Analysis

max time kernel: 149s
max time network: 148s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 25-09-2024 23:50
Behavioral task: behavioral1
Sample: f71a34d018f804dc607ce170b9869f89_JaffaCakes118
Resource: ubuntu2404-amd64-20240523-en
General

Target: f71a34d018f804dc607ce170b9869f89_JaffaCakes118
Size: 1.1MB
MD5: f71a34d018f804dc607ce170b9869f89
SHA1: 006c8ddeb0667cdf4c4230003530ed4128286426
SHA256: 363b6bc50cb7412f6aac924a70e059ab1d1fe4515e3e2b8ec2ca533aa7ee134e
SHA512: 4b136235b1fb32eaa9f197ff7ea5eb3ec7b45d957e8290df8b230b67afb31fbee83cfb862a9294e7a3fcc22f33526fa553bc8c0f546bd29bd98043afd509b341
SSDEEP: 24576:4vRE7caCfKGPqVEDNLFxKsfaiI+gIGYuuCol7r:4vREKfPqVE5jKsfaiRHGVo7r
Malware Config

Signatures

File and Directory Permissions Modification  (1 TTPs, 4 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  2518  chmod
  2528  chmod
  2534  chmod
  2540  chmod
Executes dropped EXE  (2 IoCs)
  ioc                      pid   Process
  /usr/bin/bsd-port/getty  2482  getty
  /usr/bin/.sshA           2498  .sshA
Loads a kernel module  (64 IoCs)
Loads a Linux kernel module, potentially to achieve persistence
  pid   Process
  2443  f71a34d018f804dc607ce170b9869f89_JaffaCakes118
  2444  Process not Found
  2460  Process not Found
  2444  Process not Found
  2444  Process not Found
  2462  Process not Found
  2444  Process not Found
  2444  Process not Found
  2464  Process not Found
  2444  Process not Found
  2444  Process not Found
  2466  Process not Found
  2444  Process not Found
  2444  Process not Found
  2468  Process not Found
  2444  Process not Found
  2444  Process not Found
  2476  Process not Found
  2444  Process not Found
  2444  Process not Found
  2478  Process not Found
  2444  Process not Found
  2480  Process not Found
  2481  Process not Found
  2482  getty
  2480  Process not Found
  2444  Process not Found
  2484  Process not Found
  2444  Process not Found
  2444  Process not Found
  2486  Process not Found
  2444  Process not Found
  2483  Process not Found
  2488  Process not Found
  2483  Process not Found
  2483  Process not Found
  2490  Process not Found
  2483  Process not Found
  2483  Process not Found
  2492  Process not Found
  2483  Process not Found
  2483  Process not Found
  2494  Process not Found
  2496  Process not Found
  2497  Process not Found
  2498  .sshA
  2483  Process not Found
  2483  Process not Found
  2499  Process not Found
  2496  Process not Found
  2444  Process not Found
  2502  Process not Found
  2483  Process not Found
  2483  Process not Found
  2504  Process not Found
  2483  Process not Found
  2483  Process not Found
  2444  Process not Found
  2506  Process not Found
  2483  Process not Found
  2483  Process not Found
  2509  Process not Found
  2483  Process not Found
  2483  Process not Found
Write file to user bin folder  (6 IoCs)
  description                   ioc                      Process
  File opened for modification  /usr/bin/bsd-port/getty  cp
  File opened for modification  /usr/bin/.sshA           cp
  File opened for modification  /usr/bin/dpkgd/lsof      cp
  File opened for modification  /usr/bin/dpkgd/ps        cp
  File opened for modification  /usr/bin/lsof            cp
  File opened for modification  /usr/bin/ps              cp

Writes file to system bin folder  (2 IoCs)
  description                   ioc        Process
  File opened for modification  /bin/lsof  cp
  File opened for modification  /bin/ps    cp
Enumerates kernel/hardware configuration  (1 TTPs, 2 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
  description              ioc                      Process
  File opened for reading  /sys/module/compression  insmod
  File opened for reading  /sys/module/compression  insmod
Reads runtime system information  (17 IoCs)
  description              ioc               Process
  File opened for reading  /proc/filesystems  cp
  File opened for reading  /proc/filesystems  mkdir
  File opened for reading  /proc/filesystems  cp
  File opened for reading  /proc/filesystems  cp
  File opened for reading  /proc/cmdline      insmod
  File opened for reading  /proc/filesystems  mkdir
  File opened for reading  /proc/filesystems  mkdir
  File opened for reading  /proc/filesystems  cp
  File opened for reading  /proc/filesystems  cp
  File opened for reading  /proc/filesystems  mkdir
  File opened for reading  /proc/filesystems  mkdir
  File opened for reading  /proc/filesystems  cp
  File opened for reading  /proc/filesystems  cp
  File opened for reading  /proc/filesystems  mkdir
  File opened for reading  /proc/filesystems  mkdir
  File opened for reading  /proc/filesystems  cp
  File opened for reading  /proc/cmdline      insmod
Processes

Process tree (indentation shows parent/child depth; each line gives the PID, the image path and the command line; signature hits are listed as bullets under the process):

PID 2443  /tmp/f71a34d018f804dc607ce170b9869f89_JaffaCakes118: /tmp/f71a34d018f804dc607ce170b9869f89_JaffaCakes118
  - Loads a kernel module
  PID 2461  /usr/bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  PID 2463  /usr/bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  PID 2465  /usr/bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  PID 2467  /usr/bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  PID 2469  /usr/bin/ln: ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  PID 2477  /usr/bin/mkdir: mkdir -p /usr/bin/bsd-port
    - Reads runtime system information
  PID 2479  /usr/bin/cp: cp -f /tmp/f71a34d018f804dc607ce170b9869f89_JaffaCakes118 /usr/bin/bsd-port/getty
    - Write file to user bin folder
    - Reads runtime system information
  PID 2482  /usr/bin/bsd-port/getty: /usr/bin/bsd-port/getty
    - Executes dropped EXE
    - Loads a kernel module
    PID 2489  /usr/bin/ln: ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
    PID 2491  /usr/bin/ln: ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
    PID 2493  /usr/bin/ln: ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
    PID 2495  /usr/bin/ln: ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
    PID 2501  /usr/bin/ln: ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
    PID 2505  /usr/bin/mkdir: mkdir -p /usr/bin/dpkgd
      - Reads runtime system information
    PID 2507  /usr/bin/cp: cp -f /bin/lsof /usr/bin/dpkgd/lsof
      - Write file to user bin folder
      - Reads runtime system information
    PID 2511  /usr/bin/mkdir: mkdir -p /bin
      - Reads runtime system information
    PID 2514  /usr/bin/cp: cp -f /usr/bin/bsd-port/getty /bin/lsof
      - Writes file to system bin folder
      - Reads runtime system information
    PID 2518  /usr/bin/chmod: chmod 0755 /bin/lsof
      - File and Directory Permissions Modification
    PID 2521  /usr/bin/cp: cp -f /bin/ps /usr/bin/dpkgd/ps
      - Write file to user bin folder
      - Reads runtime system information
    PID 2524  /usr/bin/mkdir: mkdir -p /bin
      - Reads runtime system information
    PID 2526  /usr/bin/cp: cp -f /usr/bin/bsd-port/getty /bin/ps
      - Writes file to system bin folder
      - Reads runtime system information
    PID 2528  /usr/bin/chmod: chmod 0755 /bin/ps
      - File and Directory Permissions Modification
    PID 2530  /usr/bin/mkdir: mkdir -p /usr/bin
      - Reads runtime system information
    PID 2532  /usr/bin/cp: cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
      - Write file to user bin folder
      - Reads runtime system information
    PID 2534  /usr/bin/chmod: chmod 0755 /usr/bin/lsof
      - File and Directory Permissions Modification
    PID 2536  /usr/bin/mkdir: mkdir -p /usr/bin
      - Reads runtime system information
    PID 2538  /usr/bin/cp: cp -f /usr/bin/bsd-port/getty /usr/bin/ps
      - Write file to user bin folder
      - Reads runtime system information
    PID 2540  /usr/bin/chmod: chmod 0755 /usr/bin/ps
      - File and Directory Permissions Modification
    PID 2542  /usr/sbin/insmod: insmod /usr/lib/xpacket.ko
      - Enumerates kernel/hardware configuration
      - Reads runtime system information
  PID 2485  /usr/bin/mkdir: mkdir -p /usr/bin
    - Reads runtime system information
  PID 2487  /usr/bin/cp: cp -f /tmp/f71a34d018f804dc607ce170b9869f89_JaffaCakes118 /usr/bin/.sshA
    - Write file to user bin folder
    - Reads runtime system information
  PID 2498  /usr/bin/.sshA: /usr/bin/.sshA
    - Executes dropped EXE
    - Loads a kernel module
  PID 2503  /usr/sbin/insmod: insmod /usr/lib/xpacket.ko
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 64B
MD5: 3badebd94dbaecf32d0457216b021a0c
SHA1: 3ca6f354234c5728cf62161d7df8189baa455c96
SHA256: e9b6a35b87b790bf0977ad7ad1a60a3dab90f9055feae5bb7796123746fd2dc0
SHA512: 141810b69c5b0292c0b0201fa051508437ca3fac41fe6fedec8565405f7606e57d5fd08b9083802c518dead7356c2fad0b72de38a83cd6e366ca5a1352371775

Filesize: 36B
MD5: 993cc15058142d96c3daf7852c3d5ee8
SHA1: 0950b8b391b04dd3895ea33cd3141543ebd2525d
SHA256: 8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208
SHA512: 0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Filesize: 69B
MD5: 9d43d0ccaf4c220df2084963e4a706c9
SHA1: ff20434e6a0ff49fcb62021573b72517edd01114
SHA256: fe0dd682b5621325fd4d2e0f122b14ba1764bc650c4b635f79777bd71512c863
SHA512: c316de7fead8a3f56c895b4608340b119aa59ced4fa46e0ae29c9559707b92e3411a252dc83ac33227d3222ee42b730765da9c3d4437fa19bb723cae31d4606b

Filesize: 4B
MD5: 7fd804295ef7f6a2822bf4c61f9dc4a8
SHA1: 06fa43a4b4a63b622e36e3cd4ef55fcfec070b97
SHA256: 580ade0f132b4228ea4fe1a289f318f2402fdcd2682ed057a3785fed4312f9f3
SHA512: de133cf529ff1ecced4eca1a3fe4d20ba069a1015dd35fd7e6762e7814348ad1f64524e7166286be38bf71ee0aa4a69db76edbbca4114381a07085cf1539b6d0

Filesize: 4B
MD5: f7696a9b362ac5a51c3dc8f098b73923
SHA1: a6a0845258a40575703021e5244ff9c70838a23b
SHA256: 5a0b83e19c5750eed6d8d46cb858d15c956a657093c08afa53133c0fbe5f04fb
SHA512: 3ae0f24c4f1fe6593f20f92f251c54c1d10e6f576340c9ae31a46d50cf3b49c364d1a0ab6b9d5702cb057077db52a48f192b491f142315311629b9ad7cc11fdb

Filesize: 51B
MD5: ee3f1daf22baf84a73a40a9811e81dea
SHA1: ccbc7046047b174415559209364b73fc10dfecff
SHA256: ef93ac4bf9d810bd910c9027bf46f084051a692bf106862b3feb8b692007910a
SHA512: 269b03a64d77524b846b1406784963ad05de7737c167fd99e8d7b998acb9e80a095048329c0cb1e5e639346a2e156acf1a3e21be1f9c3212832512252ef2653c