Malware Analysis Report

2024-10-24 21:20

Sample ID 240727-1v3qfatfrh
Target 012f908e1c651d794e47178fa27a540c_JaffaCakes118
SHA256 3999afa4fac1040d414538ee7e5f4f4ec1678f28beb4a0445155b55bbd491cc4
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3999afa4fac1040d414538ee7e5f4f4ec1678f28beb4a0445155b55bbd491cc4

Threat Level: Shows suspicious behavior

The file 012f908e1c651d794e47178fa27a540c_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-27 21:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 21:59

Reported

2024-07-29 12:11

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/freeBSD N/A
N/A N/A /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/freeBSD /tmp/freeBSD N/A
N/A /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a N/A
N/A /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/dev /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/sys/kernel/version /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 N/A
File opened for reading /proc/stat /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/freeBSD /usr/bin/cp N/A
File opened for modification /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /usr/bin/cp N/A
File opened for modification /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a N/A
File opened for modification /tmp/fake.cfg /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 N/A
File opened for modification /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /usr/bin/cp N/A

Processes

/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118

[/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a]

/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a

[/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]

/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118

/bin/sh

[sh -c cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]

/usr/bin/cp

[cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 118.123.119.24:10991 tcp
CN 118.123.119.24:10991 tcp

Files

/tmp/freeBSD

MD5 012f908e1c651d794e47178fa27a540c
SHA1 faf4ee0b07020a0940c822d609d57977fb5707bb
SHA256 3999afa4fac1040d414538ee7e5f4f4ec1678f28beb4a0445155b55bbd491cc4
SHA512 02adeeefd4b3c937f5704bcbe208e99376a7f1f6410314301bf5320f24b72b18fc1e84aca433549281a3f4575a0d213957d66679d1a4d678d9095b97de20ecf2

/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118

MD5 d449ecaae747f7cd27adfe47358b366b
SHA1 7bc8908a7fa02b525df54b8c8236ae744d56bf60
SHA256 ef2943942946fbfd4ce4852f4e1ac443e75f6575f71f7a94a853cfb142ec970d
SHA512 2b6ecf953e59b0c0ff0ab19f9a146707bce82258db26b380ed5775b18b542e4e67dcc1bfb24587619a04ff2dc660f284b1dc43ab84adae54df307dedd58e42d0