Analysis
-
max time kernel
149s -
max time network
162s -
platform
debian-12_armhf -
resource
debian12-armhf-20240221-en -
resource tags
arch:armhf, image:debian12-armhf-20240221-en, kernel:6.1.0-17-armmp-lpae, locale:en-us, os:debian-12-armhf, system -
submitted
18-12-2024 01:01
Behavioral task
behavioral1
Sample
f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
Resource
debian12-armhf-20240221-en
General
-
Target
f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
-
Size
140KB
-
MD5
f97ffb8896fd6f6ce7a605a8b3324ae9
-
SHA1
e88b7423e1692885ccd8fd0eb0d3f803c5f088d3
-
SHA256
45fa5f05d85fdcf3fdfe4be2698c7af2f8d7d3db0951a72898bb384c0208cefb
-
SHA512
0ae80f4a751c455789ff0f6151d721e75c2ed019fff26f35ab9f739ca2a20f0fbdf56a0db7bb2a777a36667243459a2d45b59d4b39e9f1c054b46f74294613d2
-
SSDEEP
3072:VYbSBRRYlfDsajlYqN3032IK4px3X4jj3CPazWZSM/98/r:abqRefDsskRK4px3XKjEazZM/98/r
Malware Config
Signatures
-
Contacts a large number (23841) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware such as Mirai opens the hardware watchdog device for writing and disables it (ioctl WDIOC_SETOPTIONS with WDIOS_DISABLECARD), so that the watchdog does not reboot the infected device when the bot stops feeding it or monopolizes the CPU. Both device paths below are the ones Mirai's source tries in turn.
description | ioc | Process
File opened for modification | /dev/watchdog | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for modification | /dev/misc/watchdog | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
-
Reads process memory 1 TTPs 13 IoCs
Reads process information through the /proc virtual filesystem. /proc/<pid>/maps lists a process's memory mappings (address ranges and the files backing them), which is enough to identify which binary and libraries another process is running; the memory contents themselves are read through /proc/<pid>/mem. Mirai-family bots walk /proc in this way to find and kill competing bots, and the same interface can be used to steal credentials. Here one process reads the maps of 13 other processes in a short time, which is the scanning pattern this signature keys on.
description | ioc | Process
File opened for reading | /proc/699/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/714/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/715/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/723/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/646/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/662/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/664/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/678/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/704/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/705/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/712/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/629/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading | /proc/647/maps | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
-
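The two signatures above (watchdog modification and /proc scanning) are the kind of behaviour a host-based check can catch from file-open events alone. The Python below is an added example, not the sandbox's own detection code: it parses the IoC rows in the flattened "File opened for ... <path> <process>" form this page uses and applies both checks, flagging a write-open of a watchdog device and a single process that reads the maps of many other processes. The input rows are the ones listed on this page plus one constructed benign row; the scan threshold of 5 is an assumption, since the sandbox's own cut-off is not stated.

```python
import re
from collections import defaultdict

# Constructed input: the IoC rows from the two signatures above, in the flattened
# form the report uses, plus one benign row (a monitor reading a single maps file).
REPORT_ROWS = """
File opened for modification /dev/watchdog f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for modification /dev/misc/watchdog f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/699/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/714/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/715/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/723/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/646/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/662/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/664/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/678/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/704/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/705/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/712/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/629/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/647/maps f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118
File opened for reading /proc/1/maps benign-monitor
"""

ROW_RE = re.compile(r"File opened for (reading|modification) (\S+) (\S+)")
# Device nodes Mirai-style bots try; /dev/watchdog0 added for newer kernels.
WATCHDOG_DEVICES = {"/dev/watchdog", "/dev/misc/watchdog", "/dev/watchdog0"}
PROC_MAPS_RE = re.compile(r"^/proc/(\d+)/maps$")
MAPS_SCAN_THRESHOLD = 5  # assumed cut-off, not the sandbox's published value


def parse_rows(text):
    """Return (access, path, process) tuples from flattened IoC rows."""
    return [m.groups() for m in ROW_RE.finditer(text)]


def detect(rows):
    """Apply the two checks and return a list of (signature, process, detail)."""
    findings = []
    maps_by_proc = defaultdict(set)  # process name -> set of target pids
    for access, path, proc in rows:
        # Signature 1: watchdog device opened with write intent (needed for the
        # disable ioctl). A legitimate watchdog daemon also does this; allow-list it.
        if path in WATCHDOG_DEVICES and access == "modification":
            findings.append(("watchdog_modify", proc, path))
        # Signature 2: collect which other processes' maps each process reads.
        m = PROC_MAPS_RE.match(path)
        if m:
            maps_by_proc[proc].add(int(m.group(1)))
    for proc, pids in maps_by_proc.items():
        if len(pids) >= MAPS_SCAN_THRESHOLD:
            findings.append(("proc_maps_scan", proc, len(pids)))
    return findings


def run_on_report():
    """Run the detection over the rows embedded above."""
    return detect(parse_rows(REPORT_ROWS))


if __name__ == "__main__":
    for signature, proc, detail in run_on_report():
        print(signature, proc, detail)
```

The watchdog check alone is a weak signal on real hosts, because a legitimate watchdog daemon (systemd's runtime watchdog or the `watchdog` package) also holds /dev/watchdog open for writing to feed it; in production the rule should allow-list those daemons and weight the combination of a watchdog open and a /proc sweep by the same process much higher than either alone.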
Changes its process name 1 IoCs
description | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself | a | 708 | f97ffb8896fd6f6ce7a605a8b3324ae9_JaffaCakes118