8043562533fc8cf2fa9480353cc1c8ffaf34e3f299e6d06b477ea293a4646c00

Analysis

max time kernel
5s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
27-09-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118
Size

1KB
MD5

faa1fa0ce90152a29a6824f7bfe33418
SHA1

24e07639524a9bbdbedc648f10289cb0ab0039ef
SHA256

8043562533fc8cf2fa9480353cc1c8ffaf34e3f299e6d06b477ea293a4646c00
SHA512

4e6c9f3d5c2c7cf8c2110ca021aeb2cbbdb032d8212eeda613d54aeae4cea613cac82c4a0165197912e93bffef372aa4f0f3ca4ae66be4eaa0473d0d19cd8f60

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
781	chmod
786	chmod
730	chmod
745	chmod
759	chmod
771	chmod
776	chmod
796	chmod
720	chmod
739	chmod
751	chmod
765	chmod
791	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/badbox	722	badbox
/tmp/badbox	732	badbox
/tmp/badbox	740	badbox
/tmp/badbox	746	badbox
/tmp/badbox	752	badbox
/tmp/badbox	761	badbox
/tmp/badbox	766	badbox
/tmp/badbox	772	badbox
/tmp/badbox	777	badbox
/tmp/badbox	782	badbox
/tmp/badbox	787	badbox
/tmp/badbox	792	badbox
/tmp/badbox	797	badbox

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/busybox	cp
File opened for modification	/tmp/badbox	faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118

/tmp/faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118
/tmp/faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:706
- /bin/cp
  cp /bin/busybox /tmp/
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:710
- /bin/cat
  cat ntpd
  2⤵
  PID:718
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:722
- /bin/cat
  cat sshd
  2⤵
  PID:727
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:730
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:732
- /bin/cat
  cat openssh
  2⤵
  PID:737
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:739
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:740
- /bin/cat
  cat bash
  2⤵
  PID:743
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:746
- /bin/cat
  cat tftp
  2⤵
  PID:750
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:751
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:752
- /bin/cat
  cat wget
  2⤵
  PID:758
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:759
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:761
- /bin/cat
  cat cron
  2⤵
  PID:764
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:765
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:766
- /bin/cat
  cat ftp
  2⤵
  PID:770
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:772
- /bin/cat
  cat pftp
  2⤵
  PID:775
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:777
- /bin/cat
  cat sh
  2⤵
  PID:780
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:781
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:782
- /bin/cat
  cat " "
  2⤵
  PID:785
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:786
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:787
- /bin/cat
  cat apache2
  2⤵
  PID:790
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:792
- /bin/cat
  cat telnetd
  2⤵
  PID:795
- /bin/chmod
  chmod +x badbox busybox faa1fa0ce90152a29a6824f7bfe33418_JaffaCakes118 systemd-private-1cf8b6e8793e4fab844e6ddbaf438d0d-systemd-timedated.service-hZhrgc
  2⤵
  - File and Directory Permissions Modification
  PID:796
- /tmp/badbox
  ./badbox
  2⤵
  - Executes dropped EXE
  PID:797

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/busybox

Filesize
857KB

MD5
6ffc46165b5d9726a6607f3ea5305589

SHA1
ab127220f42e816b413dde0d17031e251a7bc98f

SHA256
80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c

SHA512
456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8

Download Submit