Analysis
-
max time kernel
6s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
29-09-2024 11:33
Static task
static1
Behavioral task
behavioral1
Sample
fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral4
Sample
fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
Resource
debian9-mipsel-20240418-en
General
-
Target
fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
-
Size
27KB
-
MD5
fe70c19936ef32efb00f3c75ea90e701
-
SHA1
461514742ae77741e53efb6975ffd8d3db264c92
-
SHA256
7f0e07d0e5f7af973ab0f2768f06c00efb7f37da49fb6939df547d076e2c62d5
-
SHA512
dad1271c0984f3120dc0c35725212fdccf707b4c3e5ecc6b1fe9e5ba95b295398d17fdac46c767375268fb1577128d23aa519ebfabc881a3b11e78de1b6a8f4b
-
SSDEEP
384:G7pQQwQHDf6jlpTWg3vMGQiKMvh/4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeD:G7JoFNcDvFLcIwgiYq0xzBWjzr2W
Malware Config
Signatures
-
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
Processes:
rmdescription ioc process File deleted /var/log/syslog rm -
Flushes firewall rules 1 TTPs 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
-
Attempts to change immutable files 22 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
Processes:
grepxargsxargsxargsxargsxargsxargsxargschattrchattrchattrxargsxargsxargsxargsxargsgrepxargsxargsxargschattrxargspid process 689 grep 708 xargs 721 xargs 739 xargs 775 xargs 745 xargs 751 xargs 757 xargs 649 chattr 651 chattr 679 chattr 702 xargs 715 xargs 769 xargs 781 xargs 787 xargs 685 grep 727 xargs 733 xargs 763 xargs 676 chattr 696 xargs -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads CPU attributes 1 TTPs 2 IoCs
Processes:
pspsdescription ioc process File opened for reading /sys/devices/system/cpu/online ps File opened for reading /sys/devices/system/cpu/online ps -
Process Discovery 1 TTPs 2 IoCs
Adversaries may try to discover information about running processes.
-
Processes:
pspsawkawkawksudoxargsdescription ioc process File opened for reading /proc/322/cmdline ps File opened for reading /proc/21/cmdline ps File opened for reading /proc/27/stat ps File opened for reading /proc/271/cmdline ps File opened for reading /proc/639/status ps File opened for reading /proc/7/status ps File opened for reading /proc/18/stat ps File opened for reading /proc/2/stat ps File opened for reading /proc/8/status ps File opened for reading /proc/601/status ps File opened for reading /proc/3/stat ps File opened for reading /proc/5/stat ps File opened for reading /proc/600/status ps File opened for reading /proc/25/status ps File opened for reading /proc/656/cmdline ps File opened for reading /proc/self/maps awk File opened for reading /proc/148/cmdline ps File opened for reading /proc/638/stat ps File opened for reading /proc/18/cmdline ps File opened for reading /proc/148/stat ps File opened for reading /proc/638/stat ps File opened for reading /proc/222/stat ps File opened for reading /proc/305/status ps File opened for reading /proc/1/stat ps File opened for reading /proc/25/stat ps File opened for reading /proc/322/stat ps File opened for reading /proc/685/cmdline ps File opened for reading /proc/16/cmdline ps File opened for reading /proc/669/stat ps File opened for reading /proc/271/stat ps File opened for reading /proc/self/maps awk File opened for reading /proc/8/cmdline ps File opened for reading /proc/sys/kernel/pid_max ps File opened for reading /proc/13/status ps File opened for reading /proc/276/cmdline ps File opened for reading /proc/self/maps awk File opened for reading /proc/115/status ps File opened for reading /proc/145/cmdline ps File opened for reading /proc/42/status ps File opened for reading /proc/self/stat sudo File opened for reading /proc/305/stat ps File opened for reading /proc/26/cmdline ps File opened for reading /proc/9/cmdline ps File opened for reading /proc/15/cmdline ps File opened for reading /proc/28/status ps File opened for reading /proc/656/status ps File opened for reading /proc/289/status ps File opened for reading /proc/meminfo ps File opened for reading /proc/3/cmdline ps File opened for reading /proc/271/status ps File opened for reading /proc/278/stat ps File opened for reading /proc/5/status ps File opened for reading /proc/11/stat ps File opened for reading /proc/41/stat ps File opened for reading /proc/11/stat ps File opened for reading /proc/656/cmdline ps File opened for reading /proc/20/stat ps File opened for reading /proc/116/stat ps File opened for reading /proc/17/stat ps File opened for reading /proc/29/stat ps File opened for reading /proc/self/fd xargs File opened for reading /proc/689/status ps File opened for reading /proc/41/cmdline ps File opened for reading /proc/16/stat ps -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118description ioc process File opened for modification /tmp/log_rot fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
Processes
-
/tmp/fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118/tmp/fe70c19936ef32efb00f3c75ea90e701_JaffaCakes1181⤵
- Writes file to tmp directory
PID:646 -
/bin/rmrm -rf /var/log/syslog2⤵
- Deletes system logs
PID:647
-
-
/usr/bin/chattrchattr -iua /tmp/2⤵
- Attempts to change immutable files
PID:649
-
-
/usr/bin/chattrchattr -iua /var/tmp/2⤵
- Attempts to change immutable files
PID:651
-
-
/sbin/iptablesiptables -F2⤵
- Flushes firewall rules
PID:653
-
-
/usr/bin/sudosudo sysctl "kernel.nmi_watchdog=0"2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:662
-
-
/usr/sbin/userdeluserdel akay2⤵PID:668
-
-
/usr/sbin/userdeluserdel vfinder2⤵PID:673
-
-
/usr/bin/chattrchattr -iae /root/.ssh/2⤵
- Attempts to change immutable files
PID:676
-
-
/usr/bin/chattrchattr -iae /root/.ssh/authorized_keys2⤵
- Attempts to change immutable files
PID:679
-
-
/bin/rmrm -rf "/tmp/addres*"2⤵PID:680
-
-
/bin/rmrm -rf "/tmp/walle*"2⤵PID:681
-
-
/bin/rmrm -rf /tmp/keys2⤵PID:682
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:684
-
-
/bin/grepgrep -i "[a]liyun"2⤵
- Attempts to change immutable files
PID:685
-
-
/bin/grepgrep -i "[y]unjing"2⤵
- Attempts to change immutable files
PID:689
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:688
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵
- Reads runtime system information
PID:695
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:694
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:696
-
-
/bin/grepgrep 185.71.65.2382⤵PID:693
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:702
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:701
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:700
-
-
/bin/grepgrep 140.82.52.872⤵PID:699
-
-
/bin/grepgrep -v -2⤵PID:707
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:706
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:708
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:705
-
-
/bin/grepgrep :4432⤵PID:704
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵
- Reads runtime system information
PID:713
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:715
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:712
-
-
/bin/grepgrep :232⤵PID:711
-
-
/bin/grepgrep -v -2⤵PID:714
-
-
/bin/grepgrep -v -2⤵PID:720
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:719
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:721
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:718
-
-
/bin/grepgrep :4432⤵PID:717
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:727
-
-
/bin/grepgrep -v -2⤵PID:726
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵
- Reads runtime system information
PID:725
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:724
-
-
/bin/grepgrep :1432⤵PID:723
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:733
-
-
/bin/grepgrep -v -2⤵PID:732
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:731
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:730
-
-
/bin/grepgrep :22222⤵PID:729
-
-
/bin/grepgrep -v -2⤵PID:738
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:737
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:739
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:736
-
-
/bin/grepgrep :33332⤵PID:735
-
-
/bin/grepgrep -v -2⤵PID:744
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:743
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:745
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:742
-
-
/bin/grepgrep :33892⤵PID:741
-
-
/bin/grepgrep -v -2⤵PID:750
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:749
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:751
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:748
-
-
/bin/grepgrep :44442⤵PID:747
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:757
-
-
/bin/grepgrep -v -2⤵PID:756
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:755
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:754
-
-
/bin/grepgrep :55552⤵PID:753
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:763
-
-
/bin/grepgrep -v -2⤵PID:762
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:761
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:760
-
-
/bin/grepgrep :66662⤵PID:759
-
-
/bin/grepgrep -v -2⤵PID:768
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:767
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
- Reads runtime system information
PID:769
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:766
-
-
/bin/grepgrep :66652⤵PID:765
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:775
-
-
/bin/grepgrep -v -2⤵PID:774
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:773
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:772
-
-
/bin/grepgrep :66672⤵PID:771
-
-
/bin/grepgrep -v -2⤵PID:780
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:779
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:778
-
-
/bin/grepgrep :77772⤵PID:777
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:781
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:787
-
-
/bin/grepgrep -v -2⤵PID:786
-
-
/usr/bin/awkawk "-F[/]" "{print \$1}"2⤵PID:785
-
-
/usr/bin/awkawk "{print \$7}"2⤵PID:784
-
-
/bin/grepgrep :84442⤵PID:783
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5727479ef7cedf30c03459bec7d87b0f0
SHA12082e7f715f058acab2398d25d135cf5f4c0ce41
SHA25629872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6
SHA5124cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba