Analysis
max time kernel: 147s
max time network: 151s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 07/01/2025, 21:35
Behavioral task: behavioral1
Sample: JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
Resource: ubuntu2404-amd64-20240523-en
General
Target: JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
Size: 2.7MB
MD5: 7a9d83a1af4a72c8f4f3acdfe39e445f
SHA1: 93202614e194352633aafe3a4cd46f75aeafe4d6
SHA256: 05448a71894d641cfe3c4ad2797077433307ef092d6f3da1082806a129583efb
SHA512: c179295b7825a0fd24dd1fa3f75e7b9081b675ab67fc9d12717ba95a5b6c30d0f246a672b565351469e1672acb260fa8648b3e59d0c0c209c9fb19cff2f07caa
SSDEEP: 49152:stm70wqFk+DowagvqTdxi1sK5UGmgck/b5FRGGdLaEF9An2R1yhVf:stm7VQkMZ7gRqUPgcM5FvaqyhVf
Malware Config
Extracted family: stealthworker
Signatures
- StealthWorker
  StealthWorker is Go-based brute-force malware.
- Stealthworker family
- Creates/modifies Cron job (1 TTP, 1 IoC)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description | ioc | Process
  File opened for modification | /var/spool/cron/crontabs/tmp.YALe0c | crontab
- Checks CPU configuration (1 TTP, 2 IoCs)
  Checks CPU information that may indicate whether the system is a virtual machine.
  description | ioc | Process
  File opened for reading | /proc/cpuinfo | cat
  File opened for reading | /proc/cpuinfo | cat
- Reads runtime system information
  description | ioc | Process
  File opened for reading | /proc/self/exe | JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
  File opened for reading | /proc/sys/net/core/somaxconn | JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
  File opened for reading | /proc/version | cat
  File opened for reading | /proc/self/exe | JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
  File opened for reading | /proc/sys/net/core/somaxconn | JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
  File opened for reading | /proc/version | cat
- System Network Configuration Discovery (1 TTP, 1 IoC)
  Adversaries may gather information about the network configuration of a system.
  pid | Process
  2843 | crontab
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/.pid | JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
  File opened for modification | /tmp/nip9iNeiph5chee | JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
  File opened for modification | /tmp/[stealth].pid | JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
Processes
- /tmp/JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f (PID 2819)
  command line: /tmp/JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
  signatures: Reads runtime system information; Writes file to tmp directory
  - /usr/bin/cat (PID 2824)
    command line: cat /proc/version
    signatures: Reads runtime system information
  - /usr/bin/cat (PID 2826)
    command line: cat /proc/cpuinfo
    signatures: Checks CPU configuration
  - /usr/bin/uname (PID 2827)
    command line: uname -a
  - /usr/bin/getconf (PID 2829)
    command line: getconf LONG_BIT
  - /tmp/JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f (PID 2830)
    command line: "[stealth]"
    signatures: Reads runtime system information; Writes file to tmp directory
    - /usr/bin/cat (PID 2837)
      command line: cat /proc/version
      signatures: Reads runtime system information
    - /usr/bin/cat (PID 2839)
      command line: cat /proc/cpuinfo
      signatures: Checks CPU configuration
    - /usr/bin/uname (PID 2841)
      command line: uname -a
    - /usr/bin/getconf (PID 2842)
      command line: getconf LONG_BIT
    - /usr/bin/crontab (PID 2843)
      command line: /usr/bin/crontab /tmp/nip9iNeiph5chee
      signatures: Creates/modifies Cron job; System Network Configuration Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4B
  MD5: 0738069b244a1c43c83112b735140a16
  SHA1: 371822d2fa85504960f9581cfaeae6e7059bab61
  SHA256: c6637ffab46701f1f145156dafcd21176a85a95c0f5ab71eecb03d15899efd05
  SHA512: b3c23981c3eecd7f527dfa49958aa6f32a30d88ee1675cf7d7d233cfba2620bfea8ff18ac7d6b337d34e6f5f4b14dda0e5af01937e02bc224dd678e788714242
- Filesize: 80B
  MD5: fb9dae132cb60aa445373d12cd678b19
  SHA1: 40afa063d5401201ee2f3cfada33b724c846ebfc
  SHA256: af2fc048cdb260afeb9ea374c620a39ad1bee29eee7e361d7f648eff3b8c5540
  SHA512: f0dea792eb947b60ad0ed1685bcd3a78914996b2b5d08be4b85ce76c4f1bbb755a24fbe4f111ba0e34acb8dfb859745e34fe9a16c7d985ea3b582dc89d3fe158
- Filesize: 274B
  MD5: 8b1c6d7ab80ffb9e766486cf711667d3
  SHA1: 2245988199c8e749d0f67ac2ac41151d8c72deb4
  SHA256: d9b43781857054defad7e79fa91f74f262cc62efb51982d0b6dec36ead9b5f36
  SHA512: 9d97d0068209c0d41f82b18117e64c167c53248c0b9239a9fb570ac3aab01bb61c9775a95a7c2a124a6382f508acd74ca0dee361133b2a8a708b7aafc1e51b51