General

  • Target

    41a3a79180e513fc91608425b0e6c577_JaffaCakes118

  • Size

    247KB

  • Sample

    240330-w7b12abg6y

  • MD5

    41a3a79180e513fc91608425b0e6c577

  • SHA1

    696422c330d28538b6623f7f3efa8752b44e6924

  • SHA256

    52ae63185e64d30c1f678752833a21d7e864369c8283aba88334c1e7b5ab5255

  • SHA512

    354cf85f373fd5a81ee8e6d14084d744a71bbbf2f7353fad721dc88f96ae19b7370eee4f982f8bb7ac15eb4417cf2d3e315b4eb1959c1139ed0924e3c2e59e5f

  • SSDEEP

    6144:gSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NCyShhh3P/M9ts/mqYi:zZRgUY/fsJcO1KOiXuhhh89Cei

Malware Config

Extracted

  • Family

    xorddos

  • Attributes

    crc_polynomial: EDB88320

Targets

    • Target

      41a3a79180e513fc91608425b0e6c577_JaffaCakes118

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • Executes dropped EXE

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or other sensitive data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks CPU configuration

      Checks CPU information that indicates whether the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Matrix (ATT&CK v13)

Each tactic lists the techniques observed, the number of matching behaviours, and the technique ID.

Execution

  • Scheduled Task/Job: 1 (T1053)

Persistence

  • Scheduled Task/Job: 1 (T1053)
  • Boot or Logon Autostart Execution: 1 (T1547)
  • Hijack Execution Flow: 1 (T1574)

Privilege Escalation

  • Scheduled Task/Job: 1 (T1053)
  • Boot or Logon Autostart Execution: 1 (T1547)
  • Hijack Execution Flow: 1 (T1574)

Defense Evasion

  • Virtualization/Sandbox Evasion: 1 (T1497)
  • Hijack Execution Flow: 1 (T1574)

Discovery

  • Virtualization/Sandbox Evasion: 1 (T1497)
  • System Information Discovery: 1 (T1082)

Tasks