Malware Analysis Report

2024-10-24 21:20

Sample ID 240729-pbhqdaxgkm
Target 45b6935f88538f5531afc2610a1cca23_JaffaCakes118
SHA256 fb7052fcf6f82cc40730deb412f0600946d01b2c2ba4b63db8e4de5dd3f897db
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fb7052fcf6f82cc40730deb412f0600946d01b2c2ba4b63db8e4de5dd3f897db

Threat Level: Shows suspicious behavior

The file 45b6935f88538f5531afc2610a1cca23_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Renames itself

Executes dropped EXE

Enumerates running processes

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 12:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 12:09

Reported

2024-07-29 12:11

Platform

debian12-armhf-20240729-en

Max time kernel

147s

Max time network

145s

Command Line

[/tmp/45b6935f88538f5531afc2610a1cca23_JaffaCakes118]

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/pro.sh | /tmp/pro.sh | N/A
N/A | /tmp/pro.sh | /tmp/pro.sh | N/A

Renames itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates running processes

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A
File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A

Reads CPU attributes

Description | Indicator | Process | Target
File opened for reading | /sys/devices/system/cpu/online | /tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/301/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/46/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/4/status | /usr/bin/ps | N/A
File opened for reading | /proc/20/stat | /usr/bin/ps | N/A
File opened for reading | /proc/207/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/206/stat | /usr/bin/ps | N/A
File opened for reading | /proc/344/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/18/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/3/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/143/stat | /usr/bin/ps | N/A
File opened for reading | /proc/28/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/653/environ | /usr/bin/ps | N/A
File opened for reading | /proc/142/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/9/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/783/environ | /usr/bin/ps | N/A
File opened for reading | /proc/9/status | /usr/bin/ps | N/A
File opened for reading | /proc/187/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/362/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/734/stat | /usr/bin/ps | N/A
File opened for reading | /proc/193/environ | /usr/bin/ps | N/A
File opened for reading | /proc/26/environ | /usr/bin/ps | N/A
File opened for reading | /proc/14/stat | /usr/bin/ps | N/A
File opened for reading | /proc/73/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/19/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/44/stat | /usr/bin/ps | N/A
File opened for reading | /proc/26/status | /usr/bin/ps | N/A
File opened for reading | /proc/3/environ | /usr/bin/ps | N/A
File opened for reading | /proc/7/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/36/status | /usr/bin/ps | N/A
File opened for reading | /proc/652/stat | /usr/bin/ps | N/A
File opened for reading | /proc/323/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/762/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/1/status | /usr/bin/ps | N/A
File opened for reading | /proc/9/stat | /usr/bin/ps | N/A
File opened for reading | /proc/9/stat | /usr/bin/ps | N/A
File opened for reading | /proc/28/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/73/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/18/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/206/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/652/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/25/stat | /usr/bin/ps | N/A
File opened for reading | /proc/16/environ | /usr/bin/ps | N/A
File opened for reading | /proc/694/stat | /usr/bin/ps | N/A
File opened for reading | /proc/839/stat | /usr/bin/ps | N/A
File opened for reading | /proc/143/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/753/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/19/stat | /usr/bin/ps | N/A
File opened for reading | /proc/637/environ | /usr/bin/ps | N/A
File opened for reading | /proc/9/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/350/environ | /usr/bin/ps | N/A
File opened for reading | /proc/1/status | /usr/bin/ps | N/A
File opened for reading | /proc/36/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/704/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/35/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/9/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/27/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/44/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/694/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/25/stat | /usr/bin/ps | N/A
File opened for reading | /proc/10/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/51/status | /usr/bin/ps | N/A
File opened for reading | /proc/36/cmdline | /usr/bin/ps | N/A
File opened for reading | /proc/323/ctty | /usr/bin/ps | N/A
File opened for reading | /proc/12/ctty | /usr/bin/ps | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118.lock | /tmp/45b6935f88538f5531afc2610a1cca23_JaffaCakes118 | N/A
File opened for modification | /tmp/pro.sh | /tmp/45b6935f88538f5531afc2610a1cca23_JaffaCakes118 | N/A
File opened for modification | /tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118.lock | /tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118 | N/A
File opened for modification | /tmp/pro.sh | /tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118 | N/A

Processes

/tmp/45b6935f88538f5531afc2610a1cca23_JaffaCakes118

[/tmp/45b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/bin/sh

[sh -c ulimit -n 2048]

/bin/sh

[sh -c chmod 777 pro.sh]

/usr/bin/chmod

[chmod 777 pro.sh]

/bin/sh

[sh -c ./pro.sh ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118 &]

/tmp/pro.sh

[./pro.sh ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/nohup

[nohup ./._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/tmp/._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118

[./._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/bin/sh

[sh -c ulimit -n 2048]

/bin/sh

[sh -c chmod 777 pro.sh]

/usr/bin/chmod

[chmod 777 pro.sh]

/bin/sh

[sh -c ./pro.sh ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118 &]

/tmp/pro.sh

[./pro.sh ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/grep

[grep cpu MHz]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/sleep

[sleep 10]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

/bin/sh

[sh -c cat /proc/cpuinfo|grep 'cpu MHz'|sed -e 's/.*:[^0-9]//']

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/grep

[grep cpu MHz]

/usr/bin/sed

[sed -e s/.*:[^0-9]//]

/usr/bin/ps

[ps -ef]

/usr/bin/grep

[grep ._2024072945b6935f88538f5531afc2610a1cca23_JaffaCakes118]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep -v pro.sh]

/usr/bin/sleep

[sleep 10]

Network

Country | Destination | Domain | Proto
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp
US | 1.1.1.1:53 | 0.debian.pool.ntp.org | udp
IN | 103.214.171.242:1209 | N/A | tcp
IN | 103.214.171.242:1209 | N/A | tcp

Files

/tmp/pro.sh

MD5 40d8d561d8ae7796e03a4f0f8e62a1ab
SHA1 2bc467db7ab4eb2bb4a5d082c452c0ad57a9813c
SHA256 6300dc9fa2a9a7d30906a535d938d6960dbbe883b93c6eeb12fa3a5696dd0010
SHA512 03743f2227c851bf0c3ad2e2fa4face0a0462c4f1c0d25b4beca5c511388b56c580b7ed38502ab1017b932edd5588c23563333a0dd055b649b708e7c0f7b2735