Malware Analysis Report

2024-10-24 21:19

Sample ID 240728-t6dgcswhnb
Target 17ebd53ea0834244677e4b6214c69192_JaffaCakes118
SHA256 7cfa4573cad5c3387f58cbf1e49ed6210fbeb4de06e814a9b35ecbd933144f0a
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7cfa4573cad5c3387f58cbf1e49ed6210fbeb4de06e814a9b35ecbd933144f0a

Threat level: shows suspicious behavior.

The file 17ebd53ea0834244677e4b6214c69192_JaffaCakes118 received the verdict "shows suspicious behavior" (score 7/10).

Malicious Activity Summary

antivm

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 16:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 16:39

Reported

2024-07-29 11:52

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | N/A
N/A | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A

Reading /proc/cpuinfo is the usual way a Linux sample looks for the hypervisor CPU flag and virtual-CPU model strings, which is why this read carries the antivm tag. Many benign programs read the same file, so on its own it is weak evidence of sandbox evasion.
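To show what a sample actually learns from the /proc/cpuinfo read flagged above, here is an added example (written for this report, not code recovered from the sample) that parses the file and extracts the indicators a VM check typically keys on: the `hypervisor` flag, virtual-CPU model strings, and the processor count. Both cpuinfo texts are constructed; the field names are the ones the Linux kernel emits on x86.

```python
"""Parse /proc/cpuinfo and pull out the signals an anti-VM check keys on.
Added example for this report; not the sample's own code.
The cpuinfo texts below are constructed, not captured from the sandbox."""
from typing import Dict, List

# Constructed: a typical single-vCPU QEMU/KVM guest.
SANDBOX_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: QEMU Virtual CPU version 2.5+
flags\t\t: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm hypervisor lahf_lm
"""

# Constructed: a two-core laptop CPU with no hypervisor flag.
BARE_METAL_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat sse sse2 ht

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat sse sse2 ht
"""

# Substrings of "model name" that point at a virtual CPU (assumed list).
VM_MODEL_HINTS = ("qemu", "virtual cpu", "kvm", "vmware", "virtualbox", "xen", "hyper-v")


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo into one dict of 'key: value' fields per processor block.
    Blocks are separated by blank lines; keys keep the kernel's spelling."""
    cpus: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        if ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    if cur:
        cpus.append(cur)
    return cpus


def vm_indicators(text: str) -> Dict[str, object]:
    """Return the VM-related signals a sample can derive from cpuinfo text."""
    cpus = parse_cpuinfo(text)
    flags = set()
    models = set()
    for cpu in cpus:
        flags.update(cpu.get("flags", "").split())
        models.add(cpu.get("model name", "").lower())
    hints = sorted(h for h in VM_MODEL_HINTS if any(h in m for m in models))
    return {
        "cpu_count": len(cpus),
        # Set by the hypervisor on every guest, cloud VMs included, so it is
        # a strong "virtual" signal but a weak "sandbox" signal.
        "hypervisor_flag": "hypervisor" in flags,
        "model_hints": hints,
        # Single vCPU is a common sandbox heuristic; kept separate because
        # it is the weakest of the three.
        "single_core": len(cpus) == 1,
        "looks_virtual": "hypervisor" in flags or bool(hints),
    }


if __name__ == "__main__":
    for name, text in (("sandbox", SANDBOX_CPUINFO), ("bare metal", BARE_METAL_CPUINFO)):
        print(name, vm_indicators(text))
```

When triaging the antivm tag, the useful question is which of these signals the sandbox host actually exposed; a guest that hides the `hypervisor` flag and reports a non-virtual model name would have given this read nothing to act on.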

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/sys/kernel/version | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A
File opened for reading | /proc/stat | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | N/A
File opened for modification | /tmp/fake.cfg | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | N/A
File opened for modification | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 | /usr/bin/cp | N/A
File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A
File opened for modification | /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a | /usr/bin/cp | N/A

Processes

Read in order, the command lines below show the sample copying its own executable to /tmp/freeBSD and to /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a through sh -c cp, launching /tmp/freeBSD with the arguments "/tmp/freeBSD 1", launching the ..._JaffaCakes118a copy with the original path as its argument, and that copy then copying itself back over the original path. Together with the "Deletes itself" hits on /tmp/freeBSD and the ..._JaffaCakes118a copy, this is a copy, run and replace cycle. The report lists processes flat, so parent/child links are inferred from the sh -c wrappers rather than recorded.

/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118

[/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118 /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a]

/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a

[/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]

/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118

/bin/sh

[sh -c cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]

/usr/bin/cp

[cp /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118a /tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118]
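The copy-run-replace cycle in the process list above is easy to miss when each `cp` is viewed on its own, so here is an added example (not the sandbox's own detection logic) that reconstructs it from process-creation events: a `cp` whose source is the executable of one of its own ancestors is a self-copy, a later process whose executable is that destination is execution of the copy, and a `cp` that moves a copy back over its origin is a self-overwrite. The event list is constructed from the report's command lines; the report gives no pids or parent pids, so those values, and the parent links, are assumed.

```python
"""Flag a process that copies its own executable and then runs the copy.
Added example for this report; not tooling from the sandbox or the sample.
Events are constructed from the report's process list; pids/ppids are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118"


@dataclass
class Proc:
    pid: int
    ppid: int
    exe: str        # path the process image was executed from
    argv: List[str]


# Constructed from the report's command lines, in the order listed there.
# The pid/ppid values are assumed; the report does not record them.
EVENTS: List[Proc] = [
    Proc(100, 1,   SAMPLE,        [SAMPLE]),
    Proc(101, 100, "/bin/sh",     ["sh", "-c", f"cp {SAMPLE} /tmp/freeBSD"]),
    Proc(102, 101, "/usr/bin/cp", ["cp", SAMPLE, "/tmp/freeBSD"]),
    Proc(103, 100, "/bin/sh",     ["sh", "-c", f"cp {SAMPLE} {SAMPLE}a"]),
    Proc(104, 100, "/tmp/freeBSD", ["/tmp/freeBSD", "/tmp/freeBSD", "1"]),
    Proc(105, 103, "/usr/bin/cp", ["cp", SAMPLE, SAMPLE + "a"]),
    Proc(106, 100, SAMPLE + "a",  [SAMPLE + "a", SAMPLE]),
    Proc(107, 106, "/bin/sh",     ["sh", "-c", f"cp {SAMPLE}a {SAMPLE}"]),
    Proc(108, 107, "/usr/bin/cp", ["cp", SAMPLE + "a", SAMPLE]),
]


def ancestors(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Walk ppid links upward from pid, nearest parent first (pid itself excluded)."""
    out: List[Proc] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        out.append(cur)
    return out


def parse_cp(p: Proc) -> Optional[Tuple[str, str]]:
    """Return (src, dst) for a plain two-operand cp with no options, else None."""
    if p.exe.rsplit("/", 1)[-1] == "cp" and len(p.argv) == 3 and not p.argv[1].startswith("-"):
        return p.argv[1], p.argv[2]
    return None


def find_self_replication(events: List[Proc]) -> List[str]:
    """Return human-readable findings in event order."""
    procs = {p.pid: p for p in events}
    copies: Dict[str, str] = {}   # destination path -> executable that copied itself there
    findings: List[str] = []
    for p in events:
        cp = parse_cp(p)
        if cp:
            src, dst = cp
            # A known copy being written back over its origin.
            if copies.get(src) == dst:
                findings.append(f"self-overwrite: {src} -> {dst} (original path replaced)")
                continue
            # The file being copied is the image of an ancestor process.
            for anc in ancestors(procs, p.pid):
                if anc.exe == src:
                    copies[dst] = src
                    findings.append(f"self-copy: {src} -> {dst} (cp pid {p.pid} under pid {anc.pid})")
                    break
        elif p.exe in copies:
            findings.append(f"executes self-copy: {p.exe} argv={p.argv}")
    return findings


if __name__ == "__main__":
    for line in find_self_replication(EVENTS):
        print(line)
```

The same three rules apply to real process telemetry (auditd execve records or eBPF exec events) as long as the executable path and parent pid are available; matching on the ancestor chain rather than the direct parent is what lets the `sh -c` wrapper sit between the sample and `cp` without hiding the relationship.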

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 104.149.88.217:10771 | N/A | tcp
US | 104.149.88.217:10771 | N/A | tcp

224.0.0.251:5353/udp is the mDNS multicast group and is routinely generated by the guest OS itself, so it is not useful as an indicator. The two TCP connections to 104.149.88.217:10771 are the flows worth pivoting on; the report does not attribute them to a process, and no domain was resolved for them.

Files

The hashes for /tmp/freeBSD below match the submitted sample (the SHA256 at the top of this report; its MD5 is also the prefix of the sample's name), so that copy is byte-for-byte the original. The file left at the original path after the run hashes differently (SHA256 beginning 19212bbe), so the sample's own path was overwritten with different content. The signatures above show the ..._JaffaCakes118a process and /usr/bin/cp opening that path for modification, but the report does not show which write produced the changed bytes.

/tmp/freeBSD

MD5 17ebd53ea0834244677e4b6214c69192
SHA1 056a4e25c5e569f46d90d892793b078b131d1132
SHA256 7cfa4573cad5c3387f58cbf1e49ed6210fbeb4de06e814a9b35ecbd933144f0a
SHA512 b82439bbc33253452b3b6985f8638d63c6e3e5dd5e1f2651d8850303b69f31d2cb017360468d3f964bea7c39af97043b687e9e659bd4352562a07e968e8fd258

/tmp/17ebd53ea0834244677e4b6214c69192_JaffaCakes118

MD5 0bc785619a6a46d1f931de5fd34e6912
SHA1 aaeece46bda245f0a3199231cfe99837c195b6b5
SHA256 19212bbee34e2ed8ec9c583ed3d95d7d682e78895133dc19bf53ddce7e5d69af
SHA512 0bf581ff1df47258f19ac060c88b0ec7a06e114c4cec989a3fb27d4ef13b9f7dfccebfc3cf32107c3efbd4ed6b944adbd2cb8abe1739a5621dbf489dacc01494