7f0e07d0e5f7af973ab0f2768f06c00efb7f37da49fb6939df547d076e2c62d5

General

Target

fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
Size

27KB
MD5

fe70c19936ef32efb00f3c75ea90e701
SHA1

461514742ae77741e53efb6975ffd8d3db264c92
SHA256

7f0e07d0e5f7af973ab0f2768f06c00efb7f37da49fb6939df547d076e2c62d5
SHA512

dad1271c0984f3120dc0c35725212fdccf707b4c3e5ecc6b1fe9e5ba95b295398d17fdac46c767375268fb1577128d23aa519ebfabc881a3b11e78de1b6a8f4b
SSDEEP

384:G7pQQwQHDf6jlpTWg3vMGQiKMvh/4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeD:G7JoFNcDvFLcIwgiYq0xzBWjzr2W

Score

7^/10

defense_evasion discovery evasion privilege_escalation

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Clear Linux or Mac System Logs
T1070.002

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 1 TTPs 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
defense_evasion

Disable or Modify System Firewall
T1562.004

Processes:

iptables

pid process

653 iptables
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

662 sudo

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
653	iptables

pid	process
662	sudo

Attempts to change immutable files 22 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

grepxargsxargsxargsxargsxargsxargsxargschattrchattrchattrxargsxargsxargsxargsxargsgrepxargsxargsxargschattrxargs

pid	process
689	grep
708	xargs
721	xargs
739	xargs
775	xargs
745	xargs
751	xargs
757	xargs
649	chattr
651	chattr
679	chattr
702	xargs
715	xargs
769	xargs
781	xargs
787	xargs
685	grep
727	xargs
733	xargs
763	xargs
676	chattr
696	xargs

Enumerates running processes
Discovers information about currently running processes on the system
Reads CPU attributes 1 TTPs 2 IoCs
discovery

System Information Discovery
T1082

Processes:

psps

description ioc process

File opened for reading /sys/devices/system/cpu/online ps
File opened for reading /sys/devices/system/cpu/online ps
Process Discovery 1 TTPs 2 IoCs
Adversaries may try to discover information about running processes.
discovery

Process Discovery
T1057

Processes:

psps

pid process

684 ps
688 ps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

pid	process
684	ps
688	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pspsawkawkawksudoxargs

description	ioc	process
File opened for reading	/proc/322/cmdline	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/271/cmdline	ps
File opened for reading	/proc/639/status	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/601/status	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/600/status	ps
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/656/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/148/cmdline	ps
File opened for reading	/proc/638/stat	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/148/stat	ps
File opened for reading	/proc/638/stat	ps
File opened for reading	/proc/222/stat	ps
File opened for reading	/proc/305/status	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/25/stat	ps
File opened for reading	/proc/322/stat	ps
File opened for reading	/proc/685/cmdline	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/669/stat	ps
File opened for reading	/proc/271/stat	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/276/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/145/cmdline	ps
File opened for reading	/proc/42/status	ps
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/305/stat	ps
File opened for reading	/proc/26/cmdline	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/28/status	ps
File opened for reading	/proc/656/status	ps
File opened for reading	/proc/289/status	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/271/status	ps
File opened for reading	/proc/278/stat	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/41/stat	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/656/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/116/stat	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/29/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/689/status	ps
File opened for reading	/proc/41/cmdline	ps
File opened for reading	/proc/16/stat	ps

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118

description ioc process

File opened for modification /tmp/log_rot fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118

description	ioc	process
File opened for modification	/tmp/log_rot	fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118

/tmp/fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
/tmp/fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:646

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:647

/usr/bin/chattr
chattr -iua /tmp/
2⤵
- Attempts to change immutable files
PID:649

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
- Attempts to change immutable files
PID:651

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:653

/usr/bin/sudo
sudo sysctl "kernel.nmi_watchdog=0"
2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:662

/usr/sbin/userdel
userdel akay
2⤵
PID:668

/usr/sbin/userdel
userdel vfinder
2⤵
PID:673

/usr/bin/chattr
chattr -iae /root/.ssh/
2⤵
- Attempts to change immutable files
PID:676

/usr/bin/chattr
chattr -iae /root/.ssh/authorized_keys
2⤵
- Attempts to change immutable files
PID:679

/bin/rm
rm -rf "/tmp/addres*"
2⤵
PID:680

/bin/rm
rm -rf "/tmp/walle*"
2⤵
PID:681

/bin/rm
rm -rf /tmp/keys
2⤵
PID:682

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:684

/bin/grep
grep -i "[a]liyun"
2⤵
- Attempts to change immutable files
PID:685

/bin/grep
grep -i "[y]unjing"
2⤵
- Attempts to change immutable files
PID:689

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:688

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
- Reads runtime system information
PID:695

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:694

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:696

/bin/grep
grep 185.71.65.238
2⤵
PID:693

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:702

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:701

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:700

/bin/grep
grep 140.82.52.87
2⤵
PID:699

/bin/grep
grep -v -
2⤵
PID:707

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:706

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:708

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:705

/bin/grep
grep :443
2⤵
PID:704

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
- Reads runtime system information
PID:713

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:715

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:712

/bin/grep
grep :23
2⤵
PID:711

/bin/grep
grep -v -
2⤵
PID:714

/bin/grep
grep -v -
2⤵
PID:720

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:719

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:721

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:718

/bin/grep
grep :443
2⤵
PID:717

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:727

/bin/grep
grep -v -
2⤵
PID:726

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
- Reads runtime system information
PID:725

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:724

/bin/grep
grep :143
2⤵
PID:723

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:733

/bin/grep
grep -v -
2⤵
PID:732

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:731

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:730

/bin/grep
grep :2222
2⤵
PID:729

/bin/grep
grep -v -
2⤵
PID:738

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:737

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:739

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:736

/bin/grep
grep :3333
2⤵
PID:735

/bin/grep
grep -v -
2⤵
PID:744

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:743

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:745

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:742

/bin/grep
grep :3389
2⤵
PID:741

/bin/grep
grep -v -
2⤵
PID:750

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:749

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:751

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:748

/bin/grep
grep :4444
2⤵
PID:747

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:757

/bin/grep
grep -v -
2⤵
PID:756

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:755

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:754

/bin/grep
grep :5555
2⤵
PID:753

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:763

/bin/grep
grep -v -
2⤵
PID:762

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:761

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:760

/bin/grep
grep :6666
2⤵
PID:759

/bin/grep
grep -v -
2⤵
PID:768

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:767

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
- Reads runtime system information
PID:769

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:766

/bin/grep
grep :6665
2⤵
PID:765

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:775

/bin/grep
grep -v -
2⤵
PID:774

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:773

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:772

/bin/grep
grep :6667
2⤵
PID:771

/bin/grep
grep -v -
2⤵
PID:780

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:779

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:778

/bin/grep
grep :7777
2⤵
PID:777

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:781

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:787

/bin/grep
grep -v -
2⤵
PID:786

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:785

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:784

/bin/grep
grep :8444
2⤵
PID:783

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Indicator Removal

1

T1070

Clear Linux or Mac System Logs

1

T1070.002

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
memory/771-1-0xb6c4a000-0xb6c5b044-memory.dmp

Download

Analysis

Sharing