Analysis
max time kernel: 149s
max time network: 132s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 24/10/2024, 18:05
Static task: static1
Behavioral task: behavioral1
  Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  Resource: debian9-mipsel-20240226-en
General
Target: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
Size: 1KB
MD5: 74accae8c7e0093939ab4e0cd1c2a7fd
SHA1: ae3b26988c72634e3f0daeb6486332530ba58324
SHA256: d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea
SHA512: 7e784dce4b2fa0f5a3659ccf7af43b3f4886bd5ea32acb26a60ccad38c5bc918789d7d01f2090bd3a053d783c6eba4571865f7e54de106232d83cae57e4172b9
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 1 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  pid 1512, process chmod
Executes dropped EXE (1 IoCs)
  ioc /tmp/i, pid 1513, process i
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3, ioc checkip.amazonaws.com
Deobfuscate/Decode Files or Information (1 TTPs, 1 IoCs)
Adversaries may deobfuscate or decode files or information to evade detection mechanisms.
  pid 1500, process base64
Reads runtime system information
  File opened for reading /proc/filesystems, process id
  File opened for reading /proc/filesystems, process ls
System Network Configuration Discovery (1 TTPs, 1 IoCs)
Adversaries may gather information about the network configuration of a system.
  pid 1530, process curl
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  File opened for modification /tmp/i, process bash
Processes
/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118  (cmd: /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118)  PID:1494
  /bin/bash  (cmd: bash)  PID:1501
    - Writes file to tmp directory
    /usr/bin/cut  (cmd: cut -d: -f6)  PID:1505
    /usr/bin/id  (cmd: id -u)  PID:1507
      - Reads runtime system information
    /bin/grep  (cmd: grep x:0: /etc/passwd)  PID:1504
    /usr/bin/head  (cmd: head -n 1 /tmp/.X11-unix/01)  PID:1510
    /bin/ls  (cmd: ls /proc//status)  PID:1511
      - Reads runtime system information
    /bin/chmod  (cmd: chmod +x ./i)  PID:1512
      - File and Directory Permissions Modification
    /tmp/i  (cmd: ./i)  PID:1513
      - Executes dropped EXE
    /bin/rm  (cmd: rm -f i)  PID:1514
    /usr/bin/tr  (cmd: tr " " "\\n")  PID:1519
    /usr/bin/sort  (cmd: sort -uR)  PID:1521
    /usr/bin/head  (cmd: head -n 1)  PID:1522
    /bin/grep  (cmd: grep -Ev "[.]0")  PID:1520
    /bin/grep  (cmd: grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b")  PID:1518
    /usr/bin/curl  (cmd: curl -4fsSLkA- -m200 "https://doh-fi.blahdns.com/dns-query?name=relay.tor2socks.in")  PID:1517
    /bin/uname  (cmd: uname -m)  PID:1524
    /usr/bin/cut  (cmd: cut -f1 -d-)  PID:1528
    /usr/bin/md5sum  (cmd: md5sum)  PID:1527
    /bin/date  (cmd: date)  PID:1526
    /usr/bin/curl  (cmd: curl -4fsSLk checkip.amazonaws.com)  PID:1530
      - System Network Configuration Discovery
  /usr/bin/base64  (cmd: base64 -d)  PID:1500
    - Deobfuscate/Decode Files or Information
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5B
MD5: f4b524261fce06c1fbd10b4681ad0b97
SHA1: c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d
SHA256: 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031
SHA512: ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449