Analysis

  • max time kernel
    149s
  • max time network
    15s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    24/10/2024, 18:05

General

  • Target

    74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118

  • Size

    1KB

  • MD5

    74accae8c7e0093939ab4e0cd1c2a7fd

  • SHA1

    ae3b26988c72634e3f0daeb6486332530ba58324

  • SHA256

    d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea

  • SHA512

    7e784dce4b2fa0f5a3659ccf7af43b3f4886bd5ea32acb26a60ccad38c5bc918789d7d01f2090bd3a053d783c6eba4571865f7e54de106232d83cae57e4172b9

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Adversaries may deobfuscate or decode files or information to evade detection mechanisms.

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads runtime system information 6 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 1 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
    /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
    1⤵
    PID:675
    • /usr/bin/base64
      base64 -d
      2⤵
      • Deobfuscate/Decode Files or Information
      PID:683
    • /bin/bash
      bash
      2⤵
      • Writes file to tmp directory
      PID:684
      • /usr/bin/cut
        cut -d: -f6
        3⤵
        PID:690
      • /usr/bin/id
        id -u
        3⤵
        • Reads runtime system information
        PID:692
      • /bin/grep
        grep x:0: /etc/passwd
        3⤵
        PID:689
      • /usr/bin/head
        head -n 1 /tmp/.X11-unix/01
        3⤵
        PID:699
      • /bin/ls
        ls /proc//status
        3⤵
        • Reads runtime system information
        PID:702
      • /bin/chmod
        chmod +x ./i
        3⤵
        • File and Directory Permissions Modification
        PID:704
      • /tmp/i
        ./i
        3⤵
        • Executes dropped EXE
        PID:707
      • /bin/rm
        rm -f i
        3⤵
        PID:709
      • /bin/grep
        grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
        3⤵
        PID:714
      • /usr/bin/tr
        tr " " "\\n"
        3⤵
        PID:715
      • /usr/bin/curl
        curl -4fsSLkA- -m200 "https://dns.digitale-gesellschaft.ch/dns-query?name=relay.tor2socks.in"
        3⤵
        • Checks CPU configuration
        • Reads runtime system information
        PID:713
      • /usr/bin/sort
        sort -uR
        3⤵
        PID:717
      • /bin/grep
        grep -Ev "[.]0"
        3⤵
        PID:716
      • /usr/bin/head
        head -n 1
        3⤵
        PID:718
      • /bin/uname
        uname -m
        3⤵
        PID:730
      • /bin/date
        date
        3⤵
        PID:732
      • /usr/bin/md5sum
        md5sum
        3⤵
        PID:733
      • /usr/bin/cut
        cut -f1 -d-
        3⤵
        PID:734
      • /usr/bin/curl
        curl -4fsSLk checkip.amazonaws.com
        3⤵
        • Checks CPU configuration
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:736

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/i

    Filesize

    5B

    MD5

    f4b524261fce06c1fbd10b4681ad0b97

    SHA1

    c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d

    SHA256

    9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031

    SHA512

    ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449