Malware Analysis Report

2025-01-23 14:19

Sample ID 240829-tqzpnasdlq
Target c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118
SHA256 2a08156cc0744c144243bf0327d388d9c872c780b5a8e877a02a1c1b9ae156d2
Tags
upx antivm persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2a08156cc0744c144243bf0327d388d9c872c780b5a8e877a02a1c1b9ae156d2

Threat Level: Shows suspicious behavior

The file c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 is a UPX-packed Linux ELF executable (the memory dumps below start at 0x08048000, the conventional load base of non-PIE 32-bit i386 binaries). In the behavioral1 run it copies itself with cp -f to /usr/bin/bsd-port/agent and /usr/bin/acpid (the agent copy is listed in Files with the sample's own SHA256, so the "Executes dropped EXE" signature fires on copies of the sample rather than on a second-stage payload), installs the SysV init scripts /etc/init.d/DbSecurityMdt and /etc/init.d/selinux with S97DbSecurityMdt and S99selinux symlinks in /etc/rc1.d through /etc/rc5.d, backs up the system ps and lsof to /usr/bin/dpkgd/ and overwrites /bin/ps, /bin/lsof, /usr/bin/ps and /usr/bin/lsof with copies of the agent, runs insmod /usr/lib/xpacket.ko twice (no such file appears in the Files section, so the module is not among the recorded drops), writes bill.note, gates.note, moni.note and notify.file under /tmp, and connects over TCP to 139.196.58.17:45000 (231.78en.com). The sandbox verdict is "Shows suspicious behavior"; the evidence is in the signature, process, network and file sections below.

Malicious Activity Summary

upx antivm persistence

UPX packed file

Executes dropped EXE

Modifies init.d

Reads system routing table

Writes file to system bin folder

Writes file to user bin folder

Reads system network configuration

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 16:16

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 16:16

Reported

2024-08-29 16:18

Platform

ubuntu2204-amd64-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /usr/bin/bsd-port/agent /usr/bin/bsd-port/agent N/A
N/A /usr/bin/acpid /usr/bin/acpid N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/DbSecurityMdt /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for modification /etc/init.d/selinux /usr/bin/bsd-port/agent N/A

Reads system routing table

Description Indicator Process Target
File opened for reading /proc/net/route /usr/bin/bsd-port/agent N/A

Writes file to user bin folder

Description Indicator Process Target
File opened for modification /usr/bin/bsd-port/conf.n /usr/bin/bsd-port/agent N/A
File opened for modification /usr/bin/bsd-port/agent.lock /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for modification /usr/bin/bsd-port/agent /usr/bin/cp N/A
File opened for modification /usr/bin/bsd-port/agent.lock /usr/bin/bsd-port/agent N/A
File opened for modification /usr/bin/ps /usr/bin/cp N/A
File opened for modification /usr/bin/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/bsd-port/udevd.lock /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for modification /usr/bin/acpid /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/ps /usr/bin/cp N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/lsof /usr/bin/cp N/A
File opened for modification /bin/ps /usr/bin/cp N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for reading /proc/cpuinfo /usr/bin/bsd-port/agent N/A

Reads system network configuration

Description Indicator Process Target
File opened for reading /proc/net/arp /usr/bin/bsd-port/agent N/A
File opened for reading /proc/net/dev /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for reading /proc/net/dev /usr/bin/bsd-port/agent N/A
File opened for reading /proc/net/route /usr/bin/bsd-port/agent N/A

Reads runtime system information

Rows attributed to /usr/bin/cp, /usr/bin/mkdir and /usr/sbin/insmod below are the normal startup behaviour of those system binaries, which the sample launched through sh -c, not actions of the sample's own code. The rows of interest are the sample, /usr/bin/bsd-port/agent and /usr/bin/acpid reading /proc/stat, /proc/meminfo and /proc/sys/kernel/version.

Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/sys/kernel/version /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/meminfo /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A
File opened for reading /proc/cmdline /usr/sbin/insmod N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/stat /usr/bin/bsd-port/agent N/A
File opened for reading /proc/sys/kernel/version /usr/bin/bsd-port/agent N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/meminfo /usr/bin/bsd-port/agent N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/sys/kernel/version /usr/bin/acpid N/A
File opened for reading /proc/stat /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/bill.note /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for modification /tmp/gates.note /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for modification /tmp/notify.file /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A
File opened for modification /tmp/moni.note /usr/bin/acpid N/A
File opened for modification /tmp/notify.file /usr/bin/acpid N/A
File opened for modification /tmp/gates.note /usr/bin/acpid N/A
File opened for modification /tmp/moni.note /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 N/A

Processes

/tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118

[/tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc1.d/S97DbSecurityMdt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc2.d/S97DbSecurityMdt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc3.d/S97DbSecurityMdt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc4.d/S97DbSecurityMdt]

/bin/sh

[sh -c ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt]

/usr/bin/ln

[ln -s /etc/init.d/DbSecurityMdt /etc/rc5.d/S97DbSecurityMdt]

/bin/sh

[sh -c mkdir -p /usr/bin/bsd-port]

/usr/bin/mkdir

[mkdir -p /usr/bin/bsd-port]

/bin/sh

[sh -c cp -f /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 /usr/bin/bsd-port/agent]

/usr/bin/cp

[cp -f /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 /usr/bin/bsd-port/agent]

/bin/sh

[sh -c /usr/bin/bsd-port/agent]

/usr/bin/bsd-port/agent

[/usr/bin/bsd-port/agent]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 /usr/bin/acpid]

/usr/bin/cp

[cp -f /tmp/c92b7cdc78a3d9d64aeb7063172d83ad_JaffaCakes118 /usr/bin/acpid]

/bin/sh

[sh -c /usr/bin/acpid]

/usr/bin/acpid

[/usr/bin/acpid]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]

/bin/sh

[sh -c ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/usr/bin/ln

[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]

/bin/sh

[sh -c mkdir -p /usr/bin/dpkgd]

/usr/bin/mkdir

[mkdir -p /usr/bin/dpkgd]

/bin/sh

[sh -c cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/usr/bin/cp

[cp -f /bin/lsof /usr/bin/dpkgd/lsof]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/agent /bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/agent /bin/lsof]

/bin/sh

[sh -c chmod 0755 /bin/lsof]

/usr/bin/chmod

[chmod 0755 /bin/lsof]

/bin/sh

[sh -c cp -f /bin/ps /usr/bin/dpkgd/ps]

/usr/bin/cp

[cp -f /bin/ps /usr/bin/dpkgd/ps]

/bin/sh

[sh -c mkdir -p /bin]

/usr/bin/mkdir

[mkdir -p /bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/agent /bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/agent /bin/ps]

/bin/sh

[sh -c chmod 0755 /bin/ps]

/usr/bin/chmod

[chmod 0755 /bin/ps]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/agent /usr/bin/lsof]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/agent /usr/bin/lsof]

/bin/sh

[sh -c chmod 0755 /usr/bin/lsof]

/usr/bin/chmod

[chmod 0755 /usr/bin/lsof]

/bin/sh

[sh -c mkdir -p /usr/bin]

/usr/bin/mkdir

[mkdir -p /usr/bin]

/bin/sh

[sh -c cp -f /usr/bin/bsd-port/agent /usr/bin/ps]

/usr/bin/cp

[cp -f /usr/bin/bsd-port/agent /usr/bin/ps]

/bin/sh

[sh -c chmod 0755 /usr/bin/ps]

/usr/bin/chmod

[chmod 0755 /usr/bin/ps]

/bin/sh

[sh -c insmod /usr/lib/xpacket.ko]

/usr/sbin/insmod

[insmod /usr/lib/xpacket.ko]
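The process chain above (self-copy to /usr/bin/bsd-port/agent and /usr/bin/acpid, init.d scripts plus rc1.d-rc5.d symlinks, the real ps and lsof moved to /usr/bin/dpkgd and replaced, insmod of /usr/lib/xpacket.ko) is a usable checklist for triaging other hosts. The script below is an added example, not part of the sandbox report or of the sample: it checks a root filesystem, live or a mounted disk image, for exactly the paths, symlinks and hashes this report records. The bg_* function names and the ROOT prefix argument are this example's own; every path and hash comes from the report. It assumes a POSIX sh with sha256sum (coreutils) or shasum (BSD/macOS) available.

```shell
#!/bin/sh
# Added host-triage script (not part of the sandbox report or the sample).
# Checks a Linux root filesystem for the artifacts recorded in behavioral1.
# Usage: bg_scan [ROOT]   ROOT defaults to /; pass a mount point for an image.
# Assumes a POSIX sh plus sha256sum (coreutils) or shasum (BSD/macOS).

# SHA256 of the analyzed sample; /usr/bin/bsd-port/agent in the Files section
# has the same hash, so every "dropped EXE" is a copy of the sample.
SAMPLE_SHA256=2a08156cc0744c144243bf0327d388d9c872c780b5a8e877a02a1c1b9ae156d2

# Paths the sample created. None of these exist on a clean system, so
# presence alone is a finding.
BG_DROPPED_PATHS="/usr/bin/bsd-port/agent /usr/bin/bsd-port/conf.n \
/usr/bin/bsd-port/agent.lock /usr/bin/bsd-port/udevd.lock \
/usr/bin/dpkgd/ps /usr/bin/dpkgd/lsof /usr/lib/xpacket.ko \
/etc/init.d/DbSecurityMdt /etc/init.d/selinux \
/tmp/bill.note /tmp/gates.note /tmp/moni.note /tmp/notify.file"

# Symlink names created with ln -s in /etc/rc1.d through /etc/rc5.d.
BG_RC_LINKS="S97DbSecurityMdt S99selinux"

# Legitimate paths the sample overwrote with a copy of itself (acpid is a
# real daemon name, so these count only when the content hashes to the sample).
BG_OVERWRITTEN="/bin/ps /bin/lsof /usr/bin/ps /usr/bin/lsof /usr/bin/acpid"

# Portable SHA256 of one file.
bg_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print one line per finding. Always returns 0 so it can run under set -e;
# use bg_scan_count for a verdict.
bg_scan() {
    _root=${1:-/}
    _root=${_root%/}          # "" for /, so "$_root$path" is always absolute
    for _p in $BG_DROPPED_PATHS; do
        if [ -e "$_root$_p" ]; then echo "dropped   $_p"; fi
    done
    for _n in 1 2 3 4 5; do
        for _l in $BG_RC_LINKS; do
            _link="/etc/rc$_n.d/$_l"
            if [ -L "$_root$_link" ]; then
                echo "persist   $_link -> $(readlink "$_root$_link")"
            fi
        done
    done
    for _b in $BG_OVERWRITTEN; do
        if [ -f "$_root$_b" ] && [ "$(bg_sha256 "$_root$_b")" = "$SAMPLE_SHA256" ]; then
            echo "trojaned  $_b (SHA256 matches the sample)"
        fi
    done
    # The sample backed up the real ps/lsof to /usr/bin/dpkgd before replacing
    # them, so an in-PATH binary that differs from its backup has been swapped
    # even if the replacement is a different build than this sample.
    for _b in ps lsof; do
        _bak="$_root/usr/bin/dpkgd/$_b"
        [ -f "$_bak" ] || continue
        for _live in "/bin/$_b" "/usr/bin/$_b"; do
            if [ -f "$_root$_live" ] && \
               [ "$(bg_sha256 "$_root$_live")" != "$(bg_sha256 "$_bak")" ]; then
                echo "replaced  $_live differs from backup $_bak"
            fi
        done
    done
    return 0
}

# Number of findings; 0 means none of the report's artifacts are present.
bg_scan_count() {
    bg_scan "$1" | wc -l | tr -d ' '
}

# Stand-alone use: scan the given root (or /) and print the findings.
bg_scan "${1:-/}"
```

Run it from a known-good environment (a rescue system with the suspect disk mounted, or at least a statically linked coreutils copied in), because on an infected host /bin/ps and /bin/lsof are the sample and anything that shells out to them is unreliable. The hash comparison against /usr/bin/dpkgd is the more robust check: the report shows the original binaries are preserved there, so a mismatch flags the swap regardless of which build of the malware performed it.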

Network

Country Destination Domain Proto Count
N/A 224.0.0.251:5353 N/A udp 1
US 8.8.8.8:53 pp.pp1987.com udp 39
US 8.8.8.8:53 231.78en.com udp 1
CN 139.196.58.17:45000 231.78en.com tcp 2
US 1.1.1.1:53 pp.pp1987.com udp 61

Count is the number of identical rows in the capture (104 rows in total, listed here in order of first appearance). 8.8.8.8 and 1.1.1.1 are the sandbox's upstream resolvers and the Country column refers to the destination address, so the only traffic attributable to the sample's own infrastructure is the TCP traffic to 139.196.58.17:45000, the address 231.78en.com resolved to during the run. pp.pp1987.com was queried 100 times across both resolvers with no connection to a resolved address recorded, which is consistent with the name failing to resolve and the sample retrying.
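On a host infected by this sample, ps and lsof are copies of the sample (see Processes and the /usr/bin/dpkgd backups), so socket listings from those tools cannot be trusted. Reading /proc/net/tcp directly does not depend on them. The functions below are an added example, not from the report or the sample: they encode the C2 endpoint from the table above, 139.196.58.17:45000, the way the kernel prints a remote address in /proc/net/tcp (the four IPv4 bytes in host byte order, which reverses them on little-endian x86, then the port, all in upper-case hex), list matching sockets with their inode and state, and map an inode back to PIDs by walking /proc/<pid>/fd. The bg_* names are this example's own, and the table and proc paths are parameters so a copy saved from an image can be checked offline. It assumes a little-endian host and the standard /proc/net/tcp column layout.

```shell
#!/bin/sh
# Added example: find sockets to the report's C2 endpoint by reading
# /proc/net/tcp directly, bypassing the trojanized ps/lsof binaries.
# Assumptions: little-endian host (x86/x86_64), standard /proc/net/tcp layout.

C2_IP=139.196.58.17    # 231.78en.com at detonation time, from the Network table
C2_PORT=45000

# Encode IP:PORT as /proc/net/tcp prints a remote address on a little-endian
# host: the four IPv4 bytes in reverse order, ':' and the port, upper-case hex.
# Example: 139.196.58.17:45000 -> 113AC48B:AFC8
bg_proc_addr() {
    _ip=$1
    _port=$2
    _oldifs=$IFS
    IFS=.
    set -- $_ip                     # split the dotted quad into $1..$4
    IFS=$_oldifs
    printf '%02X%02X%02X%02X:%04X' "$4" "$3" "$2" "$1" "$_port"
}

# Print one line per socket in TABLE (default /proc/net/tcp) whose remote end
# is IP:PORT: inode, kernel state, owning uid and local address. The inode is
# what links a socket back to a process via /proc/<pid>/fd.
bg_find_sockets() {
    _want=$(bg_proc_addr "$1" "$2")
    _table=${3:-/proc/net/tcp}
    awk -v want="$_want" '
        BEGIN {
            # TCP states as numbered in the kernel (include/net/tcp_states.h)
            st["01"]="ESTABLISHED"; st["02"]="SYN_SENT";  st["03"]="SYN_RECV"
            st["04"]="FIN_WAIT1";   st["05"]="FIN_WAIT2"; st["06"]="TIME_WAIT"
            st["07"]="CLOSE";       st["08"]="CLOSE_WAIT"; st["09"]="LAST_ACK"
            st["0A"]="LISTEN";      st["0B"]="CLOSING"
        }
        # columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
        NR > 1 && $3 == want {
            s = ($4 in st) ? st[$4] : $4
            print "inode=" $10, "state=" s, "uid=" $8, "local=" $2
        }' "$_table"
}

# Map a socket inode to the PIDs holding it by walking PROCROOT/<pid>/fd
# (default /proc); works without ps or lsof.
bg_inode_pids() {
    _inode=$1
    _proc=${2:-/proc}
    for _fd in "$_proc"/[0-9]*/fd/*; do
        [ -L "$_fd" ] || continue
        if [ "$(readlink "$_fd")" = "socket:[$_inode]" ]; then
            _pid=${_fd#"$_proc"/}
            echo "${_pid%%/*}"
        fi
    done | sort -u
}

# Count of sockets to the C2 endpoint in TABLE; non-zero means investigate.
bg_c2_socket_count() {
    bg_find_sockets "$C2_IP" "$C2_PORT" "${1:-/proc/net/tcp}" | wc -l | tr -d ' '
}
```

Typical use on a live host: bg_find_sockets "$C2_IP" "$C2_PORT" to get the inode, then bg_inode_pids INODE to find the owning process and read its /proc/PID/exe link and hash it, which is how you reach the running agent without ever executing the replaced ps. The same two functions work against a /proc/net/tcp snapshot and a copied /proc tree from a forensic image by passing the alternate paths.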

Files

memory/1574-1-0x0000000008048000-0x00000000081abd54-memory.dmp

/tmp/gates.note

MD5 70efba66d3d8d53194fb1a8446ae07fa
SHA1 8639c2e8c44d79a5afaf095aa46f9c9231829b72
SHA256 679b0ecadd205e5143506d637aaec6849987ae11c8c8280fb79f4d1080326eec
SHA512 a3da83439d2d568e7b2f953f17c00bf8003e8a52a0d0cbd43eb69dff4641698c3c98ea76e1a8ec0001c2cb0394030fd686c41834fb50e78e7e66bc28218c01a9

/etc/init.d/DbSecurityMdt

MD5 6b2aab5b6b449a6c4d9239441cc28a86
SHA1 a7c014b9a3331fe1ca02fc551d5cc2ef85ad460c
SHA256 fb79240026dd2dda8e8f0ff2ed3f7b83d4bbb92131b3b670b239507dabc4bdc2
SHA512 ca81d0c40359020ae690395ba7702dc81e0c8c694a128deb86fe2b2a3b95ae86811aeb0f12eef593eefba492f7810e1741ed33889995b5fd2b8311e08884699d

/usr/bin/bsd-port/agent

MD5 c92b7cdc78a3d9d64aeb7063172d83ad
SHA1 2d41a6091e06188a85e2d7639d38b474eebcd765
SHA256 2a08156cc0744c144243bf0327d388d9c872c780b5a8e877a02a1c1b9ae156d2
SHA512 a83fb4fe3066f8289e07179076738bce4299858caeabbdcd1e13c70be3ed7b791910fd249b325e91bfbb0d6e9511a5197e2029a7dcba503b580c36508aab930c

/tmp/notify.file

MD5 4974178012b1ea9f1e082c49b696eb37
SHA1 f01aa0fd433717bb4e3ec4fa33c20b4bb5f175bd
SHA256 0b1ace23fcae114a02ac747c1b2aa9a0f6ec772b55ae0659cee163ac0809ecd5
SHA512 47f8f8bf8539a21240371940e4e50f51b7c5d5f94e1e92c3acc51c261eb950687f3d00e5953d907195da0a928aa3547fd85d6ba8cc39d908b1be4829c8ca351c

memory/1595-2-0x0000000008048000-0x00000000081abd54-memory.dmp

memory/1603-3-0x0000000008048000-0x00000000081abd54-memory.dmp

/etc/init.d/selinux

MD5 c6a80f08539a4c3176762f514976dd24
SHA1 bbc5826b01d20f5c4d315ff5dbc3f216760c64ef
SHA256 ea47e885ae227059ce55d020335f7869c565ec6d85f484497e83cd4998149d5d
SHA512 9a1e3b0142876305fe389e07880bd586e97bf709273a66299d9128ff2861459104054d4e5d836aecdf73f2c11886fa3a2a8498741adb3211b96116658b856175

/usr/bin/dpkgd/lsof

MD5 ab57b66cc531ae0f996963223e632b60
SHA1 bf7e5becd33f21c2539f5a75ffa0ab61c49c8795
SHA256 2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df
SHA512 908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

/usr/bin/dpkgd/ps

MD5 8146139c2ad7e550b1d1f49480997446
SHA1 074db8890c3227bd8a588417f5b9bde637bcf3af
SHA256 207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f
SHA512 b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

/tmp/moni.note

MD5 a368b0de8b91cfb3f91892fbf1ebd4b2
SHA1 422237776eebac1e9ce55eb11b9635704dfe1507
SHA256 361603c11612df16fcb9d48b4c22430535c8e53fe3b3c5a6a39bdf7e0543f65c
SHA512 94e2b403307ffc6882c873e8cf18965c1973d5c6a546628bd4368a56fb70410a6a6138994def58d0304ad265649ab4a3bdb85fc5a9b476d33945c94054ae1663

/usr/bin/bsd-port/conf.n

MD5 972a6d8ad3ef46774175ea464403611d
SHA1 6f3709969a11b631d7c37b173b65883644a14eae
SHA256 893023de145affdf2a80a9e87f7263b91a26779ea5cceed52fe8e2186f8d51e5
SHA512 5bde3e1517ce68060409bf4295f265ae703012b224dc61688141fa38084b9d73db0b0f719f43878c859dfff4165819bb6cdbc08152a605ea18e263010fb0ae5f