Malware Analysis Report

2025-01-23 14:36

Sample ID 240829-vzx3vssfrb
Target c947363b50231882723bd6b07bc291ca_JaffaCakes118
SHA256 985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86
Tags
antivm persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86

Threat Level: Likely malicious

The file c947363b50231882723bd6b07bc291ca_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

antivm persistence

Adds new SSH keys

Deletes itself

Deletes log files

Enumerates running processes

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-29 17:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-29 17:26

Reported

2024-08-29 17:28

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

149s

Max time network

148s

Command Line

[/tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118]

Signatures

Adds new SSH keys

persistence
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

Description Indicator Process Target
File deleted /var/log/tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/956/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1105/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/1137/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1057/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/34/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1132/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/198/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1171/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/695/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/160/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/437/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1364/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/169/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/556/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/23/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/1115/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/252/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1140/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/423/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/437/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/15/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1169/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/668/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1115/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/451/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/474/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/13/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1221/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/7/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/589/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1054/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/16/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/27/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1140/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/267/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/517/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1364/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/169/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1239/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1487/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1459/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1105/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/22/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/154/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/24/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/32/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/126/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/11/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1240/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/578/stat /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A
File opened for reading /proc/1154/cmdline /tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118 N/A

Processes

/tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118

[/tmp/c947363b50231882723bd6b07bc291ca_JaffaCakes118]

/bin/uname

[uname -a]

/bin/cat

[cat /proc/cpuinfo]

/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/bin/journalctl

[journalctl -S @0 -u sshd]

/bin/cat

[cat /var/log/auth*]

/bin/zcat

[zcat /var/log/auth*]

/bin/gzip

[gzip -cd /var/log/auth*]

Network

Country Destination Domain Proto

Files

/root/.ssh/authorized_keys

MD5 9da18d38b6dd4c4aa84642378d63fa89
SHA1 c5a976691e4b5963b5e760044f22cc9685268db6
SHA256 43062900b2539d8d1f67f30fa7042c56b53541f63875b5f0de5d8fbde0e0a8bf
SHA512 222b20b5b2ff8956c13dbac1f8d3f81435613b751913d65f4c4082ea9c1a7c8ae91be17a24ef4ae0c708bfe09daab552bb209615714d70acfaaed89c536c71b3