Malware Analysis Report

2024-10-10 11:09

Sample ID: 240614-ln7y9avekh
Target: a9044b8c7151b73977fb0c528a3c0066_JaffaCakes118
SHA256: 52fd30edc5188751dc78057b2c612f60228498663ec9b643380005267faaf31d
Tags: upx, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis Overview

Score: 7/10

SHA256: 52fd30edc5188751dc78057b2c612f60228498663ec9b643380005267faaf31d

Threat Level: Shows suspicious behavior

The sandbox verdict for a9044b8c7151b73977fb0c528a3c0066_JaffaCakes118 is "Shows suspicious behavior".

Malicious Activity Summary

Tags: upx, persistence

UPX packed file
Executes dropped EXE
Creates/modifies Cron job
Reads runtime system information
Writes file to tmp directory

Analyst note: only the ubuntu1804-amd64 detonation (behavioral1) recorded processes and files. There the sample runs as a shell dropper, /tmp/.init/go, that pings pool.supportxmr.com, stages an x86_64 payload under /tmp/.init, executes it and replaces the user's crontab before deleting itself. The armhf run (behavioral2) resolved pool.supportxmr.com but logged no processes, the two mips runs logged nothing, and the two ubuntu2204 runs resolved xmr.winscp.top and mine.winscp.top (with one connection to 128.140.34.28:80) without any process or file records. No cryptomining signature fired, but supportxmr.com is a public Monero (XMR) mining pool and the xmr./mine. hostnames follow the same naming pattern, so the payload should be treated as a probable XMR miner until the dropped init binaries are analysed. Only an x86_64 copy is seen being staged, so whether the bundle carries payloads for other architectures cannot be determined from this report.

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-14 09:41

Signatures

UPX packed file (upx)

No indicator details recorded for this signature (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 09:41

Reported

2024-06-14 09:44

Platform

debian9-armhf-20240611-en

Max time network

129s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto Count
US 1.1.1.1:53 pool.supportxmr.com udp 1
US 1.1.1.1:53 debian9-armhf-20240611-en-3 udp 12

The twelve debian9-armhf-20240611-en-3 lookups match the guest's own platform name and are almost certainly the sandbox VM resolving its hostname, not sample activity. The one sample-attributable event in this run is the pool.supportxmr.com lookup (the ping target seen in the behavioral1 process list); no follow-on connection was recorded.

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 09:41

Reported

2024-06-14 09:41

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 09:41

Reported

2024-06-14 09:41

Platform

debian9-mipsel-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 09:41

Reported

2024-06-14 09:44

Platform

ubuntu2204-amd64-20240522.1-en

Max time network

151s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto Count
N/A 224.0.0.251:5353 (mDNS, no name) udp 1
US 8.8.8.8:53 xmr.winscp.top udp 12
US 1.1.1.1:53 xmr.winscp.top udp 12
US 8.8.8.8:53 (no name recorded) tcp 5
US 1.1.1.1:53 (no name recorded) tcp 4

The xmr.winscp.top query is repeated against both resolvers throughout the run and no connection to a resolved address is logged, which suggests the name was not resolving at the time (an inference; the report does not record DNS answers). The TCP sessions to port 53 carry no recorded name and are most plausibly DNS-over-TCP retries of the same query.

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 09:41

Reported

2024-06-14 09:44

Platform

ubuntu2204-amd64-20240611-en

Max time network

143s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 mine.winscp.top udp
US 8.8.8.8:53 mine.winscp.top udp
DE 128.140.34.28:80 mine.winscp.top tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 09:41

Reported

2024-06-14 09:44

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

128s

Command Line

[/tmp/.init/go]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/.init/.init/init /tmp/.init/.init/init N/A
N/A /tmp/.init/init /tmp/.init/init N/A
N/A /tmp/.init/.init/init /tmp/.init/.init/init N/A

UPX packed file (upx)

No indicator details recorded for this signature (Description, Indicator, Process and Target are all N/A).

Creates/modifies Cron job

persistence
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.dsEvLR /usr/bin/crontab N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/mkdir N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.init/.init/init /bin/cp N/A
File opened for modification /tmp/.init/init /tmp/.init/go N/A
File opened for modification /tmp/.init/.init/init /bin/cp N/A

Processes

Recorded start order; each line is the executable followed by its argument vector.

/tmp/.init/go              [/tmp/.init/go]
/usr/bin/wc                [wc -l]
/bin/grep                  [grep bytes of data]
/bin/ping                  [ping -c 1 pool.supportxmr.com]
/usr/bin/crontab           [crontab -r]
/bin/rm                    [rm -rf /tmp/.lock]
/bin/mkdir                 [mkdir -- .init]
/bin/uname                 [uname -m]
/bin/cp                    [cp -f -- x86_64 .init/init]
/tmp/.init/.init/init      [./.init/init -f -c]
/bin/rm                    [rm -rf .init]
/bin/uname                 [uname -m]
/bin/chmod                 [chmod +x -- init]
/tmp/.init/init            [./init]
/bin/mkdir                 [mkdir -- .init]
/bin/cp                    [cp -f -- x86_64 .init/init]
/tmp/.init/.init/init      [./.init/init -c -d]
/bin/rm                    [rm -rf .init]
/usr/bin/crontab           [crontab -]
/usr/bin/uniq              [uniq -]
/usr/bin/sort              [sort -]
/bin/rm                    [rm -rf go]

Read top to bottom this is a shell dropper. go pings pool.supportxmr.com once and, through grep "bytes of data" | wc -l, apparently counts the PING header line as a reachability test; it wipes the existing crontab (crontab -r), removes /tmp/.lock, selects a payload by uname -m and copies the x86_64 build to .init/init, runs it (first with -f -c, later with -c -d) through an intermediate ./init stage, installs a new crontab from stdin (crontab -, fed through sort | uniq), and finally deletes itself (rm -rf go). The relative paths in the argument vectors (./init, .init/init, go) imply a working directory of /tmp/.init. The contents of the installed crontab are not shown in this report; only its spool file hash is listed under Files.
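The chain above is recognisable from process-execution events alone. The following is an added example (not sandbox output) that encodes the dropper pattern as detection rules and runs them over event records constructed from the behavioral1 process list. The event schema (exe, argv, cwd) is an assumption: the report shows exe and argv only, so cwd is set to /tmp/.init, which is what the relative paths in argv imply.

```python
"""Behavioural detection over process-execution events, modelled on the
behavioral1 process list. Added example, not sandbox output. The event
schema (exe, argv, cwd) is assumed; cwd is set to /tmp/.init for every event
because the report shows relative paths (./init, .init/init, go) from there."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    exe: str         # path of the executed binary
    argv: List[str]  # argument vector as recorded
    cwd: str         # working directory (assumed, see module docstring)


CWD = "/tmp/.init"
# Constructed from the Processes section, in recorded order.
EVENTS: List[ProcEvent] = [ProcEvent(exe, argv, CWD) for exe, argv in [
    ("/tmp/.init/go", ["/tmp/.init/go"]),
    ("/usr/bin/wc", ["wc", "-l"]),
    ("/bin/grep", ["grep", "bytes of data"]),
    ("/bin/ping", ["ping", "-c", "1", "pool.supportxmr.com"]),
    ("/usr/bin/crontab", ["crontab", "-r"]),
    ("/bin/rm", ["rm", "-rf", "/tmp/.lock"]),
    ("/bin/mkdir", ["mkdir", "--", ".init"]),
    ("/bin/uname", ["uname", "-m"]),
    ("/bin/cp", ["cp", "-f", "--", "x86_64", ".init/init"]),
    ("/tmp/.init/.init/init", ["./.init/init", "-f", "-c"]),
    ("/bin/rm", ["rm", "-rf", ".init"]),
    ("/bin/uname", ["uname", "-m"]),
    ("/bin/chmod", ["chmod", "+x", "--", "init"]),
    ("/tmp/.init/init", ["./init"]),
    ("/bin/mkdir", ["mkdir", "--", ".init"]),
    ("/bin/cp", ["cp", "-f", "--", "x86_64", ".init/init"]),
    ("/tmp/.init/.init/init", ["./.init/init", "-c", "-d"]),
    ("/bin/rm", ["rm", "-rf", ".init"]),
    ("/usr/bin/crontab", ["crontab", "-"]),
    ("/usr/bin/uniq", ["uniq", "-"]),
    ("/usr/bin/sort", ["sort", "-"]),
    ("/bin/rm", ["rm", "-rf", "go"]),
]]

HIDDEN_TMP_RE = re.compile(r"^/(tmp|var/tmp|dev/shm)/\.")  # hidden dir under a world-writable temp path
ARCH_NAMES = {"x86_64", "i686", "i386", "aarch64", "arm", "armv7l", "mips", "mipsel", "mips64"}
NET_PROBES = {"ping", "curl", "wget", "nc", "ncat"}
# supportxmr.com is a public Monero pool; xmr./mine. is the naming pattern seen in the other runs.
POOL_TOKENS = ("supportxmr", "xmr", "monero", "mine.")


def resolve(cwd: str, path: str) -> str:
    """Absolute, normalised path for an argv entry relative to the process cwd."""
    return os.path.normpath(path if path.startswith("/") else os.path.join(cwd, path))


def detect(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Map rule name -> indices of the events that triggered it."""
    hits: Dict[str, List[int]] = {}
    known_exes = {e.exe for e in events}
    crontab_cleared = uname_seen = False
    for i, ev in enumerate(events):
        name, args = os.path.basename(ev.exe), ev.argv[1:]
        operands = [a for a in args if not a.startswith("-")]
        if HIDDEN_TMP_RE.match(ev.exe):
            hits.setdefault("exec_from_hidden_tmp_dir", []).append(i)
        if name in NET_PROBES and any(t in a.lower() for a in args for t in POOL_TOKENS):
            hits.setdefault("probe_mining_pool_host", []).append(i)
        if name == "crontab":
            if "-r" in args:
                crontab_cleared = True  # existing crontab wiped
            elif "-" in args and crontab_cleared:
                hits.setdefault("crontab_cleared_then_replaced_from_stdin", []).append(i)
        if name == "uname" and "-m" in args:
            uname_seen = True
        if name == "cp" and uname_seen and operands and os.path.basename(operands[0]) in ARCH_NAMES:
            hits.setdefault("arch_specific_payload_staged", []).append(i)
        if name == "rm" and any(resolve(ev.cwd, a) in known_exes for a in operands):
            hits.setdefault("self_delete_of_executed_file", []).append(i)
    return hits


def verdict(hits: Dict[str, List[int]]) -> str:
    """Three or more distinct rules in one process tree is treated as a dropper-with-persistence pattern."""
    return "dropper_with_persistence" if len(hits) >= 3 else "inconclusive"


if __name__ == "__main__":
    result = detect(EVENTS)
    for rule, idx in result.items():
        print(f"{rule:45s} events {idx}")
    print(verdict(result))
```

Each rule is weak on its own (package post-install scripts call uname -m, admins do run crontab -), which is why the verdict requires several of them in the same tree; on the constructed events all five fire, with the crontab rule only triggering because the -r came first.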

Network

Country Destination Domain Proto Count
GB 185.125.188.61:443 (no name recorded) tcp 2
US 151.101.1.91:443 (no name recorded) tcp 2
US 1.1.1.1:53 pool.supportxmr.com udp 2
N/A 224.0.0.251:5353 (mDNS, no name) udp 1
US 1.1.1.1:53 pool-fr.supportxmr.com udp 1
GB 195.181.164.20:443 (no name recorded) tcp 1

Only the supportxmr.com lookups are tied to a sample process (the ping in the process list); pool-fr.supportxmr.com is presumably a CNAME or regional target returned for it (assumption). The :443 connections have no recorded name and the table carries no owning process, so they cannot be attributed to the sample from this report alone; treat them as possible OS background traffic until the packet capture is checked.

Files

/tmp/.init/.init/init

MD5 d8c31b2512efea3ec0146ff2448a72d2
SHA1 f54da6771134ab689daf018a640f716457542dad
SHA256 231b71dc30c8ace458589a1c505d2dcbae5ba6c252a5043f671fee6060f40e25
SHA512 af757e65dab02f368389d8faeb5028cd096c6028420c116f51d0fc942681710032180f6570035c9c53fce9e546d642b5b8e728e46a3832ffa6e417e0d297e616

/tmp/.init/init

MD5 e15a4a2bb9362dcb024c5501857eb903
SHA1 dbd76242b61e175e70dbc4c5774913f282000720
SHA256 3e26a58a5f4234e2ebacc12509be06f1f658a0ff91c11e79c4f8f4420d72fcbb
SHA512 2a003e76c97221260a8217cf97233ebcee1bd149a2dda004f8e645da8d3d161e1fd72aea0473ef3369d2cf238aa09724331d7fb86f23d7ad5aca89f03d01b624

/var/spool/cron/crontabs/tmp.dsEvLR

MD5 c48cf29e46b8f5d16431a4d10037ac6d
SHA1 0f6543960759732f8999d241d26b8e563e21305a
SHA256 b01b7379698026433d672a01fd32ef62bb8929ccae58746e4bb7f2ef36a48fc3
SHA512 ae54840c5e0c9d60787af3239d395534bbf4e66697b08f52eed9308451aa12329f4d339c7c6dc1ea1e8b39698d7298f5dbc78e730599291e094b57115dd681fa
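The file hashes above and the crontab spool entry are the host-level indicators a responder would sweep for. The following is an added example (not sandbox output) that hashes files under a root against the SHA256 values from this section and flags crontab entries whose command runs from /tmp, /var/tmp, /dev/shm or a hidden directory. The demo tree, its crontab lines and the stand-in payload are constructed for the example; the real contents of tmp.dsEvLR are not in the report, so the cron line used here is a guess at the shape, not the sample's actual entry.

```python
"""Offline host-triage helper for the indicators in this report. Added
example, not sandbox output. The demo tree and its crontab lines are
constructed here, not recovered from the sample."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA256 values copied from the Files section of behavioral1.
IOC_SHA256: Dict[str, str] = {
    "231b71dc30c8ace458589a1c505d2dcbae5ba6c252a5043f671fee6060f40e25": "/tmp/.init/.init/init",
    "3e26a58a5f4234e2ebacc12509be06f1f658a0ff91c11e79c4f8f4420d72fcbb": "/tmp/.init/init",
    "b01b7379698026433d672a01fd32ef62bb8929ccae58746e4bb7f2ef36a48fc3": "/var/spool/cron/crontabs/tmp.dsEvLR",
}

# Commands launched from world-writable temp locations or a hidden directory
# ("/.name/") are rare in legitimate crontabs; tune this for your fleet.
SUSPICIOUS_CMD_RE = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|(^|/)\.[A-Za-z0-9_]+/)")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_hashes(root: Path, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(path, sha256, ioc_label) for every regular file under root whose hash is in iocs."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            digest = sha256_of(p)
            if digest in iocs:
                hits.append((str(p), digest, iocs[digest]))
    return hits


def cron_command(line: str) -> str:
    """Command part of a crontab line; '' for comments, blanks and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return ""
    # "@reboot cmd" has one schedule field, "m h dom mon dow cmd" has five.
    fields = s.split(None, 1) if s.startswith("@") else s.split(None, 5)
    return fields[-1] if len(fields) == (2 if s.startswith("@") else 6) else ""


def scan_crontabs(spool_dir: Path) -> List[Tuple[str, int, str]]:
    """(file, line_number, line) for crontab entries whose command looks suspicious."""
    hits = []
    for f in sorted(spool_dir.glob("*")):
        if not f.is_file():
            continue
        for n, line in enumerate(f.read_text(errors="replace").splitlines(), start=1):
            if SUSPICIOUS_CMD_RE.search(cron_command(line)):
                hits.append((f.name, n, line.strip()))
    return hits


def triage(root: Path, spool_dir: Path, iocs: Dict[str, str]) -> Dict[str, list]:
    return {"hash_hits": scan_hashes(root, iocs), "cron_hits": scan_crontabs(spool_dir)}


# Constructed crontab: one benign job plus two in the shape this dropper family uses.
CONSTRUCTED_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
* * * * * /tmp/.init/init -c -d
@reboot /home/svc/.cache/.x/run >/dev/null 2>&1
"""


def demo() -> Dict[str, list]:
    """Build a throwaway tree that mimics the report's paths and triage it."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    spool = root / "var/spool/cron/crontabs"
    spool.mkdir(parents=True)
    (spool / "root").write_text(CONSTRUCTED_CRONTAB)
    dropped = root / "tmp/.init/init"
    dropped.parent.mkdir(parents=True)
    dropped.write_bytes(b"\x7fELF constructed stand-in, not the real dropped binary\n")
    # The real dropped binary is not available offline, so the stand-in's own hash is
    # registered as an extra IOC next to the report's values to exercise the matching path.
    iocs = dict(IOC_SHA256, **{sha256_of(dropped): "constructed stand-in for /tmp/.init/init"})
    return triage(root, spool, iocs)


if __name__ == "__main__":
    for kind, rows in demo().items():
        print(kind, *rows, sep="\n  ")
```

On a live host, point triage() at / and /var/spool/cron/crontabs (or /var/spool/cron on RHEL-style systems) and also check /etc/cron.d and the per-user crontab of whichever account ran the sample; the crontab -r / crontab - pair in the process list means the replaced crontab belongs to that user, not necessarily root.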