Analysis Overview
SHA256
3999afa4fac1040d414538ee7e5f4f4ec1678f28beb4a0445155b55bbd491cc4
Threat Level: Shows suspicious behavior
The file 012f908e1c651d794e47178fa27a540c_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Checks CPU configuration
Reads system network configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 21:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 21:59
Reported
2024-07-29 12:11
Platform
ubuntu2204-amd64-20240729-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/freeBSD | N/A |
| N/A | N/A | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/freeBSD | /tmp/freeBSD | N/A |
| N/A | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a | N/A |
| N/A | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/dev | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/sys/kernel/version | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | N/A |
| File opened for reading | /proc/stat | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A |
| File opened for modification | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a | /usr/bin/cp | N/A |
| File opened for modification | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a | N/A |
| File opened for modification | /tmp/fake.cfg | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | N/A |
| File opened for modification | /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 | /usr/bin/cp | N/A |
Processes
/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118
[/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]
/bin/sh
[sh -c cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/freeBSD]
/usr/bin/cp
[cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/freeBSD]
/bin/sh
[sh -c cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a]
/tmp/freeBSD
[/tmp/freeBSD /tmp/freeBSD 1]
/usr/bin/cp
[cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118 /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a]
/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a
[/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]
/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118
/bin/sh
[sh -c cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]
/usr/bin/cp
[cp /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118a /tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| CN | 118.123.119.24:10991 | | tcp |
| CN | 118.123.119.24:10991 | | tcp |
Files
/tmp/freeBSD
| Hash | Value |
|---|---|
| MD5 | 012f908e1c651d794e47178fa27a540c |
| SHA1 | faf4ee0b07020a0940c822d609d57977fb5707bb |
| SHA256 | 3999afa4fac1040d414538ee7e5f4f4ec1678f28beb4a0445155b55bbd491cc4 |
| SHA512 | 02adeeefd4b3c937f5704bcbe208e99376a7f1f6410314301bf5320f24b72b18fc1e84aca433549281a3f4575a0d213957d66679d1a4d678d9095b97de20ecf2 |
/tmp/012f908e1c651d794e47178fa27a540c_JaffaCakes118
| Hash | Value |
|---|---|
| MD5 | d449ecaae747f7cd27adfe47358b366b |
| SHA1 | 7bc8908a7fa02b525df54b8c8236ae744d56bf60 |
| SHA256 | ef2943942946fbfd4ce4852f4e1ac443e75f6575f71f7a94a853cfb142ec970d |
| SHA512 | 2b6ecf953e59b0c0ff0ab19f9a146707bce82258db26b380ed5775b18b542e4e67dcc1bfb24587619a04ff2dc660f284b1dc43ab84adae54df307dedd58e42d0 |