Malware Analysis Report

2024-10-24 21:20

Sample ID 240728-ezenhsxfrk
Target 08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118
SHA256 63bc03d3d2fe38d005b5ee7f629aa0d9f1b8ebfb415471ee829284267b29450f
Tags upx antivm
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V15

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

7/10

SHA256

63bc03d3d2fe38d005b5ee7f629aa0d9f1b8ebfb415471ee829284267b29450f

Threat Level: Shows suspicious behavior

The file 08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx antivm

UPX packed file

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 04:22

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 04:22

Reported

2024-07-29 12:23

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a | N/A
N/A | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/stat | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/sys/kernel/version | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A
File opened for modification | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a | /usr/bin/cp | N/A
File opened for modification | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a | N/A
File opened for modification | /tmp/fake.cfg | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | N/A
File opened for modification | /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 | /usr/bin/cp | N/A

Processes

/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118

[/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118 /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a]

/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a

[/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118]

/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118

/bin/sh

[sh -c cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118]

/usr/bin/cp

[cp /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118a /tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
CN | 222.186.58.121:10991 | | tcp
CN | 222.186.58.121:10991 | | tcp

Files

/tmp/freeBSD

MD5 08e635ad50de0e51bcce87bbae1d424b
SHA1 912579d64cdd6e04a6b7111ea611d1e4fee2e88d
SHA256 63bc03d3d2fe38d005b5ee7f629aa0d9f1b8ebfb415471ee829284267b29450f
SHA512 80f58194aaebb06957e324919a3573d1c0aca7f0766094398010ecf3d84be304e7732e7c60f3f493e1a82c8e1a990ab65a79bb54c044e1f713afb30bccf47670

memory/1509-1-0x0000000008048000-0x00000000082a063c-memory.dmp

/tmp/08e635ad50de0e51bcce87bbae1d424b_JaffaCakes118

MD5 2a2c922ee8da011c0d8f6b4bff7710d9
SHA1 825e26405d3d474e82818e23b4851bcd24552479
SHA256 5a908ec622fa0dee4aa4eb364d569950c8725c07d16a16a68dc84bed0027608b
SHA512 430cf621238637fb0c6191ed0439c472017a7fe2d4855c1205c4dd256141ae49fc00028ab655550592040f7747b4a1ce4131b5e3846e8e8dcfe9d9491046a90d

memory/1512-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1515-3-0x0000000008048000-0x00000000082a063c-memory.dmp