Malware Analysis Report

2024-10-24 21:19

Sample ID 240729-f5a3ysygqa
Target 399176415f868f4635f2ebc0f16e4676_JaffaCakes118
SHA256 8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010

Threat Level: Shows suspicious behavior

The file 399176415f868f4635f2ebc0f16e4676_JaffaCakes118 was classified as: shows suspicious behavior.

Malicious Activity Summary

antivm

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 05:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 05:26

Reported

2024-07-29 11:38

Platform

ubuntu2004-amd64-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A /tmp/freeBSD N/A
N/A N/A /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/freeBSD /tmp/freeBSD N/A
N/A /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a N/A
N/A /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 N/A
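The "Checks CPU configuration / antivm" signature fires on nothing more than an open() of /proc/cpuinfo, so it is worth knowing what a sandbox-aware binary would actually look for in that file. The Python below is an added illustration of that kind of check, not code recovered from this sample; the marker strings, the single-CPU heuristic and both cpuinfo texts are constructed for the example.

```python
"""Illustration of the kind of check behind a 'Checks CPU configuration /
antivm' signature: parse /proc/cpuinfo text and look for virtualization
tells. Added example for this report; not code recovered from the sample."""

# Substrings in the model-name field that commonly identify hypervisor CPUs
# (assumed list for the example).
VM_MODEL_MARKERS = ("qemu", "kvm", "virtual", "vmware", "xen", "hyper-v", "bochs")


def parse_cpuinfo(text: str) -> list[dict[str, str]]:
    """Split /proc/cpuinfo into one dict per 'processor' block."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates processor blocks
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def vm_indicators(cpuinfo_text: str) -> list[str]:
    """Return the reasons a sandbox-aware sample might decide it is in a VM."""
    cpus = parse_cpuinfo(cpuinfo_text)
    reasons = []
    for i, cpu in enumerate(cpus):
        flags = set(cpu.get("flags", "").split())
        if "hypervisor" in flags:      # set by the hypervisor in CPUID leaf 1
            reasons.append(f"cpu{i}: 'hypervisor' flag set")
        model = cpu.get("model name", "").lower()
        for marker in VM_MODEL_MARKERS:
            if marker in model:
                reasons.append(f"cpu{i}: model name mentions '{marker}'")
                break
    if 0 < len(cpus) < 2:
        reasons.append("single logical CPU (common for sandbox VMs)")
    return reasons


# Constructed inputs, not captured from the analysis VM.
SANDBOX_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: QEMU Virtual CPU version 2.5+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor
"""

BARE_METAL_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sse sse2

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep sse sse2
"""

if __name__ == "__main__":
    print(vm_indicators(SANDBOX_CPUINFO))
    print(vm_indicators(BARE_METAL_CPUINFO))
```

Reading /proc/cpuinfo is also routine for benign code (runtime libraries sizing thread pools, for instance), so on its own this signature is low confidence; what makes it interesting here is that it sits next to the self-copy and copy-back activity recorded under Processes.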

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/dev /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/sys/kernel/version /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 N/A
File opened for reading /proc/stat /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a N/A
File opened for modification /tmp/fake.cfg /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 N/A
File opened for modification /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /usr/bin/cp N/A
File opened for modification /tmp/freeBSD /usr/bin/cp N/A
File opened for modification /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /usr/bin/cp N/A

Processes

/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118

[/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a]

/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a

[/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]

/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118

/bin/sh

[sh -c cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]

/usr/bin/cp

[cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
US 142.0.132.107:10991 - tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 142.0.132.107:10991 - tcp
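Not every row in the Network table is an indicator: the mDNS multicast and the connectivity-check.ubuntu.com lookups are the Ubuntu guest's own traffic. The Python below is an added example of turning rows like these into a de-duplicated IOC list; the noise list is an assumption for the example (the report does not say which process made each connection), and the table text is a copy of the rows above embedded as input.

```python
"""Turn the report's Network rows into actionable indicators, separating
sandbox/OS noise from connections worth blocking. Added example; the
noise list is an assumption, not part of the report."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


# Endpoints the Ubuntu analysis VM generates by itself (assumed noise).
NOISE_DOMAINS = {"connectivity-check.ubuntu.com"}
NOISE_ENDPOINTS = {("224.0.0.251", 5353, "udp")}   # mDNS multicast


def parse_network_rows(text: str) -> list[Conn]:
    """Parse 'Country Destination Domain Proto' rows; the Domain column
    may be empty, '-' or missing entirely for non-DNS connections."""
    conns = []
    for line in text.strip().splitlines()[1:]:        # skip header row
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unparseable row: {line!r}")
        if domain in ("-", "N/A"):
            domain = None
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def is_noise(c: Conn) -> bool:
    """True for traffic attributable to the guest OS rather than the sample."""
    if c.domain in NOISE_DOMAINS:
        return True
    if (c.ip, c.port, c.proto) in NOISE_ENDPOINTS:
        return True
    addr = ipaddress.ip_address(c.ip)
    return addr.is_multicast or addr.is_private or addr.is_loopback


def actionable_iocs(text: str) -> list[str]:
    """Unique 'ip:port/proto' strings after noise removal, first-seen order."""
    seen = []
    for c in parse_network_rows(text):
        if is_noise(c):
            continue
        ioc = f"{c.ip}:{c.port}/{c.proto}"
        if ioc not in seen:
            seen.append(ioc)
    return seen


# Copy of the report's Network table, embedded here as the input.
REPORT_NETWORK = """Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 142.0.132.107:10991 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 142.0.132.107:10991 tcp
"""

if __name__ == "__main__":
    for ioc in actionable_iocs(REPORT_NETWORK):
        print(ioc)
```

The remaining endpoint, 142.0.132.107:10991/tcp, is the one connection on this page that is not explained by the guest's own behavior. Because the sandbox output does not tie network rows to a process, confirm the attribution (for example from a packet capture or by re-running with process-level network tracing) before pushing the address to a blocklist.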

Files

/tmp/freeBSD

MD5 399176415f868f4635f2ebc0f16e4676
SHA1 c6637bb1d77cc394af34c71efd15f9de31210050
SHA256 8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010
SHA512 22d3c07c9b60f8856337bfa32c9f3c3b7fcdc797a3d5b64991afa948d6235ab5bab85658f95c72f8e38996cd0e613df4120d74aa2e03533991487d99d2aba9ad

/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118

MD5 08a05734595d2fdf700b2e4e5e513683
SHA1 daa4ca8a22a60845088f0a9f69a9938baea7eecc
SHA256 2c801bad37a668d45e125f509dd208473b319b4106b08d706a6a9e71b9753a6d
SHA512 380656eed4bcd98cef180dd03745bf6cd607ffb09b82c762d1491f39ee03ad034d0cf27ed92aeae179f65adc149fa91e21e9c8a2fe0a8d6606bbe22a5da5e4b1
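The Processes and Files sections together tell one story: the sample copies itself to /tmp/freeBSD and to a path with an "a" suffix, runs both copies, and the "a" copy is finally copied back over the original path. The Files section confirms this: /tmp/freeBSD carries exactly the submitted sample's hashes (its SHA256 matches the sample SHA256 at the top of the report), while the file at the original path ends the run with different hashes. The Python below is an added example of detecting that drop, execute and overwrite chain from a process list and reconciling it with the recorded hashes; the process tuples and hash table are transcribed from this page, and the finding format is the example's own.

```python
"""Detect the self-copy / execute / overwrite chain visible in the Processes
section and reconcile it with the Files section hashes. Added example for
this report; the event list and hashes below are transcribed from the page."""
import shlex
from typing import Optional

SAMPLE = "/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118"
SAMPLE_SHA256 = "8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010"

# Process launches in report order: (executable, full command line).
PROCESSES = [
    (SAMPLE, SAMPLE),
    ("/bin/sh", f"sh -c cp {SAMPLE} /tmp/freeBSD"),
    ("/usr/bin/cp", f"cp {SAMPLE} /tmp/freeBSD"),
    ("/bin/sh", f"sh -c cp {SAMPLE} {SAMPLE}a"),
    ("/tmp/freeBSD", "/tmp/freeBSD /tmp/freeBSD 1"),
    ("/usr/bin/cp", f"cp {SAMPLE} {SAMPLE}a"),
    (f"{SAMPLE}a", f"{SAMPLE}a {SAMPLE}"),
    ("/bin/sh", f"sh -c cp {SAMPLE}a {SAMPLE}"),
    ("/usr/bin/cp", f"cp {SAMPLE}a {SAMPLE}"),
]

# SHA256 of each file as recorded after detonation (Files section).
FILE_SHA256 = {
    "/tmp/freeBSD": "8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010",
    SAMPLE: "2c801bad37a668d45e125f509dd208473b319b4106b08d706a6a9e71b9753a6d",
}


def copy_args(cmdline: str) -> Optional[tuple[str, str]]:
    """Return (src, dst) for a plain two-argument cp, else None."""
    argv = shlex.split(cmdline)
    if len(argv) == 3 and argv[0] == "cp":
        return argv[1], argv[2]
    return None


def self_copy_chain(processes, sample: str) -> list[str]:
    """Walk the launches in order. A cp whose source is a binary that has
    already run (or a copy of one) is a 'drop'; executing the destination
    is 'exec-dropped'; a cp onto a path that already ran is an 'overwrite'."""
    executed = {sample}     # paths that have been executed so far
    copies = {}             # dst -> src for copies of executed binaries
    findings = []
    for exe, cmdline in processes:
        if exe.endswith("/cp"):
            args = copy_args(cmdline)
            if args is None:
                continue
            src, dst = args
            if src in executed or src in copies:
                copies[dst] = src
                if dst in executed:
                    findings.append(f"overwrite: {src} copied over executed {dst}")
                else:
                    findings.append(f"drop: {src} copied to {dst}")
        elif exe in copies:
            findings.append(f"exec-dropped: {exe} (copy of {copies[exe]})")
            executed.add(exe)
        else:
            executed.add(exe)
    return findings


def reconcile_hashes(file_sha256: dict, sample_sha256: str) -> dict[str, str]:
    """Label each recorded file as byte-identical to the submission or not."""
    return {
        path: ("identical to submitted sample" if digest == sample_sha256
               else "differs from submitted sample")
        for path, digest in file_sha256.items()
    }


if __name__ == "__main__":
    for finding in self_copy_chain(PROCESSES, SAMPLE):
        print(finding)
    for path, verdict in reconcile_hashes(FILE_SHA256, SAMPLE_SHA256).items():
        print(f"{path}: {verdict}")
```

The hash reconciliation is the check worth doing before re-analysis: the SHA256 recorded for the original path after the run is not the submission's, so anyone pulling "the sample" back out of the VM by its original filename would get the rewritten file rather than what was submitted. Collect /tmp/freeBSD (identical to the submission) and the post-run original separately and diff them to see what the "a" copy changed.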