Overview

overview

10

Static

static

7

0081ba6e05...kes118

ubuntu-20.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0081ba6e059dd38a8c0098e71031ec7b_JaffaCakes118

  • Size

    247KB

  • Sample

    240328-jcsdbafe2w

  • MD5

    0081ba6e059dd38a8c0098e71031ec7b

  • SHA1

    f3953141c60bca96eb305e99626876662d263f60

  • SHA256

    a4917c19543d244216ab440d355e4e87fe806d2dbf57892dd8f62c51804f371a

  • SHA512

    91673e9b3eee2a8c6690c8fa7b983cc92c9003e86d6cb673c5d58ab59d4e0752188bd188523417529c73a91955bf454979243e87ad1f0ad1b7d368952a048bdc

  • SSDEEP

    6144:nSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NCPhhhR//mqYT:mZRgUY/fsJcO1KOiXOhhhBeT

Score
10/10
xorddosantivmbotnetdownloaderinfostealerlinuxpersistenceupx

Malware Config

Extracted

Family

xorddos

Attributes
  • crc_polynomial

    EDB88320

Targets

    • Target

      0081ba6e059dd38a8c0098e71031ec7b_JaffaCakes118

    • Size

      247KB

    • MD5

      0081ba6e059dd38a8c0098e71031ec7b

    • SHA1

      f3953141c60bca96eb305e99626876662d263f60

    • SHA256

      a4917c19543d244216ab440d355e4e87fe806d2dbf57892dd8f62c51804f371a

    • SHA512

      91673e9b3eee2a8c6690c8fa7b983cc92c9003e86d6cb673c5d58ab59d4e0752188bd188523417529c73a91955bf454979243e87ad1f0ad1b7d368952a048bdc

    • SSDEEP

      6144:nSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NCPhhhR//mqYT:mZRgUY/fsJcO1KOiXOhhhBeT

    Score
    10/10
    xorddosantivmbotnetdownloaderinfostealerpersistenceupx

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

      botnetdownloaderxorddos

    • Executes dropped EXE

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

      infostealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Write file to user bin folder

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

1
T1547

Hijack Execution Flow

1
T1574

Privilege Escalation

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

1
T1547

Hijack Execution Flow

1
T1574

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks