Malware Analysis Report

2025-01-23 15:14

Sample ID 240824-2s9xeatgmc
Target bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118
SHA256 2376a8ffe25301b0fe3113308ed96f0f9c259e35690264d0a4ccd7332f35829e
Tags
upx antivm persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2376a8ffe25301b0fe3113308ed96f0f9c259e35690264d0a4ccd7332f35829e

Threat Level: Shows suspicious behavior

The file bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx antivm persistence

UPX packed file

Executes dropped EXE

Modifies init.d

Write file to user bin folder

Reads system routing table

Writes file to system bin folder

Checks CPU configuration

Reads system network configuration

Writes file to tmp directory

Reads runtime system information

Taken together, the behavioral run shows a self-installing Linux implant rather than merely "suspicious" activity. The sample copies itself to /usr/bin/bsd-port/agent (same SHA256 as the submitted file) and to /usr/bin/acpid, a name that collides with the legitimate ACPI event daemon; it writes the SysV init scripts /etc/init.d/DbSecurityMdt and /etc/init.d/selinux and links them as S97 and S99 into rc1.d through rc5.d; it backs up /bin/ps and /bin/lsof into /usr/bin/dpkgd/ and then overwrites /bin/ps, /bin/lsof, /usr/bin/ps and /usr/bin/lsof with copies of the agent, so process and open-file listings produced with those tools on an infected host cannot be trusted. It twice attempts insmod /usr/lib/xpacket.ko; no such file appears in the Files section, so a loaded kernel module is not confirmed by this run. The antivm tag rests only on reads of /proc/cpuinfo, which many benign programs perform, and is weak evidence on its own. The memory dumps map the image at 0x08048000, the conventional load address of a non-PIE 32-bit x86 ELF. Network activity is limited to DNS queries for shi1.720buy.cn and 231.78en.com and a single TCP connection to 139.196.58.17:45000.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-24 22:51

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 22:51

Reported

2024-08-24 22:54

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /usr/bin/bsd-port/agent /usr/bin/bsd-port/agent N/A
N/A /usr/bin/acpid /usr/bin/acpid N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/DbSecurityMdt /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for modification /etc/init.d/selinux /usr/bin/bsd-port/agent N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /usr/bin/bsd-port/agent N/A

Write file to user bin folder

Description Indicator Process Target
File opened for modification /usr/bin/bsd-port/agent.conf /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for modification /usr/bin/bsd-port/agent.conf /usr/bin/bsd-port/agent N/A
File opened for modification /usr/bin/dpkgd/ps /usr/bin/cp N/A
File opened for modification /usr/bin/bsd-port/conf.n /usr/bin/bsd-port/agent N/A
File opened for modification /usr/bin/ps /usr/bin/cp N/A
File opened for modification /usr/bin/bsd-port/udevd.conf /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for modification /usr/bin/bsd-port/agent /usr/bin/cp N/A
File opened for modification /usr/bin/acpid /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/lsof /usr/bin/cp N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/lsof /usr/bin/cp N/A
File opened for modification /bin/ps /usr/bin/cp N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for reading /proc/cpuinfo /usr/bin/bsd-port/agent N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/dev /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for reading /proc/net/dev /usr/bin/bsd-port/agent N/A
File opened for reading /proc/net/route /usr/bin/bsd-port/agent N/A
File opened for reading /proc/net/arp /usr/bin/bsd-port/agent N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/stat /usr/bin/bsd-port/agent N/A
File opened for reading /proc/sys/kernel/version /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/sys/kernel/version /usr/bin/acpid N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/meminfo /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/meminfo /usr/bin/bsd-port/agent N/A
File opened for reading /proc/sys/kernel/version /usr/bin/bsd-port/agent N/A
File opened for reading /proc/stat /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/notify.file /usr/bin/acpid N/A
File opened for modification /tmp/gates.note /usr/bin/acpid N/A
File opened for modification /tmp/moni.note /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for modification /tmp/bill.note /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for modification /tmp/gates.note /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for modification /tmp/notify.file /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 N/A
File opened for modification /tmp/moni.note /usr/bin/acpid N/A

Processes

/tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118

[/tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/usr/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c cp -f /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 /usr/bin/bsd-port/agent]

/usr/bin/cp

[cp -f /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 /usr/bin/bsd-port/agent]

/bin/sh

[sh -c /usr/bin/bsd-port/agent]

/usr/bin/bsd-port/agent

[/usr/bin/bsd-port/agent]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 /usr/bin/acpid]

/usr/bin/cp

[cp -f /tmp/bf96bba8b99c8a55f44841e8f670a259_JaffaCakes118 /usr/bin/acpid]

/bin/sh

[sh -c /usr/bin/acpid]

/usr/bin/acpid

[/usr/bin/acpid]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/sh

[sh -c mkdir -p /usr/bin/dpkgd]

/usr/bin/mkdir

[mkdir -p /usr/bin/dpkgd]

/bin/sh

[sh -c cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/usr/bin/cp

[cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/agent /bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/agent /bin/lsof]

/bin/sh

[sh -c chmod 0755 /bin/lsof]

/usr/bin/chmod

[chmod 0755 /bin/lsof]

/bin/sh

[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]

/usr/bin/cp

[cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/agent /bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/agent /bin/ps]

/bin/sh

[sh -c chmod 0755 /bin/ps]

/usr/bin/chmod

[chmod 0755 /bin/ps]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/agent /usr/bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/agent /usr/bin/lsof]

/bin/sh

[sh -c chmod 0755 /usr/bin/lsof]

/usr/bin/chmod

[chmod 0755 /usr/bin/lsof]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/agent /usr/bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/agent /usr/bin/ps]

/bin/sh

[sh -c chmod 0755 /usr/bin/ps]

/usr/bin/chmod

[chmod 0755 /usr/bin/ps]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]
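The process list above is the installer's complete routine: self-copy, SysV init persistence, backing up and overwriting ps and lsof, and the insmod attempt. The sweep below is added here as an example and is not part of the sandbox output; it checks a host, or a mounted image root, for exactly those artifacts. Paths, rc link names and the sample SHA256 come from this report; the demo root the script builds is constructed and merely stands in for the real files.

```shell
#!/bin/sh
# Added example, not part of the sandbox report: a read-only IOC sweep for the
# host artifacts this run recorded. Paths, rc link names and the sample hash are
# taken from the report; make_demo_root builds a constructed fake root so the
# sweep can be exercised without the real sample.

SAMPLE_SHA256=2376a8ffe25301b0fe3113308ed96f0f9c259e35690264d0a4ccd7332f35829e

# Files the sample dropped, wrote or tried to load (Signatures / Files / Processes).
IOC_PATHS="/usr/bin/bsd-port/agent /usr/bin/bsd-port/agent.conf
/usr/bin/bsd-port/conf.n /usr/bin/bsd-port/udevd.conf /usr/bin/acpid
/usr/bin/dpkgd/ps /usr/bin/dpkgd/lsof /etc/init.d/DbSecurityMdt
/etc/init.d/selinux /usr/lib/xpacket.ko
/tmp/gates.note /tmp/moni.note /tmp/bill.note /tmp/notify.file"

RC_LINKS="S97DbSecurityMdt S99selinux"                        # ln -s targets in rc1.d..rc5.d
REPLACED_TOOLS="/bin/ps /bin/lsof /usr/bin/ps /usr/bin/lsof"  # overwritten by cp -f

sha256_of() {                                                  # coreutils first, shasum fallback
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Print each IOC path that exists under ROOT.
scan_ioc_paths() {
    root=${1%/}
    for p in $IOC_PATHS; do [ -e "$root$p" ] && echo "present: $p"; done
    return 0
}

# Print each SysV start link the sample installs that exists under ROOT.
scan_rc_links() {
    root=${1%/}
    for n in 1 2 3 4 5; do for l in $RC_LINKS; do
        [ -L "$root/etc/rc$n.d/$l" ] && echo "present: /etc/rc$n.d/$l"
    done; done
    return 0
}

# Flag ps/lsof binaries whose SHA-256 matches the reported sample or the dropped
# agent (the latter also catches a different build that uses the same installer).
scan_replaced_tools() {
    root=${1%/}; agent_hash=
    [ -f "$root/usr/bin/bsd-port/agent" ] && agent_hash=$(sha256_of "$root/usr/bin/bsd-port/agent")
    for t in $REPLACED_TOOLS; do
        [ -f "$root$t" ] || continue
        h=$(sha256_of "$root$t")
        if [ "$h" = "$SAMPLE_SHA256" ] || { [ -n "$agent_hash" ] && [ "$h" = "$agent_hash" ]; }; then
            echo "replaced: $t $h"
        fi
    done
    return 0
}

# Report xpacket if ROOT/proc/modules lists it (ROOT=/ on a live host).
scan_kernel_module() {
    root=${1%/}
    [ -r "$root/proc/modules" ] && grep -q '^xpacket ' "$root/proc/modules" \
        && echo "loaded: xpacket (kernel module)"
    return 0
}

sweep() { scan_ioc_paths "$1"; scan_rc_links "$1"; scan_replaced_tools "$1"; scan_kernel_module "$1"; }

# Constructed demo root: a subset of the artifacts, with ps and lsof overwritten
# by a stand-in "agent" the same way the cp -f commands in the process list do.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin/bsd-port" "$d/usr/bin/dpkgd" "$d/bin" "$d/etc/init.d" "$d/etc/rc3.d" "$d/tmp" "$d/proc"
    printf 'stand-in agent\n' > "$d/usr/bin/bsd-port/agent"
    cp "$d/usr/bin/bsd-port/agent" "$d/bin/ps"
    cp "$d/usr/bin/bsd-port/agent" "$d/bin/lsof"
    printf 'original ps\n' > "$d/usr/bin/dpkgd/ps"   # backup the installer made
    printf 'original ps\n' > "$d/usr/bin/ps"         # left untouched in this demo
    : > "$d/etc/init.d/DbSecurityMdt"
    ln -s /etc/init.d/DbSecurityMdt "$d/etc/rc3.d/S97DbSecurityMdt"
    : > "$d/tmp/gates.note"
    printf 'xpacket 16384 0 - Live 0x0000000000000000\n' > "$d/proc/modules"
    echo "$d"
}

# Usage: sh sweep.sh /      -> sweep the live host (read-only)
#        sh sweep.sh        -> run against the constructed demo root
if [ -n "${1:-}" ]; then
    sweep "$1"
else
    demo=$(make_demo_root); sweep "$demo"; rm -rf "$demo"
fi
```

Because the sample replaces ps and lsof with itself, run the sweep from a trusted toolset (a rescue image or statically linked binaries) rather than the infected host's own PATH, and treat sha256sum on that host with the same suspicion. On Debian/Ubuntu, `dpkg -V procps lsof` is an independent check of the overwritten tools against the package manifests; on RPM systems `rpm -V procps-ng lsof` does the same. The UPX layer noted under static1 can be removed with `upx -d` on a copy of the sample before any string or import triage.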

Network

Country is geolocated from the destination address: the US rows are the sandbox's public resolvers (8.8.8.8 and 1.1.1.1) answering queries for shi1.720buy.cn and 231.78en.com, not attacker infrastructure, and 224.0.0.251:5353 is link-local mDNS multicast with no geolocation. The only non-DNS connection is TCP to 139.196.58.17:45000 (CN), which the sandbox attributes to 231.78en.com. No TCP row is tied to shi1.720buy.cn, so its many repeated lookups indicate retries rather than a completed connection.

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 231.78en.com udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 231.78en.com udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 8.8.8.8:53 231.78en.com udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 231.78en.com udp
US 1.1.1.1:53 shi1.720buy.cn udp
CN 139.196.58.17:45000 231.78en.com tcp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 8.8.8.8:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp
US 1.1.1.1:53 shi1.720buy.cn udp

Files

memory/1588-1-0x0000000008048000-0x0000000008129e8c-memory.dmp

/tmp/gates.note

MD5 dca5672ff3444c7e997aa9a2c4eb2094
SHA1 cdd8b8ab7d8c4ad5c8c0a829f5aa80c2ae7d5fed
SHA256 c5080dbc42e822a31c72ebf171d79394f57bba1e0511bad4a721c2c0f62ae6b3
SHA512 0119f9ebc71ba2f8ab8ee60f6560ba30ef9d9427d028ca186463a44c25a9aafb8d8dbefeff991afce20ce40da9932ac3137140c012e960596421943bc42313db

/etc/init.d/DbSecurityMdt

MD5 ff792b32abf780622de6c8b22b6f9fba
SHA1 dbb430f862ed4f078c5f15edefa8e598f8bada5c
SHA256 753e6abbc967a036e6c097bb4ad1953c44bec9fed090914f61ee07f46cdda229
SHA512 d43c78fb6b2d81ed93b893afaf8b05b400519c4489fb25ae659b22eb3e01ce2813433b27c7e8a7578728577925575d66c003959fc7fa4254471a605701be0c10

/usr/bin/bsd-port/agent

MD5 bf96bba8b99c8a55f44841e8f670a259
SHA1 144194bd7334735a03beb8811e79e5c5a34a623b
SHA256 2376a8ffe25301b0fe3113308ed96f0f9c259e35690264d0a4ccd7332f35829e
SHA512 cd6564bce6b0ca1026852204c2a1bb52cd891fcd5259471f1f591c97217e0b21cb201006f7dd427a8f1a0eaa5f23cda71e20847ee76489b93d9446e3e5d578cd

/tmp/notify.file

MD5 ea4da2fb557897b460c258632bda3a87
SHA1 29943c7c1cec9ea7c0aeb0d72d0636010748cb46
SHA256 296df1b91a512c139597523169bbe66dfd6077d7c8bf0cbbf20d910c72361bc2
SHA512 71efe39934a6dc8636cf68526eb102fb2e82a2ce8a3fc7855f2a7e8014b694090ce0631e5cdfd3a64528295a1ebc7d4f6a023e74db89fd084be6edb502ca531f

memory/1629-2-0x0000000008048000-0x0000000008129e8c-memory.dmp

memory/1637-3-0x0000000008048000-0x0000000008129e8c-memory.dmp

/etc/init.d/selinux

MD5 c6a80f08539a4c3176762f514976dd24
SHA1 bbc5826b01d20f5c4d315ff5dbc3f216760c64ef
SHA256 ea47e885ae227059ce55d020335f7869c565ec6d85f484497e83cd4998149d5d
SHA512 9a1e3b0142876305fe389e07880bd586e97bf709273a66299d9128ff2861459104054d4e5d836aecdf73f2c11886fa3a2a8498741adb3211b96116658b856175

/usr/bin/dpkgd/lsof

MD5 ab57b66cc531ae0f996963223e632b60
SHA1 bf7e5becd33f21c2539f5a75ffa0ab61c49c8795
SHA256 2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df
SHA512 908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

/usr/bin/dpkgd/ps

MD5 8146139c2ad7e550b1d1f49480997446
SHA1 074db8890c3227bd8a588417f5b9bde637bcf3af
SHA256 207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f
SHA512 b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

/tmp/moni.note

MD5 7e230522657ecdc50e4249581b861f8e
SHA1 db0477132b98737a6964423def574c8f78307501
SHA256 6df26dfff059f42aeb0607a761d34c2b820af73ab0c5bfb111f7fe9dadda850a
SHA512 dc5217e95f410349c1c25fdb340a412438068f536dc73bc340f6c1a731112cd99f454d3dbd242e1db0d04bed9b2909881c4a37a891fa7900c71a995c135f7ec6

/usr/bin/bsd-port/conf.n

MD5 cf21f2144745fbc229f893fc37e76bfa
SHA1 18380efb998f7d513eabd2544c12ea2a548088c1
SHA256 ed4cecc8c915556bd1547dc54e47f95e5fd1d9d565b7c286eb21865192e3e00c
SHA512 af4d0c96e7594b352e6a395db93d86766378c1d721d618c42ed02b30e659f0b2b30da9d69b762af78ff86f8654e2e061ec33e2c11fc1d6c4c3180696fa858873