Malware Analysis Report

2025-01-23 14:52

Sample ID 240831-vzj61awdqj
Target cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118
SHA256 3bb3a370af8aaefefff36a0c408ddf41f49c1a8bf176a68c2bf3f042bc8a2c5d
Tags antivm evasion persistence
Score 7/10

Analysis Overview

Score 7/10
SHA256 3bb3a370af8aaefefff36a0c408ddf41f49c1a8bf176a68c2bf3f042bc8a2c5d

Threat Level: Shows suspicious behavior

The file cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

antivm evasion persistence

Deletes itself

Executes dropped EXE

Modifies systemd

Reads MAC address of network interface

Write file to user bin folder

Changes its process name

Checks CPU configuration

Reads runtime system information

Enumerates kernel/hardware configuration

Analysis: static1

Detonation Overview
Reported 2024-08-31 17:25

Signatures
N/A

Analysis: behavioral1

Detonation Overview
Submitted 2024-08-31 17:25
Reported 2024-08-31 17:28
Platform ubuntu2404-amd64-20240523-en
Max time kernel 146s
Max time network 142s

Command Line
[/tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | /tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118 | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | /usr/bin/fsopen | /usr/bin/fsopen | N/A

Modifies systemd

persistence
Description | Indicator | Process | Target
File opened for modification | /lib/systemd/system/fsopen.service | /tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118 | N/A

Reads MAC address of network interface

evasion
Description | Indicator | Process | Target
File opened for reading | /sys/class/net/ens3/address | /usr/bin/fsopen | N/A

Write file to user bin folder

Description | Indicator | Process | Target
File opened for modification | /usr/bin/fsopen | /tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118 | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | [ighlfflicj] | /usr/bin/fsopen | N/A
Changes the process name, possibly in an attempt to hide itself | [ighlfflicj] | N/A | N/A
Changes the process name, possibly in an attempt to hide itself | [nhdhirnapwuy] | N/A | N/A

Checks CPU configuration

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A

Enumerates kernel/hardware configuration

Description | Indicator | Process | Target
File opened for reading | /sys/block/dm-0/dm/name | /usr/bin/mount | N/A
File opened for reading | /sys/class/net | /usr/bin/fsopen | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /usr/bin/mount | N/A
File opened for reading | /proc/self/mountinfo | /usr/bin/mount | N/A
File opened for reading | /proc/filesystems | /usr/bin/systemctl | N/A
File opened for reading | /proc/version | /usr/bin/cat | N/A
File opened for reading | /proc/filesystems | /sbin/setfiles | N/A
File opened for reading | /proc/filesystems | /sbin/sefcontext_compile | N/A
File opened for reading | /proc/filesystems | /sbin/sefcontext_compile | N/A
File opened for reading | /proc/filesystems | /sbin/sefcontext_compile | N/A
File opened for reading | /proc/filesystems | /usr/sbin/semanage | N/A
File opened for reading | /proc/sys/kernel/cap_last_cap | /usr/sbin/semanage | N/A
File opened for reading | /proc/sys/kernel/cap_last_cap | /usr/sbin/restorecon | N/A
File opened for reading | /proc/filesystems | /usr/sbin/restorecon | N/A
File opened for reading | /proc/filesystems | /usr/bin/id | N/A
File opened for reading | /proc/partitions | /usr/bin/cat | N/A
File opened for reading | /proc/sys/crypto/fips_enabled | /usr/sbin/semanage | N/A
File opened for reading | /proc/sys/kernel/random/boot_id | /usr/sbin/semanage | N/A
File opened for reading | /proc/sys/kernel/cap_last_cap | /sbin/setfiles | N/A
File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A
File opened for reading | /proc/meminfo | /usr/bin/cat | N/A

Processes

/tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118 [/tmp/cd41c0e3d6aa075cbacadee78a42986c_JaffaCakes118]
/bin/sh [sh -c mount -o remount,rw /system]
/usr/bin/mount [mount -o remount,rw /system]
/bin/sh [sh -c which semanage 2> /dev/null]
/usr/bin/which [which semanage]
/bin/sh [sh -c semanage fcontext -a -t bin_t "/usr/bin/fsopen" 2> /dev/null && restorecon "/usr/bin/fsopen"]
/usr/sbin/semanage [semanage fcontext -a -t bin_t /usr/bin/fsopen]
/sbin/setfiles [/sbin/setfiles -q -c /var/lib/selinux/final/default/policy/policy.33 /var/lib/selinux/final/default/contexts/files/file_contexts]
/sbin/sefcontext_compile [/sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts]
/sbin/sefcontext_compile [/sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts.local]
/sbin/sefcontext_compile [/sbin/sefcontext_compile /var/lib/selinux/final/default/contexts/files/file_contexts.homedirs]
/usr/sbin/restorecon [restorecon /usr/bin/fsopen]
/bin/sh [sh -c systemctl enable fsopen.service 2>/dev/null]
/usr/bin/systemctl [systemctl enable fsopen.service]
/bin/sh [sh -c /usr/bin/fsopen 0 &]
/usr/bin/fsopen [/usr/bin/fsopen 0]
/bin/sh [sh -c id 2>/dev/null]
/usr/bin/id [id]
/bin/sh [sh -c uname -a 2>/dev/null]
/usr/bin/uname [uname -a]
/bin/sh [sh -c whoami 2>/dev/null]
/usr/bin/whoami [whoami]
/bin/sh [sh -c cat /proc/cpuinfo 2>/dev/null]
/usr/bin/cat [cat /proc/cpuinfo]
/bin/sh [sh -c cat /proc/meminfo 2>/dev/null]
/usr/bin/cat [cat /proc/meminfo]
/bin/sh [sh -c cat /proc/version 2>/dev/null]
/usr/bin/cat [cat /proc/version]
/bin/sh [sh -c cat /proc/partitions 2>/dev/null]
/usr/bin/cat [cat /proc/partitions]
/bin/sh [sh -c cat /etc/*release /etc/issue 2>/dev/null]
/usr/bin/cat [cat /etc/lsb-release /etc/os-release /etc/issue]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | press.eonhep.com | udp
US | 8.8.8.8:53 | editor.akotae.com | udp
US | 8.8.8.8:53 | web.reeglais.com | udp
US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp
US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp
US | 8.8.8.8:53 | security.ubuntu.com | udp
US | 8.8.8.8:53 | se.archive.ubuntu.com | udp
US | 91.189.91.81:80 | security.ubuntu.com | tcp
SE | 194.71.11.173:80 | se.archive.ubuntu.com | tcp

Files

/usr/bin/fsopen

/var/lib/selinux/default/tmp/file_contexts.homedirs.tmp

/var/lib/selinux/default/tmp/users_extra.linked.tmp

/var/lib/selinux/default/tmp/homedir_template.tmp

/var/lib/selinux/default/tmp/modules/100/logadm/hll.tmp

/var/lib/selinux/default/tmp/modules/100/logadm/lang_ext.tmp

/var/lib/selinux/default/tmp/modules/100/logadm/cil.tmp

/var/lib/selinux/default/tmp/modules_checksum.tmp

/var/lib/selinux/default/tmp/seusers.tmp

/var/lib/selinux/default/tmp/policy.kern.tmp

/var/lib/selinux/default/tmp/commit_num.tmp

/var/lib/selinux/default/tmp/policy.linked.tmp

/var/lib/selinux/final/default/policy/policy.33.tmp

/var/lib/selinux/final/default/contexts/files/file_contexts.local.tmp

/var/lib/selinux/default/tmp/commit_num

/etc/selinux/default/contexts/files/file_contexts.bin.tmp

/etc/selinux/default/contexts/files/file_contexts.homedirs.bin.tmp

/etc/selinux/default/contexts/files/file_contexts.local.bin.tmp

/usr/lib/systemd/system/fsopen.service

/etc/.wbgngofGaCave
