Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    29-07-2024 11:02

General

  • Target

    426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118

  • Size

    1.1MB

  • MD5

    426cc76727e027d992c2de8f3fb6d5b7

  • SHA1

    2f4e032c375ed5cf78fb7971b842eb43ee545655

  • SHA256

    832afec6e96ed9c35fd606254a0ad6b5a7222dd318235a80bc100e10560feb48

  • SHA512

    f4c8753fbb838b9c37a2c0cb2768e6f3d664a7f32d7c8ce7692d314f6d2c0f15db86e2857e69f9b010dbc2030acf31d2e3555c465e1b47bf2c055ba570f2f387

  • SSDEEP

    24576:8SlXre0q1r+GsNUV81TSCi1REMVuS3CLOGqjnY4wHFTBjjo2OsLBB4J:8SNt4rONU6N1AUJ82OsLBBy

Score
7/10

Malware Config

Signatures

  • Deletes itself 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicates whether the system is a virtual machine.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 5 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
    /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
    1⤵
      PID:1563
      • /bin/sh
        sh -c "cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/freeBSD"
        2⤵
          PID:1576
          • /usr/bin/cp
            cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/freeBSD
            3⤵
            • Reads runtime system information
            • Writes file to tmp directory
            PID:1577
        • /tmp/freeBSD
          /tmp/freeBSD /tmp/freeBSD 1
          2⤵
          • Deletes itself
          • Executes dropped EXE
          PID:1583
        • /bin/sh
          sh -c "cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a"
          2⤵
            PID:1584
            • /usr/bin/cp
              cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a
              3⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:1588
        • /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a
          /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
          1⤵
          • Deletes itself
          • Executes dropped EXE
          • Writes file to tmp directory
          PID:1593
          • /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
            2⤵
            • Executes dropped EXE
            • Checks CPU configuration
            • Reads system network configuration
            • Reads runtime system information
            • Writes file to tmp directory
            PID:1594
          • /bin/sh
            sh -c "cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118"
            2⤵
              PID:1597
              • /usr/bin/cp
                cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
                3⤵
                • Reads runtime system information
                • Writes file to tmp directory
                PID:1598

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118

    Filesize

    1.3MB

    MD5

    71c1364cd454c66c9fe53d4f1a0dca43

    SHA1

    13bcaa53e432d43c7b412077060a69b39d6db13a

    SHA256

    e1714f503e4c55ea56c97e869c4d915165a6a64b5644176f083a462d9029c7af

    SHA512

    80eb96ae6f6507d9baa16c540fc838d5d23542653f993bb6636cc7772b959b69bbf76a116ed760b3d353317a25f2af7cefe36614a26d1c51734da66735e44e58

  • /tmp/freeBSD

    Filesize

    1.1MB

    MD5

    426cc76727e027d992c2de8f3fb6d5b7

    SHA1

    2f4e032c375ed5cf78fb7971b842eb43ee545655

    SHA256

    832afec6e96ed9c35fd606254a0ad6b5a7222dd318235a80bc100e10560feb48

    SHA512

    f4c8753fbb838b9c37a2c0cb2768e6f3d664a7f32d7c8ce7692d314f6d2c0f15db86e2857e69f9b010dbc2030acf31d2e3555c465e1b47bf2c055ba570f2f387

  • memory/1563-1-0x0000000008048000-0x00000000082a063c-memory.dmp

  • memory/1583-2-0x0000000008048000-0x00000000082a063c-memory.dmp

  • memory/1593-3-0x0000000008048000-0x00000000082a063c-memory.dmp