Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    25-09-2024 06:06

General

  • Target

    f55b3b99e0b783b60e27202f1c839ab1_JaffaCakes118

  • Size

    1.5MB

  • MD5

    f55b3b99e0b783b60e27202f1c839ab1

  • SHA1

    62a9eea529000e27e7524c1a87ee6379fa090d6d

  • SHA256

    2cf26b87030f07a237b9a714bf4f0fb0cc0a20d88a39f2ffba8e516ff6763dd9

  • SHA512

    6fb80e752eac21961c00accce0239cd720f11b7fca776ec068625314594c868bd3fd126a197560a176f1906b2b5e8dbb4a720a44badfb5747b36e1870be5aaf9

  • SSDEEP

    24576:GA46TrzJBisiOvhlOHdSbQmHyJgf/kgX0Exb2cyaGpIoiM1nnLmYXqSYKKZdTrnD:zRNi6OHdSbQoyJyXpxb2PaGpXiM1nLmB

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Write file to user bin folder 6 IoCs
  • Writes file to system bin folder 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 17 IoCs

    Reads data from /proc virtual filesystem.
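
Audit rules that would surface each behaviour in this signature list on a live Ubuntu host: writes under /etc/init.d and the rc*.d directories (the `ln -s` persistence), writes and mode changes under /bin and /usr/bin (the ps/lsof replacement and the `chmod 0755` that follows), and kernel module loads (`insmod` goes through init_module or finit_module). This is an added example, not part of the sandbox report; the `-k` key names are my own choice.

```text
# Persistence: init scripts and run-level symlinks (ln -s /etc/init.d/... /etc/rcN.d/S97...)
-w /etc/init.d/ -p wa -k sysv_init_write
-w /etc/rc1.d/ -p wa -k sysv_rc_link
-w /etc/rc2.d/ -p wa -k sysv_rc_link
-w /etc/rc3.d/ -p wa -k sysv_rc_link
-w /etc/rc4.d/ -p wa -k sysv_rc_link
-w /etc/rc5.d/ -p wa -k sysv_rc_link

# Binary replacement: cp -f agent /bin/ps, /bin/lsof, /usr/bin/ps, /usr/bin/lsof and chmod 0755
-w /bin/ -p wa -k bin_write
-w /usr/bin/ -p wa -k bin_write

# Kernel module loading: insmod /usr/lib/xpacket.ko ends in init_module or finit_module
-a always,exit -F arch=b64 -S init_module,finit_module -k kmod_load
-a always,exit -F arch=b32 -S init_module,finit_module -k kmod_load
```

Two caveats when deploying this: on merged-/usr systems such as Ubuntu 24.04, /bin resolves to /usr/bin, so the /usr/bin watch is the one that fires and the /bin watch is only there for older layouts; and the /usr/bin watch is noisy during package upgrades, so the `bin_write` key needs a filter on the writing process (dpkg, apt) downstream rather than in the rule itself.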

Processes

  • /tmp/f55b3b99e0b783b60e27202f1c839ab1_JaffaCakes118
    /tmp/f55b3b99e0b783b60e27202f1c839ab1_JaffaCakes118
    1⤵
    • Loads a kernel module
    PID:2417
      • /usr/bin/ln
        ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt
        2⤵
        PID:2425
      • /usr/bin/ln
        ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt
        2⤵
        PID:2432
      • /usr/bin/ln
        ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt
        2⤵
        PID:2437
      • /usr/bin/ln
        ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt
        2⤵
        PID:2440
      • /usr/bin/ln
        ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt
        2⤵
        PID:2442
      • /usr/bin/mkdir
        mkdir -p /usr/bin/bsd-port
        2⤵
        • Reads runtime system information
        PID:2453
      • /usr/bin/cp
        cp -f /tmp/f55b3b99e0b783b60e27202f1c839ab1_JaffaCakes118 /usr/bin/bsd-port/agent
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2455
      • /usr/bin/bsd-port/agent
        /usr/bin/bsd-port/agent
        2⤵
        • Executes dropped EXE
        • Loads a kernel module
        PID:2458
          • /usr/bin/ln
            ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
            3⤵
            PID:2479
          • /usr/bin/ln
            ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
            3⤵
            PID:2481
          • /usr/bin/ln
            ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
            3⤵
            PID:2483
          • /usr/bin/ln
            ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
            3⤵
            PID:2485
          • /usr/bin/ln
            ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
            3⤵
            PID:2487
          • /usr/bin/mkdir
            mkdir -p /usr/bin/dpkgd
            3⤵
            • Reads runtime system information
            PID:2489
          • /usr/bin/cp
            cp -f /bin/lsof /usr/bin/dpkgd/lsof
            3⤵
            • Write file to user bin folder
            • Reads runtime system information
            PID:2491
          • /usr/bin/mkdir
            mkdir -p /bin
            3⤵
            • Reads runtime system information
            PID:2493
          • /usr/bin/cp
            cp -f /usr/bin/bsd-port/agent /bin/lsof
            3⤵
            • Writes file to system bin folder
            • Reads runtime system information
            PID:2495
          • /usr/bin/chmod
            chmod 0755 /bin/lsof
            3⤵
            • File and Directory Permissions Modification
            PID:2498
          • /usr/bin/cp
            cp -f /bin/ps /usr/bin/dpkgd/ps
            3⤵
            • Write file to user bin folder
            • Reads runtime system information
            PID:2501
          • /usr/bin/mkdir
            mkdir -p /bin
            3⤵
            • Reads runtime system information
            PID:2503
          • /usr/bin/cp
            cp -f /usr/bin/bsd-port/agent /bin/ps
            3⤵
            • Writes file to system bin folder
            • Reads runtime system information
            PID:2505
          • /usr/bin/chmod
            chmod 0755 /bin/ps
            3⤵
            • File and Directory Permissions Modification
            PID:2507
          • /usr/bin/mkdir
            mkdir -p /usr/bin
            3⤵
            • Reads runtime system information
            PID:2509
          • /usr/bin/cp
            cp -f /usr/bin/bsd-port/agent /usr/bin/lsof
            3⤵
            • Write file to user bin folder
            • Reads runtime system information
            PID:2511
          • /usr/bin/chmod
            chmod 0755 /usr/bin/lsof
            3⤵
            • File and Directory Permissions Modification
            PID:2513
          • /usr/bin/mkdir
            mkdir -p /usr/bin
            3⤵
            • Reads runtime system information
            PID:2515
          • /usr/bin/cp
            cp -f /usr/bin/bsd-port/agent /usr/bin/ps
            3⤵
            • Write file to user bin folder
            • Reads runtime system information
            PID:2517
          • /usr/bin/chmod
            chmod 0755 /usr/bin/ps
            3⤵
            • File and Directory Permissions Modification
            PID:2519
          • /usr/sbin/insmod
            insmod /usr/lib/xpacket.ko
            3⤵
            • Enumerates kernel/hardware configuration
            • Reads runtime system information
            PID:2521
      • /usr/bin/mkdir
        mkdir -p /usr/bin
        2⤵
        • Reads runtime system information
        PID:2461
      • /usr/bin/cp
        cp -f /tmp/f55b3b99e0b783b60e27202f1c839ab1_JaffaCakes118 /usr/bin/acpid
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:2463
      • /usr/bin/acpid
        /usr/bin/acpid
        2⤵
        • Executes dropped EXE
        • Loads a kernel module
        PID:2466
      • /usr/sbin/insmod
        insmod /usr/lib/xpacket.ko
        2⤵
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        PID:2469
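
The process tree above is a complete post-infection picture: the sample copies itself to /usr/bin/bsd-port/agent and /usr/bin/acpid, registers two init scripts for run levels 1 to 5, moves the genuine ps and lsof into /usr/bin/dpkgd, overwrites /bin/ps, /bin/lsof, /usr/bin/ps and /usr/bin/lsof with copies of itself, and loads /usr/lib/xpacket.ko. The consequence for an incident responder is that ps and lsof on the host can no longer be trusted, so a sweep has to read the filesystem and /proc directly. The script below does that. It is an added example, not code from the sandbox report or from the sample; every path, run-level link, hash and module name is taken from the report, the `root` argument lets it run against a mounted forensic image, and `demo()` builds a constructed directory tree (not real sample data) so the logic can be exercised on a clean machine. Because `cp -f` does not change file content, a ps or lsof whose SHA256 equals the sample's is a trojanized copy; that is the inference the hash check relies on.

```python
#!/usr/bin/env python3
"""Sweep a host (or mounted image) for the artifacts in the process tree above.

Added example, not from the sandbox report or the sample. Paths, run-level
links, hashes and the module name are copied from the report; demo() builds a
constructed directory tree so the logic can be exercised on a clean machine.
"""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Files the sample dropped or copied itself to (process tree and Downloads list).
DROPPED_PATHS = [
    "/usr/bin/bsd-port/agent", "/usr/bin/bsd-port/conf.n",
    "/usr/bin/acpid",                             # copy of the sample under a daemon's name
    "/usr/bin/dpkgd/ps", "/usr/bin/dpkgd/lsof",   # where the genuine ps/lsof were moved
    "/etc/init.d/DbSecurityMdt", "/etc/init.d/selinux",
    "/tmp/gates.note", "/tmp/moni.note", "/tmp/notify.file",
]
# SysV run-level symlinks created with `ln -s` for run levels 1-5.
RC_LINKS = [f"/etc/rc{n}.d/S97DbSecurityMdt" for n in range(1, 6)] + \
           [f"/etc/rc{n}.d/S99selinux" for n in range(1, 6)]
# System binaries overwritten with copies of the agent (then chmod 0755).
REPLACED_BINARIES = ["/bin/ps", "/bin/lsof", "/usr/bin/ps", "/usr/bin/lsof"]
# SHA256 values from the report. `cp -f` does not alter content, so a ps or
# lsof whose hash equals the sample's is a trojanized copy.
KNOWN_SHA256 = {
    "2cf26b87030f07a237b9a714bf4f0fb0cc0a20d88a39f2ffba8e516ff6763dd9": "sample (agent, acpid, ps, lsof)",
    "18e1235775de52781eee486b1245c76aac2eb0552f8ec58c01436ddab0de3085": "/etc/init.d/DbSecurityMdt",
    "ea47e885ae227059ce55d020335f7869c565ec6d85f484497e83cd4998149d5d": "/etc/init.d/selinux",
}
KMOD_NAME = "xpacket"   # insmod /usr/lib/xpacket.ko


@dataclass
class Findings:
    dropped: List[str] = field(default_factory=list)
    rc_links: List[str] = field(default_factory=list)
    trojanized: List[Tuple[str, str, str]] = field(default_factory=list)  # (path, sha256, label)
    kmod_loaded: bool = False

    @property
    def hit_count(self) -> int:
        return len(self.dropped) + len(self.rc_links) + len(self.trojanized) + int(self.kmod_loaded)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str = "/", known_sha256: Dict[str, str] = KNOWN_SHA256,
          modules_file: Optional[str] = None) -> Findings:
    """Check `root` without invoking ps or lsof, which this sample replaces."""
    def under_root(p: str) -> str:
        return os.path.join(root, p.lstrip("/"))

    f = Findings()
    f.dropped = [p for p in DROPPED_PATHS if os.path.lexists(under_root(p))]
    f.rc_links = [p for p in RC_LINKS if os.path.islink(under_root(p))]
    for p in REPLACED_BINARIES:
        full = under_root(p)
        if os.path.isfile(full):
            digest = sha256_file(full)
            if digest in known_sha256:
                f.trojanized.append((p, digest, known_sha256[digest]))
    # Read /proc/modules directly (first field is the module name) instead of lsmod.
    modules_file = modules_file or under_root("/proc/modules")
    if os.path.isfile(modules_file):
        with open(modules_file) as fh:
            f.kmod_loaded = any(line.split()[:1] == [KMOD_NAME] for line in fh)
    return f


def demo() -> Findings:
    """Constructed tree mimicking part of the infection; not real sample data."""
    root = tempfile.mkdtemp()
    for d in ("usr/bin/bsd-port", "etc/init.d", "etc/rc3.d", "bin", "proc"):
        os.makedirs(os.path.join(root, d))
    body = b"constructed agent body, stands in for the 1.5MB sample"
    for p in ("usr/bin/bsd-port/agent", "bin/ps"):     # agent and its copy over ps
        with open(os.path.join(root, p), "wb") as fh:
            fh.write(body)
    with open(os.path.join(root, "bin/lsof"), "wb") as fh:
        fh.write(b"untouched lsof")                     # legitimate binary, must not flag
    with open(os.path.join(root, "etc/init.d/DbSecurityMdt"), "w") as fh:
        fh.write("#!/bin/sh\n")
    os.symlink("/etc/init.d/DbSecurityMdt", os.path.join(root, "etc/rc3.d/S97DbSecurityMdt"))
    with open(os.path.join(root, "proc/modules"), "w") as fh:
        fh.write("xpacket 16384 0 - Live 0xffffffffc0000000\nnf_tables 372736 1 - Live 0xffffffffc0100000\n")
    fake_known = {hashlib.sha256(body).hexdigest(): "constructed agent"}
    return sweep(root, known_sha256=fake_known)


if __name__ == "__main__":
    result = sweep(sys.argv[1] if len(sys.argv) > 1 else "/")
    for section in ("dropped", "rc_links", "trojanized"):
        for item in getattr(result, section):
            print(f"[{section}] {item}")
    print(f"[kmod] {KMOD_NAME} loaded: {result.kmod_loaded}")
    print(f"{result.hit_count} indicator(s) found")
```

Run it as `python3 sweep.py /mnt/image` against a mounted disk, or with no argument on the live host. The hash table only catches copies of this exact sample; on a live system, `dpkg -V procps lsof` is the complementary check for any modified ps or lsof regardless of which binary was written over them.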

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/init.d/DbSecurityMdt
    Filesize: 64B
    MD5: 2c8b14d471037d6f815ba0c49cab0354
    SHA1: 44153a1a9fa481c336e3359b51676a861ea4d8cf
    SHA256: 18e1235775de52781eee486b1245c76aac2eb0552f8ec58c01436ddab0de3085
    SHA512: 21d321e0256909d03076586bfd307cbf995c22d13f5d3a38fd948374febb52b7d9787a68afefc7291cbc7d635f0f0fa45e108753d9232fbda03e0061aab132cf

  • /etc/init.d/selinux
    Filesize: 36B
    MD5: c6a80f08539a4c3176762f514976dd24
    SHA1: bbc5826b01d20f5c4d315ff5dbc3f216760c64ef
    SHA256: ea47e885ae227059ce55d020335f7869c565ec6d85f484497e83cd4998149d5d
    SHA512: 9a1e3b0142876305fe389e07880bd586e97bf709273a66299d9128ff2861459104054d4e5d836aecdf73f2c11886fa3a2a8498741adb3211b96116658b856175

  • /tmp/gates.note
    Filesize: 4B
    MD5: db60b95decdeed944b4cd8685417cfdc
    SHA1: a9666b5dccd77a3e1c93eca34dce8eca6683bdbb
    SHA256: 3451d35d093f0572f939572b1d8fa2a20a41cf62f5b5927c1c79c37d98aaaa9b
    SHA512: 571241b6d2c50ae8e7850326c3143a4e882b7ef83c49f0d1d38ba858da3938c35c814649f691540298fb9e2d848034dadb9d48257a4e60552655873a41ae377e

  • /tmp/moni.note
    Filesize: 4B
    MD5: 250413d2982f1f83aa62a3a323cd2a87
    SHA1: 3c24f257fbe14b58141a0ab7dbd5484c1d561f2c
    SHA256: 54a462dce3c1abb2b43ba63a42bc391fa5561bfeafe737bd1f4845b902ffbfe3
    SHA512: e62538b99ca820e4ef2c24da6dc2afbe963c6793f0f7a93dbc231bdf44b77baa288d4ed18e8b05a3e5446454029d127fa54ead1c5fd9d7ff91fa21006e12f699

  • /tmp/notify.file
    Filesize: 51B
    MD5: c6e27017f641a35c6bb9ae119f043fd7
    SHA1: ff686d62d35d66d522ea955cb52eaf653ceaffc0
    SHA256: 2a939ea80e761bec1662c47f6eb9848355bb86cb27c75ee22f3479a066411d8e
    SHA512: 1ff19fcdcdd597d7b242bde669180657604b0c51e9de29856330b75f133ac96f73af509b9b978a4c6cef2779f34d1e194882ff2ac169b02590d7da98758fa6eb

  • /usr/bin/bsd-port/conf.n
    Filesize: 69B
    MD5: 23ac4898e33edc2acd9a1089a8f7bd0b
    SHA1: 0c640293454c44ef7e9a0b9a8b9c698e98d46fa5
    SHA256: 36123b54e2a7ab923a8ebac6c2308771b26af7c9d8c30cdfa05260ed474c23b9
    SHA512: e4798993c4f871b7e70eaeb1c48988f64134808a801185859f5a2ce672291b19f555577520eaee4e7a95396c865acf580c2e3d0c95353a35bb8e2c34edab5b18