Overview

overview

10

Static

static

7

018f5f90bc...kes118

ubuntu-20.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    018f5f90bc3052d4d77fa8a627e1db2a_JaffaCakes118

  • Size

    247KB

  • Sample

    240328-knb15sgf4v

  • MD5

    018f5f90bc3052d4d77fa8a627e1db2a

  • SHA1

    570c0414ea4b8bec35b7cb795b6d3e8c1dadf98f

  • SHA256

    22a21f11a94c0c614d87883b82f461e1a0ed4661d3fb91d9fd20f1cf54738541

  • SHA512

    a2c3300eab0c701397222f11ae78afdd1283f1f4a43a91bed53594f89da3f6106b9f14830527b6d8c92d5e1cfbd41ead58dc069adb3482fb4afe36e71a9a5b56

  • SSDEEP

    6144:nSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NCPhhhR//mqYl:mZRgUY/fsJcO1KOiXOhhhBel

Score
10/10
xorddosantivmbotnetdownloaderinfostealerlinuxpersistenceupx

Malware Config

Extracted

Family

xorddos

Attributes
  • crc_polynomial

    EDB88320

Targets

    • Target

      018f5f90bc3052d4d77fa8a627e1db2a_JaffaCakes118

    • Size

      247KB

    • MD5

      018f5f90bc3052d4d77fa8a627e1db2a

    • SHA1

      570c0414ea4b8bec35b7cb795b6d3e8c1dadf98f

    • SHA256

      22a21f11a94c0c614d87883b82f461e1a0ed4661d3fb91d9fd20f1cf54738541

    • SHA512

      a2c3300eab0c701397222f11ae78afdd1283f1f4a43a91bed53594f89da3f6106b9f14830527b6d8c92d5e1cfbd41ead58dc069adb3482fb4afe36e71a9a5b56

    • SSDEEP

      6144:nSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NCPhhhR//mqYl:mZRgUY/fsJcO1KOiXOhhhBel

    Score
    10/10
    xorddosantivmbotnetdownloaderinfostealerpersistenceupx

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

      botnetdownloaderxorddos

    • Executes dropped EXE

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

      infostealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Write file to user bin folder

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

1
T1547

Hijack Execution Flow

1
T1574

Privilege Escalation

Scheduled Task/Job

1
T1053

Boot or Logon Autostart Execution

1
T1547

Hijack Execution Flow

1
T1574

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks