Malware Analysis Report

2024-10-16 05:45

Sample ID 240715-fbgcwaybrm
Target 4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118
SHA256 9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948
Tags
antivm persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948

Threat Level: Likely malicious

The file 4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

antivm persistence

Adds new SSH keys

Deletes itself

Deletes log files

Enumerates running processes

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-15 04:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 04:41

Reported

2024-07-15 04:44

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

146s

Command Line

[/tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118]

Signatures

Adds new SSH keys

persistence
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

Description Indicator Process Target
File deleted /var/log/tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads CPU attributes

The sandbox logged 30 identical reads of /sys/devices/system/cpu/online, one per invocation of the helper tools spawned by the sample (15 x free -m, 15 x uptime; see the Processes section). They are collapsed here with a count.

Description Indicator Process Target Count
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A 15
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A 15

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/969/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/23/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/99/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/sys/net/core/somaxconn /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/15/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/76/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/793/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/81/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/101/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1108/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1158/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1174/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/1033/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1094/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1374/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1222/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/73/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1103/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1183/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1196/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/26/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1044/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/13/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1084/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/788/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/114/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1557/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/795/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/23/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/411/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/593/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/101/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/221/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/409/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/411/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1307/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1238/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/78/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1219/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/4/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/749/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/205/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/758/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/1161/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/585/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/957/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1345/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/1429/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/413/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/26/cmdline /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/stat /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/nc /tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 N/A

Processes

Process [command line], in launch order:

/tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118 [/tmp/4842d5cc29c97aa611fba5ca07b060a5_JaffaCakes118]
/usr/bin/uname [uname -a]
/usr/bin/cat [cat /proc/cpuinfo]
/usr/bin/cat [cat /etc/issue]
/usr/bin/free [free -m]
/usr/bin/uptime [uptime]
/usr/bin/journalctl [journalctl -S @0 -u sshd]
/usr/bin/cat [cat /var/log/auth*]
/usr/bin/zcat [zcat /var/log/auth*]
/usr/local/sbin/gzip [gzip -cd /var/log/auth*]
/usr/local/bin/gzip [gzip -cd /var/log/auth*]
/usr/sbin/gzip [gzip -cd /var/log/auth*]
/usr/bin/gzip [gzip -cd /var/log/auth*]
/usr/bin/free [free -m]
/usr/bin/uptime [uptime]
(the free -m / uptime pair above is repeated 14 more times, 15 invocations of each in total)

Notes on the process tree:

The first five commands are plain host fingerprinting (kernel, CPU, distribution banner, memory, uptime); cat /proc/cpuinfo is what triggers the "Checks CPU configuration" antivm signature.

journalctl -S @0 -u sshd, cat /var/log/auth* and zcat /var/log/auth* read the host's entire SSH authentication history, rotated logs included. The four gzip entries are not four separate tools: zcat execs gzip -cd, and the paths tried (/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin) are the default PATH order, so this is one PATH lookup recorded at each attempted execve.

The repeated free -m / uptime pairs indicate the sample polls system load and memory in a loop for the remainder of the run.

Network

All outbound TCP connections go to port 22 or 2222, and most destinations are contacted on both ports, which is the pattern of an SSH scanner or brute-forcer rather than a single C2 channel. Three destinations (244.60.192.156, 248.65.22.167, 248.78.206.200) lie in the reserved 240.0.0.0/4 block and are not routable; the Country column reports N/A for them, consistent with target addresses being generated rather than read from a curated list. The single UDP flow to 224.0.0.251:5353 is mDNS multicast from the Ubuntu guest itself, not sample traffic. The Domain column of the original table was empty for every row and is omitted.

Country Destination Proto
N/A 224.0.0.251:5353 udp
CN 111.45.10.183:2222 tcp
SE 62.116.246.9:22 tcp
US 44.245.211.34:22 tcp
SE 193.241.174.44:22 tcp
CA 142.193.13.74:2222 tcp
N/A 244.60.192.156:22 tcp
GB 86.165.130.203:2222 tcp
CN 1.12.94.74:22 tcp
US 50.31.86.182:2222 tcp
NO 20.100.69.112:22 tcp
KR 118.128.35.252:22 tcp
FR 90.80.27.147:22 tcp
US 9.149.61.162:2222 tcp
IR 89.198.197.96:2222 tcp
US 162.240.29.214:2222 tcp
US 67.232.127.6:2222 tcp
N/A 248.65.22.167:2222 tcp
NO 20.100.69.112:2222 tcp
SE 193.241.174.44:2222 tcp
US 48.195.90.160:2222 tcp
AE 20.233.148.84:22 tcp
DE 31.250.122.209:22 tcp
US 132.20.91.106:2222 tcp
FR 77.153.7.217:2222 tcp
US 99.168.50.111:22 tcp
IN 117.240.143.116:22 tcp
N/A 248.65.22.167:22 tcp
US 48.195.90.160:22 tcp
KR 118.128.35.252:2222 tcp
US 100.20.181.14:2222 tcp
AR 186.59.143.48:22 tcp
US 204.253.198.253:2222 tcp
BR 179.221.12.16:2222 tcp
UA 195.140.169.253:22 tcp
AU 110.145.99.54:2222 tcp
US 155.103.195.237:2222 tcp
MA 196.75.104.169:2222 tcp
CN 111.45.10.183:22 tcp
DE 89.52.175.196:22 tcp
US 143.21.175.9:22 tcp
ID 202.93.241.184:22 tcp
N/A 248.78.206.200:2222 tcp
US 99.97.64.15:22 tcp
AR 186.59.143.48:2222 tcp
SG 203.190.181.207:22 tcp
US 44.6.128.249:2222 tcp
UA 195.140.169.253:2222 tcp
SG 203.190.181.207:2222 tcp
CN 171.88.113.176:22 tcp
US 162.240.29.214:22 tcp
US 126.243.79.247:22 tcp
MA 196.75.104.169:22 tcp
MX 189.148.222.45:2222 tcp
TW 111.81.112.236:2222 tcp
FR 89.87.5.95:22 tcp
US 99.97.64.15:2222 tcp
US 50.31.86.182:22 tcp
N/A 248.78.206.200:22 tcp
US 100.20.181.14:22 tcp
US 184.44.220.53:2222 tcp
US 184.44.220.53:22 tcp
US 143.21.175.9:2222 tcp
US 135.82.88.171:22 tcp
JP 183.76.83.221:22 tcp
CN 115.226.16.87:2222 tcp
CA 142.16.130.190:22 tcp
TW 111.81.112.236:22 tcp
US 66.222.80.178:2222 tcp
GB 86.165.130.203:22 tcp
US 66.222.80.178:22 tcp
US 155.103.195.237:22 tcp
US 64.250.125.142:22 tcp
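The following script is an added example, not part of the sandbox report, that summarises a Network table of this shape: it groups destinations by host, reports which hosts were probed on both 22 and 2222, flags destinations in reserved address space, and separates multicast noise from sample traffic. NET_ROWS is a constructed subset of the rows above (Country, Destination, Proto, exactly as printed); the SSH_PORTS set and the heuristics in scanner_indicators are the author's assumptions, not sandbox output.

```python
"""Characterise the outbound flows listed in a sandbox Network table.
Added example; NET_ROWS is a verbatim subset of the table in this report."""
import ipaddress
from collections import defaultdict

# Constructed subset of the report's Network table: "Country ip:port proto".
NET_ROWS = """\
N/A 224.0.0.251:5353 udp
CN 111.45.10.183:2222 tcp
SE 62.116.246.9:22 tcp
N/A 244.60.192.156:22 tcp
NO 20.100.69.112:22 tcp
NO 20.100.69.112:2222 tcp
N/A 248.65.22.167:2222 tcp
N/A 248.65.22.167:22 tcp
CN 111.45.10.183:22 tcp
US 64.250.125.142:22 tcp
"""

SSH_PORTS = {22, 2222}  # assumption: the ports an SSH scanner would sweep


def parse_rows(text):
    """Yield (country, ip, port, proto) tuples from the flattened table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip headers / blank lines
        country, dest, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append((country, ipaddress.ip_address(ip), int(port), proto))
    return rows


def summarize(text):
    """Group SSH-port TCP flows per host; note reserved and multicast targets."""
    ports_by_host = defaultdict(set)
    multicast = []
    for _country, ip, port, proto in parse_rows(text):
        if ip.is_multicast:
            multicast.append(f"{ip}:{port}/{proto}")  # e.g. mDNS from the guest
            continue
        if proto == "tcp" and port in SSH_PORTS:
            ports_by_host[ip].add(port)
    # 240.0.0.0/4 is reserved: a scanner drawing random 32-bit targets hits it.
    reserved = sorted(str(ip) for ip in ports_by_host if ip.is_reserved)
    both = sorted(str(ip) for ip, ps in ports_by_host.items() if ps == SSH_PORTS)
    return {
        "ssh_hosts": len(ports_by_host),
        "probed_on_both_ports": both,
        "reserved_destinations": reserved,
        "multicast_noise": multicast,
    }


def scanner_indicators(summary, min_hosts=5):
    """Assumed triage heuristics; returns the reasons that fired."""
    reasons = []
    if summary["ssh_hosts"] >= min_hosts:
        reasons.append(f"{summary['ssh_hosts']} distinct hosts on SSH ports")
    if summary["probed_on_both_ports"]:
        reasons.append("same hosts probed on 22 and 2222")
    if summary["reserved_destinations"]:
        reasons.append("unroutable (reserved) targets => generated addresses")
    return reasons


if __name__ == "__main__":
    s = summarize(NET_ROWS)
    print(s)
    print(scanner_indicators(s))
```

Run against the full table the same functions give the host count and the reserved-range hits for the whole detonation; the subset here is only small enough to check by hand.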

Files

/tmp/nc (a byte-identical copy of the submitted sample: the hashes below match the Sample SHA256 in the report header, so the "Writes file to tmp directory" signature is the sample copying itself under a benign-looking name)

MD5 4842d5cc29c97aa611fba5ca07b060a5
SHA1 f93772038406f28fa4ca1cfb23349193562414b2
SHA256 9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948
SHA512 cf1cb3f0291f3e0c3b47ff3ee9074b624e2d9781f9637d14ede0628ebb4b8b0fe13e16583f6a933a3e20872ec084dc812237f021757efe2a6d527a0a1723b5c8
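The two durable host artefacts in this report are the modified /root/.ssh/authorized_keys (the "Adds new SSH keys" signature) and the self-copy at /tmp/nc. The script below is an added example, not part of the sandbox report, of how an incident responder would check a host for both: it parses authorized_keys (including lines with an options prefix) against an approved baseline, and walks a directory for files whose SHA256 is in an IOC set. The filesystem image, key blobs and dropped-file bytes in demo() are constructed; only SAMPLE_SHA256 is taken from the report.

```python
"""Host triage for the indicators in this report: an unexpected entry in
/root/.ssh/authorized_keys and a self-copy of the sample at /tmp/nc.
Added example; paths, keys and file contents in demo() are constructed."""
import hashlib
import os
import tempfile

# SHA256 of the submitted sample (from the report); /tmp/nc carried the same hash.
SAMPLE_SHA256 = "9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948"

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


def parse_authorized_keys(text):
    """Return (keytype, base64_blob) per key line, ignoring comments and any
    options prefix such as 'command="..." ssh-ed25519 AAAA...'."""
    keys = []
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):  # a type must be followed by a blob
            if tok.startswith(KEY_TYPES):
                keys.append((tok, fields[i + 1]))
                break
    return keys


def unknown_keys(authorized_keys_path, approved_blobs):
    """Keys present on the host whose blob is not in the approved baseline."""
    if not os.path.exists(authorized_keys_path):
        return []
    with open(authorized_keys_path, encoding="utf-8", errors="replace") as f:
        return [k for k in parse_authorized_keys(f.read()) if k[1] not in approved_blobs]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def files_matching(root, wanted_hashes):
    """Walk root and return regular files whose SHA256 is in wanted_hashes."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                try:
                    if sha256_file(p) in wanted_hashes:
                        hits.append(p)
                except OSError:
                    pass  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


def demo():
    """Build a constructed filesystem image and run both checks against it."""
    approved = {"AAAAC3NzaC1lZDI1NTE5AAAAIApprovedAdminKeyConstructed"}  # constructed blob
    injected = "AAAAC3NzaC1lZDI1NTE5AAAAIInjectedKeyConstructed"          # constructed blob
    dropped = b"\x7fELF constructed stand-in for the dropped /tmp/nc"     # constructed bytes
    with tempfile.TemporaryDirectory() as img:
        ssh_dir = os.path.join(img, "root", ".ssh")
        os.makedirs(ssh_dir)
        with open(os.path.join(ssh_dir, "authorized_keys"), "w") as f:
            f.write("# admin\nssh-ed25519 %s admin@host\n" % next(iter(approved)))
            f.write("no-pty ssh-ed25519 %s\n" % injected)  # attacker-style line with options
        os.makedirs(os.path.join(img, "tmp"))
        with open(os.path.join(img, "tmp", "nc"), "wb") as f:
            f.write(dropped)
        # On a real host the IOC set is {SAMPLE_SHA256}; the stand-in's hash is added
        # only so the constructed image produces a hit.
        iocs = {SAMPLE_SHA256, hashlib.sha256(dropped).hexdigest()}
        unknown = unknown_keys(os.path.join(ssh_dir, "authorized_keys"), approved)
        hits = files_matching(os.path.join(img, "tmp"), iocs)
        return unknown, [os.path.basename(p) for p in hits]


if __name__ == "__main__":
    print(demo())
```

On a live host point unknown_keys at every authorized_keys file that sshd honours (root and each login user) and files_matching at /tmp and other world-writable paths; the baseline of approved blobs should come from configuration management, not from the host being examined.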