4e529958e608aea7f4a7916fc45e2dc475339b0e431227b5638e0ed330c50574

Analysis

max time kernel
0s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21/09/2024, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118
Size

1KB
MD5

f0bc404f2a37988b3d9af5718e0058cc
SHA1

ba254afebb83eaa1894f5fb8eec8aeced1420272
SHA256

4e529958e608aea7f4a7916fc45e2dc475339b0e431227b5638e0ed330c50574
SHA512

add92f394e29ad8f502462b1c34ea837b446ac36794e55a2956d39da10eb0140b7a66ad80bb632d1f0a3151ee19de388a1d423f4783041de3a7df07b25713e0b

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1565	chmod
1515	chmod
1525	chmod
1530	chmod
1540	chmod
1570	chmod
1520	chmod
1545	chmod
1550	chmod
1555	chmod
1510	chmod
1535	chmod
1560	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/badbox	1511	badbox
/tmp/badbox	1516	badbox
/tmp/badbox	1521	badbox
/tmp/badbox	1526	badbox
/tmp/badbox	1531	badbox
/tmp/badbox	1536	badbox
/tmp/badbox	1541	badbox
/tmp/badbox	1546	badbox
/tmp/badbox	1551	badbox
/tmp/badbox	1556	badbox
/tmp/badbox	1561	badbox
/tmp/badbox	1566	badbox
/tmp/badbox	1571	badbox

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/badbox	f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118
File opened for modification	/tmp/busybox	cp

/tmp/f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118
/tmp/f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:1506
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1507
- /bin/cat
  cat ntpd
  2⤵
  PID:1509
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1510
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1511
- /bin/cat
  cat sshd
  2⤵
  PID:1514
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1515
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1516
- /bin/cat
  cat openssh
  2⤵
  PID:1519
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1521
- /bin/cat
  cat bash
  2⤵
  PID:1524
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1525
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1526
- /bin/cat
  cat tftp
  2⤵
  PID:1529
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1530
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1531
- /bin/cat
  cat wget
  2⤵
  PID:1534
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1535
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1536
- /bin/cat
  cat cron
  2⤵
  PID:1539
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1540
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1541
- /bin/cat
  cat ftp
  2⤵
  PID:1544
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1545
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1546
- /bin/cat
  cat pftp
  2⤵
  PID:1549
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1550
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1551
- /bin/cat
  cat sh
  2⤵
  PID:1554
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1555
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1556
- /bin/cat
  cat " "
  2⤵
  PID:1559
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1560
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1561
- /bin/cat
  cat apache2
  2⤵
  PID:1564
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1565
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1566
- /bin/cat
  cat telnetd
  2⤵
  PID:1569
- /bin/chmod
  chmod +x badbox busybox config-err-YvAF7p f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 netplan_3yg3w1r3 snap-private-tmp ssh-N29aQDHlpq0p systemd-private-f361587230ee480e9c0796bd45f0999b-bolt.service-9JZRxt systemd-private-f361587230ee480e9c0796bd45f0999b-colord.service-JSsEOw systemd-private-f361587230ee480e9c0796bd45f0999b-ModemManager.service-lFa7oV systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-resolved.service-dTi7u9 systemd-private-f361587230ee480e9c0796bd45f0999b-systemd-timedated.service-DnrFrM
  2⤵
  - File and Directory Permissions Modification
  PID:1570
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1571

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit