Malware Analysis Report

2024-10-24 21:20

Sample ID: 240729-ngg6cszhkf
Target: 43536e52614ea838a6955cc7603c833a_JaffaCakes118
SHA256: 72a9ed5d3658cb4cf7d226ef8421844476a3ed4ad43f63783304150249c3dba2
Tags: upx antivm
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 43536e52614ea838a6955cc7603c833a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

UPX packed file

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-07-29 11:21

Signatures

UPX packed file

Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-29 11:21
Reported: 2024-07-29 11:48
Platform: ubuntu2204-amd64-20240729-en
Max time kernel: 149s
Max time network: 149s

Command Line

[/tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a | N/A
N/A | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | N/A

UPX packed file

Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU configuration

Tag: antivm

Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/sys/kernel/version | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | N/A
File opened for reading | /proc/stat | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A
File opened for modification | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a | /usr/bin/cp | N/A
File opened for modification | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a | N/A
File opened for modification | /tmp/fake.cfg | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | N/A
File opened for modification | /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 | /usr/bin/cp | N/A

Processes

/tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118

[/tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118 /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a]

/tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a

[/tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118]

/tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118

/bin/sh

[sh -c cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118]

/usr/bin/cp

[cp /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118a /tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
CN | 218.244.148.150:10888 | N/A | tcp
CN | 218.244.148.150:10888 | N/A | tcp

Files

/tmp/freeBSD

MD5: 43536e52614ea838a6955cc7603c833a
SHA1: 38353898e4a2048b866c5a53a3e52d3006f6c890
SHA256: 72a9ed5d3658cb4cf7d226ef8421844476a3ed4ad43f63783304150249c3dba2
SHA512: 78b2f711448d7da7e9d65666ecbc84593aa434b5414c2aa23638825f61c7593218ed47dd73f0b6526a11156ea1eb621a7478c118a2f05ad1ddce55cd73a9920f

/tmp/43536e52614ea838a6955cc7603c833a_JaffaCakes118

MD5: 81120b9ff418d5d660f21a8c389ec27e
SHA1: b0cd2f53ca40e5aaabb4e6134d96e580d40f11bd
SHA256: 869f93060e503f1084c322e6bdce66ac04d7d11b236eab3b509e7a1c9d0cd227
SHA512: b4685fbff8b6eb2a41afce7c8a3fd0df8e389639421e9343eac18a45f9a229e0355afbe234a90f330328825434871ff2e39f6c2fde2ee2a7626f4aaee673382e

memory/1508-1-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1511-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1514-3-0x0000000008048000-0x00000000082a063c-memory.dmp