Malware Analysis Report

2024-10-16 06:24

Sample ID 240627-m9578ayalg
Target 15c7b600329249a4895395e61a9a88fe_JaffaCakes118
SHA256 90be418508dffa4910e0fd27fd29627260bb3fab2147344c624f99c51fd56404
Tags
antivm
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

90be418508dffa4910e0fd27fd29627260bb3fab2147344c624f99c51fd56404

Threat Level: Likely benign

The file 15c7b600329249a4895395e61a9a88fe_JaffaCakes118 was found to be: Likely benign.

Malicious Activity Summary

antivm

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 11:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 11:10

Reported

2024-06-27 11:13

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

11s

Max time network

131s

Command Line

[/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/self/mountinfo /bin/df N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/info2 /tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118 N/A

Processes

/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118

[/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118]

/bin/uname

[uname -a]

/bin/grep

[grep inet]

/sbin/ifconfig

[/sbin/ifconfig]

/usr/bin/uptime

[uptime]

/bin/cat

[cat /proc/cpuinfo]

/bin/cat

[cat /etc/passwd]

/bin/cat

[cat /etc/shadow]

/bin/df

[df -h]

/usr/bin/free

[free]

/bin/ping

[ping -c 2 216.115.108.245]

/bin/cat

[cat /etc/hosts]

/bin/sleep

[sleep 5]

/bin/cat

[cat info2]

/bin/uname

[uname -a]

/bin/sleep

[sleep 5]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 185.125.188.61:443 N/A tcp
GB 185.125.188.61:443 N/A tcp
US 151.101.65.91:443 N/A tcp
US 151.101.65.91:443 N/A tcp
GB 195.181.164.18:443 N/A tcp

Files

/tmp/info2

MD5 2bb6aed5111ef9726bcf6eef982ff32b
SHA1 4d49d894436449e792b0cdf8522584065b298c90
SHA256 e5e61fed291cefe8bd2c2b895b3001e679931c3d93f3597fb5e27b5bcae8f825
SHA512 5c0aa37c6fa67edf72abdd2f7789538d0a2c12a1fec2dc575ee1df3c1874a4bda33259b3b60127ef4365410d85c742a0fb463f920b99c30863ff3c502494b3bf

/tmp/info2

MD5 335ece3e9dba12747d3e10bb8db453dd
SHA1 03c7fbd3b7ac9aea1fb78136361a948513d89ee8
SHA256 ca61c9a13c329ab2e5b8171436f31ddea0d2283f7a2616e2d50e4656f9c63be4
SHA512 3c9e53b8c10ee9c8b8c727d9ed897b88773d2b201d961b945a0afdfe627bfe04ca258b35f2d409f9e4d93ac117bce3f503c29f36c4a65d0c4d389d181959a32e

/tmp/info2

MD5 b0b11628c9fc34dacdfa7064ad4e04b0
SHA1 e214b69b58448da323912968aad22e9148704847
SHA256 caa61489c7e16b8d6d829b03db34fa7b5d878adc6eaca3bb755fdab2749d3f52
SHA512 def71617c0672e34b8a98d4a6c851d36b839895d5b84d48dc4ee3023aff12072b1bbbc26f822aa2c17c6b935325d5fb7b7f4116cf87e1ac472eb1e73d1cecfcc

/tmp/info2

MD5 29ebed68cace8f8b5105c01253263b8e
SHA1 f1f23c180947993968dd7ace165936e21f598ac4
SHA256 4258bd3c42b7e89fbb33d60c5f2adc4216e87c77643202f7caecde87ac87c9ab
SHA512 39e8b1c4c6f8ac6634f4581bc152aaa2402a9cd99eccfb4430de0d694306390808cacab654e079ec2df779f9b7844a44277fc1039f4a403a98a5ebcdcdd53bac

/tmp/info2

MD5 8cb7586a325ebd65d8e4f23246986562
SHA1 48c5f5806446ecf76120daf4336bdf755f518ac3
SHA256 460c7ebd8b4f7c14b75e05d96307796cfb092fa88a8c0915e7ea115c9846f478
SHA512 a6adb0766e868481f2739010042554be44d90a1a9ea3c97411547579c55588bc3544227a2d73e8a966c0230a205a7c96d99e122ba832904376edc3787714453a

/tmp/info2

MD5 f98849479006f7b7801f2c55e02be569
SHA1 27701cea48f1e0fd27586e0976c8b12f7195f29a
SHA256 e47942d84e33bdd142e170dbf479f017ee801d6c4007737f43eae9030e784782
SHA512 b32b4cf0d6fddf752d80b388572d0e96740525f3ac895321c03d987fda6926940160b7944aeacbe31bf47e9b6915dc3ec9c0ecb94e580e79fdd16c826abdc732

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 11:10

Reported

2024-06-27 11:13

Platform

debian9-armhf-20240611-en

Max time kernel

18s

Max time network

21s

Command Line

[/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/sbin/exim4 N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/sbin/exim4 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/filesystems /usr/bin/free N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/sbin/sendmail N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/sbin/exim4 N/A
File opened for reading /proc/filesystems /usr/bin/uptime N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/self/mountinfo /bin/df N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/muMv7q9y /usr/bin/mail N/A
File opened for modification /tmp/info2 /tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118 N/A
File opened for modification /tmp/mu0nxEma /usr/bin/mail N/A

Processes

/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118

[/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118]

/bin/uname

[uname -a]

/sbin/ifconfig

[/sbin/ifconfig]

/bin/grep

[grep inet]

/usr/bin/uptime

[uptime]

/bin/cat

[cat /proc/cpuinfo]

/bin/cat

[cat /etc/passwd]

/bin/cat

[cat /etc/shadow]

/bin/df

[df -h]

/usr/bin/free

[free]

/bin/ping

[ping -c 2 216.115.108.245]

/bin/cat

[cat /etc/hosts]

/bin/sleep

[sleep 5]

/bin/cat

[cat info2]

/bin/uname

[uname -a]

/usr/bin/mail

[mail -s Linux debian9-armhf-20240611-en-7 4.9.0-13-armmp-lpae #1 SMP Debian 4.9.228-1 (2020-07-05) armv7l GNU/Linux [email protected]]

/usr/sbin/sendmail

[/usr/sbin/sendmail -oi -f root@debian9-armhf-20240611-en-7 -t]

/usr/sbin/exim4

[/usr/sbin/exim4 -Mc 1sMl9o-0000BP-2E]

/bin/sleep

[sleep 5]

/usr/sbin/exim4

[/usr/sbin/exim4 -t -oem -oi -f <> -E1sMl9o-0000BP-2E]

/usr/sbin/exim4

[/usr/sbin/exim4 -Mc 1sMl9r-0000Be-Ow]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-7 udp

Files

/tmp/info2

MD5 2bb6aed5111ef9726bcf6eef982ff32b
SHA1 4d49d894436449e792b0cdf8522584065b298c90
SHA256 e5e61fed291cefe8bd2c2b895b3001e679931c3d93f3597fb5e27b5bcae8f825
SHA512 5c0aa37c6fa67edf72abdd2f7789538d0a2c12a1fec2dc575ee1df3c1874a4bda33259b3b60127ef4365410d85c742a0fb463f920b99c30863ff3c502494b3bf

/tmp/info2

MD5 903670a38483b980318f98b150af5e7e
SHA1 d9b2a72f60d7cd0aa21eab4dc978be181ea241ae
SHA256 93fe87fb401dedd150de8622a5422e07f50d2113d1637da87160399e917fbc96
SHA512 98d0477745e111563325df8254a95a7e1305522e6daf659791ad157eeb4ab949d883f95a12b3c9ef390ad2f746050539d535ad433d82c8dbb29913d56c3c4d3e

/tmp/info2

MD5 88d609b25a8d9c552cb539261483f936
SHA1 ede078695f97bf559efbf3d4c86776c2037315c2
SHA256 03153481a83245ce82a3b3ecf76684446d129ae759fe91d154ebaa6b87ce606d
SHA512 196fc9f706a4a1a3fe7b55525a44ecbb511d7074a0d6a5e310474049e17df6e40e450a8c70de6e16ee196d29f7a84bc9360e5d1dc30cb87c1605e9f127c9c6ab

/tmp/info2

MD5 6bccf5861b3d60ff36a794f0b9c90898
SHA1 65b6ed091dda6e7ec7e3ca3646880d018751e2ca
SHA256 4a31dab07ccaafacfad98c186640e2e4c86af6b96d10818732af23924731437a
SHA512 afcf7b5a76ad39de053e82bd4bbe39bac370641a86593a10f103c2d9237d39697d3e87893c5578eef6ed0d594016fc0eedcb9189b3db2ef89f4c73866dbedf48

/tmp/info2

MD5 e8cf5823d4b3e8f453cfae1dc1e343ed
SHA1 b277cad63e1daec54027bca427be63713742e646
SHA256 8aeb6b0cdaa39af408d33a71784981cf1be5e251b1817af3d5f169798be77d94
SHA512 001d2e7f43322802c9f2bc6ae633a3e8f6703a8247e30ac91c7c2e62ff4c3839befe24d458c885ab81c65f555057733e2bb9e80e17c0a31f99be3d3d03e4dc19

/tmp/info2

MD5 7289e35b3777e55732c7832cd79a196a
SHA1 bd5d2ed181de9ecbfa8863e379743772b8467c23
SHA256 38272b344be7cc003a9535e0bcd4e3fa520997e7363168468e0e598e8f9d149b
SHA512 dbcab41ed6b7ac1277b5e5f153876bb4a406ea829d884ba1ba4c386c6981148ae6a9615e951d885721fdae1fc58ab82c4e46dd0611959ad2a188e5f524c57f51

/var/spool/exim4/input/1sMl9o-0000BP-2E-D

MD5 252e90165600b216897520af4651d365
SHA1 e7c3d7d22a455c6b4be3da584df8c464017349d7
SHA256 bae03c9507e59c15c707124b7317d6f27b932ea2d68e878aec0295069e825138
SHA512 04d0a8dc3c8c0146e2c630499f93d90fa13afba1cb739f4d96b9c116d5f5e9d07ff275317bb6a3aa9af5c7228a99f00481ae757509b9212732dc8419d1405e09

/var/spool/exim4/input/hdr.707

MD5 9c5dee6e7563e37f484ccf907157edda
SHA1 8a681af6a7489a07bac173eb20f130ddfe411807
SHA256 8f26da4161c54fdf411dd0602b4b3da166bd30e62219f8e654034e3ca4ae09ca
SHA512 674d4ca5f963dd95b3fb97f2a076088e6e043c70001b49a99c77fea25bf7a77823a854f2f20d1be5817c8ea3de8d74fcb9c5a91efb6f21afc13ba9508d0bdc3f

/var/spool/exim4/msglog/1sMl9o-0000BP-2E

MD5 8608aa6c39c516a1b3dbe2ce47801e1a
SHA1 fd0b1152dd65f80e190577824d5b9cee7ff2a7d6
SHA256 e9b1052de7904483433f1d3175ebaebc5ae46be8fcf3cb9dea2ce616035e1c59
SHA512 d67b34370cabd108d4cf88fe0afcdfdaeae480693729374228e915a1cd781e3b41d964e76e76a916d993d2560dc3a17b10a0fe9d50fb05418293b03405bee734

/var/spool/exim4/msglog/1sMl9o-0000BP-2E

MD5 b2e0e175bb592a71f906ce85f1b0c777
SHA1 76ac787566330e04cff1f37c24d7ca816790b7ed
SHA256 4cd942bbe021a0d12194269980962e9421099503fe47385123755e9c7356758d
SHA512 5066df3ec71822928c51f750fda681cd8a504e4e329166ae1f171c708bc552df39e1746ed7a01e3e27a4b6dfc952562afe55d2f4cc57d97fac8a1eea608060fc

/var/spool/exim4/input/1sMl9r-0000Be-Ow-D

MD5 44e43453150ae4e9261ebecfd33dc5bf
SHA1 73fff7b9ff889747216ee28d4c46ca6a01df2cce
SHA256 da736bd8e4c48a02bb65e0e5939088f2c27d6b94e89d8b257d2ace187ad63dc8
SHA512 67ca65ab0621c3d6731931c0eec0326897b9661a837c3f5bb797c4a39d346f4942212d02bad93f74e81b79d94f8d09da0565746b647cffee573855358b34028d

/var/spool/exim4/input/hdr.722

MD5 79c9a7ba4c3d1c644772cb3842d75248
SHA1 1ead640a1d571c30b7f6ae076f238f9e8c134405
SHA256 7a8ac66d9cb22a7838421613dbb65e69c43914fe68e1aba6282c6f354db4e4cc
SHA512 a8841db8a238a9c525253f0b9a269c10264278c172d9b5f8bd4a6fc662850c13ece3b555d3996692e94215d4dd8f93b9a647c41052ff3576f8e7017b1d75f567

/var/spool/exim4/msglog/1sMl9r-0000Be-Ow

MD5 0c05b6c2476107483ffeefeef603d247
SHA1 3eb339f9c6bcabfbf969d002d234474001fbe604
SHA256 53b1be03c1c48c27c05a9984b6150eefa970a93e40d0225e3d6a9b6404d7e267
SHA512 7404c2e39887c7b39cc03983f90caa3b8eb7e578d2206d21d170fcd2aa6a0951788bc7ffc5631ed9beb34985861fbdfea63b3e473f73775367dd734fdd87d15d

/var/spool/exim4/input/hdr.713

MD5 6f6a7c6c332a08ab6c982acdf34117f4
SHA1 03e8c95d020a9f6ec81b1838caf656fc7154e26a
SHA256 fbd687a45d5d3d545f24d4651f334327ac33eb4e39e31f149a8c076eb36a735d
SHA512 a0be90e8ec23963268f29ed89ca44a74eedeef440802009111169847f9cb852052b264b2f0a55c396732aee907e1473c0c8e65d5a8e2ef202a84281f7985825e

/var/mail/user

MD5 4275f4ffb87a044f6315d870df0b37a3
SHA1 b71f04a5f73286bba95e04b4a488b2cb5e4118c4
SHA256 a61118165453514b76f7a1f175500d55a7382a0d24d34dac715b198986443f72
SHA512 2f87fc51fc1a504769be18c6269170901f06e82d304723a2edcd5676d7d5d676e98c26168972bdec6fc53b1cd6fe3d52e3152626325a2612550bdb615fe12266

/var/spool/exim4/input/1sMl9r-0000Be-Ow-J

MD5 d7d96d63d643a4ce3e408eba7dfcedc5
SHA1 c53607f95c5c57beafc1d8266646797a035f76ea
SHA256 21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159
SHA512 703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

/var/spool/exim4/msglog/1sMl9r-0000Be-Ow

MD5 349f43aeee342f44d53f7268d8a96269
SHA1 737b1f30b9c7e72f20411996dbfab05ad0c258cf
SHA256 37f4959f2c9ba4116f2949ea3da25e065a7cf7bb76de82ab85249e1f51106925
SHA512 590e87f2871a419cee80fb9f25d4180ef1076d0b41c6f253c4fdbd82df48b1bf87674a8de1edca97037e8be37cb4d6d8541642099a23ae3434ac8c40b2f5a47a

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-27 11:10

Reported

2024-06-27 11:13

Platform

debian9-mipsbe-20240611-en

Max time kernel

30s

Max time network

34s

Command Line

[/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/sbin/exim4 N/A
File opened for reading /sys/devices/system/cpu/online /usr/sbin/exim4 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/sbin/exim4 N/A
File opened for reading /proc/self/mountinfo /bin/df N/A
File opened for reading /proc/filesystems /usr/bin/free N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/sbin/sendmail N/A
File opened for reading /proc/filesystems /usr/bin/uptime N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/info2 /tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118 N/A
File opened for modification /tmp/mupIalin /usr/bin/mail N/A
File opened for modification /tmp/mupzzMbI /usr/bin/mail N/A

Processes

/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118

[/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118]

/bin/uname

[uname -a]

/sbin/ifconfig

[/sbin/ifconfig]

/bin/grep

[grep inet]

/usr/bin/uptime

[uptime]

/bin/cat

[cat /proc/cpuinfo]

/bin/cat

[cat /etc/passwd]

/bin/cat

[cat /etc/shadow]

/bin/df

[df -h]

/usr/bin/free

[free]

/bin/ping

[ping -c 2 216.115.108.245]

/bin/cat

[cat /etc/hosts]

/bin/sleep

[sleep 5]

/bin/cat

[cat info2]

/bin/uname

[uname -a]

/usr/bin/mail

[mail -s Linux debian9-mipsbe-20240611-en-2 4.9.0-13-4kc-malta #1 Debian 4.9.228-1 (2020-07-05) mips GNU/Linux [email protected]]

/usr/sbin/sendmail

[/usr/sbin/sendmail -oi -f root@debian9-mipsbe-20240611-en-2 -t]

/usr/sbin/exim4

[/usr/sbin/exim4 -Mc 1sMl9w-0000Bv-NJ]

/bin/sleep

[sleep 5]

/usr/sbin/exim4

[/usr/sbin/exim4 -t -oem -oi -f <> -E1sMl9w-0000Bv-NJ]

/usr/sbin/exim4

[/usr/sbin/exim4 -Mc 1sMlA5-0000By-UI]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-2 udp

Files

/tmp/info2

MD5 2bb6aed5111ef9726bcf6eef982ff32b
SHA1 4d49d894436449e792b0cdf8522584065b298c90
SHA256 e5e61fed291cefe8bd2c2b895b3001e679931c3d93f3597fb5e27b5bcae8f825
SHA512 5c0aa37c6fa67edf72abdd2f7789538d0a2c12a1fec2dc575ee1df3c1874a4bda33259b3b60127ef4365410d85c742a0fb463f920b99c30863ff3c502494b3bf

/tmp/info2

MD5 e797a6d6452f2e9b0bec3fb481474e76
SHA1 8210d76a37aa5214ca436f510647134647a2020e
SHA256 ea81f932b0736b26fa123427b61d4fb505d631553a0e5c0b7281e956b6e1e36e
SHA512 aa8d94576a38eb29b6bf7a70c478cbe5dbb04e972d0d4596afef091b9f4df6133796d1a0ab183ec6902c18572995767653580b52fc5c0d98f78f3e10a1b86713

/tmp/info2

MD5 c9d801e5d5f2753a07c1a307045b8cf2
SHA1 29001e54f57a5e264b3760f70c5d6b3c34850e9f
SHA256 f34b16685e23364aaa810d0e190d5992da35c440ab9c1a2770f652ecb8b0831f
SHA512 5643bc1ad8812d520dd89d10080f5d2f7c8cacde58e2e4bccbcde01e75887ea836bc22add7e01e652ef3f5317a736775dce934d3a5a492c035acea2f3073cbd6

/tmp/info2

MD5 8ca71b821bac4b134680ec78feefd883
SHA1 3954007726c32e7c4a79a404bbb30000f0cc0ebb
SHA256 334748cfac8c69e731eab0a1b10b531c0f9c5fe9480d59d4d8d71ccbe58fd097
SHA512 29ce141eacc766a7f32dd685e4ab473f8ec230bcc522ae61ed190b4491f291169b23a6403a90b7a728367ffa59f67e0d0bf60e0469d748681cb7496aa37e82d7

/tmp/info2

MD5 0e3e21bce64867fc6bec23e24d08f81e
SHA1 fdc6cfb76e7ac6547e437cf0b8b21881a4c4ddbf
SHA256 dbbd961c7bb7342809575a9d52c4f2ec25f40a8fa9812dc3c2438cbac4c65ce8
SHA512 3f9eb23aaaa5614b50478d458bb3a0d5d5334129c33a487496563545bbd5860fa0857e288c612ab766008f368c501c708b1a38bbc0d88522fec95c878bc7311f

/tmp/info2

MD5 14d0b7ed1644a1c2b90e919b47e3e6ce
SHA1 8c044a952a046cc558af0ce3ae8a43bb72b0ce94
SHA256 7915b58d0bf16108faf62a5858f3e978017e15fc7f0b66b2879e2fdcf9f5c99c
SHA512 755364b301a0a8038b43fa973b60bebb18cf8244e23117b54f6da4b78726b39d7ce15020bde8d37a43e7c09e7971b32fc87a69bc22497984dc202a066ad94b70

/var/spool/exim4/input/1sMl9w-0000Bv-NJ-D

MD5 453f20bbeede53fd99eb3ec6208f7f71
SHA1 b8c6aa011f756fec1a0945f46d2c49cac0605cf0
SHA256 f46e288f77b829e278186e6843394db376c2b9625ad1604ccdc96683980b354c
SHA512 d350c4d624582f772ae8320aeef22441082ce477c1c1e70a5ec3268bdb27e2052c6f49ba7566385fbced6f1c426c78e41bb76d0dbdf985f26737a3b234093262

/var/spool/exim4/input/hdr.739

MD5 3ed04779713171e36899d34c25d062cc
SHA1 fe6ccaea89a75bc9cce7c22524e006c27b5c1fa6
SHA256 2494873187b203be20d9c4ab8af2d6ca64401a84f4957d1373a8bcabfd87af58
SHA512 9ef0dc52c2a21671e4619aa6d3e86d2168d467a5fcc17928c478b0ff2eb7404510f86ac5ffb3085aa37b34716a1b432047c7e1f22cb8c19d0f7cb2d485e1349c

/var/spool/exim4/msglog/1sMl9w-0000Bv-NJ

MD5 048a07fe652656dd62d266caf0b06708
SHA1 03d19037e01a2ebe61182cc6dabca88b5b2bde5a
SHA256 57570f974e28d43d722700ac288b4457c397f1d325473861ae9c6de9b700dd29
SHA512 942b6838547f1ccfed6d8c89ddb02fe7bfddfef61504ee81534b4cbb0e601a7f326e52a2a451cade02dd025169fddad5bb0c7797ccc93f3253cfc06597488095

/var/spool/exim4/msglog/1sMl9w-0000Bv-NJ

MD5 53ca7b4a51ac3e72bbdd33bea20f0cec
SHA1 f7d54fa6d04862b47739c5c499af59dd97a6ae03
SHA256 c4aee2a5fa29c5a1dc7d6659c59f5d891fa485ae28b15c82e5a5c6fdad4c21b2
SHA512 24005a40edaaf919e6d4613f9ad03bc13392ea15c4f5c75ef92512484ca1aec4e021c8c3996f3618fd11c3760f2fbd20939782c8805c888bd2f4e9b3d88d230b

/var/spool/exim4/input/1sMlA5-0000By-UI-D

MD5 20023cb42dbe41f228b4e2cf4007167e
SHA1 6af3ea0cd0c8cbc12a224096649059b69382fee2
SHA256 9c1b9f7501cb6b313d7b546da8642ccbd2ca3e690f88c622d978cfa108d7bb73
SHA512 7bc739217f93bf7b0bd3449f6b4265b18e5a58b65b548c79fe9321a5074f8c282fc85234ec4869f6c48552320b7bea3ab6f3cfcbc8770d3c30a23b611be8640f

/var/spool/exim4/input/hdr.742

MD5 04c0e4bc633cecf474451473b5d6fd02
SHA1 fc36aa04aa72a6e1e7579e2fdd87a14e829db072
SHA256 e42d5d25a2d6df4bad7220532f6f86143c335d59126081bc819a9757e06d3e45
SHA512 fe0c761d296d961d43dece017042d886ae36d7a305d8f01d1b375444019f49ce1d40d29f1db522d8aff035fe02cea379fffc510e8d013290e0ac7317d99e40a3

/var/spool/exim4/msglog/1sMlA5-0000By-UI

MD5 b221a8c13389abbd0069b1c2d52ff46b
SHA1 2ae7bc305f7b522bfff983631d9618f886e2c05e
SHA256 00eb4c323523445aac3deb567e655d9f5b1af8e5084aecde6d94c384a452c0aa
SHA512 778d7c8cb4dfa3e3087e76e472f79186b05546f0369515ae5c7b591ba52cba2976cd9f595672406423cb3b2d8acfe0c32aacdecfd008d63940d75af70a8de76e

/var/spool/exim4/input/hdr.740

MD5 cfb0b0402ff7d8109eb1b64e7b0c7981
SHA1 b66a627119d421436ed532bea9d0c7b623d8e1b0
SHA256 5ce4748fa7565dca1033969124c7d59665194866c9d538b936e09893eba47438
SHA512 c1ed34bb32bce5c164c8586cb34a0cb493d9aad8f7af91b74ea5a47ba5e636c96c6c2206b0b11d3268600054a6d4001bffe5af33d515b203570ea9ec2fc71a85

/var/mail/user

MD5 5471f53b1487964143cead1539c0156a
SHA1 e263808dfc68ccacfadcf4e2bce740e86b861e09
SHA256 64328ba9c42cd8845f54a82f2b8eed2e87a52d1d4c542f871cea58ccce2fd7a6
SHA512 80a9c221fc7df2b4629ac0e2d256cdbf880fd74655826d565362fc779b6332d08fa250a499a0164af0ac3324a991327653b8e157456ca8052858b1ac8a688e62

/var/spool/exim4/input/1sMlA5-0000By-UI-J

MD5 d7d96d63d643a4ce3e408eba7dfcedc5
SHA1 c53607f95c5c57beafc1d8266646797a035f76ea
SHA256 21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159
SHA512 703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

/var/spool/exim4/msglog/1sMlA5-0000By-UI

MD5 82c17bdf35cfac7d40462a6dd625d604
SHA1 8823a4e271af438824426321e878b741d65842f7
SHA256 7e958c707c812ce28f022200c129abc94fd881cffe8e2cdd0e9add1256fa21c0
SHA512 f6fa5ab5e9cbf5fccb203f0f9e755bb09a57defb814d11844d9ed1195fbf969d9986a056a3c6c815b47519f0520dd8e969efcfe20d01f9285781c9745e186ea9

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-27 11:10

Reported

2024-06-27 11:13

Platform

debian9-mipsel-20240418-en

Max time kernel

13s

Max time network

12s

Command Line

[/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/sbin/exim4 N/A
File opened for reading /sys/devices/system/cpu/online /usr/sbin/exim4 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/filesystems /usr/bin/free N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/filesystems /usr/bin/uptime N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/self/mountinfo /bin/df N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/sbin/sendmail N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/sbin/exim4 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/info2 /tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118 N/A
File opened for modification /tmp/muTv8Nkw /usr/bin/mail N/A
File opened for modification /tmp/muS0iO4b /usr/bin/mail N/A

Processes

/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118

[/tmp/15c7b600329249a4895395e61a9a88fe_JaffaCakes118]

/bin/uname

[uname -a]

/sbin/ifconfig

[/sbin/ifconfig]

/bin/grep

[grep inet]

/usr/bin/uptime

[uptime]

/bin/cat

[cat /proc/cpuinfo]

/bin/cat

[cat /etc/passwd]

/bin/cat

[cat /etc/shadow]

/bin/df

[df -h]

/usr/bin/free

[free]

/bin/ping

[ping -c 2 216.115.108.245]

/bin/cat

[cat /etc/hosts]

/bin/sleep

[sleep 5]

/bin/cat

[cat info2]

/bin/uname

[uname -a]

/usr/bin/mail

[mail -s Linux debian9-mipsel-20240418-en-13 4.9.0-13-4kc-malta #1 Debian 4.9.228-1 (2020-07-05) mips GNU/Linux [email protected]]

/usr/sbin/sendmail

[/usr/sbin/sendmail -oi -f root@debian9-mipsel-20240418-en-13 -t]

/usr/sbin/exim4

[/usr/sbin/exim4 -Mc 1sMl9j-0000Ce-0G]

/bin/sleep

[sleep 5]

/usr/sbin/exim4

[/usr/sbin/exim4 -t -oem -oi -f <> -E1sMl9j-0000Ce-0G]

/usr/sbin/exim4

[/usr/sbin/exim4 -Mc 1sMl9k-0000Cn-Id]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp
US 1.1.1.1:53 debian9-mipsel-20240418-en-13 udp

Files

/tmp/info2

MD5 2bb6aed5111ef9726bcf6eef982ff32b
SHA1 4d49d894436449e792b0cdf8522584065b298c90
SHA256 e5e61fed291cefe8bd2c2b895b3001e679931c3d93f3597fb5e27b5bcae8f825
SHA512 5c0aa37c6fa67edf72abdd2f7789538d0a2c12a1fec2dc575ee1df3c1874a4bda33259b3b60127ef4365410d85c742a0fb463f920b99c30863ff3c502494b3bf

/tmp/info2

MD5 d20fbc2555eae6799ca62c8abbcf0917
SHA1 6e0f851601aa4369bddbdedd64ec17a11d30e351
SHA256 409157d1a59e1b7a323634d91913348bade070e938c299eb883c120c0586df4b
SHA512 1f91720a0a1d9be44708941f3547286238a1c0313d4e9e68a9efb329e8bae37e1d45923154d811343b38891c65ec40a79c0eb7df14258b0dea6c5306806d3baf

/tmp/info2

MD5 d161e5c9d09b16c07cd4f33132023bc1
SHA1 5ee1f1c9c07bed5ef9faf9295e47c3d1406146f4
SHA256 65c1998c279949d05a346259388d16b7831d41c430ffe30584d87a1af593a3d5
SHA512 9fad5954017dcfd7c8f5372e9e7ee003fb75bfe2326f5f4cb2e5754f25dcf9e4ba9d9378702d58e1a8a317c5c045f32bae09768c4f39f85672170f9347d93af8

/tmp/info2

MD5 14dbdb43bacce2f3ceebe7d8e4a9b6f1
SHA1 82dde42ae994b21af9b1f5f70d9ef1d48a10f3f4
SHA256 7ddd4a31c23813ebf9992fb487d84c7c00e62e4311aa67425dc2f15de51e2f13
SHA512 616dcf28145980c1de02e2c49bd5ba9ebb57bea976a82b79e8a38f33764c7d0c4a2dcc42333b3d3eceebba0e6c42d2d16a4c442bfd04eb77b5f93fbe6264f352

/tmp/info2

MD5 c0ef4f37430c4e69b9e743954e4f0893
SHA1 a6f58652afb8a0dbe35e3d3cfb132c3cf82dc31a
SHA256 81f5ec6907d884054b46e37b5e2300918eed25cd5eefd0730a073718c030dd5b
SHA512 7e83ef04a7037a0320df68ea7a592e9e074a3a1a7f6bf8f83665d983ad9926981d8c1fab46b4422904afc66ca32a7fbf74933422b75b9180178b6b56f7601a48

/tmp/info2

MD5 15e07d6f143c0d49981b570c45d34a4d
SHA1 2a364272379857932a8a29e8350f974b2e1cb6ae
SHA256 ef0b515e85fd32e30fe97965a081ac5b85505bb46b0e5f7d0c44b7ee911545e5
SHA512 663ce0e9090f758de8601958c2c2a3d412be9d97fa0679a5c49e82a6c14fde028fa3815f1af9d6a4c9e9a81c248f56c00d48ec1f557809fdfd99e3f4daa5616a

/var/spool/exim4/input/1sMl9j-0000Ce-0G-D

MD5 22be44e3c2cdc8f06838b05acfe926a4
SHA1 2e85770ed74a180edb214d609729cbc4811219ad
SHA256 bc7af30d1c36e41f1eed8cb5e904342e668fe967cc2614bb4c984c989fa7568e
SHA512 570acf03fed85a4ce9397e78a16f085d33f680cf5b4ba8aed533d951b028fa74ce0f345abf263568468c276518560505e3d226ea4de4427f0da562a5b5c4e44b

/var/spool/exim4/input/hdr.784

MD5 aea7c90da811efc918935991bb659bbc
SHA1 b44cb50ecb8c03a4170a816a51c78bb7f1e009ff
SHA256 be5aff11865fec7933e5cefbc643b2ec708cbc8ed01df1daec2d51c2d34a0d96
SHA512 6136a82351de093750e8c97f6091d8ab3ab2fb7913ea6fd125d547ea670799e4ff1ec8f74ef593a5083d6e171636c8f1d412307293d324a711e8596267b82572

/var/spool/exim4/msglog/1sMl9j-0000Ce-0G

MD5 0d5b19d1e57bfd8ffaceb20f629657a3
SHA1 34efcdde1a3c62004e13514da29aca9e805b13e8
SHA256 4fb72715ce953c39a7e7dba7cc1d812d8217db60a909e003f767764cea9936de
SHA512 57c282ce3ad821245510686c11b62dc4ab5732a1d0624c0a1221f19793beba63240fe71d379afef54b4fbe2b90907fd736dc809aa2668aaa3579a816285146ff

/var/spool/exim4/msglog/1sMl9j-0000Ce-0G

MD5 e11b3c99ef47d5031867cc013c5334f9
SHA1 845bdc58a1abd4c70a2fe134379d77fa4dd8c8a3
SHA256 cab3138ede41219bc056840fb20b792cc19b4c3bf324270d39e2a7ff9a60b86b
SHA512 9f39f82243b808ee9b7417f9b94daec527419e12904e2590baa29df8fa7980e7433b0ddd8aa7f454690fb9ec05ab99ce2a9a07c1035dde147365b43160af658f

/var/spool/exim4/input/1sMl9k-0000Cn-Id-D

MD5 994e5f70eae8d6ac6dacde9573fc535e
SHA1 2c8b4fcb8805a37d830bb6c23c399fdbb51d8cc3
SHA256 a404395c4114405405f44413f8dcf70d2feb380348a8aa91472f6be791f720c1
SHA512 015dc8b3fc4593dc998ee437eb0b8b143b86ea38a45aafe3a3c195b9880aa61f39bccc7562ed0055a96d5932e614b65c83888844e4c59594cb4cf90d75ea0a23

/var/spool/exim4/input/hdr.793

MD5 9c44580466aefbea963f6ed85434ee2e
SHA1 a097bc187c1bc277093a851643d93ad1037154ee
SHA256 9f6fd40dfcac7c53ea211814990b4a25a9aedf7f151161c64b6f18a39152d29b
SHA512 c8adb6f609ffe5b60da2a16d9a58052f34f32f4d5986dbffff9b4b4828e1a8d8c32da24c0177131dca5b9cc699cfdff504735a3311db4a677a740bbe193eb294

/var/spool/exim4/msglog/1sMl9k-0000Cn-Id

MD5 3af5d89b4110bb0a80399167fc21e59e
SHA1 d015c18cf232a3f365f8866c4af6f935ae0b98c5
SHA256 c4484145e289743d6e090d79374abc2a132a5b9e3cc0601fa48b6b0d7f701813
SHA512 058f68d70629b32702d57d4e134501af9348fbe2ed493c02ebdcf339502d33e64863f1011c15e7d2b0711b8cbd9d23f4894b985651ebdde6ed8b9f65143aa4ee

/var/spool/exim4/input/hdr.790

MD5 a07da5d491e18fdce753af5ce1f843c9
SHA1 d8858ae1c2f7e6bf204ff91978b88d37bf5e10d8
SHA256 02ae76b449bd9bf98acf09ee2cbd66551cf5619a07cf4ab197f4e615538ee724
SHA512 7de37301a10d48a4905559af97c4c74df8ea2f9cfa6fda1209a11515719a338c38e74573c2442d0d477c46d3d30505498d07fb3ac25aa5f7551b9a53cfdf1ba9

/var/mail/user

MD5 3515ebcb849f017e8d1e6186b2c2f7ad
SHA1 0356b4b21b0fcdf79956d965f1ee03847ed21c0c
SHA256 20d2b30159081ced35f9f71da97c25ca1d241ae05aee8e42a4cf575526169239
SHA512 11dd497cbc8a8f0c7362ab86af85756c8a0835f4213d72174492ef7d87e72cf11e08fe8b1609e1166a44d2f6d25a3e9d3bb9cfc0876be106a0b0cfc15c3281a4

/var/spool/exim4/input/1sMl9k-0000Cn-Id-J

MD5 d7d96d63d643a4ce3e408eba7dfcedc5
SHA1 c53607f95c5c57beafc1d8266646797a035f76ea
SHA256 21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159
SHA512 703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

/var/spool/exim4/msglog/1sMl9k-0000Cn-Id

MD5 67f70b48845041e131628e1d8ca7e741
SHA1 2e7e14b6a62a2acb2c9cbc5a06d15a7c0433c54a
SHA256 71aabfb65e6091a7e059b303d4256ec337c88dab1bc7edbb8e1466346cba54b8
SHA512 116ec7f94749689307365fc889c9f71bcb069af65cc4daecf47a09927dc5b578f6aaacf0512cd7e04a08e1686d1d93cc843798a24416c8a231ff9b6ee850e610