12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Analysis

max time kernel
30s
max time network
91s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-09-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
Size

300KB
MD5

eec5c6c219535fba3a0492ea8118b397
SHA1

292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256

12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
SHA512

3482c8324a18302f0f37b6e23ed85f24fff9f50bb568d8fd7461bf57f077a7c592f7a88bb2e1c398699958946d87bb93ab744d13a0003f9b879c15e6471f7400
SSDEEP

6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJ:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBT

Score

9^/10

defense_evasion discovery execution persistence

Malware Config

Signatures

Contacts a large (3262) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description	ioc	process
File opened for modification	/dev/watchdog	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for modification	/dev/misc/watchdog	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
discovery

System Network Connections Discovery
T1049

Processes:

eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description ioc process

File opened for reading /proc/net/tcp eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 2 TTPs 4 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

Processes:

eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description	ioc	process
File opened for modification	/etc/init.d/S95baby.sh	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for modification	/etc/init.d/console-setup.sh	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for modification	/etc/init.d/keyboard-setup.sh	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for modification	/etc/init.d/hwclock.sh	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

Reads system routing table 1 TTPs 1 IoCs
Gets active network interfaces from /proc virtual filesystem.
discovery

Internet Connection Discovery
T1016.001

Processes:

eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description ioc process

File opened for reading /proc/net/route eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/route	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

Writes file to system bin folder 2 IoCs

Processes:

eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description	ioc	process
File opened for modification	/sbin/watchdog	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for modification	/bin/watchdog	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

Changes its process name 1 IoCs

Processes:

description ioc pid

Changes the process name, possibly in an attempt to hide itself sshd 662

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	sshd	662

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

Processes:

eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description	ioc	process
File opened for reading	/proc/net/tcp	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for reading	/proc/net/raw	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for reading	/proc/net/route	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

Command and Scripting Interpreter: Unix Shell 1 TTPs 17 IoCs
Execute scripts via Unix Shell.
execution

Unix Shell
T1059.004

Processes:

shshshshshshshshshshshshshshshshsh

pid process

810 sh
818 sh
790 sh
811 sh
822 sh
830 sh
840 sh
780 sh
794 sh
808 sh
816 sh
663 sh
799 sh
804 sh
828 sh
834 sh
847 sh

pid	process
810	sh
818	sh
790	sh
811	sh
822	sh
830	sh
840	sh
780	sh
794	sh
808	sh
816	sh
663	sh
799	sh
804	sh
828	sh
834	sh
847	sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

killalleec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description	ioc	process
File opened for reading	/proc/21/stat	killall
File opened for reading	/proc/41/stat	killall
File opened for reading	/proc/112/cmdline	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/314/stat	killall
File opened for reading	/proc/610/stat	killall
File opened for reading	/proc/658/stat	killall
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/26/stat	killall
File opened for reading	/proc/27/stat	killall
File opened for reading	/proc/170/stat	killall
File opened for reading	/proc/307/stat	killall
File opened for reading	/proc/614/stat	killall
File opened for reading	/proc/646/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/6/stat	killall
File opened for reading	/proc/138/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/111/stat	killall
File opened for reading	/proc/202/stat	killall
File opened for reading	/proc/607/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/652/cmdline	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/13/stat	killall
File opened for reading	/proc/157/stat	killall
File opened for reading	/proc/271/stat	killall
File opened for reading	/proc/615/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/28/stat	killall
File opened for reading	/proc/43/stat	killall
File opened for reading	/proc/101/stat	killall
File opened for reading	/proc/272/stat	killall
File opened for reading	/proc/stat	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for reading	/proc/42/stat	killall
File opened for reading	/proc/288/stat	killall
File opened for reading	/proc/359/stat	killall
File opened for reading	/proc/594/stat	killall
File opened for reading	/proc/663/stat	killall
File opened for reading	/proc/3/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/666/stat	killall
File opened for reading	/proc/145/stat	killall
File opened for reading	/proc/276/stat	killall
File opened for reading	/proc/652/stat	killall
File opened for reading	/proc/653/cmdline	killall
File opened for reading	/proc/mounts	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/29/stat	killall
File opened for reading	/proc/657/stat	killall
File opened for reading	/proc/662/cmdline	killall
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/138/cmdline	killall
File opened for reading	/proc/144/stat	killall
File opened for reading	/proc/275/stat	killall
File opened for reading	/proc/653/stat	killall
File opened for reading	/proc/662/stat	killall
File opened for reading	/proc/5/stat	killall

System Network Configuration Discovery 1 TTPs 14 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

shshshshshshshshshshshshshsh

pid process

828 sh
780 sh
790 sh
794 sh
808 sh
818 sh
822 sh
834 sh
799 sh
804 sh
830 sh
816 sh
840 sh
847 sh
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

description ioc process

File opened for modification /tmp/.ips eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

pid	process
828	sh
780	sh
790	sh
794	sh
808	sh
818	sh
822	sh
834	sh
799	sh
804	sh
830	sh
816	sh
840	sh
847	sh

description	ioc	process
File opened for modification	/tmp/.ips	eec5c6c219535fba3a0492ea8118b397_JaffaCakes118

/tmp/eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
/tmp/eec5c6c219535fba3a0492ea8118b397_JaffaCakes118
1⤵
- Modifies Watchdog functionality
- Enumerates active TCP sockets
- Modifies init.d
- Reads system routing table
- Writes file to system bin folder
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:660
- /bin/sh
  /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:663
- - /usr/bin/killall
    killall -9 telnetd utelnetd scfgmgr
    3⤵
    - Reads runtime system information
    PID:665
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --destination-port 48677 -j ACCEPT"
  2⤵
  PID:774
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 48677 -j ACCEPT
    3⤵
    PID:775
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 48677 -j ACCEPT"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:780
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 48677 -j ACCEPT
    3⤵
    PID:781
- /bin/sh
  /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 48677 -j ACCEPT"
  2⤵
  PID:782
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --destination-port 48677 -j ACCEPT
    3⤵
    PID:783
- /bin/sh
  /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 48677 -j ACCEPT"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:790
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --source-port 48677 -j ACCEPT
    3⤵
    PID:791
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --dport 48677 -j ACCEPT"
  2⤵
  PID:792
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 48677 -j ACCEPT
    3⤵
    PID:793
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --sport 48677 -j ACCEPT"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:794
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 48677 -j ACCEPT
    3⤵
    PID:795
- /bin/sh
  /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 48677 -j ACCEPT"
  2⤵
  PID:797
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p tcp --dport 48677 -j ACCEPT
    3⤵
    PID:798
- /bin/sh
  /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 48677 -j ACCEPT"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:799
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p tcp --sport 48677 -j ACCEPT
    3⤵
    PID:800
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
  2⤵
  PID:802
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 58000 -j DROP
    3⤵
    PID:803
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:804
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
    3⤵
    PID:805
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
  2⤵
  PID:806
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 58000 -j DROP
    3⤵
    PID:807
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:808
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 58000 -j DROP
    3⤵
    PID:809
- /bin/sh
  /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:810
- /bin/sh
  /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  PID:811
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
  2⤵
  PID:812
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 35000 -j DROP
    3⤵
    PID:813
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
  2⤵
  PID:814
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 50023 -j DROP
    3⤵
    PID:815
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:816
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
    3⤵
    PID:817
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:818
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
    3⤵
    PID:819
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
  2⤵
  PID:820
- - /sbin/iptables
    iptables -I INPUT -p tcp --destination-port 7547 -j DROP
    3⤵
    PID:821
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:822
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
    3⤵
    PID:823
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
  2⤵
  PID:824
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 35000 -j DROP
    3⤵
    PID:825
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
  2⤵
  PID:826
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 50023 -j DROP
    3⤵
    PID:827
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:828
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 50023 -j DROP
    3⤵
    PID:829
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:830
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 35000 -j DROP
    3⤵
    PID:831
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
  2⤵
  PID:832
- - /sbin/iptables
    iptables -I INPUT -p tcp --dport 7547 -j DROP
    3⤵
    PID:833
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:834
- - /sbin/iptables
    iptables -I OUTPUT -p tcp --sport 7547 -j DROP
    3⤵
    PID:835
- /bin/sh
  /bin/sh -c "iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT"
  2⤵
  PID:838
- - /sbin/iptables
    iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT
    3⤵
    PID:839
- /bin/sh
  /bin/sh -c "iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:840
- - /sbin/iptables
    iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT
    3⤵
    PID:844
- /bin/sh
  /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT"
  2⤵
  PID:845
- - /sbin/iptables
    iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT
    3⤵
    PID:846
- /bin/sh
  /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT"
  2⤵
  - Command and Scripting Interpreter: Unix Shell
  - System Network Configuration Discovery
  PID:847
- - /sbin/iptables
    iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT
    3⤵
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/rcS.d/S95baby.sh

Filesize
25B

MD5
1b3235ba10fc04836c941d3d27301956

SHA1
8909655763143702430b8c58b3ae3b04cfd3a29c

SHA256
01ba1fb41632594997a41d0c3a911ae5b3034d566ebb991ef76ad76e6f9e283a

SHA512
98bdb5c266222ccbd63b6f80c87e501c8033dc53b0513d300b8da50e39a207a0b69f8cd3ecc4a128dec340a1186779fedd1049c9b0a70e90d2cb3ae6ebfa4c4d

Download Submit
/usr/networks

Filesize
300KB

MD5
eec5c6c219535fba3a0492ea8118b397

SHA1
292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21

SHA256
12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

SHA512
3482c8324a18302f0f37b6e23ed85f24fff9f50bb568d8fd7461bf57f077a7c592f7a88bb2e1c398699958946d87bb93ab744d13a0003f9b879c15e6471f7400

Download Submit
memory/819-1-0xb6dd7000-0xb6de8070-memory.dmp

Download
memory/823-2-0xb6d57000-0xb6d68070-memory.dmp

Download
memory/835-3-0xb6d83000-0xb6d94070-memory.dmp

Download

pid	process
810	sh
818	sh
790	sh
811	sh
822	sh
830	sh
840	sh
780	sh
794	sh
808	sh
816	sh
663	sh
799	sh
804	sh
828	sh
834	sh
847	sh

pid	process
828	sh
780	sh
790	sh
794	sh
808	sh
818	sh
822	sh
834	sh
799	sh
804	sh
830	sh
816	sh
840	sh
847	sh

pid	process
810	sh
818	sh
790	sh
811	sh
822	sh
830	sh
840	sh
780	sh
794	sh
808	sh
816	sh
663	sh
799	sh
804	sh
828	sh
834	sh
847	sh

pid	process
828	sh
780	sh
790	sh
794	sh
808	sh
818	sh
822	sh
834	sh
799	sh
804	sh
830	sh
816	sh
840	sh
847	sh

pid	process
810	sh
818	sh
790	sh
811	sh
822	sh
830	sh
840	sh
780	sh
794	sh
808	sh
816	sh
663	sh
799	sh
804	sh
828	sh
834	sh
847	sh

pid	process
828	sh
780	sh
790	sh
794	sh
808	sh
818	sh
822	sh
834	sh
799	sh
804	sh
830	sh
816	sh
840	sh
847	sh