Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240729-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    29-07-2024 06:50

General

  • Target

    3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118

  • Size

    821KB

  • MD5

    3b5dc047c1aa2200136cce6490b9c912

  • SHA1

    bd273b4aa47546d108119a45212bb96bbb216eb1

  • SHA256

    4bccf3d04c1a8dbd6be13c07f42e9467f21b2e2d0a89134e4db55b3e924fbd6c

  • SHA512

    f92c245beb9537fe1e4d9b6c09c3c7a62ae6b3ee5728189515fba07a0157c3a61a0dd922120bb4d77ce872e06193d12a126ca9ff48a9730093f2683889ccabe2

  • SSDEEP

    24576:4wijaA7f7G35Mn4WahdvOItw02h90PG+bwYh:4wSlfyJq4FhuTheFbJ

Score
7/10

Malware Config

Signatures

  • Deletes itself 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 5 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
    /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
    1⤵
    PID:1507
    • /bin/sh
      sh -c "cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/freeBSD"
      2⤵
      PID:1508
      • /usr/bin/cp
        cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/freeBSD
        3⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:1509
    • /bin/sh
      sh -c "cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a"
      2⤵
      PID:1511
      • /usr/bin/cp
        cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a
        3⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:1512
    • /tmp/freeBSD
      /tmp/freeBSD /tmp/freeBSD 1
      2⤵
      • Deletes itself
      • Executes dropped EXE
      PID:1510
  • /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a
    /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Writes file to tmp directory
    PID:1513
    • /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
      2⤵
      • Executes dropped EXE
      • Checks CPU configuration
      • Reads system network configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:1514
    • /bin/sh
      sh -c "cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118"
      2⤵
      PID:1519
      • /usr/bin/cp
        cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
        3⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118

    Filesize

    1.3MB

    MD5

    2c87dc6553988b587e0755a1bd11d265

    SHA1

    9e63beee5f714dd36ae867008e9cfd4022dd0e4e

    SHA256

    229ab234a460de38c88542c1a8f07e476f6680f4e3cd87c3143b5cb21942aba9

    SHA512

    27a77bfd62f23f7a1c8fe8d95b56ebb1ab71b483d909f7c8a48b351d4ba4b93df2e3d568da49bf23fda992dfc983300146c2b64db10328cec2e55bbb42c965df

  • /tmp/freeBSD

    Filesize

    821KB

    MD5

    3b5dc047c1aa2200136cce6490b9c912

    SHA1

    bd273b4aa47546d108119a45212bb96bbb216eb1

    SHA256

    4bccf3d04c1a8dbd6be13c07f42e9467f21b2e2d0a89134e4db55b3e924fbd6c

    SHA512

    f92c245beb9537fe1e4d9b6c09c3c7a62ae6b3ee5728189515fba07a0157c3a61a0dd922120bb4d77ce872e06193d12a126ca9ff48a9730093f2683889ccabe2

  • memory/1507-1-0x0000000008048000-0x00000000082a063c-memory.dmp

  • memory/1510-2-0x0000000008048000-0x00000000082a063c-memory.dmp

  • memory/1513-3-0x0000000008048000-0x00000000082a063c-memory.dmp