Malware Analysis Report

2024-10-24 21:20

Sample ID 240728-wjwqjazeng
Target 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118
SHA256 18f26cbad0f228e1bd4042603dfcb5e1b597f66dd968c832f77ea41564e808c2
Tags
antivm persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

18f26cbad0f228e1bd4042603dfcb5e1b597f66dd968c832f77ea41564e808c2

Threat Level: Shows suspicious behavior

The file 1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm persistence upx

Executes dropped EXE

UPX packed file

Modifies init.d

Write file to user bin folder

Writes file to system bin folder

Reads system routing table

Checks CPU configuration

Reads system network configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-28 17:57

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 17:57

Reported

2024-07-29 11:53

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

146s

Command Line

[/tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /usr/bin/bsd-port/knerl /usr/bin/bsd-port/knerl N/A
N/A /usr/bin/pythno /usr/bin/pythno N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/VsystemsshMdt /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for modification /etc/init.d/selinux /usr/bin/bsd-port/knerl N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/bin/bsd-port/knerl.conf /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for modification /usr/bin/bsd-port/udevd.conf /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for modification /usr/bin/bsd-port/knerl /usr/bin/cp N/A
File opened for modification /usr/bin/pythno /usr/bin/cp N/A
File opened for modification /usr/bin/bsd-port/knerl.conf /usr/bin/bsd-port/knerl N/A
File opened for modification /usr/bin/dpkgd/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/ps /usr/bin/cp N/A
File opened for modification /usr/bin/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/ps /usr/bin/cp N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/lsof /usr/bin/cp N/A
File opened for modification /bin/ps /usr/bin/cp N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for reading /proc/cpuinfo /usr/bin/bsd-port/knerl N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/dev /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for reading /proc/net/dev /usr/bin/bsd-port/knerl N/A
File opened for reading /proc/net/route /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for reading /proc/net/arp /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/sys/kernel/version /usr/bin/bsd-port/knerl N/A
File opened for reading /proc/sys/kernel/version /usr/bin/pythno N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/stat /usr/bin/bsd-port/knerl N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A
File opened for reading /proc/sys/kernel/version /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/meminfo /usr/bin/bsd-port/knerl N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/stat /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for reading /proc/meminfo /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/idus.log /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for modification /tmp/apsh.conf /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for modification /tmp/vga.conf /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for modification /tmp/notify.file /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for modification /tmp/idus.log /usr/bin/pythno N/A
File opened for modification /tmp/notify.file /usr/bin/pythno N/A
File opened for modification /tmp/conf.n /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 N/A
File opened for modification /tmp/vga.conf /usr/bin/pythno N/A

Processes

/tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118

[/tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt]

/bin/sh

[sh -c ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt]

/usr/bin/ln

[ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/usr/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/bsd-port/knerl]

/usr/bin/cp

[cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/bsd-port/knerl]

/bin/sh

[sh -c /usr/bin/bsd-port/knerl]

/usr/bin/bsd-port/knerl

[/usr/bin/bsd-port/knerl]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/pythno]

/usr/bin/cp

[cp -f /tmp/1ad0c890f8fbb9b392e0acb425de4f3c_JaffaCakes118 /usr/bin/pythno]

/bin/sh

[sh -c /usr/bin/pythno]

/usr/bin/pythno

[/usr/bin/pythno]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/sh

[sh -c mkdir -p /usr/bin/dpkgd]

/usr/bin/mkdir

[mkdir -p /usr/bin/dpkgd]

/bin/sh

[sh -c cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/usr/bin/cp

[cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/knerl /bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/knerl /bin/lsof]

/bin/sh

[sh -c chmod 0755 /bin/lsof]

/usr/bin/chmod

[chmod 0755 /bin/lsof]

/bin/sh

[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]

/usr/bin/cp

[cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/knerl /bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/knerl /bin/ps]

/bin/sh

[sh -c chmod 0755 /bin/ps]

/usr/bin/chmod

[chmod 0755 /bin/ps]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof]

/bin/sh

[sh -c chmod 0755 /usr/bin/lsof]

/usr/bin/chmod

[chmod 0755 /usr/bin/lsof]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/knerl /usr/bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/knerl /usr/bin/ps]

/bin/sh

[sh -c chmod 0755 /usr/bin/ps]

/usr/bin/chmod

[chmod 0755 /usr/bin/ps]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 mmm.920xz.com udp
US 172.67.218.235:920 mmm.920xz.com tcp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 1.1.1.1:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 8.8.8.8:53 360.baidu.com.9kpk.com udp
US 104.21.38.46:920 mmm.920xz.com tcp

Files

memory/1510-1-0x0000000008048000-0x0000000008129e8c-memory.dmp

/tmp/vga.conf

MD5 ebb71045453f38676c40deb9864f811d
SHA1 810bd2adca8109e71a0fa4995bb7a965fd8d905a
SHA256 0d0c9bc37ae955b26c8bfecc22fcd072c4ea5ce95947a5051b5ed7399bff4f2e
SHA512 3a3fc2e1174cf6fa5acf3b1d706c3f21b85915b8f7bc2bae7c5ca6ceb86fc5377e33ff347264e1dd620fcba5fec174ae4b8793e7a9aaaf2b0ec06d85e077efdf

/etc/init.d/VsystemsshMdt

MD5 b29de5cc181ffee698b7d2bfffa3671f
SHA1 5584faa078c8f4014a9acb622ec6401f3e3cde9b
SHA256 04fdb37f1673309d0929c98bd850f93336ac8374d4d117bd986d89530e6ab027
SHA512 2fe4873f48f3557e34c313ffd0ab0ba5806845d122c839d96405551a1d5efbebf7df9cd8f7b5be2ab89357692ed87aba2859237e3d53acf546843dcbe180c616

/usr/bin/bsd-port/knerl

MD5 1ad0c890f8fbb9b392e0acb425de4f3c
SHA1 de9a9671cc45e0a486c8d4e3c1f2c9156cf1673a
SHA256 18f26cbad0f228e1bd4042603dfcb5e1b597f66dd968c832f77ea41564e808c2
SHA512 fa7ad4d586839c94b0f8025e8a1106f8609c1a44e720dc2882b5ee4af739d34b40720d8bd83130d7bac375ca8ccbf5efe0278e04ff7b9f2d8805ea25972304d4

/tmp/notify.file

MD5 31475e954686ec0a008f86dc13b8fd22
SHA1 d2fdde5e7d26b546436cae313287aef8045346c9
SHA256 1ce47d832cb496a83bc09bd75b004c702b81b4e0e2f184a96ca2945aa68f2aa7
SHA512 6cd6d9b53d27456bbf8679b9933f8b0141fdf225bf3d7879418db591ed2d7af988ea7b5b50b2c6af9e638883981d54b2b6d571d4e7a44b76a35b664132e46a3d

memory/1532-2-0x0000000008048000-0x0000000008129e8c-memory.dmp

memory/1540-3-0x0000000008048000-0x0000000008129e8c-memory.dmp

/etc/init.d/selinux

MD5 caa27b819c9303446f702929874a00e8
SHA1 d24199c0e376edea3f822b215148cc0dc78364bf
SHA256 da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b
SHA512 dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

/usr/bin/dpkgd/lsof

MD5 ab57b66cc531ae0f996963223e632b60
SHA1 bf7e5becd33f21c2539f5a75ffa0ab61c49c8795
SHA256 2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df
SHA512 908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

/usr/bin/dpkgd/ps

MD5 8146139c2ad7e550b1d1f49480997446
SHA1 074db8890c3227bd8a588417f5b9bde637bcf3af
SHA256 207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f
SHA512 b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

/tmp/idus.log

MD5 1373b284bc381890049e92d324f56de0
SHA1 d05785002742a30502dde3731b28883334e46040
SHA256 477e2d13152129e72c4a47a5abed06ce422daff2ca0e99d33bc527477effee34
SHA512 b409dbef7cad909beab9e2b251590e7a6773e6ef7bc3782a9adb4be3a2765fdefca68cb96b9b31e92e0edb23d521aa3adfb7c90ade660e75b1a04832d19d59f4

/tmp/conf.n

MD5 8f7922b090f3e1801fdb1d71d9c49abc
SHA1 626214a41cf5b8e83c3be7af1efe4cca585bb6b6
SHA256 fbf9d6e9acf4a30f08791be7f9416de4452e6b364867a52dd15cf5571d82aaf4
SHA512 54ac6efc27fd1ebf96b791732dc2e57c50c9ebd47c30c4c1d4f9d0f4f16a5450af7d911e92851a756a70511a85478e7fcafcdc9801fad7db51d265939bc5c155