Malware Analysis Report

2025-06-16 00:22

Sample ID 240929-3h9pbszdrf
Target ff80371810dff12a679bf85583920a51_JaffaCakes118
SHA256 fb3a2b9fa8fce18c92a0523846a5caf15c0094bb4215ed5a1947a387f5a48365
Tags
discovery rootkit
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file ff80371810dff12a679bf85583920a51_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery rootkit

Writes memory of remote process

Loads a kernel module

Reads runtime system information

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-09-29 23:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-29 23:32

Reported

2024-09-29 23:34

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

135s

Max time network

148s

Command Line

[/tmp/ff80371810dff12a679bf85583920a51_JaffaCakes118]

Signatures

Writes memory of remote process

Description  Indicator  Process                                              Target
N/A          N/A        /tmp/ff80371810dff12a679bf85583920a51_JaffaCakes118  N/A
N/A          N/A        /tmp/ff80371810dff12a679bf85583920a51_JaffaCakes118  N/A

Reads runtime system information

discovery
Description              Indicator          Process      Target
File opened for reading  /proc/filesystems  /usr/bin/cp  N/A

Processes

/tmp/ff80371810dff12a679bf85583920a51_JaffaCakes118

[/tmp/ff80371810dff12a679bf85583920a51_JaffaCakes118]

/usr/bin/cp

[cp -f /tmp/ff80371810dff12a679bf85583920a51_JaffaCakes118 /lib/ff80371810dff12a679bf85583920a51_JaffaCakes118]

Network

Country  Destination          Domain                          Proto
N/A      224.0.0.251:5353                                     udp
US       8.8.8.8:53           2.redhat-up.com                 udp
US       8.8.4.4:53           2.redhat-up.com                 udp
US       174.139.175.108:80                                   tcp
US       8.8.8.8:53           _http._tcp.se.archive.ubuntu.com  udp
US       8.8.8.8:53           _http._tcp.security.ubuntu.com  udp
US       8.8.8.8:53           security.ubuntu.com             udp
US       8.8.8.8:53           security.ubuntu.com             udp
US       8.8.8.8:53           se.archive.ubuntu.com           udp
US       8.8.8.8:53           se.archive.ubuntu.com           udp
US       91.189.91.83:80      security.ubuntu.com             tcp
SE       194.71.11.173:80     se.archive.ubuntu.com           tcp
US       8.8.8.8:53           2.redhat-up.com                 udp
US       8.8.4.4:53           2.redhat-up.com                 udp
US       174.139.175.108:80                                   tcp

Files

/usr/lib/5d570686-37ee-11e2-b228-000c292cb65c

MD5 8cdaebf5165f89c6a03fadc727e39f09
SHA1 f40723aaad902615ca8397d9c30b77c9e2ce77dd
SHA256 2993607ed496df8ae47650f392433c032b953d81548a289badcad9f45ffdcc3e
SHA512 4a5dfee9f0c661d58011b5e953a674101375185b3ad8dc58ec2b3afbefaf0f60fa31a13bba2946eb4c5aea9ee0e87cf1d31d9a7d35276b4b66435609889b6d63

/tmp/ff80371810dff12a679bf85583920a51_JaffaCakes118e

MD5 e236412fb598fd130d4c0c88cfb5d2ba
SHA1 626d970cf2251b4b6572d56d580da6bf2011b303
SHA256 efed8e0673d22e6bbabada6e6888274f0934794eedba1d1d68ea4c05a02a1126
SHA512 a61d4eac889548c1f1f5f3a747e9ce1f2a7afe8ae640d34776af2ec95589e7331efbee381e76bee0d7c09d2749a471ff1bc067bb94e0291c3509c72306815400