Malware Analysis Report

2024-10-24 21:19

Sample ID 240729-m5lm1svhmq
Target 426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118
SHA256 832afec6e96ed9c35fd606254a0ad6b5a7222dd318235a80bc100e10560feb48
Tags
upx antivm
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

UPX packed file

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

Analysis: static1

Detonation Overview

Reported

2024-07-29 11:02

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 11:02

Reported

2024-07-29 11:31

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

153s

Command Line

[/tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a | N/A
N/A | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/sys/kernel/version | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | N/A
File opened for reading | /proc/stat | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/fake.cfg | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | N/A
File opened for modification | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | /usr/bin/cp | N/A
File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A
File opened for modification | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a | /usr/bin/cp | N/A
File opened for modification | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 | /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a | N/A

Processes

/tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118

[/tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/freeBSD]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/bin/sh

[sh -c cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a]

/usr/bin/cp

[cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118 /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a]

/tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a

[/tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118]

/tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118

/bin/sh

[sh -c cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118]

/usr/bin/cp

[cp /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118a /tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
CN | 123.249.45.180:10991 | N/A | tcp
CN | 123.249.45.180:10991 | N/A | tcp

Files

/tmp/freeBSD

MD5 426cc76727e027d992c2de8f3fb6d5b7
SHA1 2f4e032c375ed5cf78fb7971b842eb43ee545655
SHA256 832afec6e96ed9c35fd606254a0ad6b5a7222dd318235a80bc100e10560feb48
SHA512 f4c8753fbb838b9c37a2c0cb2768e6f3d664a7f32d7c8ce7692d314f6d2c0f15db86e2857e69f9b010dbc2030acf31d2e3555c465e1b47bf2c055ba570f2f387

memory/1563-1-0x0000000008048000-0x00000000082a063c-memory.dmp

/tmp/426cc76727e027d992c2de8f3fb6d5b7_JaffaCakes118

MD5 71c1364cd454c66c9fe53d4f1a0dca43
SHA1 13bcaa53e432d43c7b412077060a69b39d6db13a
SHA256 e1714f503e4c55ea56c97e869c4d915165a6a64b5644176f083a462d9029c7af
SHA512 80eb96ae6f6507d9baa16c540fc838d5d23542653f993bb6636cc7772b959b69bbf76a116ed760b3d353317a25f2af7cefe36614a26d1c51734da66735e44e58

memory/1583-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1593-3-0x0000000008048000-0x00000000082a063c-memory.dmp