095d26ab1d106af253d83a06494af2b017459bc156039e437d022fe46449cb77

Analysis

max time kernel
4s
max time network
143s
platform
debian-12_armhf
resource
debian12-armhf-20240221-en
resource tags

arch:armhfimage:debian12-armhf-20240221-enkernel:6.1.0-17-armmp-lpaelocale:en-usos:debian-12-armhfsystem
submitted
21-09-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118
Size

736KB
MD5

eeb66a34284f69384da78f9cfd8654b4
SHA1

850495ed6d926bb4717120cedb14bcaadd1c31c8
SHA256

095d26ab1d106af253d83a06494af2b017459bc156039e437d022fe46449cb77
SHA512

a8a108156f84b6e0f929cdf2773394191c253d28cddd453e9a1724f2aab2b92313c4ab77c0d02bda70b3309d9907da124cb944ac8343b2075736e0132d9c205b
SSDEEP

12288:4Gj66PClnU+OdKCSHolO1TsjaPYcpMplwNSWCJz1mYona3dnCtd7efSJ9ywK:padU1ONsjaPYcpvSBtCzefs9q

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
718	chmod
701	sh
705	chmod
716	sh

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

/tmp/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118
/tmp/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118
1⤵
- Checks CPU configuration
PID:700
- /bin/sh
  sh -c "chmod +x /etc/rc.local"
  2⤵
  - File and Directory Permissions Modification
  PID:701
- - /usr/bin/chmod
    chmod +x /etc/rc.local
    3⤵
    - File and Directory Permissions Modification
    PID:705
- /bin/sh
  sh -c "mv /tmp/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118 /etc/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118"
  2⤵
  PID:710
- - /usr/bin/mv
    mv /tmp/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118 /etc/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118
    3⤵
    - Reads runtime system information
    PID:713
- /bin/sh
  sh -c "cd /etc;chmod 777 eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118"
  2⤵
  - File and Directory Permissions Modification
  PID:716
- - /usr/bin/chmod
    chmod 777 eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118
    3⤵
    - File and Directory Permissions Modification
    PID:718
- /bin/sh
  sh -c "sed -i -e '/exit/d' /etc/rc.local"
  2⤵
  PID:720
- - /usr/bin/sed
    sed -i -e /exit/d /etc/rc.local
    3⤵
    - Reads runtime system information
    PID:722
- /bin/sh
  sh -c "sed -i -e '/^ | | \$/d' /etc/rc.local"
  2⤵
  PID:725
- - /usr/bin/sed
    sed -i -e "/^ | | \$/d" /etc/rc.local
    3⤵
    - Reads runtime system information
    PID:727
- /bin/sh
  sh -c "sed -i -e '/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118/d' /etc/rc.local"
  2⤵
  PID:731
- - /usr/bin/sed
    sed -i -e /eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118/d /etc/rc.local
    3⤵
    - Reads runtime system information
    PID:733
- /bin/sh
  sh -c "sed -i -e '2 i/etc/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118 reboot' /etc/rc.local"
  2⤵
  PID:737
- - /usr/bin/sed
    sed -i -e "2 i/etc/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118 reboot" /etc/rc.local
    3⤵
    - Reads runtime system information
    PID:738
- /bin/sh
  sh -c "sed -i -e '2 i/etc/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118 start' /etc/rc.d/rc.local"
  2⤵
  PID:741
- - /usr/bin/sed
    sed -i -e "2 i/etc/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118 start" /etc/rc.d/rc.local
    3⤵
    - Reads runtime system information
    PID:743
- /bin/sh
  sh -c "sed -i -e '2 i/etc/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118 start' /etc/init.d/boot.local"
  2⤵
  PID:747
- - /usr/bin/sed
    sed -i -e "2 i/etc/eeb66a34284f69384da78f9cfd8654b4_JaffaCakes118 start" /etc/init.d/boot.local
    3⤵
    - Reads runtime system information
    PID:749

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads