Malware Analysis Report

2024-10-16 06:19

Sample ID 240713-dcyx7ssemk
Target 3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118
SHA256 6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c
Tags antivm, persistence
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c

Threat Level: Likely malicious

The file 3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags antivm, persistence

Adds new SSH keys

Deletes itself

Deletes log files

Enumerates running processes

Checks CPU configuration

Reads CPU attributes

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-13 02:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-13 02:52
Reported 2024-07-13 02:55
Platform ubuntu2204-amd64-20240611-en
Max time kernel 149s
Max time network 149s

Command Line

[/tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118]

Signatures

Adds new SSH keys

persistence
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

Description Indicator Process Target
File deleted /var/log/tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A (15 occurrences)
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A (15 occurrences)

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/85/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/416/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1054/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1184/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/201/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/81/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/114/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/747/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/675/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/498/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/15/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/1507/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/journalctl N/A
File opened for reading /proc/610/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/409/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1164/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/634/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/963/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/1487/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/2/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/263/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/114/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1386/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/716/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/1107/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1248/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/315/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/746/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/641/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/91/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/522/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/88/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/92/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/12/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/522/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1434/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/199/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/203/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/27/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/1525/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/110/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1575/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/499/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/588/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/205/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1276/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/499/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/193/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/1280/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/3/stat /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A
File opened for reading /proc/113/cmdline /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/nc /tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 N/A

Processes

/tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118 [/tmp/3fe7b88a9ba6c5acee4faae760642b78_JaffaCakes118]
/usr/bin/uname [uname -a]
/usr/bin/cat [cat /proc/cpuinfo]
/usr/bin/cat [cat /etc/issue]
/usr/bin/free [free -m]
/usr/bin/uptime [uptime]
/usr/bin/journalctl [journalctl -S @0 -u sshd]
/usr/bin/cat [cat /var/log/auth*]
/usr/bin/zcat [zcat /var/log/auth*]
/usr/local/sbin/gzip [gzip -cd /var/log/auth*]
/usr/local/bin/gzip [gzip -cd /var/log/auth*]
/usr/sbin/gzip [gzip -cd /var/log/auth*]
/usr/bin/gzip [gzip -cd /var/log/auth*]
/usr/bin/free [free -m] followed by /usr/bin/uptime [uptime], this pair repeated 14 further times (15 invocations of each in total)

Network


Files

/tmp/nc

MD5 3fe7b88a9ba6c5acee4faae760642b78
SHA1 bae245bc98c516604838c6ce5a233f066de44a50
SHA256 6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c
SHA512 02abc8d4fe280306a9ac6a25d28cf174a8d51a43d98b6837bc129701d8c0ab486eebaeef11062b58c455627d4de7c8782b3828aa02891fe439ca1ca617038f95