Analysis Overview
SHA256
512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f
Threat Level: Shows suspicious behavior
The file 17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Checks CPU configuration
Reads system network configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 16:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 16:40
Reported
2024-07-29 11:52
Platform
ubuntu2204-amd64-20240729-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/conimet | N/A |
| N/A | N/A | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/conimet | /tmp/conimet | N/A |
| N/A | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a | N/A |
| N/A | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/stat | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/sys/kernel/version | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/conimet | /usr/bin/cp | N/A |
| File opened for modification | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a | /usr/bin/cp | N/A |
| File opened for modification | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a | N/A |
| File opened for modification | /tmp/fake.cfg | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | N/A |
| File opened for modification | /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 | /usr/bin/cp | N/A |
Processes
/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
[/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]
/bin/sh
[sh -c cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/conimet]
/usr/bin/cp
[cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/conimet]
/bin/sh
[sh -c cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a]
/tmp/conimet
[/tmp/conimet /tmp/conimet 1]
/usr/bin/cp
[cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118 /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a]
/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a
[/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]
/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
/bin/sh
[sh -c cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]
/usr/bin/cp
[cp /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118a /tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| CN | 117.21.176.64:10881 | | tcp |
| CN | 117.21.176.64:10881 | | tcp |
Files
/tmp/conimet
| MD5 | 17f5e59fcd4e55d0cc56e080fe5ce4b4 |
| SHA1 | 4e7dfdc42b1364fcc47d49664220c99891daa761 |
| SHA256 | 512183f4f032655ddcc163c995e3da7d7aa37202e457fb25c212cfc45c3f2e5f |
| SHA512 | 458ea7bcf2e8dcfd49601df7f79a9932276d9066b59b740d5fecd342a4de0a93a0707cc72283380b15f8ad8562280ba784fa826fbcf095e7a18ef8a6cbbeeeaf |
/tmp/17f5e59fcd4e55d0cc56e080fe5ce4b4_JaffaCakes118
| MD5 | dffc8eaf00c21b5c1c273c7e265229e0 |
| SHA1 | 45d44447b31fd18495e5bbd26f01d935e5f9424b |
| SHA256 | f6260c40e72cf02acdc0c7ce7fe8ae4d3455500e8fb2f7a7caf6a34a6506a44a |
| SHA512 | 1517c24518a91ea25bd3ac712daa9f67637d48860e51602ce59a1de4741dda6f8cda63c08390c6c879da9a8e63691446480cc560118dd6edb5cb75e1ebac1f41 |