Analysis
max time kernel: 149s
max time network: 15s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 24/10/2024, 18:05
Static task: static1
Behavioral task: behavioral1
  Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  Resource: debian9-mipsel-20240226-en
General
Target: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
Size: 1KB
MD5: 74accae8c7e0093939ab4e0cd1c2a7fd
SHA1: ae3b26988c72634e3f0daeb6486332530ba58324
SHA256: d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea
SHA512: 7e784dce4b2fa0f5a3659ccf7af43b3f4886bd5ea32acb26a60ccad38c5bc918789d7d01f2090bd3a053d783c6eba4571865f7e54de106232d83cae57e4172b9
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 1 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid 704, process chmod
- Executes dropped EXE (1 IoCs)
  ioc /tmp/i, pid 707, process i
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3, ioc checkip.amazonaws.com
- Deobfuscate/Decode Files or Information (1 TTPs, 1 IoCs)
  Adversaries may deobfuscate or decode files or information to evade detection mechanisms.
  pid 683, process base64
- Checks CPU configuration (1 TTPs, 2 IoCs)
  Checks CPU information, which can indicate whether the system is a virtual machine.
  File opened for reading /proc/cpuinfo (process curl)
  File opened for reading /proc/cpuinfo (process curl)
- Reads runtime system information
  File opened for reading /proc/sys/crypto/fips_enabled (process curl)
  File opened for reading /proc/self/auxv (process curl)
  File opened for reading /proc/sys/crypto/fips_enabled (process curl)
  File opened for reading /proc/self/auxv (process curl)
  File opened for reading /proc/filesystems (process id)
  File opened for reading /proc/filesystems (process ls)
- System Network Configuration Discovery (1 TTPs, 1 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid 736, process curl
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification /tmp/i (process bash)
Processes
- PID 675  /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  command: /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  - PID 683  /usr/bin/base64
    command: base64 -d
    signatures: Deobfuscate/Decode Files or Information
  - PID 684  /bin/bash
    command: bash
    signatures: Writes file to tmp directory
    - PID 690  /usr/bin/cut
      command: cut -d: -f6
    - PID 692  /usr/bin/id
      command: id -u
      signatures: Reads runtime system information
    - PID 689  /bin/grep
      command: grep x:0: /etc/passwd
    - PID 699  /usr/bin/head
      command: head -n 1 /tmp/.X11-unix/01
    - PID 702  /bin/ls
      command: ls /proc//status
      signatures: Reads runtime system information
    - PID 704  /bin/chmod
      command: chmod +x ./i
      signatures: File and Directory Permissions Modification
    - PID 707  /tmp/i
      command: ./i
      signatures: Executes dropped EXE
    - PID 709  /bin/rm
      command: rm -f i
    - PID 714  /bin/grep
      command: grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
    - PID 715  /usr/bin/tr
      command: tr " " "\\n"
    - PID 713  /usr/bin/curl
      command: curl -4fsSLkA- -m200 "https://dns.digitale-gesellschaft.ch/dns-query?name=relay.tor2socks.in"
      signatures: Checks CPU configuration; Reads runtime system information
    - PID 717  /usr/bin/sort
      command: sort -uR
    - PID 716  /bin/grep
      command: grep -Ev "[.]0"
    - PID 718  /usr/bin/head
      command: head -n 1
    - PID 730  /bin/uname
      command: uname -m
    - PID 732  /bin/date
      command: date
    - PID 733  /usr/bin/md5sum
      command: md5sum
    - PID 734  /usr/bin/cut
      command: cut -f1 -d-
    - PID 736  /usr/bin/curl
      command: curl -4fsSLk checkip.amazonaws.com
      signatures: Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Deobfuscate/Decode Files or Information (1)
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Downloads
- Filesize: 5B
  MD5: f4b524261fce06c1fbd10b4681ad0b97
  SHA1: c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d
  SHA256: 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031
  SHA512: ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449