Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    19-09-2024 01:18

General

  • Target

    ea5336057c90d93f0196e60b267a10bc_JaffaCakes118

  • Size

    1.1MB

  • MD5

    ea5336057c90d93f0196e60b267a10bc

  • SHA1

    bd9defee681f4bab8ce3ffe07582e3df6a9fb865

  • SHA256

    3bcb3bb397ed0f5c72de9e19109f6daef8d0a03b8951406b2d442fbb90cdf83d

  • SHA512

    3bdf430fe823d0a2145b17b21a8da4c4e8e30ee2c6fb58b98e472a2b1057ac6c5caa1e336c39d5617542274645294662575f05cc06bca1947ed27d810c04b2bd

  • SSDEEP

    24576:4vRE7caCfKGPqVEDNLFxKsfahI+gIGYuuCol7r:4vREKfPqVE5jKsfahRHGVo7r

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Write file to user bin folder 6 IoCs
  • Writes file to system bin folder 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 17 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/ea5336057c90d93f0196e60b267a10bc_JaffaCakes118
    /tmp/ea5336057c90d93f0196e60b267a10bc_JaffaCakes118
    1⤵
    • Loads a kernel module
    PID:2449
    • /usr/bin/ln
      ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
      2⤵
      PID:2456
    • /usr/bin/ln
      ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
      2⤵
      PID:2458
    • /usr/bin/ln
      ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
      2⤵
      PID:2460
    • /usr/bin/ln
      ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
      2⤵
      PID:2462
    • /usr/bin/ln
      ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
      2⤵
      PID:2464
    • /usr/bin/mkdir
      mkdir -p /usr/bin/bsd-port
      2⤵
      • Reads runtime system information
      PID:2484
    • /usr/bin/cp
      cp -f /tmp/ea5336057c90d93f0196e60b267a10bc_JaffaCakes118 /usr/bin/bsd-port/knerl
      2⤵
      • Write file to user bin folder
      • Reads runtime system information
      PID:2486
    • /usr/bin/bsd-port/knerl
      /usr/bin/bsd-port/knerl
      2⤵
      • Executes dropped EXE
      • Loads a kernel module
      PID:2489
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        3⤵
        PID:2507
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        3⤵
        PID:2509
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        3⤵
        PID:2512
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        3⤵
        PID:2514
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        3⤵
        PID:2517
      • /usr/bin/mkdir
        mkdir -p /usr/bin/dpkgd
        3⤵
        • Reads runtime system information
        PID:2519
      • /usr/bin/cp
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2521
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2523
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/knerl /bin/lsof
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2525
      • /usr/bin/chmod
        chmod 0755 /bin/lsof
        3⤵
        • File and Directory Permissions Modification
        PID:2527
      • /usr/bin/cp
        cp -f /bin/ps /usr/bin/dpkgd/ps
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2529
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2531
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/knerl /bin/ps
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2534
      • /usr/bin/chmod
        chmod 0755 /bin/ps
        3⤵
        • File and Directory Permissions Modification
        PID:2536
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2538
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2540
      • /usr/bin/chmod
        chmod 0755 /usr/bin/lsof
        3⤵
        • File and Directory Permissions Modification
        PID:2542
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2544
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2546
      • /usr/bin/chmod
        chmod 0755 /usr/bin/ps
        3⤵
        • File and Directory Permissions Modification
        PID:2548
      • /usr/sbin/insmod
        insmod /usr/lib/xpacket.ko
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:2550
    • /usr/bin/mkdir
      mkdir -p /usr/bin
      2⤵
      • Reads runtime system information
      PID:2492
    • /usr/bin/cp
      cp -f /tmp/ea5336057c90d93f0196e60b267a10bc_JaffaCakes118 /usr/bin/pythno
      2⤵
      • Write file to user bin folder
      • Reads runtime system information
      PID:2494
    • /usr/bin/pythno
      /usr/bin/pythno
      2⤵
      • Executes dropped EXE
      • Loads a kernel module
      PID:2497
    • /usr/sbin/insmod
      insmod /usr/lib/xpacket.ko
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:2500
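The process tree above gives a responder three things to sweep other hosts for: SysV persistence through S97VsystemsshMdt and S99selinux symlinks in /etc/rc1.d through /etc/rc5.d (systemd's SysV compatibility generator still picks those up at boot); the sample copying itself to /usr/bin/bsd-port/knerl and /usr/bin/pythno and then over /bin/ps, /bin/lsof, /usr/bin/ps and /usr/bin/lsof after parking the originals in /usr/bin/dpkgd, which means neither ps nor lsof can be trusted on an affected host; and insmod of /usr/lib/xpacket.ko. The POSIX shell script below is an added example, not part of the sandbox output, that checks a live host or a mounted image for exactly those artifacts. The paths and the sample MD5 come from this report; the ROOT argument, the function names and the constructed test tree in the usage are assumptions.

```shell
#!/bin/sh
# Added triage example (not part of the sandbox report). Checks the root
# given as $1 (assumption: defaults to "/", so the same functions run against
# a mounted disk image or a constructed test tree) for the artifacts the
# process tree and Downloads section show the sample creating.

# Files the sample dropped, copied or parked (process tree + Downloads list).
DROPPED_PATHS="/usr/bin/bsd-port/knerl /usr/bin/pythno /usr/bin/dpkgd/ps /usr/bin/dpkgd/lsof /usr/lib/xpacket.ko /etc/init.d/VsystemsshMdt /etc/init.d/selinux /tmp/conf.n /tmp/idus.log /tmp/notify.file /tmp/vga.conf"

# Init scripts the sample symlinked into /etc/rc1.d ... /etc/rc5.d.
INIT_SCRIPTS="/etc/init.d/VsystemsshMdt /etc/init.d/selinux"

# MD5 of the submitted sample; every copy of it (knerl, pythno and the
# overwritten ps/lsof binaries) carries the same hash.
SAMPLE_MD5="ea5336057c90d93f0196e60b267a10bc"

# Print one "dropped <path>" line per artifact present under $1.
find_dropped() {
    root="${1:-/}"
    for p in $DROPPED_PATHS; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "dropped $root$p"
        fi
    done
    return 0
}

# Print one "rc-link <link> -> <target>" line per runlevel start symlink whose
# target is one of the sample's init scripts (the ln -s calls in the tree).
find_rc_links() {
    root="${1:-/}"
    for lvl in 1 2 3 4 5; do
        for l in "$root"/etc/rc"$lvl".d/S*; do
            [ -L "$l" ] || continue          # unmatched glob or regular file
            t="$(readlink "$l")"
            for s in $INIT_SCRIPTS; do
                if [ "$t" = "$s" ]; then
                    echo "rc-link $l -> $t"
                fi
            done
        done
    done
    return 0
}

# Print one "replaced <tool> ..." line when a system tool is byte-identical to
# the dropped knerl binary or carries the sample's MD5. The tree shows the
# originals being copied to /usr/bin/dpkgd before ps and lsof are overwritten.
find_replaced_tools() {
    root="${1:-/}"
    knerl="$root/usr/bin/bsd-port/knerl"
    for t in /bin/ps /bin/lsof /usr/bin/ps /usr/bin/lsof; do
        f="$root$t"
        [ -f "$f" ] || continue
        if [ -f "$knerl" ] && cmp -s "$f" "$knerl"; then
            echo "replaced $f (identical to $knerl)"
        elif command -v md5sum >/dev/null 2>&1 &&
             [ "$(md5sum "$f" | cut -d' ' -f1)" = "$SAMPLE_MD5" ]; then
            echo "replaced $f (sample md5)"
        fi
    done
    return 0
}

# Print "module xpacket loaded" if the module the tree insmods is resident.
# /sys/module is only populated on the live host, not on a mounted image.
find_loaded_module() {
    root="${1:-/}"
    if [ -d "$root/sys/module/xpacket" ]; then
        echo "module xpacket loaded"
    fi
    return 0
}

# Run every check; return 1 if anything was found so the script can gate an
# automated response, 0 on a clean tree.
triage() {
    root="${1:-/}"
    out="$(find_dropped "$root"; find_rc_links "$root"; find_replaced_tools "$root"; find_loaded_module "$root")"
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    echo "no artifacts found under $root"
    return 0
}

# Usage: sh triage.sh /            (live host)
#        sh triage.sh /mnt/evidence (mounted image; module check not meaningful)
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

Two caveats when reading the output. On Ubuntu 24.04 /bin is a symlink to /usr/bin (merged /usr), so /bin/ps and /usr/bin/ps are the same file and a replaced tool is reported twice; the four separate cp -f calls in the tree hit only two distinct files on this platform. And because the trojanized ps and lsof are byte-for-byte copies of the dropper, do not run them to investigate; use a known-good binary, and confirm package integrity independently with dpkg -V procps lsof, which compares the installed files against the package's recorded md5sums.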

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/init.d/VsystemsshMdt

    Filesize
    64B

    MD5
    c4d29fb7fe447dd0e3062496aeff92bc

    SHA1
    fe9df22475eba1db6f0e418e39ab0ca194f10809

    SHA256
    271d3f1c4841b989d5a701a92afe74da29a5ff5a15e07fb74396196eb0dbba83

    SHA512
    185aaef996424e81d5a1b0ffd9b955a274747f956d89f6017bfb9bafafe86079fa72bed5d7bcf1c0535845235f59914659a44ec91d49fb22ddbf108ff625102e

  • /etc/init.d/selinux

    Filesize
    36B

    MD5
    caa27b819c9303446f702929874a00e8

    SHA1
    d24199c0e376edea3f822b215148cc0dc78364bf

    SHA256
    da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b

    SHA512
    dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

  • /tmp/conf.n

    Filesize
    69B

    MD5
    e084c3ab43cf461f393e03eae961e866

    SHA1
    c55f0429e636ae475c96ba9a1b6f49cd8ac4970f

    SHA256
    3bea0ab298e1a9b7be6e333724fd7c49319864d665841d4b2d9c296fbf0f524f

    SHA512
    7bccfcffb8fc65a419b3c2e0332a2bf7745a0c4244b733b407b2373676e75cf5f5ada4593e6996d10d1fc96156ad919af51f8a1408bdaee4167d37478fc2a465

  • /tmp/idus.log

    Filesize
    4B

    MD5
    9af76329c78e28c977ab1bcd1c3fe9b8

    SHA1
    b99dfad9dfce6db8291c587455dec8f5ab378920

    SHA256
    0b8c4c7c81ac3255024f978a24c4c63bb034cc40ed2fe51dec83cb28c8785a87

    SHA512
    668d2295ecadcda8fcc02a365e4581723081509faa870d4f5d8fdb6af85519d477b0c8529212449f9f4d2d880c57d205b85753f42f6e5e25295b9ec473a9a953

  • /tmp/notify.file

    Filesize
    51B

    MD5
    35627a515a28d8045b3fa3251463a525

    SHA1
    02e368475dab72599c36417cf67b6c2bec274d00

    SHA256
    32e61510c8739d86d42c17ffca0984b35e5d2ba994c40f7e0a6d2b87209f9785

    SHA512
    6e0b6cc434429238d9a0eaa7c369802b1ad6e96f1881c294c51bb6a2345e6e18c9df96db349139bf5f1c3c889f15c8214ee96baf69660b4c7f6884688c40e1da

  • /tmp/vga.conf

    Filesize
    4B

    MD5
    49d4b2faeb4b7b9e745775793141e2b2

    SHA1
    3dae524e50058ba5db59f21a1e88a4afb176c122

    SHA256
    b0b03d744a85f4459c71437fe196dd925a299a06ae7a425615c903c97c36b8fb

    SHA512
    55d648b97149a610c92bd881b5f99e0dcb6fa5bab48de9184dbda98cab5a8d33c4e5c91b2fffbe5da8f404db0d65b840a868d63a8403a584a5b721086b52f821