Malware Analysis Report

2024-10-24 21:20

Sample ID 240727-ep1s1azand
Target 76fe4fdd628218f630ba50f91ceba852_JaffaCakes118
SHA256 041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742
Tags antivm, persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10
SHA256 041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742

Threat Level: Likely malicious

The file 76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags antivm, persistence

Adds new SSH keys

Deletes itself

Deletes log files

Enumerates running processes

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-27 04:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-27 04:07
Reported 2024-07-29 11:26
Platform ubuntu1804-amd64-20240729-en
Max time kernel 149s
Max time network 140s

Command Line

[/tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118]

Signatures

Adds new SSH keys

Tag persistence

Description | Indicator | Process | Target
File opened for modification | /root/.ssh/authorized_keys | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes log files

Description | Indicator | Process | Target
File deleted | /var/log/tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A

Enumerates running processes

Checks CPU configuration

Tag antivm

Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /bin/cat | N/A

Reads CPU attributes

Description | Indicator | Process | Target
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/554/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/1069/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/cmdline | /bin/journalctl | N/A
File opened for reading | /proc/159/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/6/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/21/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/488/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/23/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/174/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/137/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/self/stat | /bin/journalctl | N/A
File opened for reading | /proc/537/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/meminfo | /usr/bin/free | N/A
File opened for reading | /proc/167/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/17/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/1327/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/84/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/1052/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/meminfo | /usr/bin/free | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/uptime | N/A
File opened for reading | /proc/17/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/960/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/538/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/1069/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/4/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/uptime | /usr/bin/uptime | N/A
File opened for reading | /proc/1112/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/83/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/21/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/482/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/loadavg | /usr/bin/uptime | N/A
File opened for reading | /proc/1130/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/20/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/969/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/171/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/uptime | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/free | N/A
File opened for reading | /proc/1175/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/137/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/7/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/418/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/451/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/uptime | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/uptime | N/A
File opened for reading | /proc/169/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/sys/kernel/osrelease | /bin/journalctl | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/free | N/A
File opened for reading | /proc/178/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/uptime | /usr/bin/uptime | N/A
File opened for reading | /proc/163/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/uptime | /usr/bin/uptime | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/free | N/A
File opened for reading | /proc/1336/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/free | N/A
File opened for reading | /proc/loadavg | /usr/bin/uptime | N/A
File opened for reading | /proc/173/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/10/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/1017/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/27/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/1065/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/160/stat | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/1161/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/1318/cmdline | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A
File opened for reading | /proc/sys/net/core/somaxconn | /tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | N/A

Processes

Process | Command line
/tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118 | [/tmp/76fe4fdd628218f630ba50f91ceba852_JaffaCakes118]
/bin/uname | [uname -a]
/bin/cat | [cat /proc/cpuinfo]
/bin/cat | [cat /etc/issue]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/bin/journalctl | [journalctl -S @0 -u sshd]
/bin/cat | [cat /var/log/auth*]
/bin/zcat | [zcat /var/log/auth*]
/bin/gzip | [gzip -cd /var/log/auth*]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]
/usr/bin/free | [free -m]
/usr/bin/uptime | [uptime]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 185.125.188.62:443 | | tcp
GB | 185.125.188.62:443 | | tcp
US | 151.101.193.91:443 | | tcp
US | 151.101.193.91:443 | | tcp
GB | 89.187.167.38:443 | | tcp
US | 205.10.213.5:22 | | tcp
US | 99.31.66.203:2222 | | tcp
GB | 51.6.232.240:22 | | tcp
N/A | 248.71.112.204:22 | | tcp
CN | 27.128.175.110:22 | | tcp
US | 158.73.112.122:22 | | tcp
TW | 1.164.65.171:2222 | | tcp
US | 50.88.162.31:2222 | | tcp
NL | 145.126.150.139:22 | | tcp
US | 138.164.219.175:2222 | | tcp
US | 107.47.124.181:22 | | tcp
US | 206.99.252.234:22 | | tcp
SG | 43.45.40.225:22 | | tcp
US | 215.211.195.78:2222 | | tcp
SG | 43.45.40.225:2222 | | tcp
N/A | 253.55.159.218:2222 | | tcp
US | 99.124.117.216:22 | | tcp
N/A | 243.232.30.64:22 | | tcp
AU | 122.150.201.62:2222 | | tcp
US | 7.38.70.91:22 | | tcp
US | 128.56.31.225:22 | | tcp
US | 11.101.181.57:2222 | | tcp
LU | 131.166.81.226:22 | | tcp
BE | 78.22.217.106:22 | | tcp
US | 35.95.43.156:22 | | tcp
BG | 93.123.44.190:22 | | tcp
US | 20.34.30.229:22 | | tcp
US | 6.137.201.58:2222 | | tcp
US | 164.199.252.114:22 | | tcp
NL | 178.84.203.172:2222 | | tcp
TW | 1.164.65.171:22 | | tcp
N/A | 248.71.112.204:2222 | | tcp
N/A | 251.92.91.9:2222 | | tcp
US | 6.161.69.155:2222 | | tcp
US | 29.239.21.94:2222 | | tcp
US | 51.232.158.225:22 | | tcp
US | 7.38.70.91:2222 | | tcp
US | 17.4.20.125:2222 | | tcp
NL | 178.84.203.172:22 | | tcp
US | 206.99.252.234:2222 | | tcp
DE | 93.122.63.37:2222 | | tcp
US | 50.88.162.31:22 | | tcp
US | 57.201.47.169:22 | | tcp
US | 17.4.20.125:22 | | tcp
GB | 51.6.232.240:2222 | | tcp
US | 137.227.104.212:22 | | tcp
CN | 27.128.175.110:2222 | | tcp
AT | 143.130.9.246:2222 | | tcp
N/A | 251.92.91.9:22 | | tcp
US | 32.222.141.29:2222 | | tcp
KR | 59.18.1.27:2222 | | tcp
US | 11.101.181.57:22 | | tcp
US | 146.149.160.78:22 | | tcp
US | 215.211.195.78:22 | | tcp
US | 51.232.158.225:2222 | | tcp
N/A | 241.252.211.84:2222 | | tcp
BG | 93.123.44.190:2222 | | tcp
US | 6.161.69.155:22 | | tcp
US | 173.3.119.141:22 | | tcp
US | 99.158.240.207:2222 | | tcp
JP | 180.26.127.151:2222 | | tcp
NL | 145.134.167.160:22 | | tcp
SE | 80.65.195.16:22 | | tcp
US | 158.73.112.122:2222 | | tcp
DE | 140.181.107.247:22 | | tcp
US | 17.80.222.29:22 | | tcp

Files

/root/.ssh/authorized_keys

MD5 9da18d38b6dd4c4aa84642378d63fa89
SHA1 c5a976691e4b5963b5e760044f22cc9685268db6
SHA256 43062900b2539d8d1f67f30fa7042c56b53541f63875b5f0de5d8fbde0e0a8bf
SHA512 222b20b5b2ff8956c13dbac1f8d3f81435613b751913d65f4c4082ea9c1a7c8ae91be17a24ef4ae0c708bfe09daab552bb209615714d70acfaaed89c536c71b3