4e529958e608aea7f4a7916fc45e2dc475339b0e431227b5638e0ed330c50574

Analysis

max time kernel
6s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
21/09/2024, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118
Size

1KB
MD5

f0bc404f2a37988b3d9af5718e0058cc
SHA1

ba254afebb83eaa1894f5fb8eec8aeced1420272
SHA256

4e529958e608aea7f4a7916fc45e2dc475339b0e431227b5638e0ed330c50574
SHA512

add92f394e29ad8f502462b1c34ea837b446ac36794e55a2956d39da10eb0140b7a66ad80bb632d1f0a3151ee19de388a1d423f4783041de3a7df07b25713e0b

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
733	chmod
756	chmod
764	chmod
775	chmod
770	chmod
780	chmod
785	chmod
742	chmod
749	chmod
790	chmod
795	chmod
717	chmod
725	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/badbox	719	badbox
/tmp/badbox	727	badbox
/tmp/badbox	735	badbox
/tmp/badbox	744	badbox
/tmp/badbox	750	badbox
/tmp/badbox	758	badbox
/tmp/badbox	765	badbox
/tmp/badbox	771	badbox
/tmp/badbox	776	badbox
/tmp/badbox	781	badbox
/tmp/badbox	786	badbox
/tmp/badbox	791	badbox
/tmp/badbox	796	badbox

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/badbox	f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118

/tmp/f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118
/tmp/f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:704
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:707
- /bin/cat
  cat ntpd
  2⤵
  PID:712
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:717
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:719
- /bin/cat
  cat sshd
  2⤵
  PID:723
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:725
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:727
- /bin/cat
  cat openssh
  2⤵
  PID:731
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:735
- /bin/cat
  cat bash
  2⤵
  PID:740
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:744
- /bin/cat
  cat tftp
  2⤵
  PID:747
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:749
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:750
- /bin/cat
  cat wget
  2⤵
  PID:754
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:756
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:758
- /bin/cat
  cat cron
  2⤵
  PID:762
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:764
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:765
- /bin/cat
  cat ftp
  2⤵
  PID:768
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:770
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:771
- /bin/cat
  cat pftp
  2⤵
  PID:774
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:775
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:776
- /bin/cat
  cat sh
  2⤵
  PID:779
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:780
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:781
- /bin/cat
  cat " "
  2⤵
  PID:784
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:785
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:786
- /bin/cat
  cat apache2
  2⤵
  PID:789
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:790
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:791
- /bin/cat
  cat telnetd
  2⤵
  PID:794
- /bin/chmod
  chmod +x badbox busybox f0bc404f2a37988b3d9af5718e0058cc_JaffaCakes118 systemd-private-e748058ea2794903a7c0f0558291be4c-systemd-timedated.service-EJ7QSd
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/busybox

Filesize
857KB

MD5
a39fe8036e559ce804e26518061e59ff

SHA1
8df27f6e8a48b762d945ea2f2b87390c80acd4de

SHA256
3180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38

SHA512
e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d

Download Submit