2c6351a60f83ef185be9991b8ebfc11af7c29c59572a0b2af2471b10392614d7

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
29-09-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
Size

1.1MB
MD5

ff3a8d23aab424bfd9db6505b77ab05d
SHA1

3228c70108778f9cd58237141652ec4ad2b01b33
SHA256

2c6351a60f83ef185be9991b8ebfc11af7c29c59572a0b2af2471b10392614d7
SHA512

9dfdab046b8d9e079115ad14c1b000ee7a9df5d7e0b8a09c5d7b4f3eb88117f79652f4a5582e69b1e9e2983564253005fdd82748e03722ccbafe06799d8fe9bd
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfawI+gIGYuuCol7r:4vREKfPqVE5jKsfawRHGVo7r

Score

7^/10

defense_evasion discovery persistence rootkit

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2520	chmod
2529	chmod
2535	chmod
2541	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	2482	getty
/usr/bin/.sshd	2490	.sshd

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2441	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2460	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2462	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2464	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2466	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2468	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2476	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2478	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2480	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2481	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2482	getty
2480	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2484	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2486	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2488	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2489	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2490	.sshd
2488	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2492	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2442	ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
2483	getty
2500	getty
2483	getty
2483	getty
2502	getty
2483	getty
2483	getty
2505	getty
2483	getty
2483	getty
2507	getty
2483	getty
2483	getty
2509	getty
2483	getty
2483	getty
2511	getty
2483	getty
2483	getty
2513	getty
2483	getty
2483	getty
2515	getty
2483	getty
2483	getty

Write file to user bin folder 6 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/ps	cp
File opened for modification	/bin/lsof	cp

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/compression	insmod
File opened for reading	/sys/module/compression	insmod

Reads runtime system information 17 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod

/tmp/ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
/tmp/ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118
1⤵
- Loads a kernel module
PID:2441
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:2461
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:2463
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:2465
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:2467
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:2469
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2477
- /usr/bin/cp
  cp -f /tmp/ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118 /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2479
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2482
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
    3⤵
    PID:2501
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
    3⤵
    PID:2503
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
    3⤵
    PID:2506
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
    3⤵
    PID:2508
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
    3⤵
    PID:2510
- - /usr/bin/mkdir
    mkdir -p /usr/bin/dpkgd
    3⤵
    - Reads runtime system information
    PID:2512
- - /usr/bin/cp
    cp -f /bin/lsof /usr/bin/dpkgd/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2514
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2516
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/lsof
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2518
- - /usr/bin/chmod
    chmod 0755 /bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2520
- - /usr/bin/cp
    cp -f /bin/ps /usr/bin/dpkgd/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2522
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2525
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/ps
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2527
- - /usr/bin/chmod
    chmod 0755 /bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2529
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2531
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2533
- - /usr/bin/chmod
    chmod 0755 /usr/bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2535
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2537
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2539
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2541
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2543
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2485
- /usr/bin/cp
  cp -f /tmp/ff3a8d23aab424bfd9db6505b77ab05d_JaffaCakes118 /usr/bin/.sshd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2487
- /usr/bin/.sshd
  /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2490
- /usr/sbin/insmod
  insmod /usr/lib/xpacket.ko
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2493

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
64B

MD5
fc91a7c93c02895817e6a22945c1469e

SHA1
b05af2657871d92726a190c260caf1918d809186

SHA256
8810e312f5d8433e4f62947b74a92110d14129c6ea22ab887fb8ea33e675510c

SHA512
32f7414740ae758b8e4c43543627461c344404982ade964707fedeff0ac7a204fd79ba0246726fbf6f890c082efc13897d8a7fd9c74b3faea300a7ce82f21022

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/gates.lock

Filesize
4B

MD5
6048ff4e8cb07aa60b6777b6f7384d52

SHA1
93af2d29fceaaff90391bae9bfb5b4f18a50b2c9

SHA256
069170cf54b2e58a1057173196abf680efbeb5863deb2b59cbfe61f5faa735e6

SHA512
81374b04ca4a028d2f8c85153d5bf32a658d3b9643119629c07434cec764d2171fa24b2ac4996cd58befbdbf58bf03085c47f0f968ccd9b5d2e9d8cbedb0773f

Download Submit
/tmp/moni.lock

Filesize
4B

MD5
01a0683665f38d8e5e567b3b15ca98bf

SHA1
82f752807893c63f06db6a25fe56160403214fb3

SHA256
dc7d6256d124bcc9244d6d0e437beabded4b25d4fbf77ccb595375b8f5f1e903

SHA512
856e740801bf35defc00762472a14cdd4aae90fdf63b6ba5dc04ba831c1a61cfa24a34fe85ab1791bed50668ee6049c7707b17207b5e6f6076995abed723eb57

Download Submit
/tmp/notify.file

Filesize
51B

MD5
4cdc850c124759c36db6e3d4980ccc32

SHA1
73550141208a3584f5de7f522f525f57f11e8b0a

SHA256
75569c986c2924df50e45ee99faee76d7d51bd81d1cc15ce8919741b4643eabc

SHA512
42f4a561441ba30e77b32d2158f56103caff6b6ccd72d27897161bd6b795a144ab9bee28aae8be6ff091538de5857d81c80b5ddef61fb9db863cbf4e0bef6bac

Download Submit