Malware Analysis Report

2024-10-24 21:20

Sample ID 240729-hl8afsxenp
Target 3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118
SHA256 4bccf3d04c1a8dbd6be13c07f42e9467f21b2e2d0a89134e4db55b3e924fbd6c
Tags
antivm upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4bccf3d04c1a8dbd6be13c07f42e9467f21b2e2d0a89134e4db55b3e924fbd6c

Threat Level: Shows suspicious behavior

The file 3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

antivm upx

Deletes itself

Executes dropped EXE

UPX packed file

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 06:50

Signatures

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 06:50

Reported

2024-07-29 12:05

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118]

Signatures

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/freeBSD | N/A |
| N/A | N/A | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/freeBSD | /tmp/freeBSD | N/A |
| N/A | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a | N/A |
| N/A | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Checks CPU configuration

antivm
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | N/A |

Reads system network configuration

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/dev | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | N/A |

Reads runtime system information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/sys/kernel/version | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | N/A |
| File opened for reading | /proc/stat | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |

Writes file to tmp directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a | N/A |
| File opened for modification | /tmp/fake.cfg | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | N/A |
| File opened for modification | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 | /usr/bin/cp | N/A |
| File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A |
| File opened for modification | /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a | /usr/bin/cp | N/A |

Processes

/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118

[/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118 /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a]

/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a

[/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118]

/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118

/bin/sh

[sh -c cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118]

/usr/bin/cp

[cp /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118a /tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118]

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 198.13.96.38:10991 | | tcp |
| US | 198.13.96.38:10991 | | tcp |

Files

/tmp/freeBSD

MD5 3b5dc047c1aa2200136cce6490b9c912
SHA1 bd273b4aa47546d108119a45212bb96bbb216eb1
SHA256 4bccf3d04c1a8dbd6be13c07f42e9467f21b2e2d0a89134e4db55b3e924fbd6c
SHA512 f92c245beb9537fe1e4d9b6c09c3c7a62ae6b3ee5728189515fba07a0157c3a61a0dd922120bb4d77ce872e06193d12a126ca9ff48a9730093f2683889ccabe2

memory/1507-1-0x0000000008048000-0x00000000082a063c-memory.dmp

/tmp/3b5dc047c1aa2200136cce6490b9c912_JaffaCakes118

MD5 2c87dc6553988b587e0755a1bd11d265
SHA1 9e63beee5f714dd36ae867008e9cfd4022dd0e4e
SHA256 229ab234a460de38c88542c1a8f07e476f6680f4e3cd87c3143b5cb21942aba9
SHA512 27a77bfd62f23f7a1c8fe8d95b56ebb1ab71b483d909f7c8a48b351d4ba4b93df2e3d568da49bf23fda992dfc983300146c2b64db10328cec2e55bbb42c965df

memory/1510-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1513-3-0x0000000008048000-0x00000000082a063c-memory.dmp