Analysis Overview
SHA256
52fd30edc5188751dc78057b2c612f60228498663ec9b643380005267faaf31d
Threat Level: Shows suspicious behavior
The file a9044b8c7151b73977fb0c528a3c0066_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Creates/modifies Cron job
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 09:41
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 09:41
Reported
2024-06-14 09:44
Platform
debian9-armhf-20240611-en
Max time network
129s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:53 | pool.supportxmr.com | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
| US | 1.1.1.1:53 | debian9-armhf-20240611-en-3 | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 09:41
Reported
2024-06-14 09:41
Platform
debian9-mipsbe-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-14 09:41
Reported
2024-06-14 09:41
Platform
debian9-mipsel-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-14 09:41
Reported
2024-06-14 09:44
Platform
ubuntu2204-amd64-20240522.1-en
Max time network
151s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | | tcp |
| US | 1.1.1.1:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 1.1.1.1:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 8.8.8.8:53 | xmr.winscp.top | udp |
| US | 1.1.1.1:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
| US | 1.1.1.1:53 | | tcp |
| US | 8.8.8.8:53 | | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-14 09:41
Reported
2024-06-14 09:44
Platform
ubuntu2204-amd64-20240611-en
Max time network
143s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | mine.winscp.top | udp |
| US | 8.8.8.8:53 | mine.winscp.top | udp |
| DE | 128.140.34.28:80 | mine.winscp.top | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 09:41
Reported
2024-06-14 09:44
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/.init/.init/init | /tmp/.init/.init/init | N/A |
| N/A | /tmp/.init/init | /tmp/.init/init | N/A |
| N/A | /tmp/.init/.init/init | /tmp/.init/.init/init | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /var/spool/cron/crontabs/tmp.dsEvLR | /usr/bin/crontab | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/cp | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/.init/.init/init | /bin/cp | N/A |
| File opened for modification | /tmp/.init/init | /tmp/.init/go | N/A |
| File opened for modification | /tmp/.init/.init/init | /bin/cp | N/A |
Processes
/tmp/.init/go
[/tmp/.init/go]
/usr/bin/wc
[wc -l]
/bin/grep
[grep bytes of data]
/bin/ping
[ping -c 1 pool.supportxmr.com]
/usr/bin/crontab
[crontab -r]
/bin/rm
[rm -rf /tmp/.lock]
/bin/mkdir
[mkdir -- .init]
/bin/uname
[uname -m]
/bin/cp
[cp -f -- x86_64 .init/init]
/tmp/.init/.init/init
[./.init/init -f -c]
/bin/rm
[rm -rf .init]
/bin/uname
[uname -m]
/bin/chmod
[chmod +x -- init]
/tmp/.init/init
[./init]
/bin/mkdir
[mkdir -- .init]
/bin/cp
[cp -f -- x86_64 .init/init]
/tmp/.init/.init/init
[./.init/init -c -d]
/bin/rm
[rm -rf .init]
/usr/bin/crontab
[crontab -]
/usr/bin/uniq
[uniq -]
/usr/bin/sort
[sort -]
/bin/rm
[rm -rf go]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| US | 1.1.1.1:53 | pool.supportxmr.com | udp |
| US | 1.1.1.1:53 | pool.supportxmr.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | pool-fr.supportxmr.com | udp |
| GB | 195.181.164.20:443 | | tcp |
Files
/tmp/.init/.init/init
| Hash | Value |
|---|---|
| MD5 | d8c31b2512efea3ec0146ff2448a72d2 |
| SHA1 | f54da6771134ab689daf018a640f716457542dad |
| SHA256 | 231b71dc30c8ace458589a1c505d2dcbae5ba6c252a5043f671fee6060f40e25 |
| SHA512 | af757e65dab02f368389d8faeb5028cd096c6028420c116f51d0fc942681710032180f6570035c9c53fce9e546d642b5b8e728e46a3832ffa6e417e0d297e616 |
/tmp/.init/init
| Hash | Value |
|---|---|
| MD5 | e15a4a2bb9362dcb024c5501857eb903 |
| SHA1 | dbd76242b61e175e70dbc4c5774913f282000720 |
| SHA256 | 3e26a58a5f4234e2ebacc12509be06f1f658a0ff91c11e79c4f8f4420d72fcbb |
| SHA512 | 2a003e76c97221260a8217cf97233ebcee1bd149a2dda004f8e645da8d3d161e1fd72aea0473ef3369d2cf238aa09724331d7fb86f23d7ad5aca89f03d01b624 |
/var/spool/cron/crontabs/tmp.dsEvLR
| Hash | Value |
|---|---|
| MD5 | c48cf29e46b8f5d16431a4d10037ac6d |
| SHA1 | 0f6543960759732f8999d241d26b8e563e21305a |
| SHA256 | b01b7379698026433d672a01fd32ef62bb8929ccae58746e4bb7f2ef36a48fc3 |
| SHA512 | ae54840c5e0c9d60787af3239d395534bbf4e66697b08f52eed9308451aa12329f4d339c7c6dc1ea1e8b39698d7298f5dbc78e730599291e094b57115dd681fa |