a81f677c5e70b1031e5faddd50ba3492e6d536ce672fa17c173f916b88e45d46

Resubmissions

02-01-2025 21:38

250102-1hhjqszkgl 10

15-12-2024 00:39

241215-az46ys1kbl 10

Analysis

max time kernel
72s
max time network
72s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
02-01-2025 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
Size

1.1MB
MD5

f17b36cfddb5242cb530ee6f62fd72ad
SHA1

1dad9668f72f681c865d058027d0eb474f920613
SHA256

a81f677c5e70b1031e5faddd50ba3492e6d536ce672fa17c173f916b88e45d46
SHA512

c0edc007a5030e95cc63467e5de00ba3152f3150dc9247850553fbf0542e2c6bf59543d6cca1e38dd8fdc490a2984d515a6d984e6d8833e64c90e07383d7fa16
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfamI+gIGYuuCol7r:4vREKfPqVE5jKsfamRHGVo7r

Score

7^/10

defense_evasion discovery persistence rootkit

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2568	chmod
2546	chmod
2555	chmod
2561	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/agent	2509	agent
/usr/bin/acpid	2521	acpid

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2469	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2475	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2477	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2479	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2481	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2483	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2503	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2505	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2507	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2508	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2509	agent
2507	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2511	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2513	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2510	agent
2515	agent
2510	agent
2510	agent
2517	agent
2519	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2520	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2521	acpid
2510	agent
2510	agent
2519	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2523	agent
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2524	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2510	agent
2510	agent
2527	agent
2510	agent
2510	agent
2470	f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
2529	agent
2510	agent
2510	agent
2532	agent
2510	agent
2510	agent
2535	agent
2510	agent
2510	agent
2538	agent
2510	agent
2510	agent

Write file to user bin folder 6 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/agent	cp
File opened for modification	/usr/bin/acpid	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/compression	insmod
File opened for reading	/sys/module/compression	insmod

Reads runtime system information 17 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir

/tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
/tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118
1⤵
- Loads a kernel module
PID:2469
- /usr/bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt
  2⤵
  PID:2476
- /usr/bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt
  2⤵
  PID:2478
- /usr/bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt
  2⤵
  PID:2480
- /usr/bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt
  2⤵
  PID:2482
- /usr/bin/ln
  ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt
  2⤵
  PID:2484
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2504
- /usr/bin/cp
  cp -f /tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118 /usr/bin/bsd-port/agent
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2506
- /usr/bin/bsd-port/agent
  /usr/bin/bsd-port/agent
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2509
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
    3⤵
    PID:2516
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
    3⤵
    PID:2518
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
    3⤵
    PID:2525
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
    3⤵
    PID:2528
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
    3⤵
    PID:2530
- - /usr/bin/mkdir
    mkdir -p /usr/bin/dpkgd
    3⤵
    - Reads runtime system information
    PID:2533
- - /usr/bin/cp
    cp -f /bin/lsof /usr/bin/dpkgd/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2536
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2540
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/agent /bin/lsof
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2543
- - /usr/bin/chmod
    chmod 0755 /bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2546
- - /usr/bin/cp
    cp -f /bin/ps /usr/bin/dpkgd/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2549
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2551
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/agent /bin/ps
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2553
- - /usr/bin/chmod
    chmod 0755 /bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2555
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2557
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/agent /usr/bin/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2559
- - /usr/bin/chmod
    chmod 0755 /usr/bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2561
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2564
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/agent /usr/bin/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2566
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2568
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2570
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2512
- /usr/bin/cp
  cp -f /tmp/f17b36cfddb5242cb530ee6f62fd72ad_JaffaCakes118 /usr/bin/acpid
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2514
- /usr/bin/acpid
  /usr/bin/acpid
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2521
- /usr/sbin/insmod
  insmod /usr/lib/xpacket.ko
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2526

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecurityMdt

Filesize
64B

MD5
4b28dd51490de8e95c780ae9561e1255

SHA1
71912a13d958ba296fea6a71df500bfc64ac95be

SHA256
4c5053f7a5bf93fc510ea44d82208ccf2429fe4e5789e52fcab3d6a8c5eb2bab

SHA512
7dfe9547d9b335259a80469bb8a0b9fa399f89f868c140448099f890fa67c4b92899e590558d25f8435ff556975e93e0e148068323dc2ea6c480ed7a67b08462

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
c6a80f08539a4c3176762f514976dd24

SHA1
bbc5826b01d20f5c4d315ff5dbc3f216760c64ef

SHA256
ea47e885ae227059ce55d020335f7869c565ec6d85f484497e83cd4998149d5d

SHA512
9a1e3b0142876305fe389e07880bd586e97bf709273a66299d9128ff2861459104054d4e5d836aecdf73f2c11886fa3a2a8498741adb3211b96116658b856175

Download Submit
/tmp/gates.note

Filesize
4B

MD5
7cc234202e98d2722580858573fd0817

SHA1
8e3d85dccb3590a3a24194d0736e4054d699460f

SHA256
1f87635aff05d8cfd5081f572fc9c14d7b14b4f40cbf6b6f077437c48ac844e7

SHA512
65455e82449cb18531d35ae450c17fb3e81fb3b9dc1e72810a1359b99fdd58e2f67a2ea87b984e61917d03dc9d804337218ae399cd5504dacfca43e94cce6af1

Download Submit
/tmp/moni.note

Filesize
4B

MD5
0d7363894acdee742caf7fe4e97c4d49

SHA1
807c96dd078cc58d390e6eae0488d04429877634

SHA256
58180bb12beb55a4bffb10de75ca8c53dcc8061c3cdee52e0ebdcd74049d374e

SHA512
bbdf54b0aafaf5b0da2013c1d431342069f4c61b9d6b2cfb9f1cf37d70cd55cef841e6a2767000a1e6a64f836d3214eb7b955e94b6dab5584fac918c79c33e7a

Download Submit
/tmp/notify.file

Filesize
51B

MD5
79088c38abb3a242f72d3bef40de7e71

SHA1
dae965ccd8e9598f28d41f637aa0d26ed27fe254

SHA256
cb231b01ee637b58abe40914373e8eb921e5de1f3bca2a4f64e1e5ae001c273c

SHA512
5d4e06c1a9a3b40c8397f78beb7173dddefc8737fdc649a40e6e59c3df387c4e02d3c3cfa0d1c794d8b1e16d0e1a4f47e854bf602044fce7db48aff00ce4cf04

Download Submit