Malware Analysis Report

2025-01-23 15:15

Sample ID 240824-t2vvvaygpa
Target bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118
SHA256 84b44a53ba71dc027aec0dfbe11533f54d319524b05df5821c38b9954dc79a48
Tags
upx antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

84b44a53ba71dc027aec0dfbe11533f54d319524b05df5821c38b9954dc79a48

Threat Level: Shows suspicious behavior

The file bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

upx antivm

UPX packed file

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-24 16:33

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 16:33

Reported

2024-08-24 16:36

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

132s

Command Line

[/tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a | N/A
N/A | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/sys/kernel/version | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | N/A
File opened for reading | /proc/stat | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A
File opened for modification | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a | /usr/bin/cp | N/A
File opened for modification | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a | N/A
File opened for modification | /tmp/fake.cfg | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | N/A
File opened for modification | /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 | /usr/bin/cp | N/A

Processes

/tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118

[/tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118 /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a]

/tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a

[/tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118]

/tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118

/bin/sh

[sh -c cp /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118]

/usr/bin/cp

[cp /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118a /tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

/tmp/freeBSD

MD5 bf00e5049ac0b147780a81db8a82ab56
SHA1 f4e9648dc0ff23919750fdf269b66c7583140810
SHA256 84b44a53ba71dc027aec0dfbe11533f54d319524b05df5821c38b9954dc79a48
SHA512 0e9c966e6dddf4c976098d22accd9291944f8149b0c11439f863216ff495602f9b098ea49ad4890c6f6b1c41680f0fb087ec708746cbed57789c913a78fee49a

/tmp/bf00e5049ac0b147780a81db8a82ab56_JaffaCakes118

MD5 e48388930f3aadee740ee3dba168d61c
SHA1 a9258eeb5116e53349118d0e2140379501968a99
SHA256 5fc92e58681d436946dc36c0dcfe823f1a2bf5fffcd1f6289903caba3b9157dd
SHA512 359df77c4f917ecf0938665a7de74b6c666a29864e1e0f7bc180ea7efeeda7f3cba138d9bcd2bf53a71667c5985c40e216f6aedb7cd80d13517d12d99d0bb9db

memory/1578-1-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1590-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1593-3-0x0000000008048000-0x00000000082a063c-memory.dmp