Analysis Overview
SHA256
ead1f229097555af8724321021bb8bb5421947e67cd244065dbd2990a6dcdb49
Threat Level: Likely benign
The file 3c6492a33885e363cae2841e0597c730_JaffaCakes118 was found to be: Likely benign.
Malicious Activity Summary
Checks CPU configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-29 07:40
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-29 07:40
Reported
2024-07-29 10:59
Platform
debian9-mipsbe-20240729-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Processes
/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118
[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]
/usr/bin/touch
[touch /root/Library/Application Support/.upd2029]
/usr/bin/openssl
[openssl md5]
/usr/bin/tr
[tr -d \n]
/usr/bin/awk
[awk -F" /IOPlatformSerialNumber/{print $(NF-1)}]
/usr/bin/curl
[curl -s -L http://events.macmymacupdater.com/services/channel/?mid=(stdin)= d41d8cd98f00b204e9800998ecf8427e]
/bin/date
[date +%Y%m%d%H%M%S]
/bin/mkdir
[mkdir -p /private/tmp/.mmupdatescripts_20240729105900]
/usr/bin/curl
[curl -s --data-urlencode event=upd2029start --data-urlencode click_id=31006619970322272 --data-urlencode c3=(stdin)= d41d8cd98f00b204e9800998ecf8427e --data-urlencode is_root=true --data-urlencode platform_version= --data-urlencode safari_version= --data-urlencode chrome_version= --data-urlencode r4= --data-urlencode domain=request.macmymacupdater.com --data-urlencode webtools_brand=MyCouponsmart --data-urlencode search_domain=www.searchmine.net --data-urlencode webtools_channel=upd-2029 --data-urlencode search_channel= http://client.mm-bq.host/AsyncQueueWorkers/trackQueue.php?p=1]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | events.macmymacupdater.com | udp |
| US | 161.47.20.33:80 | events.macmymacupdater.com | tcp |
| US | 1.1.1.1:53 | client.mm-bq.host | udp |
| US | 35.231.195.62:80 | client.mm-bq.host | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-29 07:40
Reported
2024-07-29 11:13
Platform
debian9-mipsel-20240729-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Processes
/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118
[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]
/usr/bin/touch
[touch /root/Library/Application Support/.upd2029]
/usr/bin/tr
[tr -d \n]
/usr/bin/awk
[awk -F" /IOPlatformSerialNumber/{print $(NF-1)}]
/usr/bin/openssl
[openssl md5]
/usr/bin/curl
[curl -s -L http://events.macmymacupdater.com/services/channel/?mid=(stdin)= d41d8cd98f00b204e9800998ecf8427e]
/bin/date
[date +%Y%m%d%H%M%S]
/bin/mkdir
[mkdir -p /private/tmp/.mmupdatescripts_20240729111242]
/usr/bin/curl
[curl -s --data-urlencode event=upd2029start --data-urlencode click_id=31006619970322272 --data-urlencode c3=(stdin)= d41d8cd98f00b204e9800998ecf8427e --data-urlencode is_root=true --data-urlencode platform_version= --data-urlencode safari_version= --data-urlencode chrome_version= --data-urlencode r4= --data-urlencode domain=request.macmymacupdater.com --data-urlencode webtools_brand=MyCouponsmart --data-urlencode search_domain=www.searchmine.net --data-urlencode webtools_channel=upd-2029 --data-urlencode search_channel= http://client.mm-bq.host/AsyncQueueWorkers/trackQueue.php?p=1]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | events.macmymacupdater.com | udp |
| US | 161.47.20.33:80 | events.macmymacupdater.com | tcp |
| US | 1.1.1.1:53 | client.mm-bq.host | udp |
| US | 35.231.195.62:80 | client.mm-bq.host | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 07:40
Reported
2024-07-29 11:25
Platform
ubuntu1804-amd64-20240729-en
Max time kernel
148s
Max time network
128s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
Processes
/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118
[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]
/usr/bin/touch
[touch /root/Library/Application Support/.upd2029]
/usr/bin/openssl
[openssl md5]
/usr/bin/tr
[tr -d \n]
/usr/bin/awk
[awk -F" /IOPlatformSerialNumber/{print $(NF-1)}]
/usr/bin/curl
[curl -s -L http://events.macmymacupdater.com/services/channel/?mid=(stdin)= d41d8cd98f00b204e9800998ecf8427e]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | events.macmymacupdater.com | udp |
| US | 1.1.1.1:53 | events.macmymacupdater.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| GB | 84.17.50.8:443 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-29 07:40
Reported
2024-07-29 10:44
Platform
debian9-armhf-20240729-en
Max time kernel
149s
Max time network
1s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Processes
/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118
[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]
/usr/bin/touch
[touch /root/Library/Application Support/.upd2029]
/usr/bin/awk
[awk -F" /IOPlatformSerialNumber/{print $(NF-1)}]
/usr/bin/tr
[tr -d \n]
/usr/bin/openssl
[openssl md5]
/usr/bin/curl
[curl -s -L http://events.macmymacupdater.com/services/channel/?mid=(stdin)= d41d8cd98f00b204e9800998ecf8427e]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | events.macmymacupdater.com | udp |