Malware Analysis Report

2024-10-24 21:20

Sample ID 240728-cx5e2swepf
Target 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
SHA256 7d32806b4bd7f853c7cbfaee0b6a644e3828200a055778275b846cc855bec588
Tags
antivm upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7d32806b4bd7f853c7cbfaee0b6a644e3828200a055778275b846cc855bec588

Threat Level: Shows suspicious behavior

The file 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

antivm upx

UPX packed file

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 02:28

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 02:28

Reported

2024-07-29 12:14

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/freeBSD N/A
N/A N/A /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/freeBSD /tmp/freeBSD N/A
N/A /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a N/A
N/A /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/dev /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/sys/kernel/version /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 N/A
File opened for reading /proc/stat /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fake.cfg /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 N/A
File opened for modification /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /usr/bin/cp N/A
File opened for modification /tmp/freeBSD /usr/bin/cp N/A
File opened for modification /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /usr/bin/cp N/A
File opened for modification /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a N/A

Processes

/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118

[/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a]

/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a

[/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]

/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118

/bin/sh

[sh -c cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]

/usr/bin/cp

[cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 121.42.144.22:28099 tcp
CN 121.42.144.22:28099 tcp

Files

/tmp/freeBSD

MD5 05f44e74d3557c4e2e43c0b237b0972f
SHA1 9e38cd9c2eb810442bcaa658d301e4777ba3c962
SHA256 7d32806b4bd7f853c7cbfaee0b6a644e3828200a055778275b846cc855bec588
SHA512 bcdb6be64bfb0f66205616be84d39dba0e6cc855ef8b6999deeb456edb03693e6e7d3cb852b7f540d8fd8cb171204556807e72f6ca6af4bd73db908696e8f7d3

memory/1515-1-0x0000000008048000-0x00000000082a063c-memory.dmp

/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118

MD5 cb8907209654960b42324acee6af2e3c
SHA1 3d74c3840178bf9ed9a7627014db33dbd9f8c761
SHA256 cc49bbdb1a9232a2694f31159d65197367f8ee28255c7c8995afa25e9dbe3a72
SHA512 09dc16e75c46087fc7b6f517c91cab25104302eb039b0a33ac4f8bd048541603c8c951456d15c356e2a2307c46eed40eb9ab3b52a7fc5e91e734b266ca3fa5e8

memory/1518-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1521-3-0x0000000008048000-0x00000000082a063c-memory.dmp