Analysis

  • max time kernel
    149s
  • max time network
    162s
  • platform
    debian-12_armhf
  • resource
    debian12-armhf-20240221-en
  • resource tags
    arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system
  • submitted
    18-12-2024 01:01

General

  • Target

    f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118

  • Size

    140KB

  • MD5

    f97ffb8896fd6f6ce7a605a8b3324ae9

  • SHA1

    e88b7423e1692885ccd8fd0eb0d3f803c5f088d3

  • SHA256

    45fa5f05d85fdcf3fdfe4be2698c7af2f8d7d3db0951a72898bb384c0208cefb

  • SHA512

    0ae80f4a751c455789ff0f6151d721e75c2ed019fff26f35ab9f739ca2a20f0fbdf56a0db7bb2a777a36667243459a2d45b59d4b39e9f1c054b46f74294613d2

  • SSDEEP

    3072:VYbSBRRYlfDsajlYqN3032IK4px3X4jj3CPazWZSM/98/r:abqRefDsskRK4px3XKjEazZM/98/r

Malware Config

Signatures

  • Contacts a large number (23841) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Modifies Watchdog functionality (1 TTP, 2 IoCs)

    Mirai-family malware, which does not persist across reboots, disables the hardware watchdog so that the device is not reset automatically if the bot makes the system unresponsive.

  • Reads process memory (1 TTP, 13 IoCs)

    Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name (1 IoC)

    On Linux this is typically done with prctl(PR_SET_NAME) and by overwriting argv[0], which changes what /proc/<pid>/comm, ps and top display.
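The first two signatures are a fan-out pattern: one source touching many distinct hosts in a short span. The script below is an added example for this report page, not Triage's detection logic, showing how that pattern is counted over flow records with a sliding window and why the destination-port mix should be reported alongside the host count. The flow records, the (ts, src, dst, dport) layout, and the 100-hosts-per-60-seconds threshold are constructed assumptions, not data from this sample's capture.

```python
"""Flag sources that fan out to many distinct hosts (network-scan behaviour).

Added example for this report page; not Triage's detection logic. The flow
records are constructed and the record layout and thresholds are assumptions.
"""
from collections import Counter, defaultdict

WINDOW_SECONDS = 60       # sliding window over which distinct hosts are counted
MIN_DISTINCT_HOSTS = 100  # assumed trip point; tune to the network's baseline


def scan_sources(rows, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """Return {src: report} for each source whose peak count of distinct
    destination hosts inside any `window`-second span reaches `min_hosts`.

    rows: iterable of (ts, src, dst, dport); ts in seconds.
    The report also carries the most common destination ports, because a
    scanner's port list (23/2323 for telnet worms) is often more telling
    than the raw host count.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in rows:
        by_src[src].append((float(ts), dst, int(dport)))

    reports = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> number of flows currently inside the window
        lo = 0
        peak = 0
        for now, dst, _ in events:
            in_window[dst] += 1
            # evict events that fell off the left edge of the window
            while now - events[lo][0] > window:
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            ports = Counter(dport for _, _, dport in events)
            reports[src] = {
                "distinct_hosts_peak": peak,
                "flows": len(events),
                "top_ports": ports.most_common(3),
            }
    return reports


def constructed_flows():
    """Constructed sample: one host sweeping 300 targets on 23/2323 within
    30 s, and one workstation talking to two servers on 443."""
    rows = []
    base = 1_700_000_000.0
    for i in range(300):
        rows.append((base + i * 0.1, "192.168.1.50",
                     f"10.{i // 256}.{i % 256}.1", 23 if i % 3 else 2323))
    for i in range(5):
        rows.append((base + i, "192.168.1.20",
                     "198.51.100.7" if i % 2 else "203.0.113.9", 443))
    return rows


if __name__ == "__main__":
    for src, report in scan_sources(constructed_flows()).items():
        print(f"{src}: peak {report['distinct_hosts_peak']} hosts in "
              f"{WINDOW_SECONDS}s, {report['flows']} flows, ports {report['top_ports']}")
```

The window is what separates a scanner from a busy but legitimate host: a mail relay may reach thousands of hosts per day, but rarely hundreds within a minute, and its port list will not collapse onto a single service the way a telnet sweep does.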
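The "Modifies Watchdog functionality" signature is raised on an ioctl against the watchdog device, and in a syscall trace that ioctl often appears only as a raw request number. The script below is an added example for this report page, not sandbox output and not taken from this sample's trace: it decodes Linux ioctl request numbers into their fields and flags the watchdog-disable call. Background, from the public Mirai source: the bot opens /dev/watchdog (falling back to /dev/misc/watchdog) and issues ioctl(fd, 0x80045704, &one), where 0x80045704 is WDIOC_SETOPTIONS and 1 is WDIOS_DISABLECARD. The request-number layout is the asm-generic one used by armhf, arm64 and x86; the strace-style lines and their exact format are constructed assumptions.

```python
"""Decode raw ioctl request numbers from a syscall trace and flag the
watchdog-disable call used by Mirai-family bots.

Added example for this report page, not part of the sandbox output. The
trace lines are constructed; the field layout is asm-generic/ioctl.h
(arm/armhf, arm64, x86), not mips/powerpc/sparc.
"""
import re

# asm-generic/ioctl.h: request = dir:2 | size:14 | type:8 | nr:8
_NRBITS, _TYPEBITS, _SIZEBITS, _DIRBITS = 8, 8, 14, 2
_NRSHIFT = 0
_TYPESHIFT = _NRSHIFT + _NRBITS       # 8
_SIZESHIFT = _TYPESHIFT + _TYPEBITS   # 16
_DIRSHIFT = _SIZESHIFT + _SIZEBITS    # 30
_IOC_WRITE, _IOC_READ = 1, 2
_DIR_NAMES = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}


def ioc(direction, type_char, nr, size):
    """Port of the _IOC() macro; _IOR(t, n, int) is ioc(_IOC_READ, t, n, 4)."""
    return ((direction << _DIRSHIFT) | (size << _SIZESHIFT)
            | (ord(type_char) << _TYPESHIFT) | (nr << _NRSHIFT))


def decode_ioctl(request):
    """Split a request number into its dir/type/nr/size fields."""
    return {
        "dir": _DIR_NAMES[(request >> _DIRSHIFT) & ((1 << _DIRBITS) - 1)],
        "type": chr((request >> _TYPESHIFT) & ((1 << _TYPEBITS) - 1)),
        "nr": (request >> _NRSHIFT) & ((1 << _NRBITS) - 1),
        "size": (request >> _SIZESHIFT) & ((1 << _SIZEBITS) - 1),
    }


# linux/watchdog.h: WATCHDOG_IOCTL_BASE is 'W', payload is an int
WDIOC_SETOPTIONS = ioc(_IOC_READ, "W", 4, 4)               # 0x80045704
WDIOC_KEEPALIVE = ioc(_IOC_READ, "W", 5, 4)                # 0x80045705
WDIOC_SETTIMEOUT = ioc(_IOC_READ | _IOC_WRITE, "W", 6, 4)  # 0xc0045706
WATCHDOG_REQUESTS = {
    WDIOC_SETOPTIONS: "WDIOC_SETOPTIONS",
    WDIOC_KEEPALIVE: "WDIOC_KEEPALIVE",
    WDIOC_SETTIMEOUT: "WDIOC_SETTIMEOUT",
}
WDIOS_DISABLECARD, WDIOS_ENABLECARD = 0x0001, 0x0002
WATCHDOG_DEVICES = ("/dev/watchdog", "/dev/watchdog0", "/dev/misc/watchdog")

# strace-style lines with raw request numbers (as with strace -X raw); assumed format
_OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)\s*=\s*(\d+)')
_CLOSE_RE = re.compile(r"^close\((\d+)\)")
_IOCTL_RE = re.compile(
    r"^ioctl\((\d+), (0x[0-9a-fA-F]+|\d+), (\[?)(0x[0-9a-fA-F]+|\d+)\]?\)\s*=\s*(-?\d+)")


def find_watchdog_tamper(lines):
    """Track which fd refers to a watchdog device and report every ioctl on it."""
    fd_to_path = {}
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = _OPEN_RE.match(line)
        if m:
            fd_to_path[int(m.group(2))] = m.group(1)
            continue
        m = _CLOSE_RE.match(line)
        if m:
            fd_to_path.pop(int(m.group(1)), None)
            continue
        m = _IOCTL_RE.match(line)
        if not m:
            continue
        fd, request, arg = int(m.group(1)), int(m.group(2), 0), int(m.group(4), 0)
        path = fd_to_path.get(fd)
        if path not in WATCHDOG_DEVICES or decode_ioctl(request)["type"] != "W":
            continue
        effect = ""
        if request == WDIOC_SETOPTIONS:
            if m.group(3) != "[":
                effect = "flags not decoded (only a pointer was printed)"
            elif arg & WDIOS_DISABLECARD:
                effect = "WDIOS_DISABLECARD"
            elif arg & WDIOS_ENABLECARD:
                effect = "WDIOS_ENABLECARD"
            else:
                effect = "other"
        findings.append({
            "line": lineno, "path": path,
            "request": WATCHDOG_REQUESTS.get(request, f"0x{request:08x}"),
            "effect": effect, "ok": int(m.group(5)) == 0,
        })
    return findings


# constructed trace: the Mirai pattern, a failed fallback open, and an unrelated ioctl
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/dev/watchdog", O_RDWR) = 3
ioctl(3, 0x80045704, [1]) = 0
close(3) = 0
openat(AT_FDCWD, "/dev/misc/watchdog", O_RDWR) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/proc/self/status", O_RDONLY) = 3
ioctl(3, 0x5401, 0xbefff8a0) = -1 ENOTTY (Inappropriate ioctl for device)
"""

if __name__ == "__main__":
    for hit in find_watchdog_tamper(SAMPLE_TRACE.splitlines()):
        print(hit)
```

Note the fd tracking: after close(3) the same descriptor number is reused for /proc/self/status, so an ioctl on fd 3 is only a watchdog event while the descriptor actually points at a watchdog node. The direction bit of WDIOC_SETOPTIONS reads as READ even though the call writes flags; that is how the kernel header defines it, so match on the full constant rather than on the direction.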

Processes

  • /tmp/f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118 (PID 708)
    Command line: /tmp/f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
    • Modifies Watchdog functionality
    • Reads process memory
    • Changes its process name
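The process above is flagged for changing its name. The script below is an added example for this report page, not sandbox output, showing how an analyst on the box can check for that. A Linux process controls two of the three names visible in /proc: comm (/proc/<pid>/comm, set with prctl(PR_SET_NAME), 15 bytes at most) and argv[0] (/proc/<pid>/cmdline, which lives in the process's own memory). The third, /proc/<pid>/exe, is a kernel-maintained link the process cannot rewrite; deleting the file only appends " (deleted)". The public Mirai source randomises comm and argv[0] at start-up, so comparing both against exe is a cheap triage signal. The process records and names below are constructed, the multi-call allowlist and prefix rules are heuristics of this example, and the live scan needs root to see other users' processes.

```python
"""Spot processes whose displayed name disagrees with the binary they run.

Added example for this report page, not part of the sandbox output. Records
in SAMPLE_PROCS are constructed; the prefix rules are heuristics, not kernel
semantics.
"""
import os
from dataclasses import dataclass

# multi-call binaries legitimately run under applet names (sh, ls, telnetd)
MULTICALL_BINARIES = {"busybox", "toybox"}


@dataclass
class ProcRecord:
    pid: int
    comm: str
    argv0: str
    exe: str  # target of /proc/<pid>/exe, "" if it could not be read


def _names_agree(shown, real):
    """comm is cut at 15 bytes and the exec'd path is often a symlink
    (python3 -> python3.11), so accept either name as a prefix of the other."""
    return bool(shown) and (real.startswith(shown) or shown.startswith(real[:15]))


def name_mismatch(rec):
    """Return the reasons this process looks renamed; [] means consistent."""
    reasons = []
    if not rec.exe:
        return reasons  # kernel thread or unreadable entry: nothing to compare
    exe_path = rec.exe.removesuffix(" (deleted)")
    exe_base = os.path.basename(exe_path)
    if exe_path != rec.exe:
        reasons.append("binary deleted on disk")
    if exe_base in MULTICALL_BINARIES:
        return reasons
    if not _names_agree(rec.comm, exe_base):
        reasons.append(f"comm {rec.comm!r} != exe {exe_base!r}")
    # argv[0] may be a path ("/usr/sbin/sshd") or a title ("sshd: admin@pts/0")
    argv_base = os.path.basename(rec.argv0.split(" ", 1)[0]).rstrip(":")
    if not rec.argv0:
        reasons.append("empty cmdline")
    elif not _names_agree(argv_base, exe_base):
        reasons.append(f"argv[0] {rec.argv0!r} != exe {exe_base!r}")
    return reasons


def read_proc(pid):
    """Build a ProcRecord from a live /proc entry; None if the process is gone
    or not readable by this user."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0", 1)[0].decode("utf-8", "replace")
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:  # kernel threads have no exe link
            exe = ""
    except OSError:
        return None
    return ProcRecord(pid, comm, argv0, exe)


def triage(records):
    """{pid: reasons} for every record that fails the consistency checks."""
    hits = {}
    for rec in records:
        reasons = name_mismatch(rec)
        if reasons:
            hits[rec.pid] = reasons
    return hits


def scan_proc():
    """Run triage() over every live process visible to this user."""
    records = (read_proc(int(n)) for n in os.listdir("/proc") if n.isdigit())
    return triage(r for r in records if r is not None)


# constructed records: one renamed bot and three legitimate shapes that must not fire
SAMPLE_PROCS = [
    ProcRecord(708, "qmhsxrptgk", "jkfnqwelap", "/tmp/dropped.elf"),
    ProcRecord(412, "sshd", "sshd: admin@pts/0", "/usr/sbin/sshd"),
    ProcRecord(513, "python3", "python3 app.py", "/usr/bin/python3.11"),
    ProcRecord(617, "sh", "sh", "/bin/busybox"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(scan_proc().items()):
        print(pid, "; ".join(reasons))
```

The comm check is the stronger of the two: the kernel sets comm from the exec'd file name, so a mismatch means the process itself changed it. The argv[0] check is noisier, since daemons that set a process title and entry points that are symlinks (for example /sbin/init pointing at systemd) both produce legitimate mismatches; treat it as corroboration rather than as a verdict.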

Network

MITRE ATT&CK Enterprise v15
