Analysis Overview
SHA256
7d32806b4bd7f853c7cbfaee0b6a644e3828200a055778275b846cc855bec588
Threat Level: Shows suspicious behavior
The file 05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Deletes itself
Executes dropped EXE
Checks CPU configuration
Reads system network configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 02:28
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 02:28
Reported
2024-07-29 12:14
Platform
ubuntu2204-amd64-20240729-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/freeBSD | N/A |
| N/A | N/A | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/freeBSD | /tmp/freeBSD | N/A |
| N/A | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a | N/A |
| N/A | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/sys/kernel/version | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | N/A |
| File opened for reading | /proc/stat | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/fake.cfg | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | N/A |
| File opened for modification | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | /usr/bin/cp | N/A |
| File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A |
| File opened for modification | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a | /usr/bin/cp | N/A |
| File opened for modification | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 | /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a | N/A |
Processes
/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
[/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]
/bin/sh
[sh -c cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/freeBSD]
/usr/bin/cp
[cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/freeBSD]
/bin/sh
[sh -c cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a]
/tmp/freeBSD
[/tmp/freeBSD /tmp/freeBSD 1]
/usr/bin/cp
[cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118 /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a]
/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a
[/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]
/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
/bin/sh
[sh -c cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]
/usr/bin/cp
[cp /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118a /tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| CN | 121.42.144.22:28099 | tcp | |
| CN | 121.42.144.22:28099 | tcp |
Files
/tmp/freeBSD
| MD5 | 05f44e74d3557c4e2e43c0b237b0972f |
| SHA1 | 9e38cd9c2eb810442bcaa658d301e4777ba3c962 |
| SHA256 | 7d32806b4bd7f853c7cbfaee0b6a644e3828200a055778275b846cc855bec588 |
| SHA512 | bcdb6be64bfb0f66205616be84d39dba0e6cc855ef8b6999deeb456edb03693e6e7d3cb852b7f540d8fd8cb171204556807e72f6ca6af4bd73db908696e8f7d3 |
memory/1515-1-0x0000000008048000-0x00000000082a063c-memory.dmp
/tmp/05f44e74d3557c4e2e43c0b237b0972f_JaffaCakes118
| MD5 | cb8907209654960b42324acee6af2e3c |
| SHA1 | 3d74c3840178bf9ed9a7627014db33dbd9f8c761 |
| SHA256 | cc49bbdb1a9232a2694f31159d65197367f8ee28255c7c8995afa25e9dbe3a72 |
| SHA512 | 09dc16e75c46087fc7b6f517c91cab25104302eb039b0a33ac4f8bd048541603c8c951456d15c356e2a2307c46eed40eb9ab3b52a7fc5e91e734b266ca3fa5e8 |
memory/1518-2-0x0000000008048000-0x00000000082a063c-memory.dmp
memory/1521-3-0x0000000008048000-0x00000000082a063c-memory.dmp