Malware Analysis Report

2025-01-23 15:18

Sample ID 240825-aw35gszekk
Target bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118
SHA256 3c391ea222288afe80344b561e0d3a311d3844119249ed79e99b7ad98c981d66
Tags upx antivm
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

3c391ea222288afe80344b561e0d3a311d3844119249ed79e99b7ad98c981d66

Threat Level: Shows suspicious behavior

The file bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx antivm

UPX packed file

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 00:34

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 00:34

Reported

2024-08-25 00:37

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a | N/A
N/A | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/stat | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/sys/kernel/version | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A
File opened for modification | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a | /usr/bin/cp | N/A
File opened for modification | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a | N/A
File opened for modification | /tmp/fake.cfg | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | N/A
File opened for modification | /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 | /usr/bin/cp | N/A

Processes

/tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118

[/tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 /tmp/freeBSD]

/bin/sh

[sh -c cp /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/usr/bin/cp

[cp /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118 /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a]

/tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a

[/tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118]

/tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118

/bin/sh

[sh -c cp /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118]

/usr/bin/cp

[cp /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118a /tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
CN | 121.42.221.14:10991 | | tcp
CN | 121.42.221.14:10991 | | tcp

Files

/tmp/freeBSD

MD5 bfc40b60f97ed67f6d8235c570cec176
SHA1 ef2024ab4358e9b2089dbb4d76f2ab01afe39754
SHA256 3c391ea222288afe80344b561e0d3a311d3844119249ed79e99b7ad98c981d66
SHA512 413948fdcfab287ee03a9b076ca1865f71fa6699a63fdc6f4828bb153b8c966fc98c297c863b026a54509489dc7f719f73c1655a8d8c0ab4d9730105cca0d895

memory/1570-1-0x0000000008048000-0x00000000082a063c-memory.dmp

/tmp/bfc40b60f97ed67f6d8235c570cec176_JaffaCakes118

MD5 da2bf2f92eaf7f30f1bf20015616e5b3
SHA1 ab8b6cdaf811f9ae2e975135a539b7fe62e43d0b
SHA256 a19627858104114b24a453f135f7dd675a0eb36048328e7447fa4d9f0a4d2a30
SHA512 93a85f6356cde6ec3bae2f358354ead8249686802b4123b815a7d6850d32c42c75323f52a1e6b83a2360e53af67948f584d309a224ca9efd5b322c8dc0865782

memory/1573-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1576-3-0x0000000008048000-0x00000000082a063c-memory.dmp