8c62d8bdd00942195415b22a70774a45a58dce5d7e06c57e0f47bb699b8d4e8d

Analysis

max time kernel
149s
max time network
149s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
27/07/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
Size

1.1MB
MD5

00885ad8a0536145c63cc22f39413ab9
SHA1

3bff60f091d18501d2c4238bea80b06c92359fc1
SHA256

8c62d8bdd00942195415b22a70774a45a58dce5d7e06c57e0f47bb699b8d4e8d
SHA512

f12fa48c1ad7137b51e16166594a4652515c4ce5f6827d2353f14fbd009c81f2eb154e178c949657a85e755442d630e81aec3213f297a49078f1483933323d74
SSDEEP

24576:8SlXre0q1r+GsNUV81TSCi1R5qoaMeLCA10vbG62OgH4/okMcEbpdUu5g:8SNt4rONU6NAqoaVbKFgHCofcENdUu5g

Score

7^/10

antivm upx

Malware Config

Signatures

Deletes itself 2 IoCs

pid	Process
1514	freeBSD
1517	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/freeBSD	1514	freeBSD
/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a	1517	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a
/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118	1518	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/dev	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/version	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
File opened for reading	/proc/stat	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a
File opened for modification	/tmp/fake.cfg	00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
File opened for modification	/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118	cp
File opened for modification	/tmp/freeBSD	cp
File opened for modification	/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a	cp

/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
1⤵
PID:1511
- /bin/sh
  sh -c "cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 /tmp/freeBSD"
  2⤵
  PID:1512
- - /usr/bin/cp
    cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 /tmp/freeBSD
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1513
- /bin/sh
  sh -c "cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a"
  2⤵
  PID:1515
- - /usr/bin/cp
    cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1516
- /tmp/freeBSD
  /tmp/freeBSD /tmp/freeBSD 1
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1514

/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a
/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
1⤵
- Deletes itself
- Executes dropped EXE
- Writes file to tmp directory
PID:1517
- /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads system network configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1518
- /bin/sh
  sh -c "cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118"
  2⤵
  PID:1523
- - /usr/bin/cp
    cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118

Filesize
1.3MB

MD5
6b7afb9feebd1a3a40405f6dba2171c9

SHA1
c51dd98d7aadb3482e47ea19522436491f2dda90

SHA256
a48cf406878a1231ffed91f269db5d3879d2bf3698863c86a45b17a69cc40ae4

SHA512
34a5ee694fe5ccddbaf181e0288a3f2ab9990635203e4b28af223a078f5c3914b43f45768f9ab35ae660ac4f34c4c6086a0201ae57f1d5235fd37775ae56b44a

Download Submit
/tmp/freeBSD

Filesize
1.1MB

MD5
00885ad8a0536145c63cc22f39413ab9

SHA1
3bff60f091d18501d2c4238bea80b06c92359fc1

SHA256
8c62d8bdd00942195415b22a70774a45a58dce5d7e06c57e0f47bb699b8d4e8d

SHA512
f12fa48c1ad7137b51e16166594a4652515c4ce5f6827d2353f14fbd009c81f2eb154e178c949657a85e755442d630e81aec3213f297a49078f1483933323d74

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads