Analysis

  • max time kernel: 149s
  • max time network: 148s
  • platform: ubuntu-24.04_amd64
  • resource: ubuntu2404-amd64-20240523-en
  • resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted: 25-09-2024 23:50

General

  • Target: f71a34d018f804dc607ce170b9869f89_JaffaCakes118
  • Size: 1.1MB
  • MD5: f71a34d018f804dc607ce170b9869f89
  • SHA1: 006c8ddeb0667cdf4c4230003530ed4128286426
  • SHA256: 363b6bc50cb7412f6aac924a70e059ab1d1fe4515e3e2b8ec2ca533aa7ee134e
  • SHA512: 4b136235b1fb32eaa9f197ff7ea5eb3ec7b45d957e8290df8b230b67afb31fbee83cfb862a9294e7a3fcc22f33526fa553bc8c0f546bd29bd98043afd509b341
  • SSDEEP: 24576:4vRE7caCfKGPqVEDNLFxKsfaiI+gIGYuuCol7r:4vREKfPqVE5jKsfaiRHGVo7r

Signatures

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Write file to user bin folder 6 IoCs
  • Writes file to system bin folder 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 17 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/f71a34d018f804dc607ce170b9869f89_JaffaCakes118
    /tmp/f71a34d018f804dc607ce170b9869f89_JaffaCakes118
    1⤵
    • Loads a kernel module
    PID:2443
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
      2⤵
      PID:2461
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
      2⤵
      PID:2463
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
      2⤵
      PID:2465
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
      2⤵
      PID:2467
    • /usr/bin/ln
      ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
      2⤵
      PID:2469
    • /usr/bin/mkdir
      mkdir -p /usr/bin/bsd-port
      2⤵
      • Reads runtime system information
      PID:2477
    • /usr/bin/cp
      cp -f /tmp/f71a34d018f804dc607ce170b9869f89_JaffaCakes118 /usr/bin/bsd-port/getty
      2⤵
      • Write file to user bin folder
      • Reads runtime system information
      PID:2479
    • /usr/bin/bsd-port/getty
      /usr/bin/bsd-port/getty
      2⤵
      • Executes dropped EXE
      • Loads a kernel module
      PID:2482
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        3⤵
        PID:2489
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        3⤵
        PID:2491
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        3⤵
        PID:2493
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        3⤵
        PID:2495
      • /usr/bin/ln
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        3⤵
        PID:2501
      • /usr/bin/mkdir
        mkdir -p /usr/bin/dpkgd
        3⤵
        • Reads runtime system information
        PID:2505
      • /usr/bin/cp
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2507
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2511
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /bin/lsof
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2514
      • /usr/bin/chmod
        chmod 0755 /bin/lsof
        3⤵
        • File and Directory Permissions Modification
        PID:2518
      • /usr/bin/cp
        cp -f /bin/ps /usr/bin/dpkgd/ps
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2521
      • /usr/bin/mkdir
        mkdir -p /bin
        3⤵
        • Reads runtime system information
        PID:2524
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /bin/ps
        3⤵
        • Writes file to system bin folder
        • Reads runtime system information
        PID:2526
      • /usr/bin/chmod
        chmod 0755 /bin/ps
        3⤵
        • File and Directory Permissions Modification
        PID:2528
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2530
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2532
      • /usr/bin/chmod
        chmod 0755 /usr/bin/lsof
        3⤵
        • File and Directory Permissions Modification
        PID:2534
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        3⤵
        • Reads runtime system information
        PID:2536
      • /usr/bin/cp
        cp -f /usr/bin/bsd-port/getty /usr/bin/ps
        3⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2538
      • /usr/bin/chmod
        chmod 0755 /usr/bin/ps
        3⤵
        • File and Directory Permissions Modification
        PID:2540
      • /usr/sbin/insmod
        insmod /usr/lib/xpacket.ko
        3⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:2542
    • /usr/bin/mkdir
      mkdir -p /usr/bin
      2⤵
      • Reads runtime system information
      PID:2485
    • /usr/bin/cp
      cp -f /tmp/f71a34d018f804dc607ce170b9869f89_JaffaCakes118 /usr/bin/.sshA
      2⤵
      • Write file to user bin folder
      • Reads runtime system information
      PID:2487
    • /usr/bin/.sshA
      /usr/bin/.sshA
      2⤵
      • Executes dropped EXE
      • Loads a kernel module
      PID:2498
    • /usr/sbin/insmod
      insmod /usr/lib/xpacket.ko
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:2503

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/init.d/DbSecuritySpt
    Filesize: 64B
    MD5: 3badebd94dbaecf32d0457216b021a0c
    SHA1: 3ca6f354234c5728cf62161d7df8189baa455c96
    SHA256: e9b6a35b87b790bf0977ad7ad1a60a3dab90f9055feae5bb7796123746fd2dc0
    SHA512: 141810b69c5b0292c0b0201fa051508437ca3fac41fe6fedec8565405f7606e57d5fd08b9083802c518dead7356c2fad0b72de38a83cd6e366ca5a1352371775

  • /etc/init.d/selinux
    Filesize: 36B
    MD5: 993cc15058142d96c3daf7852c3d5ee8
    SHA1: 0950b8b391b04dd3895ea33cd3141543ebd2525d
    SHA256: 8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208
    SHA512: 0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

  • /tmp/conf.n
    Filesize: 69B
    MD5: 9d43d0ccaf4c220df2084963e4a706c9
    SHA1: ff20434e6a0ff49fcb62021573b72517edd01114
    SHA256: fe0dd682b5621325fd4d2e0f122b14ba1764bc650c4b635f79777bd71512c863
    SHA512: c316de7fead8a3f56c895b4608340b119aa59ced4fa46e0ae29c9559707b92e3411a252dc83ac33227d3222ee42b730765da9c3d4437fa19bb723cae31d4606b

  • /tmp/gates.lock
    Filesize: 4B
    MD5: 7fd804295ef7f6a2822bf4c61f9dc4a8
    SHA1: 06fa43a4b4a63b622e36e3cd4ef55fcfec070b97
    SHA256: 580ade0f132b4228ea4fe1a289f318f2402fdcd2682ed057a3785fed4312f9f3
    SHA512: de133cf529ff1ecced4eca1a3fe4d20ba069a1015dd35fd7e6762e7814348ad1f64524e7166286be38bf71ee0aa4a69db76edbbca4114381a07085cf1539b6d0

  • /tmp/moni.lock
    Filesize: 4B
    MD5: f7696a9b362ac5a51c3dc8f098b73923
    SHA1: a6a0845258a40575703021e5244ff9c70838a23b
    SHA256: 5a0b83e19c5750eed6d8d46cb858d15c956a657093c08afa53133c0fbe5f04fb
    SHA512: 3ae0f24c4f1fe6593f20f92f251c54c1d10e6f576340c9ae31a46d50cf3b49c364d1a0ab6b9d5702cb057077db52a48f192b491f142315311629b9ad7cc11fdb

  • /tmp/notify.file
    Filesize: 51B
    MD5: ee3f1daf22baf84a73a40a9811e81dea
    SHA1: ccbc7046047b174415559209364b73fc10dfecff
    SHA256: ef93ac4bf9d810bd910c9027bf46f084051a692bf106862b3feb8b692007910a
    SHA512: 269b03a64d77524b846b1406784963ad05de7737c167fd99e8d7b998acb9e80a095048329c0cb1e5e639346a2e156acf1a3e21be1f9c3212832512252ef2653c