Malware Analysis Report

2025-01-23 14:50

Sample ID 240830-j3vlcsvhmk
Target ca785e533e644889320e1c4782debf7b_JaffaCakes118
SHA256 d4a70373861d049caeff39740346b3121cef99571f5591e6ca18c3f76b95657c
Tags: upx antivm

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

d4a70373861d049caeff39740346b3121cef99571f5591e6ca18c3f76b95657c

Threat Level: Shows suspicious behavior

The file ca785e533e644889320e1c4782debf7b_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

upx antivm

UPX packed file

Deletes itself

Executes dropped EXE

Reads system network configuration

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-30 08:12

Signatures

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 08:12

Reported

2024-08-30 08:14

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118]

Signatures

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /tmp/freeBSD | N/A |
| N/A | N/A | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/freeBSD | /tmp/freeBSD | N/A |
| N/A | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a | N/A |
| N/A | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Checks CPU configuration

antivm
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | N/A |

Reads system network configuration

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/net/dev | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | N/A |

Reads runtime system information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/sys/kernel/version | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | N/A |
| File opened for reading | /proc/stat | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | N/A |

Writes file to tmp directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/fake.cfg | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | N/A |
| File opened for modification | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | /usr/bin/cp | N/A |
| File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A |
| File opened for modification | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a | /usr/bin/cp | N/A |
| File opened for modification | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 | /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a | N/A |

Processes

/tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118

[/tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 /tmp/freeBSD]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/bin/sh

[sh -c cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a]

/usr/bin/cp

[cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118 /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a]

/tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a

[/tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118]

/tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118

/bin/sh

[sh -c cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118]

/usr/bin/cp

[cp /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118a /tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118]

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| CN | 114.215.115.152:10991 | | tcp |
| CN | 114.215.115.152:10991 | | tcp |

Files

/tmp/freeBSD

MD5 ca785e533e644889320e1c4782debf7b
SHA1 81c26ef5d51bc1e93abe5d56de9d68ebf6e3b42e
SHA256 d4a70373861d049caeff39740346b3121cef99571f5591e6ca18c3f76b95657c
SHA512 267efd0fb5c9771367f7ad3d370e1d6083eedd7c302c4b08560bae204d8904ba5e32ef840249a1f668e707d8e09a8f43a22d6927f0ebc2b825eaa2a5f4a3094e

/tmp/ca785e533e644889320e1c4782debf7b_JaffaCakes118

MD5 91450d6fa9824d86424ccaae4e089629
SHA1 961b2f27081ee83b43ec6b0dd2d1aea59942d3f0
SHA256 aa9d435d8a7e9331a9d2400435e6c98ed876050f6acd0a2ecfa3eb3435ed8221
SHA512 d93f44c8c1af0047baa261bdca2dc60d1d4c28c8e0adcb65c1eb8f411c951dda49bad7eb69e82ac9cc0a808db8048740d68dc58aa13759eba575ae975c869da8

memory/1573-1-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1590-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1605-3-0x0000000008048000-0x00000000082a063c-memory.dmp