Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    13s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    21/09/2024, 08:56

General

  • Target

    ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118

  • Size

    1KB

  • MD5

    ef74797ed93ffcc0506a4be0bf2fc3d8

  • SHA1

    df1af944cc6d2f580e879f7ffb5d902704728c46

  • SHA256

    1c41c82bdbcea4eb23cde97b947e5a32a8a08511588780b0e3285f65a7ce2578

  • SHA512

    bf357fc02eeaa20a920d66d3e981aadddc45ec004fd31b72f34d020626cbfa5bcf57b72c12ac0db47b1e88d38d076e41d9dbad165d9e8ab86552a12c23a34a4d

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 13 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 13 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
    /tmp/ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118
    1⤵
    • Writes file to tmp directory
    PID:698
    • /bin/cp
      cp /bin/busybox /tmp/
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:704
    • /bin/cat
      cat ntpd
      2⤵
        PID:709
      • /bin/chmod
        chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
        2⤵
        • File and Directory Permissions Modification
        PID:711
      • /tmp/badbox
        ./badbox
        2⤵
        • Executes dropped EXE
        PID:713
      • /bin/cat
        cat sshd
        2⤵
          PID:717
        • /bin/chmod
          chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
          2⤵
          • File and Directory Permissions Modification
          PID:720
        • /tmp/badbox
          ./badbox
          2⤵
          • Executes dropped EXE
          PID:721
        • /bin/cat
          cat openssh
          2⤵
            PID:726
          • /bin/chmod
            chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
            2⤵
            • File and Directory Permissions Modification
            PID:728
          • /tmp/badbox
            ./badbox
            2⤵
            • Executes dropped EXE
            PID:730
          • /bin/cat
            cat bash
            2⤵
              PID:734
            • /bin/chmod
              chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
              2⤵
              • File and Directory Permissions Modification
              PID:736
            • /tmp/badbox
              ./badbox
              2⤵
              • Executes dropped EXE
              PID:738
            • /bin/cat
              cat tftp
              2⤵
                PID:741
              • /bin/chmod
                chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                2⤵
                • File and Directory Permissions Modification
                PID:742
              • /tmp/badbox
                ./badbox
                2⤵
                • Executes dropped EXE
                PID:743
              • /bin/cat
                cat wget
                2⤵
                  PID:748
                • /bin/chmod
                  chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                  2⤵
                  • File and Directory Permissions Modification
                  PID:750
                • /tmp/badbox
                  ./badbox
                  2⤵
                  • Executes dropped EXE
                  PID:751
                • /bin/cat
                  cat cron
                  2⤵
                    PID:756
                  • /bin/chmod
                    chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                    2⤵
                    • File and Directory Permissions Modification
                    PID:757
                  • /tmp/badbox
                    ./badbox
                    2⤵
                    • Executes dropped EXE
                    PID:759
                  • /bin/cat
                    cat ftp
                    2⤵
                      PID:762
                    • /bin/chmod
                      chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                      2⤵
                      • File and Directory Permissions Modification
                      PID:763
                    • /tmp/badbox
                      ./badbox
                      2⤵
                      • Executes dropped EXE
                      PID:764
                    • /bin/cat
                      cat pftp
                      2⤵
                        PID:768
                      • /bin/chmod
                        chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                        2⤵
                        • File and Directory Permissions Modification
                        PID:769
                      • /tmp/badbox
                        ./badbox
                        2⤵
                        • Executes dropped EXE
                        PID:770
                      • /bin/cat
                        cat sh
                        2⤵
                          PID:773
                        • /bin/chmod
                          chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                          2⤵
                          • File and Directory Permissions Modification
                          PID:774
                        • /tmp/badbox
                          ./badbox
                          2⤵
                          • Executes dropped EXE
                          PID:775
                        • /bin/cat
                          cat " "
                          2⤵
                            PID:778
                          • /bin/chmod
                            chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                            2⤵
                            • File and Directory Permissions Modification
                            PID:779
                          • /tmp/badbox
                            ./badbox
                            2⤵
                            • Executes dropped EXE
                            PID:780
                          • /bin/cat
                            cat apache2
                            2⤵
                              PID:783
                            • /bin/chmod
                              chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                              2⤵
                              • File and Directory Permissions Modification
                              PID:784
                            • /tmp/badbox
                              ./badbox
                              2⤵
                              • Executes dropped EXE
                              PID:785
                            • /bin/cat
                              cat telnetd
                              2⤵
                                PID:788
                              • /bin/chmod
                                chmod +x badbox busybox ef74797ed93ffcc0506a4be0bf2fc3d8_JaffaCakes118 systemd-private-ce7c6e8a3a3f4152b6b47b0b826ed39e-systemd-timedated.service-U4YAHY
                                2⤵
                                • File and Directory Permissions Modification
                                PID:789
                              • /tmp/badbox
                                ./badbox
                                2⤵
                                • Executes dropped EXE
                                PID:790

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • /tmp/busybox

                              Filesize

                              857KB

                              MD5

                              a39fe8036e559ce804e26518061e59ff

                              SHA1

                              8df27f6e8a48b762d945ea2f2b87390c80acd4de

                              SHA256

                              3180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38

                              SHA512

                              e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d