Malware Analysis Report

2024-10-24 21:20

Sample ID 240728-a7pfga1ema
Target 041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118
SHA256 bdb1dc0d6bb4a1abe8c68df20f28a484c17fdc97f920d0a1285b245965e2bedf
Tags
upx antivm
score
7/10

Analysis Overview

score
7/10

SHA256

bdb1dc0d6bb4a1abe8c68df20f28a484c17fdc97f920d0a1285b245965e2bedf

Threat Level: Shows suspicious behavior

The file 041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx antivm

UPX packed file

Deletes itself

Executes dropped EXE

Reads system network configuration

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 00:51

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 00:51

Reported

2024-07-29 11:29

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a | N/A
N/A | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/stat | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /bin/cp | N/A
File opened for reading | /proc/filesystems | /bin/cp | N/A
File opened for reading | /proc/filesystems | /bin/cp | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/freeBSD | /bin/cp | N/A
File opened for modification | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a | /bin/cp | N/A
File opened for modification | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a | N/A
File opened for modification | /tmp/fake.cfg | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 | N/A
File opened for modification | /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 | /bin/cp | N/A

Processes

/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118

[/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 /tmp/freeBSD]

/bin/cp

[cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/bin/cp

[cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118 /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a]

/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a

[/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118]

/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118

/bin/sh

[sh -c cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118]

/bin/cp

[cp /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118a /tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 151.101.193.91:443 | (none) | tcp
GB | 185.125.188.62:443 | (none) | tcp
GB | 185.125.188.62:443 | (none) | tcp
US | 151.101.193.91:443 | (none) | tcp
CN | 121.40.85.20:10771 | (none) | tcp
GB | 89.187.167.38:443 | (none) | tcp
CN | 121.40.85.20:10771 | (none) | tcp

Files

/tmp/freeBSD

MD5 041f6a1b500fe2a6ed9dbea66c741bd6
SHA1 aab7f55d4e09b3fe17c27189736c391e62e88856
SHA256 bdb1dc0d6bb4a1abe8c68df20f28a484c17fdc97f920d0a1285b245965e2bedf
SHA512 b0e90de75d1c9a85d6649890fad18030ad99c1cfa2f05f76e13c778756da10f47a64dbc7ca15a8737a89080059ed72d11427944208c3d4d34b521c6aac325c20

memory/1510-1-0x0000000008048000-0x00000000082b04dc-memory.dmp

/tmp/041f6a1b500fe2a6ed9dbea66c741bd6_JaffaCakes118

MD5 e81d759964abe7c10d478336a126b70b
SHA1 1699583f10309a0633e35fe86e693a0874206695
SHA256 69069b25fcec9c1f4977df0790a56bf3db20265ef3c3f1615c5d48e35e9c9bda
SHA512 8990e4654f78178c0175f3f6a684e45a7b305e6b80da9d8219022a89d976fa46ce347da26695a6689405a9e496d092f0b0c03471fb7fa857e874b0530dfccc14

memory/1514-2-0x0000000008048000-0x00000000082b04dc-memory.dmp

memory/1517-3-0x0000000008048000-0x00000000082b04dc-memory.dmp