1c41c82bdbcea4eb23cde97b947e5a32a8a08511588780b0e3285f65a7ce2578

Analysis

max time kernel
0s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21/09/2024, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
Size

1KB
MD5

ef74797ed93ffcc0506a4be0bf2fc3d8
SHA1

df1af944cc6d2f580e879f7ffb5d902704728c46
SHA256

1c41c82bdbcea4eb23cde97b947e5a32a8a08511588780b0e3285f65a7ce2578
SHA512

bf357fc02eeaa20a920d66d3e981aadddc45ec004fd31b72f34d020626cbfa5bcf57b72c12ac0db47b1e88d38d076e41d9dbad165d9e8ab86552a12c23a34a4d

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1522	chmod
1537	chmod
1547	chmod
1552	chmod
1512	chmod
1532	chmod
1542	chmod
1572	chmod
1527	chmod
1557	chmod
1562	chmod
1567	chmod
1517	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/badbox	1513	badbox
/tmp/badbox	1518	badbox
/tmp/badbox	1523	badbox
/tmp/badbox	1528	badbox
/tmp/badbox	1533	badbox
/tmp/badbox	1538	badbox
/tmp/badbox	1543	badbox
/tmp/badbox	1548	badbox
/tmp/badbox	1553	badbox
/tmp/badbox	1558	badbox
/tmp/badbox	1563	badbox
/tmp/badbox	1568	badbox
/tmp/badbox	1573	badbox

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/badbox	ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
File opened for modification	/tmp/busybox	cp

/tmp/ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
/tmp/ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:1508
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1509
- /bin/cat
  cat ntpd
  2⤵
  PID:1511
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1512
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1513
- /bin/cat
  cat sshd
  2⤵
  PID:1516
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1517
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1518
- /bin/cat
  cat openssh
  2⤵
  PID:1521
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1522
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1523
- /bin/cat
  cat bash
  2⤵
  PID:1526
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1527
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1528
- /bin/cat
  cat tftp
  2⤵
  PID:1531
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1532
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1533
- /bin/cat
  cat wget
  2⤵
  PID:1536
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1538
- /bin/cat
  cat cron
  2⤵
  PID:1541
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1542
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1543
- /bin/cat
  cat ftp
  2⤵
  PID:1546
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1547
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1548
- /bin/cat
  cat pftp
  2⤵
  PID:1551
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1552
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1553
- /bin/cat
  cat sh
  2⤵
  PID:1556
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1557
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1558
- /bin/cat
  cat " "
  2⤵
  PID:1561
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1562
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1563
- /bin/cat
  cat apache2
  2⤵
  PID:1566
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1567
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1568
- /bin/cat
  cat telnetd
  2⤵
  PID:1571
- /bin/chmod
  chmod +x badbox busybox config-err-gSYeSF ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 netplan_escgt653 snap-private-tmp ssh-DGjiLaK51db6 systemd-private-7d704eabf2e542bc8051481b6b431471-bolt.service-e6jDAF systemd-private-7d704eabf2e542bc8051481b6b431471-colord.service-KeVe2N systemd-private-7d704eabf2e542bc8051481b6b431471-ModemManager.service-AQvz0Z systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-resolved.service-Km8n5c systemd-private-7d704eabf2e542bc8051481b6b431471-systemd-timedated.service-0exMmn
  2⤵
  - File and Directory Permissions Modification
  PID:1572
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:1573

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/busybox

Filesize
2.0MB

MD5
b4dede5fc0b1bad5cb8e901bde126b97

SHA1
10cbe9a418ad84a1ed297948539d37aeb58dd810

SHA256
a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020

SHA512
45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Download Submit