Analysis

max time kernel: 149s
max time network: 149s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 19-09-2024 01:18
Behavioral task: behavioral1
Sample: ea5336057c90d93f0196e60b267a10bc_JaffaCakes118
Resource: ubuntu2404-amd64-20240523-en
General

Target: ea5336057c90d93f0196e60b267a10bc_JaffaCakes118
Size: 1.1MB
MD5: ea5336057c90d93f0196e60b267a10bc
SHA1: bd9defee681f4bab8ce3ffe07582e3df6a9fb865
SHA256: 3bcb3bb397ed0f5c72de9e19109f6daef8d0a03b8951406b2d442fbb90cdf83d
SHA512: 3bdf430fe823d0a2145b17b21a8da4c4e8e30ee2c6fb58b98e472a2b1057ac6c5caa1e336c39d5617542274645294662575f05cc06bca1947ed27d810c04b2bd
SSDEEP: 24576:4vRE7caCfKGPqVEDNLFxKsfahI+gIGYuuCol7r:4vREKfPqVE5jKsfahRHGVo7r
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 4 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid   Process
2536  chmod
2542  chmod
2548  chmod
2527  chmod

Executes dropped EXE (2 IoCs)
ioc                      pid   Process
/usr/bin/bsd-port/knerl  2489  knerl
/usr/bin/pythno          2497  pythno

Loads a kernel module (64 IoCs)
Loads a Linux kernel module, potentially to achieve persistence.
pid   Process
2449  ea5336057c90d93f0196e60b267a10bc_JaffaCakes118
2489  knerl
2497  pythno
2450  Process not Found (20 hits)
2490  Process not Found (17 hits)
2487  Process not Found (2 hits)
2495  Process not Found (2 hits)
2455, 2457, 2459, 2461, 2463, 2483, 2485, 2488, 2491, 2493, 2496, 2499, 2505, 2508, 2511, 2513, 2516, 2518, 2520, 2522  Process not Found (1 hit each)

Write file to user bin folder (6 IoCs)
description                   ioc                      Process
File opened for modification  /usr/bin/pythno          cp
File opened for modification  /usr/bin/dpkgd/lsof      cp
File opened for modification  /usr/bin/dpkgd/ps        cp
File opened for modification  /usr/bin/lsof            cp
File opened for modification  /usr/bin/ps              cp
File opened for modification  /usr/bin/bsd-port/knerl  cp

Writes file to system bin folder (2 IoCs)
description                   ioc        Process
File opened for modification  /bin/lsof  cp
File opened for modification  /bin/ps    cp

Enumerates kernel/hardware configuration (1 TTP, 2 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
description              ioc                      Process
File opened for reading  /sys/module/compression  insmod
File opened for reading  /sys/module/compression  insmod

Reads runtime system information (17 IoCs)
Reads contents of /proc virtual filesystem to enumerate system information.
description              ioc                Process
File opened for reading  /proc/filesystems  cp (8 hits)
File opened for reading  /proc/filesystems  mkdir (7 hits)
File opened for reading  /proc/cmdline      insmod (2 hits)
Processes

(indentation = depth in the process tree; bracketed text = command line; indented dashes = matched signatures)

PID 2449  /tmp/ea5336057c90d93f0196e60b267a10bc_JaffaCakes118  [/tmp/ea5336057c90d93f0196e60b267a10bc_JaffaCakes118]
          - Loads a kernel module
  PID 2456  /usr/bin/ln  [ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt]
  PID 2458  /usr/bin/ln  [ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt]
  PID 2460  /usr/bin/ln  [ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt]
  PID 2462  /usr/bin/ln  [ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt]
  PID 2464  /usr/bin/ln  [ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt]
  PID 2484  /usr/bin/mkdir  [mkdir -p /usr/bin/bsd-port]
            - Reads runtime system information
  PID 2486  /usr/bin/cp  [cp -f /tmp/ea5336057c90d93f0196e60b267a10bc_JaffaCakes118 /usr/bin/bsd-port/knerl]
            - Write file to user bin folder
            - Reads runtime system information
  PID 2489  /usr/bin/bsd-port/knerl  [/usr/bin/bsd-port/knerl]
            - Executes dropped EXE
            - Loads a kernel module
    PID 2507  /usr/bin/ln  [ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
    PID 2509  /usr/bin/ln  [ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
    PID 2512  /usr/bin/ln  [ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
    PID 2514  /usr/bin/ln  [ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
    PID 2517  /usr/bin/ln  [ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
    PID 2519  /usr/bin/mkdir  [mkdir -p /usr/bin/dpkgd]
              - Reads runtime system information
    PID 2521  /usr/bin/cp  [cp -f /bin/lsof /usr/bin/dpkgd/lsof]
              - Write file to user bin folder
              - Reads runtime system information
    PID 2523  /usr/bin/mkdir  [mkdir -p /bin]
              - Reads runtime system information
    PID 2525  /usr/bin/cp  [cp -f /usr/bin/bsd-port/knerl /bin/lsof]
              - Writes file to system bin folder
              - Reads runtime system information
    PID 2527  /usr/bin/chmod  [chmod 0755 /bin/lsof]
              - File and Directory Permissions Modification
    PID 2529  /usr/bin/cp  [cp -f /bin/ps /usr/bin/dpkgd/ps]
              - Write file to user bin folder
              - Reads runtime system information
    PID 2531  /usr/bin/mkdir  [mkdir -p /bin]
              - Reads runtime system information
    PID 2534  /usr/bin/cp  [cp -f /usr/bin/bsd-port/knerl /bin/ps]
              - Writes file to system bin folder
              - Reads runtime system information
    PID 2536  /usr/bin/chmod  [chmod 0755 /bin/ps]
              - File and Directory Permissions Modification
    PID 2538  /usr/bin/mkdir  [mkdir -p /usr/bin]
              - Reads runtime system information
    PID 2540  /usr/bin/cp  [cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof]
              - Write file to user bin folder
              - Reads runtime system information
    PID 2542  /usr/bin/chmod  [chmod 0755 /usr/bin/lsof]
              - File and Directory Permissions Modification
    PID 2544  /usr/bin/mkdir  [mkdir -p /usr/bin]
              - Reads runtime system information
    PID 2546  /usr/bin/cp  [cp -f /usr/bin/bsd-port/knerl /usr/bin/ps]
              - Write file to user bin folder
              - Reads runtime system information
    PID 2548  /usr/bin/chmod  [chmod 0755 /usr/bin/ps]
              - File and Directory Permissions Modification
    PID 2550  /usr/sbin/insmod  [insmod /usr/lib/xpacket.ko]
              - Enumerates kernel/hardware configuration
              - Reads runtime system information
  PID 2492  /usr/bin/mkdir  [mkdir -p /usr/bin]
            - Reads runtime system information
  PID 2494  /usr/bin/cp  [cp -f /tmp/ea5336057c90d93f0196e60b267a10bc_JaffaCakes118 /usr/bin/pythno]
            - Write file to user bin folder
            - Reads runtime system information
  PID 2497  /usr/bin/pythno  [/usr/bin/pythno]
            - Executes dropped EXE
            - Loads a kernel module
  PID 2500  /usr/sbin/insmod  [insmod /usr/lib/xpacket.ko]
            - Enumerates kernel/hardware configuration
            - Reads runtime system information
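Read as a chain, the tree shows one dropper doing three things. The original process (PID 2449) copies itself to /usr/bin/bsd-port/knerl and /usr/bin/pythno and executes both, and creates S97VsystemsshMdt links in /etc/rc1.d through /etc/rc5.d pointing at /etc/init.d/VsystemsshMdt. The knerl copy (PID 2489) adds a second set of rc links (S99selinux, pointing at /etc/init.d/selinux), backs up the genuine /bin/lsof and /bin/ps into /usr/bin/dpkgd/, then overwrites /bin/lsof, /bin/ps, /usr/bin/lsof and /usr/bin/ps with copies of itself and marks them 0755, so the host's own process-listing tools are replaced. Finally both knerl and the parent load /usr/lib/xpacket.ko with insmod. Note what the tree does not show: no process writes /etc/init.d/VsystemsshMdt, /etc/init.d/selinux or /usr/lib/xpacket.ko, so those files are either written by the sample's own process without spawning a child or were expected to exist already; the report only evidences the links and the insmod calls.

The following host-side hunt is an added example written for this page, not part of the sandbox report or of any tool it uses. It takes the paths straight from the tree above and checks a live root (or a mounted image when a prefix is given): presence of the dropped files, the rc.d persistence links, and whether the ps/lsof binaries still hash the same as the backups the sample itself left in /usr/bin/dpkgd/. The function name, the optional root prefix and the fixture built in the usage are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the sandbox report). Hunts for the artefacts the
# sample above leaves behind. ROOT is an optional prefix such as /mnt/evidence
# for a mounted disk image; empty means the live system.

# Portable file hash: sha256sum where available, cksum as a fallback.
filehash() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"; else cksum < "$1"; fi
}

hunt_sample_iocs() {
  root="${1:-}"
  hits=0

  # 1. Dropped copies of the sample, its backups of the real tools, the init
  #    scripts the rc links point at, and the kernel module passed to insmod.
  for p in /usr/bin/bsd-port/knerl /usr/bin/pythno /usr/lib/xpacket.ko \
           /usr/bin/dpkgd/ps /usr/bin/dpkgd/lsof \
           /etc/init.d/VsystemsshMdt /etc/init.d/selinux; do
    if [ -e "$root$p" ]; then
      echo "IOC path present: $p"
      hits=$((hits + 1))
    fi
  done

  # 2. SysV persistence links created with ln -s in the process tree
  #    (S97VsystemsshMdt by the parent, S99selinux by the knerl copy).
  for lvl in 1 2 3 4 5; do
    for name in S97VsystemsshMdt S99selinux; do
      link="$root/etc/rc$lvl.d/$name"
      if [ -L "$link" ]; then
        echo "persistence symlink: /etc/rc$lvl.d/$name -> $(readlink "$link")"
        hits=$((hits + 1))
      fi
    done
  done

  # 3. Trojanised ps/lsof. The sample copies the genuine binary to
  #    /usr/bin/dpkgd/<tool> and then overwrites the original with itself, so
  #    a live tool that no longer matches its own backup has been replaced.
  for tool in ps lsof; do
    for dir in /bin /usr/bin; do
      # Merged /usr (Ubuntu 24.04): /bin is a symlink to /usr/bin, same file.
      if [ "$dir" = /bin ] && [ -L "$root/bin" ]; then continue; fi
      live="$root$dir/$tool"; backup="$root/usr/bin/dpkgd/$tool"
      if [ -f "$live" ] && [ -f "$backup" ]; then
        if [ "$(filehash "$live")" != "$(filehash "$backup")" ]; then
          echo "replaced binary: $dir/$tool differs from backup /usr/bin/dpkgd/$tool"
          hits=$((hits + 1))
        fi
      fi
    done
  done

  # 4. On a live host, is the module from the tree currently loaded?
  if [ -z "$root" ] && [ -r /proc/modules ] && grep -q '^xpacket ' /proc/modules; then
    echo "kernel module loaded: xpacket"
    hits=$((hits + 1))
  fi

  echo "total hits: $hits"
  [ "$hits" -eq 0 ]   # exit status 0 = clean, 1 = something found
}

# Usage on a live host (run as root so /bin/ps and /proc/modules are readable):
#   hunt_sample_iocs
# Usage against a mounted image:
#   hunt_sample_iocs /mnt/evidence
```

Two caveats for use in anger. The hash comparison only works because this sample keeps its own backup of the real tools; if the backups in /usr/bin/dpkgd/ are missing, compare /bin/ps and /bin/lsof against the package manager instead (dpkg -V procps lsof on Ubuntu). And because the tree shows ps itself being replaced, anything that shells out to ps on the suspect host is already lying to you; read /proc directly or work from a mounted image.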
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64B
MD5: c4d29fb7fe447dd0e3062496aeff92bc
SHA1: fe9df22475eba1db6f0e418e39ab0ca194f10809
SHA256: 271d3f1c4841b989d5a701a92afe74da29a5ff5a15e07fb74396196eb0dbba83
SHA512: 185aaef996424e81d5a1b0ffd9b955a274747f956d89f6017bfb9bafafe86079fa72bed5d7bcf1c0535845235f59914659a44ec91d49fb22ddbf108ff625102e

Filesize: 36B
MD5: caa27b819c9303446f702929874a00e8
SHA1: d24199c0e376edea3f822b215148cc0dc78364bf
SHA256: da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b
SHA512: dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

Filesize: 69B
MD5: e084c3ab43cf461f393e03eae961e866
SHA1: c55f0429e636ae475c96ba9a1b6f49cd8ac4970f
SHA256: 3bea0ab298e1a9b7be6e333724fd7c49319864d665841d4b2d9c296fbf0f524f
SHA512: 7bccfcffb8fc65a419b3c2e0332a2bf7745a0c4244b733b407b2373676e75cf5f5ada4593e6996d10d1fc96156ad919af51f8a1408bdaee4167d37478fc2a465

Filesize: 4B
MD5: 9af76329c78e28c977ab1bcd1c3fe9b8
SHA1: b99dfad9dfce6db8291c587455dec8f5ab378920
SHA256: 0b8c4c7c81ac3255024f978a24c4c63bb034cc40ed2fe51dec83cb28c8785a87
SHA512: 668d2295ecadcda8fcc02a365e4581723081509faa870d4f5d8fdb6af85519d477b0c8529212449f9f4d2d880c57d205b85753f42f6e5e25295b9ec473a9a953

Filesize: 51B
MD5: 35627a515a28d8045b3fa3251463a525
SHA1: 02e368475dab72599c36417cf67b6c2bec274d00
SHA256: 32e61510c8739d86d42c17ffca0984b35e5d2ba994c40f7e0a6d2b87209f9785
SHA512: 6e0b6cc434429238d9a0eaa7c369802b1ad6e96f1881c294c51bb6a2345e6e18c9df96db349139bf5f1c3c889f15c8214ee96baf69660b4c7f6884688c40e1da

Filesize: 4B
MD5: 49d4b2faeb4b7b9e745775793141e2b2
SHA1: 3dae524e50058ba5db59f21a1e88a4afb176c122
SHA256: b0b03d744a85f4459c71437fe196dd925a299a06ae7a425615c903c97c36b8fb
SHA512: 55d648b97149a610c92bd881b5f99e0dcb6fa5bab48de9184dbda98cab5a8d33c4e5c91b2fffbe5da8f404db0d65b840a868d63a8403a584a5b721086b52f821