1c41c82bdbcea4eb23cde97b947e5a32a8a08511588780b0e3285f65a7ce2578

Analysis

max time kernel
13s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
21/09/2024, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
Size

1KB
MD5

ef74797ed93ffcc0506a4be0bf2fc3d8
SHA1

df1af944cc6d2f580e879f7ffb5d902704728c46
SHA256

1c41c82bdbcea4eb23cde97b947e5a32a8a08511588780b0e3285f65a7ce2578
SHA512

bf357fc02eeaa20a920d66d3e981aadddc45ec004fd31b72f34d020626cbfa5bcf57b72c12ac0db47b1e88d38d076e41d9dbad165d9e8ab86552a12c23a34a4d

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
742	chmod
711	chmod
757	chmod
763	chmod
774	chmod
779	chmod
789	chmod
750	chmod
728	chmod
736	chmod
769	chmod
720	chmod
784	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/badbox	713	badbox
/tmp/badbox	721	badbox
/tmp/badbox	730	badbox
/tmp/badbox	738	badbox
/tmp/badbox	743	badbox
/tmp/badbox	751	badbox
/tmp/badbox	759	badbox
/tmp/badbox	764	badbox
/tmp/badbox	770	badbox
/tmp/badbox	775	badbox
/tmp/badbox	780	badbox
/tmp/badbox	785	badbox
/tmp/badbox	790	badbox

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/badbox	ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118

/tmp/ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
/tmp/ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:698
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:704
- /bin/cat
  cat ntpd
  2⤵
  PID:709
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:711
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:713
- /bin/cat
  cat sshd
  2⤵
  PID:717
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:721
- /bin/cat
  cat openssh
  2⤵
  PID:726
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:728
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:730
- /bin/cat
  cat bash
  2⤵
  PID:734
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:738
- /bin/cat
  cat tftp
  2⤵
  PID:741
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:743
- /bin/cat
  cat wget
  2⤵
  PID:748
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:751
- /bin/cat
  cat cron
  2⤵
  PID:756
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:757
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:759
- /bin/cat
  cat ftp
  2⤵
  PID:762
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:763
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:764
- /bin/cat
  cat pftp
  2⤵
  PID:768
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:770
- /bin/cat
  cat sh
  2⤵
  PID:773
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:774
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:775
- /bin/cat
  cat " "
  2⤵
  PID:778
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:780
- /bin/cat
  cat apache2
  2⤵
  PID:783
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:784
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:785
- /bin/cat
  cat telnetd
  2⤵
  PID:788
- /bin/chmod
  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
  2⤵
  - File and Directory Permissions Modification
  PID:789
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:790

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/busybox

Filesize
857KB

MD5
a39fe8036e559ce804e26518061e59ff

SHA1
8df27f6e8a48b762d945ea2f2b87390c80acd4de

SHA256
3180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38

SHA512
e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d

Download Submit