e4158ac9ee8e3cb997f75d5eddbb30243623906
  • SHA256
    009714340e1b9cd089d6801bca92ebd507dfe37c80ba72d607e32f212de3e6a0
  • SHA512
    527c91fe8cf5ef3cdbba3711266aead92ab3ddd9fca311b38c5f6cc13d8a6d1b01a23d5db13ead315aeb5485d22692ff869f4fc77b0e25323d300e36ba6b7179
  • SSDEEP
    24576:e845rGHu6gVJKG75oFpA0VWIX4m2y1q2rJp0:745vRVJKGtSA0VWIo1u9p0

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 6 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Write file to user bin folder 8 IoCs
  • Writes file to system bin folder 3 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 30 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/e1f3f59b74b2c888f1deed1475d7fa73_JaffaCakes118
    /tmp/e1f3f59b74b2c888f1deed1475d7fa73_JaffaCakes118
    1⤵
    • Loads a kernel module
    PID:2479
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
      2⤵
      PID:2486
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
      2⤵
      PID:2488
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
      2⤵
      PID:2490
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
      2⤵
      PID:2492
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
      2⤵
      PID:2494
    • /usr/bin/mkdir
      mkdir -p /usr/bin/bsd-port
      2⤵
      • Reads runtime system information
      PID:2514
    • /usr/bin/mkdir
      mkdir -p /usr/bin/bsd-port
      2⤵
      • Reads runtime system information
      PID:2516
    • /usr/bin/cp
      cp -f /tmp/e1f3f59b74b2c888f1deed1475d7fa73_JaffaCakes118 /usr/bin/bsd-port/getty
      2⤵
      • Write file to user bin folder
      • Reads runtime system information
      PID:2518
    • /usr/bin/bsd-port/getty
      /usr/bin/bsd-port/getty
      2⤵
      • Executes dropped EXE
      • Loads a kernel module
      PID:2521
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        3⤵
        PID:2530
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        3⤵
        PID:2532
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        3⤵
        PID:2534
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        3⤵
        PID:2536
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        3⤵
        PID:2538
      • /usr/bin/mkdir
        mkdir -p /usr/bin/dpkgd
        3⤵
        • Reads runtime system information
        PID:2540
      • /usr/bin/cp
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2545
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2547
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2549
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /bin/lsof
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2551
      • /usr/bin/chmod
        chmod 0755 /bin/lsof
        3⤵
        • File and Directory Permissions Modification
        PID:2553
      • /usr/bin/cp
        cp -f /bin/ps /usr/bin/dpkgd/ps
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2555
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2557
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2559
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /bin/ps
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2561
      • /usr/bin/chmod
        chmod 0755 /bin/ps
        3⤵
        • File and Directory Permissions Modification
        PID:2563
      • /usr/bin/cp
        cp -f /bin/ss /usr/bin/dpkgd/ss
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2565
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2567
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2569
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /bin/ss
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2571
      • /usr/bin/chmod
        chmod 0755 /bin/ss
        3⤵
        • File and Directory Permissions Modification
        PID:2573
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2575
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2577
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2579
      • /usr/bin/chmod
        chmod 0755 /usr/bin/lsof
        3⤵
        • File and Directory Permissions Modification
        PID:2581
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2583
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2585
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /usr/bin/ps
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2589
      • /usr/bin/chmod
        chmod 0755 /usr/bin/ps
        3⤵
        • File and Directory Permissions Modification
        PID:2591
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2593
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2595
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /usr/bin/ss
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2597
      • /usr/bin/chmod
        chmod 0755 /usr/bin/ss
        3⤵
        • File and Directory Permissions Modification
        PID:2599
      • /usr/sbin/insmod
        insmod /usr/bin/bsd-port/xpacket.ko
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:2608
    • /usr/bin/mkdir
      mkdir -p /usr/bin
      2⤵
      • Reads runtime system information
      PID:2524
    • /usr/bin/mkdir
      mkdir -p /usr/bin
      2⤵
      • Reads runtime system information
      PID:2526
    • /usr/bin/cp
      cp -f /tmp/e1f3f59b74b2c888f1deed1475d7fa73_JaffaCakes118 /usr/bin/.sshd
      2⤵
      • Write file to user bin folder
      • Reads runtime system information
      PID:2528
    • /usr/bin/.sshd
      /usr/bin/.sshd
      2⤵
      • Executes dropped EXE
      • Loads a kernel module
      PID:2543
    • /usr/sbin/insmod
      insmod /tmp/xpacket.ko
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:2601

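The process tree above records a complete persistence and hiding routine: SysV rc links for two dropped init scripts, copies of the sample at /usr/bin/bsd-port/getty and /usr/bin/.sshd, the real ps, lsof and ss stashed under /usr/bin/dpkgd before the /bin and /usr/bin copies are overwritten with the sample, and insmod of xpacket.ko. The script below is an added host-triage example, not part of the sandbox output or of the sample itself. It checks a live system, or a mounted image when the assumed ROOT variable points at it, for exactly the paths, links and hashes this report lists; the function names and the ROOT convention are this example's own.

```shell
#!/bin/sh
# Host triage for the artefacts recorded in this report (added example, not
# sandbox output). ROOT is an assumption of this script: empty means the live
# system, ROOT=/mnt/evidence runs the same checks over a mounted image.
set -u
ROOT="${ROOT:-}"

# Files the process tree shows being created or copied.
DROPPED_PATHS="/usr/bin/bsd-port/getty /usr/bin/bsd-port/xpacket.ko /usr/bin/.sshd
/usr/bin/dpkgd/lsof /usr/bin/dpkgd/ps /usr/bin/dpkgd/ss
/etc/init.d/DbSecuritySpt /etc/init.d/selinux
/tmp/gates.lod /tmp/moni.lod /tmp/notify.file /tmp/xpacket.ko"

# MD5s from the Downloads section plus the sample itself, which is what the
# overwritten ps/lsof/ss copies contain.
KNOWN_MD5="e1f3f59b74b2c888f1deed1475d7fa73 80f186da602196653482db9a1c34352e
993cc15058142d96c3daf7852c3d5ee8 6b5754d737784b51ec5075c0dc437bf0
c57168a952f5d46724cf35dfc3d48a7f 06ac979059d6a91f39511c848e995a66"

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# Print each dropped path that exists under ROOT.
find_dropped_paths() {
  for p in $DROPPED_PATHS; do
    [ -e "$ROOT$p" ] && printf '%s\n' "$p"
  done
  return 0
}

# Print rc*.d links for the two init scripts the sample registers.
find_rc_links() {
  for f in "$ROOT"/etc/rc[0-9].d/S*DbSecuritySpt "$ROOT"/etc/rc[0-9].d/S*selinux; do
    [ -L "$f" ] && printf '%s -> %s\n' "${f#"$ROOT"}" "$(readlink "$f")"
  done
  return 0
}

# The sample stashes the real ps/lsof/ss in /usr/bin/dpkgd before overwriting
# the /bin and /usr/bin copies with itself. A live tool that differs from its
# stashed original, or that hashes to the sample, has been replaced.
find_trojaned_tools() {
  for t in ps lsof ss; do
    for d in /bin /usr/bin; do
      [ -f "$ROOT$d/$t" ] || continue
      cur=$(md5_of "$ROOT$d/$t")
      if [ -f "$ROOT/usr/bin/dpkgd/$t" ] && [ "$cur" != "$(md5_of "$ROOT/usr/bin/dpkgd/$t")" ]; then
        printf '%s differs from stashed original %s\n' "$d/$t" "/usr/bin/dpkgd/$t"
      fi
      if printf '%s\n' $KNOWN_MD5 | grep -qx "$cur"; then
        printf '%s has MD5 %s from this report\n' "$d/$t" "$cur"
      fi
    done
  done
  return 0
}

# Report xpacket only if the kernel actually lists it as loaded; the presence
# of the .ko on disk says nothing about whether insmod succeeded.
find_loaded_module() {
  [ -r "$ROOT/proc/modules" ] && grep '^xpacket ' "$ROOT/proc/modules"
  return 0
}

triage_report() {
  echo "== dropped paths";   find_dropped_paths
  echo "== rc*.d links";     find_rc_links
  echo "== replaced tools";  find_trojaned_tools
  echo "== loaded module";   find_loaded_module
}

if [ "${1:-}" = "--report" ]; then triage_report; fi
```

Two caveats when reading the results. On Ubuntu 24.04 /bin is a symlink to /usr/bin, so the separate /bin and /usr/bin copies in the tree land on the same file and the script will report each replaced tool twice. The "Loads a kernel module" tag in the tree reflects insmod being invoked; whether an unsigned module was accepted depends on the host's module-signature and lockdown settings, which is why the check reads /proc/modules rather than trusting the dropped .ko, and why a mounted image can only confirm the file, not the load.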
Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/init.d/DbSecuritySpt
    • Filesize
      64B
    • MD5
      80f186da602196653482db9a1c34352e
    • SHA1
      5f2582c8d19315add4504b7d49992e6490e4e8f4
    • SHA256
      075c7cf9b1853e9fb3129e6171060856d73cf0f568de1d517176b286ce884c6b
    • SHA512
      b95039547553ca0b2f558a151cda476507bb828f4c459e279ddf87195d27ed65f1ed24c0508cb096b03a63decdf8b8e6c140e0648e2c36a87f55b95f7c94ea2a
  • /etc/init.d/selinux
    • Filesize
      36B
    • MD5
      993cc15058142d96c3daf7852c3d5ee8
    • SHA1
      0950b8b391b04dd3895ea33cd3141543ebd2525d
    • SHA256
      8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208
    • SHA512
      0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928
  • /tmp/gates.lod
    • Filesize
      4B
    • MD5
      6b5754d737784b51ec5075c0dc437bf0
    • SHA1
      8f6dd7f20b5b462c73891d9bec1614fdf113ad74
    • SHA256
      3d73cd5cb74f8ab1d4496133cde249d9825e0f19d0f1a011f46afc287f881299
    • SHA512
      91139ce513e3e19b88696e922857e8c1f7d251131f9e71047dc35e43aaef4cc6765b55f9b94864fa1504e6870188a215a66d0c3b6a75f2fc093dcd42856ee065
  • /tmp/moni.lod
    • Filesize
      4B
    • MD5
      c57168a952f5d46724cf35dfc3d48a7f
    • SHA1
      3057153b64fd2455411534a93c8b74c0b8854807
    • SHA256
      cfb05fff77b9b26d027b12c345d05bd1d453619318c52e827458b865860f6a85
    • SHA512
      8201b1a143f83a6352e1c9b34a0b0a053c9d63ea18b8ad0b8c4b90670f7b3b91262665d90ecb78826580a3b21a3393a5fb58e8700a9ef121d962718864bce43f
  • /tmp/notify.file
    • Filesize
      51B
    • MD5
      06ac979059d6a91f39511c848e995a66
    • SHA1
      4398f0c5fac4cdbfab71813b85cd9a4ab841d059
    • SHA256
      cce5b97b0f40b0d4248dce10c50bebae0a270f9ad3851713ee728b8a67074f31
    • SHA512
      4764d9cd7ae0a353e9174298626b96fa45979f61dd3524455a4e9d990f84f5b57d12773835251592828d830239f1f117f642984a1e34afbfa6ae0dd1c410de25