Analysis Overview
SHA256
7cfa4573cad5c3387f58cbf1e49ed6210fbeb4de06e814a9b35ecbd933144f0a
Threat Level: Shows suspicious behavior
The file 17ebd53ea0834244677e4b6214c69192_JaffaCakes118 was classified as: shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Checks CPU configuration
Reads system network configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 16:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 16:39
Reported
2024-07-29 11:52
Platform
ubuntu2204-amd64-20240729-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/freeBSD | N/A |
| N/A | N/A | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/freeBSD | /tmp/freeBSD | N/A |
| N/A | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | N/A |
| N/A | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/sys/kernel/version | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A |
| File opened for reading | /proc/stat | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | N/A |
| File opened for modification | /tmp/fake.cfg | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A |
| File opened for modification | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | /usr/bin/cp | N/A |
| File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A |
| File opened for modification | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | /usr/bin/cp | N/A |
Processes
/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
[/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]
/bin/sh
[sh -c cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/freeBSD]
/usr/bin/cp
[cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/freeBSD]
/bin/sh
[sh -c cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a]
/tmp/freeBSD
[/tmp/freeBSD /tmp/freeBSD 1]
/usr/bin/cp
[cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a]
/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a
[/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]
/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
/bin/sh
[sh -c cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]
/usr/bin/cp
[cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]
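The process list above shows the replication chain behind the "Executes dropped EXE" signature: the sample shells out to `cp` to copy itself to /tmp/freeBSD and to a second path suffixed with `a`, then executes both copies, and the `a` copy in turn copies itself back over the original. The following detection logic, an added example rather than anything from the report or the sandbox's own tooling, reconstructs that pattern from a process list. The input format (one `(pid, ppid, exe, argv)` tuple per process) is assumed, and the rows are constructed from the Processes section with invented pids.

```python
"""Flag self-replication (copy own executable, then run the copy) in a
sandbox process list.

Added example, not the sandbox's code. The export format is an
assumption: one (pid, ppid, exe, argv) tuple per process.
"""
import shlex

SAMPLE = "/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118"

# Constructed from the report's Processes section; pids/ppids are assumed.
PROCESSES = [
    (100, 1, SAMPLE, [SAMPLE]),
    (101, 100, "/bin/sh", ["sh", "-c", f"cp {SAMPLE} /tmp/freeBSD"]),
    (102, 101, "/usr/bin/cp", ["cp", SAMPLE, "/tmp/freeBSD"]),
    (103, 100, "/bin/sh", ["sh", "-c", f"cp {SAMPLE} {SAMPLE}a"]),
    (104, 103, "/usr/bin/cp", ["cp", SAMPLE, SAMPLE + "a"]),
    (105, 100, "/tmp/freeBSD", ["/tmp/freeBSD", "/tmp/freeBSD", "1"]),
    (106, 100, SAMPLE + "a", [SAMPLE + "a", SAMPLE]),
    (107, 106, SAMPLE, [SAMPLE]),
    (108, 106, "/bin/sh", ["sh", "-c", f"cp {SAMPLE}a {SAMPLE}"]),
    (109, 108, "/usr/bin/cp", ["cp", SAMPLE + "a", SAMPLE]),
]


def _base(path):
    return path.rsplit("/", 1)[-1]


def cp_pairs(argv):
    """Yield (src, dst) for a cp invocation, direct or wrapped in sh -c."""
    if len(argv) >= 3 and _base(argv[0]) in ("sh", "bash", "dash") \
            and argv[1] == "-c":
        argv = shlex.split(argv[2])
    if argv and _base(argv[0]) == "cp":
        # Option flags are skipped; the `-t DIR` form is not handled.
        operands = [a for a in argv[1:] if not a.startswith("-")]
        if len(operands) >= 2:
            yield operands[0], operands[-1]


def ancestors(pid, parent):
    """Set of ancestor pids of `pid`, guarding against ppid cycles."""
    seen = set()
    while pid in parent and parent[pid] not in seen:
        pid = parent[pid]
        seen.add(pid)
    return seen


def find_self_replication(processes):
    """Return findings where a process copied its own executable (or an
    ancestor's) and a process outside the copier's lineage then ran the
    destination path. Each finding: {src, dst, copier, executed_by}."""
    exe_of = {pid: exe for pid, _, exe, _ in processes}
    parent = {pid: ppid for pid, ppid, _, _ in processes}
    copies = {}  # (src, dst) -> pid of the first process issuing that copy
    for pid, _, exe, argv in processes:
        lineage = {exe} | {exe_of[a] for a in ancestors(pid, parent)
                           if a in exe_of}
        for src, dst in cp_pairs(argv):
            if src in lineage:
                copies.setdefault((src, dst), pid)
    findings = []
    for (src, dst), copier in copies.items():
        # The original process is an ancestor of the copier; exclude it so
        # only executions of the *copy* count.
        excluded = ancestors(copier, parent) | {copier}
        runners = sorted(pid for pid, _, exe, _ in processes
                         if exe == dst and pid not in excluded)
        if runners:
            findings.append({"src": src, "dst": dst,
                             "copier": copier, "executed_by": runners})
    return findings


if __name__ == "__main__":
    for f in find_self_replication(PROCESSES):
        print(f"{f['src']} -> {f['dst']} (copied by pid {f['copier']}, "
              f"executed by {f['executed_by']})")
```

On the constructed rows this yields three findings: the copy to /tmp/freeBSD run by the freeBSD process, the copy to the `a`-suffixed path run by that copy, and the copy back over the original path run by a freshly launched instance. The "Deletes itself" signature cannot be recovered from the process list alone; it needs the file-event stream (unlink of the running executable) correlated by pid.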
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 104.149.88.217:10771 | | tcp |
| US | 104.149.88.217:10771 | | tcp |
Files
/tmp/freeBSD
| MD5 | 17ebd53ea0834244677e4b6214c69192 |
| SHA1 | 056a4e25c5e569f46d90d892793b078b131d1132 |
| SHA256 | 7cfa4573cad5c3387f58cbf1e49ed6210fbeb4de06e814a9b35ecbd933144f0a |
| SHA512 | b82439bbc33253452b3b6985f8638d63c6e3e5dd5e1f2651d8850303b69f31d2cb017360468d3f964bea7c39af97043b687e9e659bd4352562a07e968e8fd258 |
/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118
| MD5 | 0bc785619a6a46d1f931de5fd34e6912 |
| SHA1 | aaeece46bda245f0a3199231cfe99837c195b6b5 |
| SHA256 | 19212bbee34e2ed8ec9c583ed3d95d7d682e78895133dc19bf53ddce7e5d69af |
| SHA512 | 0bf581ff1df47258f19ac060c88b0ec7a06e114c4cec989a3fb27d4ef13b9f7dfccebfc3cf32107c3efbd4ed6b944adbd2cb8abe1739a5621dbf489dacc01494 |