90be418508dffa4910e0fd27fd29627260bb3fab2147344c624f99c51fd56404

Analysis

max time kernel
30s
max time network
34s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
27-06-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15c7b600329249a4895395e61a9a88fe_JaffaCakes118
Size

1KB
MD5

15c7b600329249a4895395e61a9a88fe
SHA1

9b0ea0243e1c9b94847c11f7b444122d41740a58
SHA256

90be418508dffa4910e0fd27fd29627260bb3fab2147344c624f99c51fd56404
SHA512

5cec126597949a66c1bb4a7c92a96f0d48b4b4db1557848692179bd09ba065c6a9e1d4d17335cf967489f0d853a03568dbf208af60e17eafc3931ca3ac9fc04d

Score

4^/10

antivm

Malware Config

Signatures

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

cat

description ioc process

File opened for reading /proc/cpuinfo cat

description	ioc	process
File opened for reading	/proc/cpuinfo	cat

Reads CPU attributes 1 TTPs 4 IoCs

System Information Discovery

T1082

Processes:

uptimefreeexim4exim4

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	uptime
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

uptimeexim4dffreesendmail

description	ioc	process
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/sys/kernel/ngroups_max	exim4
File opened for reading	/proc/self/mountinfo	df
File opened for reading	/proc/filesystems	free
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/meminfo	free
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	uptime
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/uptime	uptime

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

15c7b600329249a4895395e61a9a88fe_JaffaCakes118mail

description ioc process

File opened for modification /tmp/info2 15c7b600329249a4895395e61a9a88fe_JaffaCakes118
File opened for modification /tmp/mupIalin mail
File opened for modification /tmp/mupzzMbI mail

description	ioc	process
File opened for modification	/tmp/info2	15c7b600329249a4895395e61a9a88fe_JaffaCakes118
File opened for modification	/tmp/mupIalin	mail
File opened for modification	/tmp/mupzzMbI	mail

/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118
/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:696

/bin/uname
uname -a
2⤵
PID:698

/sbin/ifconfig
/sbin/ifconfig
2⤵
PID:700

/bin/grep
grep inet
2⤵
PID:701

/usr/bin/uptime
uptime
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:707

/bin/cat
cat /proc/cpuinfo
2⤵
- Checks CPU configuration
PID:710

/bin/cat
cat /etc/passwd
2⤵
PID:712

/bin/cat
cat /etc/shadow
2⤵
PID:714

/bin/df
df -h
2⤵
- Reads runtime system information
PID:716

/usr/bin/free
free
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:718

/bin/ping
ping -c 2 216.115.108.245
2⤵
PID:721

/bin/cat
cat /etc/hosts
2⤵
PID:726

/bin/sleep
sleep 5
2⤵
PID:727

/bin/cat
cat info2
2⤵
PID:736

/bin/uname
uname -a
2⤵
PID:738

/usr/bin/mail
mail -s "Linux debian9-mipsbe-20240611-en-2 4.9.0-13-4kc-malta #1 Debian 4.9.228-1 (2020-07-05) mips GNU/Linux" "[email protected]"
2⤵
- Writes file to tmp directory
PID:737

/usr/sbin/sendmail
/usr/sbin/sendmail -oi -f "root@debian9-mipsbe-20240611-en-2" -t
3⤵
- Reads runtime system information
PID:739

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1sMl9w-0000Bv-NJ
4⤵
- Reads CPU attributes
PID:740

/usr/sbin/exim4
/usr/sbin/exim4 -t -oem -oi -f "<>" -E1sMl9w-0000Bv-NJ
5⤵
- Reads runtime system information
PID:742

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1sMlA5-0000By-UI
6⤵
- Reads CPU attributes
PID:781

/bin/sleep
sleep 5
2⤵
PID:741

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/info2
Filesize
4B

MD5
2bb6aed5111ef9726bcf6eef982ff32b

SHA1
4d49d894436449e792b0cdf8522584065b298c90

SHA256
e5e61fed291cefe8bd2c2b895b3001e679931c3d93f3597fb5e27b5bcae8f825

SHA512
5c0aa37c6fa67edf72abdd2f7789538d0a2c12a1fec2dc575ee1df3c1874a4bda33259b3b60127ef4365410d85c742a0fb463f920b99c30863ff3c502494b3bf

Download Submit
/tmp/info2
Filesize
106B

MD5
e797a6d6452f2e9b0bec3fb481474e76

SHA1
8210d76a37aa5214ca436f510647134647a2020e

SHA256
ea81f932b0736b26fa123427b61d4fb505d631553a0e5c0b7281e956b6e1e36e

SHA512
aa8d94576a38eb29b6bf7a70c478cbe5dbb04e972d0d4596afef091b9f4df6133796d1a0ab183ec6902c18572995767653580b52fc5c0d98f78f3e10a1b86713

Download Submit
/tmp/info2
Filesize
110B

MD5
c9d801e5d5f2753a07c1a307045b8cf2

SHA1
29001e54f57a5e264b3760f70c5d6b3c34850e9f

SHA256
f34b16685e23364aaa810d0e190d5992da35c440ab9c1a2770f652ecb8b0831f

SHA512
5643bc1ad8812d520dd89d10080f5d2f7c8cacde58e2e4bccbcde01e75887ea836bc22add7e01e652ef3f5317a736775dce934d3a5a492c035acea2f3073cbd6

Download Submit
/tmp/info2
Filesize
111B

MD5
8ca71b821bac4b134680ec78feefd883

SHA1
3954007726c32e7c4a79a404bbb30000f0cc0ebb

SHA256
334748cfac8c69e731eab0a1b10b531c0f9c5fe9480d59d4d8d71ccbe58fd097

SHA512
29ce141eacc766a7f32dd685e4ab473f8ec230bcc522ae61ed190b4491f291169b23a6403a90b7a728367ffa59f67e0d0bf60e0469d748681cb7496aa37e82d7

Download Submit
/tmp/info2
Filesize
125B

MD5
0e3e21bce64867fc6bec23e24d08f81e

SHA1
fdc6cfb76e7ac6547e437cf0b8b21881a4c4ddbf

SHA256
dbbd961c7bb7342809575a9d52c4f2ec25f40a8fa9812dc3c2438cbac4c65ce8

SHA512
3f9eb23aaaa5614b50478d458bb3a0d5d5334129c33a487496563545bbd5860fa0857e288c612ab766008f368c501c708b1a38bbc0d88522fec95c878bc7311f

Download Submit
/tmp/info2
Filesize
4KB

MD5
14d0b7ed1644a1c2b90e919b47e3e6ce

SHA1
8c044a952a046cc558af0ce3ae8a43bb72b0ce94

SHA256
7915b58d0bf16108faf62a5858f3e978017e15fc7f0b66b2879e2fdcf9f5c99c

SHA512
755364b301a0a8038b43fa973b60bebb18cf8244e23117b54f6da4b78726b39d7ce15020bde8d37a43e7c09e7971b32fc87a69bc22497984dc202a066ad94b70

Download Submit
/var/mail/user
Filesize
5KB

MD5
5471f53b1487964143cead1539c0156a

SHA1
e263808dfc68ccacfadcf4e2bce740e86b861e09

SHA256
64328ba9c42cd8845f54a82f2b8eed2e87a52d1d4c542f871cea58ccce2fd7a6

SHA512
80a9c221fc7df2b4629ac0e2d256cdbf880fd74655826d565362fc779b6332d08fa250a499a0164af0ac3324a991327653b8e157456ca8052858b1ac8a688e62

Download Submit
/var/spool/exim4/input/1sMl9w-0000Bv-NJ-D
Filesize
4KB

MD5
453f20bbeede53fd99eb3ec6208f7f71

SHA1
b8c6aa011f756fec1a0945f46d2c49cac0605cf0

SHA256
f46e288f77b829e278186e6843394db376c2b9625ad1604ccdc96683980b354c

SHA512
d350c4d624582f772ae8320aeef22441082ce477c1c1e70a5ec3268bdb27e2052c6f49ba7566385fbced6f1c426c78e41bb76d0dbdf985f26737a3b234093262

Download Submit
/var/spool/exim4/input/1sMlA5-0000By-UI-D
Filesize
5KB

MD5
20023cb42dbe41f228b4e2cf4007167e

SHA1
6af3ea0cd0c8cbc12a224096649059b69382fee2

SHA256
9c1b9f7501cb6b313d7b546da8642ccbd2ca3e690f88c622d978cfa108d7bb73

SHA512
7bc739217f93bf7b0bd3449f6b4265b18e5a58b65b548c79fe9321a5074f8c282fc85234ec4869f6c48552320b7bea3ab6f3cfcbc8770d3c30a23b611be8640f

Download Submit
/var/spool/exim4/input/1sMlA5-0000By-UI-J
Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.739
Filesize
821B

MD5
3ed04779713171e36899d34c25d062cc

SHA1
fe6ccaea89a75bc9cce7c22524e006c27b5c1fa6

SHA256
2494873187b203be20d9c4ab8af2d6ca64401a84f4957d1373a8bcabfd87af58

SHA512
9ef0dc52c2a21671e4619aa6d3e86d2168d467a5fcc17928c478b0ff2eb7404510f86ac5ffb3085aa37b34716a1b432047c7e1f22cb8c19d0f7cb2d485e1349c

Download Submit
/var/spool/exim4/input/hdr.740
Filesize
842B

MD5
cfb0b0402ff7d8109eb1b64e7b0c7981

SHA1
b66a627119d421436ed532bea9d0c7b623d8e1b0

SHA256
5ce4748fa7565dca1033969124c7d59665194866c9d538b936e09893eba47438

SHA512
c1ed34bb32bce5c164c8586cb34a0cb493d9aad8f7af91b74ea5a47ba5e636c96c6c2206b0b11d3268600054a6d4001bffe5af33d515b203570ea9ec2fc71a85

Download Submit
/var/spool/exim4/input/hdr.742
Filesize
956B

MD5
04c0e4bc633cecf474451473b5d6fd02

SHA1
fc36aa04aa72a6e1e7579e2fdd87a14e829db072

SHA256
e42d5d25a2d6df4bad7220532f6f86143c335d59126081bc819a9757e06d3e45

SHA512
fe0c761d296d961d43dece017042d886ae36d7a305d8f01d1b375444019f49ce1d40d29f1db522d8aff035fe02cea379fffc510e8d013290e0ac7317d99e40a3

Download Submit
/var/spool/exim4/msglog/1sMl9w-0000Bv-NJ
Filesize
90B

MD5
048a07fe652656dd62d266caf0b06708

SHA1
03d19037e01a2ebe61182cc6dabca88b5b2bde5a

SHA256
57570f974e28d43d722700ac288b4457c397f1d325473861ae9c6de9b700dd29

SHA512
942b6838547f1ccfed6d8c89ddb02fe7bfddfef61504ee81534b4cbb0e601a7f326e52a2a451cade02dd025169fddad5bb0c7797ccc93f3253cfc06597488095

Download Submit
/var/spool/exim4/msglog/1sMl9w-0000Bv-NJ
Filesize
183B

MD5
53ca7b4a51ac3e72bbdd33bea20f0cec

SHA1
f7d54fa6d04862b47739c5c499af59dd97a6ae03

SHA256
c4aee2a5fa29c5a1dc7d6659c59f5d891fa485ae28b15c82e5a5c6fdad4c21b2

SHA512
24005a40edaaf919e6d4613f9ad03bc13392ea15c4f5c75ef92512484ca1aec4e021c8c3996f3618fd11c3760f2fbd20939782c8805c888bd2f4e9b3d88d230b

Download Submit
/var/spool/exim4/msglog/1sMlA5-0000By-UI
Filesize
85B

MD5
b221a8c13389abbd0069b1c2d52ff46b

SHA1
2ae7bc305f7b522bfff983631d9618f886e2c05e

SHA256
00eb4c323523445aac3deb567e655d9f5b1af8e5084aecde6d94c384a452c0aa

SHA512
778d7c8cb4dfa3e3087e76e472f79186b05546f0369515ae5c7b591ba52cba2976cd9f595672406423cb3b2d8acfe0c32aacdecfd008d63940d75af70a8de76e

Download Submit
/var/spool/exim4/msglog/1sMlA5-0000By-UI
Filesize
284B

MD5
82c17bdf35cfac7d40462a6dd625d604

SHA1
8823a4e271af438824426321e878b741d65842f7

SHA256
7e958c707c812ce28f022200c129abc94fd881cffe8e2cdd0e9add1256fa21c0

SHA512
f6fa5ab5e9cbf5fccb203f0f9e755bb09a57defb814d11844d9ed1195fbf969d9986a056a3c6c815b47519f0520dd8e969efcfe20d01f9285781c9745e186ea9

Download Submit