60650c52a29c29e37dc369dab1f645e12a89ccdba8229a57689b03595ba54ad7

Analysis

max time kernel
135s
max time network
143s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
28/09/2024, 03:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb699604a233d74316aab739a9c499ba_JaffaCakes118
Size

141KB
MD5

fb699604a233d74316aab739a9c499ba
SHA1

ce5225255035ffdb723e197be715d652ae6ffd2c
SHA256

60650c52a29c29e37dc369dab1f645e12a89ccdba8229a57689b03595ba54ad7
SHA512

5be99079ea41fcd62769147c096bede3187ba1e5d408807e495189cf3db98b3aed553fc8b7ec55b50ba1609456a175eef8b0eff83f0fe41bec4838c241855e5c
SSDEEP

3072:eWj2XFPG3QLoqnl0mGD8tn0B4ANKG7F/8GQxe83RL:esEmmGDOnnANKG7F/8GQxe83RL

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1560	sh
1561	chmod

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/crontab	fb699604a233d74316aab739a9c499ba_JaffaCakes118

Modifies rc script 2 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/rc.local	fb699604a233d74316aab739a9c499ba_JaffaCakes118

Writes file to system bin folder 3 IoCs

description	ioc	Process
File opened for modification	/bin/fb699604a233d74316aab739a9c499ba_JaffaCakes118.local	fb699604a233d74316aab739a9c499ba_JaffaCakes118
File opened for modification	/bin/fb699604a233d74316aab739a9c499ba_JaffaCakes118.sh	fb699604a233d74316aab739a9c499ba_JaffaCakes118
File opened for modification	/bin/fb699604a233d74316aab739a9c499ba_JaffaCakes118crontab	fb699604a233d74316aab739a9c499ba_JaffaCakes118

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl

/tmp/fb699604a233d74316aab739a9c499ba_JaffaCakes118
/tmp/fb699604a233d74316aab739a9c499ba_JaffaCakes118
1⤵
- Creates/modifies Cron job
- Modifies rc script
- Writes file to system bin folder
PID:1549
- /bin/sh
  sh -c "service crond start"
  2⤵
  PID:1550
- - /usr/sbin/service
    service crond start
    3⤵
    PID:1551
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1552
  - - /usr/bin/basename
      basename /usr/sbin/service
      4⤵
      PID:1553
  - - /usr/bin/sed
      sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
      4⤵
      Reads runtime system information
      PID:1556
  - - /usr/bin/systemctl
      systemctl list-unit-files --full "--type=socket"
      4⤵
      Reads runtime system information
      PID:1555
- - /usr/local/sbin/systemctl
    systemctl start crond.service
    3⤵
    PID:1551
- - /usr/local/bin/systemctl
    systemctl start crond.service
    3⤵
    PID:1551
- - /usr/sbin/systemctl
    systemctl start crond.service
    3⤵
    PID:1551
- - /usr/bin/systemctl
    systemctl start crond.service
    3⤵
    - Reads runtime system information
    PID:1551
- /bin/sh
  sh -c "/etc/rc.d/init.d/crond start"
  2⤵
  PID:1558
- - /etc/rc.d/init.d/crond
    /etc/rc.d/init.d/crond start
    3⤵
    PID:1559
- /bin/sh
  sh -c "chmod 777 /bin/fb699604a233d74316aab739a9c499ba_JaffaCakes118.sh"
  2⤵
  - File and Directory Permissions Modification
  PID:1560
- - /usr/bin/chmod
    chmod 777 /bin/fb699604a233d74316aab739a9c499ba_JaffaCakes118.sh
    3⤵
    - File and Directory Permissions Modification
    PID:1561

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/usr/bin/fb699604a233d74316aab739a9c499ba_JaffaCakes118.local

Filesize
52B

MD5
e212263c3843aac1779c0e0c54ace4cf

SHA1
c66a0fe45216130ad3aaa44d2c1c450125a0a28f

SHA256
3370b71b9ba0c07283c73b9b1bee99c10c350cea1279fc094439f69e16b249ce

SHA512
906d3cab62eafd2454e0238f209299c8f6ca7990b1aef3e8a9db366d5a36f7d2bfffabf7e974c6ee5965e6e7475a7d7f7f49876002d9b91c11e64e0d5dac7b4f

Download Submit
/usr/bin/fb699604a233d74316aab739a9c499ba_JaffaCakes118crontab

Filesize
1KB

MD5
f81990dad81f4b7e2257ca8f93b236a9

SHA1
bd535ed68db838c14f6d41f482351ebb2e2e1496

SHA256
81cc4958e581b6846f8babe180d8ece2e7f6677449daf646440244a2036a5b49

SHA512
41d59200ccc10b95c24d72b42b23d470e8bdce23b0e820416cc1df4942ffde4276a077d343094d817912fc79f92b738a4835708b5fa7eb7b02e1ebf1dac9b27e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads