Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    20-10-2024 05:34

General

  • Target

    609c1238af802ede246b1bb55d355dc5_JaffaCakes118

  • Size

    52KB

  • MD5

    609c1238af802ede246b1bb55d355dc5

  • SHA1

    74f2ced35a758f572e1c070e438d2056cdb16acc

  • SHA256

    64adef1e782de63ce018d9dfb619f1c98c1bc4ec67380b9b1a4d7cb929977e40

  • SHA512

    2c8555de4477cce4f1b84a5813ce0c727e04bac3a2472fd1e2b0944bee4c2653ef63c3ba7e1a2f233073ed3f0bd31f7f9ea83b0363b1a0d361bb63e6e711d54d

  • SSDEEP

    1536:Yo2kkuHsKrYyn+rOXxt2oNuL6eAvFR4pH:/S2Bakz5uLkuN

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

C2

scanmaccas.duckdns.org

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

  • Contacts a large (81635) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

  • Writes file to system bin folder 2 IoCs
  • Changes its process name 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/609c1238af802ede246b1bb55d355dc5_JaffaCakes118
    /tmp/609c1238af802ede246b1bb55d355dc5_JaffaCakes118
    1⤵
    • Modifies Watchdog functionality
    • Writes file to system bin folder
    • Changes its process name
    • Reads runtime system information
    PID:646

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads