Malware Analysis Report

2025-01-23 14:51

Sample ID 240831-ky3a3swbkl
Target cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118
SHA256 1511b961af2df26097d353ea30e24acc5372af97c77dd510ed42a7526005535e
Tags
upx antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1511b961af2df26097d353ea30e24acc5372af97c77dd510ed42a7526005535e

Threat Level: Shows suspicious behavior

The file cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

upx antivm

UPX packed file

Deletes itself

Executes dropped EXE

Checks CPU configuration

Reads system network configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-31 09:01

Signatures

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-31 09:01

Reported

2024-08-31 09:04

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

149s

Max time network

134s

Command Line

[/tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/freeBSD | N/A
N/A | N/A | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /tmp/freeBSD | /tmp/freeBSD | N/A
N/A | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a | N/A
N/A | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks CPU configuration

antivm

Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | N/A

Reads system network configuration

Description | Indicator | Process | Target
File opened for reading | /proc/net/dev | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A
File opened for reading | /proc/sys/kernel/version | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | N/A
File opened for reading | /proc/stat | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | N/A
File opened for reading | /proc/filesystems | /usr/bin/cp | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a | /usr/bin/cp | N/A
File opened for modification | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a | N/A
File opened for modification | /tmp/fake.cfg | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | N/A
File opened for modification | /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 | /usr/bin/cp | N/A
File opened for modification | /tmp/freeBSD | /usr/bin/cp | N/A

Processes

/tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118

[/tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118]

/bin/sh

[sh -c cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 /tmp/freeBSD]

/usr/bin/cp

[cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 /tmp/freeBSD]

/tmp/freeBSD

[/tmp/freeBSD /tmp/freeBSD 1]

/bin/sh

[sh -c cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a]

/usr/bin/cp

[cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118 /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a]

/tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a

[/tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118]

/tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118

/bin/sh

[sh -c cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118]

/usr/bin/cp

[cp /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118a /tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp
US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp

Files

/tmp/freeBSD

MD5 cc85aa29aaefeb42659d1fea3a84bf91
SHA1 cdaed4c668a6028337855f156556c311e0c3fc3e
SHA256 1511b961af2df26097d353ea30e24acc5372af97c77dd510ed42a7526005535e
SHA512 5ece883badd8f84e9be54d2b6303913243c3cda2d76e40bd8a60952743d5cb90437e600cdbb295ae2e751315e0b0ccbbd85b2c24b7475e7e720a54bd512d4200

memory/1404-1-0x0000000008048000-0x00000000082a063c-memory.dmp

/tmp/cc85aa29aaefeb42659d1fea3a84bf91_JaffaCakes118

MD5 9cc45ca3218455a6d9fc20da1d7876e2
SHA1 4122ab96334e9745a7f1b06c6d3da9048a9bdab4
SHA256 08345e090465730e6b37c9c67b98d391880064db3e2d01d4adde4b113f276dc6
SHA512 c2a13b9b370ed401145200be47e60f89c0607d547e3b897c8751911ff1424da29ec3149d7fe07fcedba948f5392f39dfff7802a739933734249eb969db1422e7

memory/1410-2-0x0000000008048000-0x00000000082a063c-memory.dmp

memory/1413-3-0x0000000008048000-0x00000000082a063c-memory.dmp