Malware Analysis Report

2024-10-24 21:20

Sample ID 240728-t6rzrasgql
Target 17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
SHA256 512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f

Threat Level: Shows suspicious behavior

The file 17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

antivm

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 16:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 16:40

Reported

2024-07-29 11:52

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/conimet N/A
N/A N/A /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/conimet /tmp/conimet N/A
N/A /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a N/A
N/A /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/dev /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/stat /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/sys/kernel/version /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/conimet /usr/bin/cp N/A
File opened for modification /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /usr/bin/cp N/A
File opened for modification /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a N/A
File opened for modification /tmp/fake.cfg /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 N/A
File opened for modification /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /usr/bin/cp N/A

Processes

/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118

[/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/conimet]

/usr/bin/cp

[cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/conimet]

/bin/sh

[sh -c cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a]

/tmp/conimet

[/tmp/conimet /tmp/conimet 1]

/usr/bin/cp

[cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a]

/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a

[/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]

/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118

/bin/sh

[sh -c cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]

/usr/bin/cp

[cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]
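The process list above records one chain: the sample copies itself to /tmp/conimet and to its own path with an "a" suffix, runs both copies (conimet with the arguments "/tmp/conimet 1", the "a" copy with the original path as its argument), and the "a" copy then copies itself back over the original path. The Python below is an added example, not part of the sandbox report or the sample's code: it flags exactly that pattern from execve-style events. The EVENTS list is constructed to mirror the command lines above; the report gives no PIDs, so the pid/ppid values are invented.

```python
"""Flag the "copy self, execute copy, overwrite original" chain from exec events.

Added example, not sandbox output or the sample's own code. EVENTS is
constructed to mirror the Processes section of this report; the report gives
no PIDs, so pid/ppid values are invented.
"""
import shlex
from dataclasses import dataclass

SAMPLE = "/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118"


@dataclass
class Exec:
    pid: int
    ppid: int
    exe: str          # resolved path of the image being executed
    argv: list        # full command line


EVENTS = [  # constructed; pids invented
    Exec(100, 1,   SAMPLE,         [SAMPLE]),
    Exec(101, 100, "/bin/sh",      ["sh", "-c", f"cp {SAMPLE} /tmp/conimet"]),
    Exec(101, 100, "/usr/bin/cp",  ["cp", SAMPLE, "/tmp/conimet"]),
    Exec(102, 100, "/bin/sh",      ["sh", "-c", f"cp {SAMPLE} {SAMPLE}a"]),
    Exec(103, 100, "/tmp/conimet", ["/tmp/conimet", "/tmp/conimet", "1"]),
    Exec(102, 100, "/usr/bin/cp",  ["cp", SAMPLE, SAMPLE + "a"]),
    Exec(104, 100, SAMPLE + "a",   [SAMPLE + "a", SAMPLE]),
    Exec(105, 104, "/bin/sh",      ["sh", "-c", f"cp {SAMPLE}a {SAMPLE}"]),
    Exec(105, 104, "/usr/bin/cp",  ["cp", SAMPLE + "a", SAMPLE]),
]


def cp_pair(ev):
    """Return (src, dst) for a two-argument cp, else None.

    `sh -c "cp src dst"` is unwrapped so the wrapper and the real cp yield
    the same pair; the detector dedupes, so seeing both is harmless.
    """
    argv = ev.argv
    if ev.exe.endswith("/sh") and len(argv) >= 3 and argv[1] == "-c":
        argv = shlex.split(argv[2])
    if argv and argv[0].rsplit("/", 1)[-1] == "cp" and len(argv) == 3:
        return argv[1], argv[2]
    return None


def detect(events):
    """Return (finding, path, source) tuples in the order they are first seen."""
    executed = {}   # exe path -> pid that first ran it
    copies = {}     # destination path -> executed binary it was copied from
    findings = []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for ev in events:
        pair = cp_pair(ev)
        if pair:
            src, dst = pair
            if src in executed:          # only copies of a binary that already ran matter
                copies[dst] = src
                if dst in executed:      # a copy is written over an image that already ran
                    add(("self-overwrite", dst, src))
            continue
        if ev.exe in copies:             # executing a file that is a copy of an earlier image
            add(("executes-own-copy", ev.exe, copies[ev.exe]))
        executed.setdefault(ev.exe, ev.pid)
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Fed with the constructed events, detect() reports that /tmp/conimet and the "a" copy are executed copies of the running sample and that the original path is then overwritten from the "a" copy. The same logic applies unchanged to execve records from auditd or an eBPF tracer once they are mapped onto the Exec fields.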

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
CN 117.21.176.64:10881 N/A tcp
CN 117.21.176.64:10881 N/A tcp

Files

/tmp/conimet

MD5 17f5e59fcd4e55d0cc56e080fe5ce4b4
SHA1 4e7dfdc42b1364fcc47d49664220c99891daa761
SHA256 512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f
SHA512 458ea7bcf2e8dcfd49601df7f79a9932276d9066b59b740d5fecd342a4de0a93a0707cc72283380b15f8ad8562280ba784fa826fbcf095e7a18ef8a6cbbeeeaf

/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118

MD5 dffc8eaf00c21b5c1c273c7e265229e0
SHA1 45d44447b31fd18495e5bbd26f01d935e5f9424b
SHA256 f6260c40e72cf02acdc0c7ce7fe8ae4d3455500e8fb2f7a7caf6a34a6506a44a
SHA512 1517c24518a91ea25bd3ac712daa9f67637d48860e51602ce59a1de4741dda6f8cda63c08390c6c879da9a8e63691446480cc560118dd6edb5cb75e1ebac1f41
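Added example, not sandbox output: a small Python triage of the Network and Files tables above. It parses a constructed excerpt of this page (addresses and hashes copied from it), keeps only routable destinations (224.0.0.251:5353 is multicast mDNS and is treated as local noise), collapses the repeated 117.21.176.64:10881 rows into one indicator with a hit count, and checks each listed file's SHA256 against the submitted sample's. /tmp/conimet matches, so the "dropped EXE" is a byte-identical copy of the sample rather than a second-stage payload, while the file left at the original path does not match, consistent with the "opened for modification" and cp events recorded above.

```python
"""Triage the Network and Files tables of this report.

Added example, not sandbox output. REPORT is a constructed excerpt of the
page (addresses and hashes copied from it); SUBMITTED_SHA256 is the sample's
SHA256 from the report header.
"""
import ipaddress
import re

SAMPLE = "/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118"
SUBMITTED_SHA256 = "512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f"

REPORT = f"""\
Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 117.21.176.64:10881 tcp
CN 117.21.176.64:10881 tcp

Files

/tmp/conimet

MD5 17f5e59fcd4e55d0cc56e080fe5ce4b4
SHA256 512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f

{SAMPLE}

MD5 dffc8eaf00c21b5c1c273c7e265229e0
SHA256 f6260c40e72cf02acdc0c7ce7fe8ae4d3455500e8fb2f7a7caf6a34a6506a44a
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_network(text):
    """Parse the Network table.

    The Domain column is either absent (3 fields) or N/A when the sandbox
    saw no name for the destination, so both row shapes are accepted.
    """
    body = text.split("Network\n", 1)[1].split("\nFiles\n", 1)[0]
    rows = []
    for line in body.strip().splitlines()[1:]:      # [1:] skips the header row
        fields = line.split()
        if len(fields) == 3:
            country, dest, proto = fields
            domain = None
        elif len(fields) == 4:
            country, dest, domain, proto = fields
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({
            "country": None if country == "N/A" else country,
            "host": host,
            "port": int(port),
            "domain": None if domain in (None, "N/A") else domain,
            "proto": proto,
        })
    return rows


def classify(host):
    """Routable unicast is a candidate IOC; multicast/private/loopback is sandbox noise."""
    ip = ipaddress.ip_address(host)
    if ip.is_multicast or ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local-noise"
    return "external"


def network_iocs(text):
    """{(host, port, proto): hit_count} for external endpoints only."""
    hits = {}
    for r in parse_network(text):
        if classify(r["host"]) != "external":
            continue
        key = (r["host"], r["port"], r["proto"])
        hits[key] = hits.get(key, 0) + 1
    return hits


def parse_files(text):
    """{path: {algo: hexdigest}} from the Files table."""
    files, current = {}, None
    for line in text.split("\nFiles\n", 1)[1].splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
        elif line.startswith("/"):
            current = line
            files[current] = {}
    return files


def copy_status(files, submitted_sha256):
    """True where the file on disk is byte-identical to the submitted sample."""
    return {path: h.get("SHA256") == submitted_sha256 for path, h in files.items()}


if __name__ == "__main__":
    print("external endpoints:", network_iocs(REPORT))
    print("identical to sample:", copy_status(parse_files(REPORT), SUBMITTED_SHA256))
```

The hit count is kept rather than dropped because a repeated connection to the same host:port within a short detonation is itself useful context when the endpoint is later checked against other sightings.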