Analysis
-
max time kernel
149s -
max time network
150s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240523-en -
resource tags
-
submitted
22-09-2024 07:52
General
-
Target
f197672395432b1cca10bb2324f8bbb0_JaffaCakes118
-
Size
1.1MB
-
MD5
f197672395432b1cca10bb2324f8bbb0
-
SHA1
14244002684fea5883200559d825dc4f6bc09072
-
SHA256
2d4129a21494cbb8bb2846b39266bf4e15accd20aca97ecaff664a363ddd50bc
-
SHA512
5ab9b5769c0c9b3527bd1bd931cb25ce378823a57760240c7d70a454a0aab1fc3d8ac7094d0603623cc3f9c27e5659825060b2adaa7885039b94f7a198e947c5
-
SSDEEP
24576:4vRE7caCfKGPqVEDNLFxKsfanI+gIGYuuCol7r:4vREKfPqVE5jKsfanRHGVo7r
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 2 IoCs
-
Loads a kernel module 64 IoCs
Loads a Linux kernel module, potentially to achieve persistence
-
Write file to user bin folder 6 IoCs
-
Writes file to system bin folder 2 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 17 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/f197672395432b1cca10bb2324f8bbb0_JaffaCakes118/tmp/f197672395432b1cca10bb2324f8bbb0_JaffaCakes1181⤵
- Loads a kernel module
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt2⤵
-
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt2⤵
-
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt2⤵
-
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt2⤵
-
-
/usr/bin/lnln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt2⤵
-
-
/usr/bin/mkdirmkdir -p /usr/bin/bsd-port2⤵
- Reads runtime system information
-
-
/usr/bin/cpcp -f /tmp/f197672395432b1cca10bb2324f8bbb0_JaffaCakes118 /usr/bin/bsd-port/knerl2⤵
- Write file to user bin folder
- Reads runtime system information
-
-
/usr/bin/bsd-port/knerl/usr/bin/bsd-port/knerl2⤵
- Executes dropped EXE
- Loads a kernel module
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc1.d/S99selinux3⤵
-
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc2.d/S99selinux3⤵
-
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc3.d/S99selinux3⤵
-
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc4.d/S99selinux3⤵
-
-
/usr/bin/lnln -s /etc/init.d/selinux /etc/rc5.d/S99selinux3⤵
-
-
/usr/bin/mkdirmkdir -p /usr/bin/dpkgd3⤵
- Reads runtime system information
-
-
/usr/bin/cpcp -f /bin/lsof /usr/bin/dpkgd/lsof3⤵
- Write file to user bin folder
- Reads runtime system information
-
-
/usr/bin/mkdirmkdir -p /bin3⤵
- Reads runtime system information
-
-
/usr/bin/cpcp -f /usr/bin/bsd-port/knerl /bin/lsof3⤵
- Writes file to system bin folder
- Reads runtime system information
-
-
/usr/bin/chmodchmod 0755 /bin/lsof3⤵
- File and Directory Permissions Modification
-
-
/usr/bin/cpcp -f /bin/ps /usr/bin/dpkgd/ps3⤵
- Write file to user bin folder
- Reads runtime system information
-
-
/usr/bin/mkdirmkdir -p /bin3⤵
- Reads runtime system information
-
-
/usr/bin/cpcp -f /usr/bin/bsd-port/knerl /bin/ps3⤵
- Writes file to system bin folder
- Reads runtime system information
-
-
/usr/bin/chmodchmod 0755 /bin/ps3⤵
- File and Directory Permissions Modification
-
-
/usr/bin/mkdirmkdir -p /usr/bin3⤵
- Reads runtime system information
-
-
/usr/bin/cpcp -f /usr/bin/bsd-port/knerl /usr/bin/lsof3⤵
- Write file to user bin folder
- Reads runtime system information
-
-
/usr/bin/chmodchmod 0755 /usr/bin/lsof3⤵
- File and Directory Permissions Modification
-
-
/usr/bin/mkdirmkdir -p /usr/bin3⤵
- Reads runtime system information
-
-
/usr/bin/cpcp -f /usr/bin/bsd-port/knerl /usr/bin/ps3⤵
- Write file to user bin folder
- Reads runtime system information
-
-
/usr/bin/chmodchmod 0755 /usr/bin/ps3⤵
- File and Directory Permissions Modification
-
-
/usr/sbin/insmodinsmod /usr/lib/xpacket.ko3⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/bin/mkdirmkdir -p /usr/bin2⤵
- Reads runtime system information
-
-
/usr/bin/cpcp -f /tmp/f197672395432b1cca10bb2324f8bbb0_JaffaCakes118 /usr/bin/pythno2⤵
- Write file to user bin folder
- Reads runtime system information
-
-
/usr/bin/pythno/usr/bin/pythno2⤵
- Executes dropped EXE
- Loads a kernel module
-
-
/usr/sbin/insmodinsmod /usr/lib/xpacket.ko2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64B
MD540b78cc69f5a5384274e08000360eb82
SHA12b299ce0b515c00a01af23a366cae01f7fc69b0b
SHA256e9dbfaba79d66095a3e02825d85de96066ea71073f011d391661f1e2dadcb3a2
SHA512bed78fe156ed18684fff2fcde62bcb9ab579110620076ad7658394dfae62971397a29deb75c3f4665443064ff836ba354af45c9bfc99093aa30716b0480076ed
-
Filesize
36B
MD5caa27b819c9303446f702929874a00e8
SHA1d24199c0e376edea3f822b215148cc0dc78364bf
SHA256da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b
SHA512dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e
-
Filesize
4B
MD584b20b1f5a0d103f5710bb67a043cd78
SHA16286b52ae81a4481bb77caf4d35139764e32d0c8
SHA256479f8ec909fe2e84ad23cb8a55e3fc41bc84659e81be514db4b989a89a9bd2a0
SHA512872205d00ae9b4d75c687abd62636954f7ebcc4f6065e8c61f5b069a433648d5b678739e0fb44e8e7bdd32d6306044a8254fa44760ccef65d95ebe33d0d59528
-
Filesize
51B
MD5f6c5a5e3fbd42ebe3698d77d3ae0d528
SHA11a689d44d5b14e6866141b6396c476f3ea636f93
SHA256d3a200d9b955473c9f107e069bf69ccf0a26b0587dd55323c331c0aa6a879c91
SHA512557df0fccd6e27d8231c5e390eb3ba79c4acbfb120ba22bceef63e3eae0413c41f6ff3f1f7d970e561ec40714bad8225a4712670b2b3def1078bf7ca1ed7bdad
-
Filesize
4B
MD51e0a84051e6a4a7381473328f43c4884
SHA1070ee49d20d19d115980014895f74c406c05bf05
SHA2563045ad039274b9fcf0ec609cc45c0d8e3558c06315802f46946d8d0e014b4520
SHA51260674d6204f97956e6dd536d5d99306f4ce1ecaf7e2ff744a87a555fbefbf1d32e7d907ae796c78485cd4fcabfd93b375f54fe6041daf1a3d2bb5a1b821b459d