Analysis Overview
SHA256
8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010
Threat Level: Shows suspicious behavior
The file 399176415f868f4635f2ebc0f16e4676_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Checks CPU configuration
Reads system network configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-29 05:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 05:26
Reported
2024-07-29 11:38
Platform
ubuntu2004-amd64-20240729-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/freeBSD | N/A |
| N/A | N/A | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /tmp/freeBSD | /tmp/freeBSD | N/A |
| N/A | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a | N/A |
| N/A | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | N/A |
Reads system network configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/net/dev | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/sys/kernel/version | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | N/A |
| File opened for reading | /proc/stat | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a | N/A |
| File opened for modification | /tmp/fake.cfg | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | N/A |
| File opened for modification | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 | /usr/bin/cp | N/A |
| File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A |
| File opened for modification | /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a | /usr/bin/cp | N/A |
Processes
/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118
[/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]
/bin/sh
[sh -c cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/freeBSD]
/usr/bin/cp
[cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/freeBSD]
/bin/sh
[sh -c cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a]
/tmp/freeBSD
[/tmp/freeBSD /tmp/freeBSD 1]
/usr/bin/cp
[cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118 /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a]
/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a
[/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]
/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118
/bin/sh
[sh -c cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]
/usr/bin/cp
[cp /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118a /tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 142.0.132.107:10991 | tcp | |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 142.0.132.107:10991 | tcp |
Files
/tmp/freeBSD
| MD5 | 399176415f868f4635f2ebc0f16e4676 |
| SHA1 | c6637bb1d77cc394af34c71efd15f9de31210050 |
| SHA256 | 8e2219230f2e3f5978f48a74e2184a42f4557ea99b9baace3834a73b5f5e3010 |
| SHA512 | 22d3c07c9b60f8856337bfa32c9f3c3b7fcdc797a3d5b64991afa948d6235ab5bab85658f95c72f8e38996cd0e613df4120d74aa2e03533991487d99d2aba9ad |
/tmp/399176415f868f4635f2ebc0f16e4676_JaffaCakes118
| MD5 | 08a05734595d2fdf700b2e4e5e513683 |
| SHA1 | daa4ca8a22a60845088f0a9f69a9938baea7eecc |
| SHA256 | 2c801bad37a668d45e125f509dd208473b319b4106b08d706a6a9e71b9753a6d |
| SHA512 | 380656eed4bcd98cef180dd03745bf6cd607ffb09b82c762d1491f39ee03ad034d0cf27ed92aeae179f65adc149fa91e21e9c8a2fe0a8d6606bbe22a5da5e4b1 |