Malware Analysis Report

2024-10-24 21:20

Sample ID 240727-zdp8cawhpn
Target 00885ad8a0536145c63cc22f39413ab9_JaffaCakes118
SHA256 8c62d8bdd00942195415b22a70774a45a58dce5d7e06c57e0f47bb699b8d4e8d
Tags
upx antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8c62d8bdd00942195415b22a70774a45a58dce5d7e06c57e0f47bb699b8d4e8d

Threat Level: Shows suspicious behavior

The file 00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx antivm

UPX packed file

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-27 20:36

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 20:36

Reported

2024-07-29 12:10

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

149s

Command Line

[/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a | N/A
N/A | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/sys/kernel/version | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | N/A
File opened for reading | /proc/stat | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a | N/A
File opened for modification | /tmp/fake.cfg | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | N/A
File opened for modification | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 | /usr/bin/cp | N/A
File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A
File opened for modification | /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a | /usr/bin/cp | N/A

Processes

/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118

[/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118 /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a]

/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a

[/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118]

/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118

/bin/sh

[sh -c cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118]

/usr/bin/cp

[cp /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118a /tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
CN | 111.73.45.188:10991 | | tcp
CN | 111.73.45.188:10991 | | tcp

Files

/tmp/freeBSD

MD5 00885ad8a0536145c63cc22f39413ab9
SHA1 3bff60f091d18501d2c4238bea80b06c92359fc1
SHA256 8c62d8bdd00942195415b22a70774a45a58dce5d7e06c57e0f47bb699b8d4e8d
SHA512 f12fa48c1ad7137b51e16166594a4652515c4ce5f6827d2353f14fbd009c81f2eb154e178c949657a85e755442d630e81aec3213f297a49078f1483933323d74

/tmp/00885ad8a0536145c63cc22f39413ab9_JaffaCakes118

MD5 6b7afb9feebd1a3a40405f6dba2171c9
SHA1 c51dd98d7aadb3482e47ea19522436491f2dda90
SHA256 a48cf406878a1231ffed91f269db5d3879d2bf3698863c86a45b17a69cc40ae4
SHA512 34a5ee694fe5ccddbaf181e0288a3f2ab9990635203e4b28af223a078f5c3914b43f45768f9ab35ae660ac4f34c4c6086a0201ae57f1d5235fd37775ae56b44a

memory/1511-1-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1514-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1517-3-0x0000000008048000-0x00000000082a063c-memory.dmp