Analysis
-
max time kernel
149s -
max time network
151s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240508-en -
resource tags
-
submitted
12-05-2024 17:58
General
-
Target
3b614f5f8145fa12d8ab1adaf46dd252_JaffaCakes118
-
Size
647KB
-
MD5
3b614f5f8145fa12d8ab1adaf46dd252
-
SHA1
cca3b65a7f388f74b34d149b90c73411783a2e4e
-
SHA256
ed03a03a98f1b157c0b2eda15f9669f3e2f24262d329313542d9a4e6e34188d4
-
SHA512
6507ce97950bb4bcc0f628192d6f0a4aa9e3071f6dbb899e57218671ccc2a13703fad009ca152fb72b8528649c5c548d1e286b8f52045de472d436b33116ee05
-
SSDEEP
12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Ton3p6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1m36wvnDWXMN
Malware Config
Extracted
xorddos
http://info1.3000uc.com/b/u.php
benniaogg.benniao.date:2000
8u.yesoday.com:7770
8u2.yesoday.com:7771
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 31 IoCs
-
Reads EFI boot settings 1 IoCs
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 10 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/3b614f5f8145fa12d8ab1adaf46dd252_JaffaCakes118/tmp/3b614f5f8145fa12d8ab1adaf46dd252_JaffaCakes1181⤵
- Reads runtime system information
-
/boot/jpteolpijy/boot/jpteolpijy1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Reads runtime system information
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"2⤵
- Creates/modifies Cron job
-
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab3⤵
- Reads runtime system information
-
-
-
/bin/chkconfigchkconfig --add jpteolpijy1⤵
-
/sbin/chkconfigchkconfig --add jpteolpijy1⤵
-
/usr/bin/chkconfigchkconfig --add jpteolpijy1⤵
-
/usr/sbin/chkconfigchkconfig --add jpteolpijy1⤵
-
/usr/local/bin/chkconfigchkconfig --add jpteolpijy1⤵
-
/usr/local/sbin/chkconfigchkconfig --add jpteolpijy1⤵
-
/usr/X11R6/bin/chkconfigchkconfig --add jpteolpijy1⤵
-
/bin/update-rc.dupdate-rc.d jpteolpijy defaults1⤵
-
/sbin/update-rc.dupdate-rc.d jpteolpijy defaults1⤵
-
/bin/systemctlsystemctl daemon-reload2⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/boot/sdjywteduu/boot/sdjywteduu "netstat -an" 14431⤵
- Executes dropped EXE
-
/boot/xzcirtjxmi/boot/xzcirtjxmi gnome-terminal 14431⤵
- Executes dropped EXE
-
/boot/hqcmdklxfq/boot/hqcmdklxfq "cat resolv.conf" 14431⤵
- Executes dropped EXE
-
/boot/rimcrspcuq/boot/rimcrspcuq "route -n" 14431⤵
- Executes dropped EXE
-
/boot/rzowklutxq/boot/rzowklutxq "route -n" 14431⤵
- Executes dropped EXE
-
/boot/tescxaqpks/boot/tescxaqpks whoami 14431⤵
- Executes dropped EXE
-
/boot/ixgufxvrgj/boot/ixgufxvrgj ls 14431⤵
- Executes dropped EXE
-
/boot/xpltdwwppa/boot/xpltdwwppa id 14431⤵
- Executes dropped EXE
-
/boot/bosgtomarb/boot/bosgtomarb uptime 14431⤵
- Executes dropped EXE
-
/boot/ncsvbrvvqz/boot/ncsvbrvvqz bash 14431⤵
- Executes dropped EXE
-
/boot/zzhbsolekn/boot/zzhbsolekn "sleep 1" 14431⤵
- Executes dropped EXE
-
/boot/vzthnoamki/boot/vzthnoamki bash 14431⤵
- Executes dropped EXE
-
/boot/mlvzcihhkl/boot/mlvzcihhkl "netstat -an" 14431⤵
- Executes dropped EXE
-
/boot/brgxmufkrf/boot/brgxmufkrf uptime 14431⤵
- Executes dropped EXE
-
/boot/hbyzwezfvk/boot/hbyzwezfvk top 14431⤵
- Executes dropped EXE
-
/boot/lshljzgbgl/boot/lshljzgbgl pwd 14431⤵
- Executes dropped EXE
-
/boot/lykimcovjo/boot/lykimcovjo su 14431⤵
- Executes dropped EXE
-
/boot/eozkykrcig/boot/eozkykrcig pwd 14431⤵
- Executes dropped EXE
-
/boot/zwadnvmdhd/boot/zwadnvmdhd "ps -ef" 14431⤵
- Executes dropped EXE
-
/boot/nfanxjbpbp/boot/nfanxjbpbp "ls -la" 14431⤵
- Executes dropped EXE
-
/boot/mbiwvdoxhs/boot/mbiwvdoxhs su 14431⤵
- Executes dropped EXE
-
/boot/jmkjmwhkez/boot/jmkjmwhkez bash 14431⤵
- Executes dropped EXE
-
/boot/drnkseghqc/boot/drnkseghqc "netstat -antop" 14431⤵
- Executes dropped EXE
-
/boot/gpegnleasp/boot/gpegnleasp id 14431⤵
- Executes dropped EXE
-
/boot/rumijuuolx/boot/rumijuuolx ls 14431⤵
- Executes dropped EXE
-
/boot/pmzgucnpuy/boot/pmzgucnpuy ls 14431⤵
- Executes dropped EXE
-
/boot/ltfnufbgso/boot/ltfnufbgso top 14431⤵
- Executes dropped EXE
-
/boot/afzecogvrr/boot/afzecogvrr uptime 14431⤵
- Executes dropped EXE
-
/boot/hzklzspchl/boot/hzklzspchl "ifconfig eth0" 14431⤵
- Executes dropped EXE
-
/boot/rtgbfnwczc/boot/rtgbfnwczc "ls -la" 14431⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223B
MD5b791b087b1795e3674a9aa765c76fc04
SHA1b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1
SHA2561c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e
SHA5122dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2
-
Filesize
1KB
MD5025668d5c5556a09e474efb8c86a5386
SHA13946e355c493dae571f427906058d877dd000bc5
SHA256442a198f06e95043ad28dd345a2ec9b84799a434425b21ab24eeea6f296915d5
SHA512f72df72c05fdcc6e3d11a4dcfe5b48486d391b4d61e25d82f6707b02bcd84b5d0989abf037abebcc6518ca106061de9c8d1b0dd2c2bd0b73649e85617aa15218
-
Filesize
317B
MD5b30af880642ec739fd4f8e4f147b5761
SHA180a1b4ae9fa2518fe3be1959a81fa288454c1639
SHA256617b76b2c6f869c22db3bc9167d9f52dc1b3c541c7d8cdf6ef586a4ac671441e
SHA512a9dac19a62448c4609efbf3ea5c21abe11ec5065acb89c99c9275cb1868080a993e58d6bcdecacf715e63e5507ab7b0d5ef608a57d51f22e62ec78f56879f62a
-
Filesize
1KB
MD544df62f8c671c9306af920e2839cda53
SHA190db86feb0aa6d41208eeb8097929407d79d95cc
SHA256c5c9241274bee45e7e60d8b247a15bd5f69bf821b813215194156fd60fc4afc9
SHA5120b86ddc2a648da07820a8ef90c71a54908650f589cc7a6c9ca40d74083909f56cdc68633dca82174ca6ddfd340bbd538bdb3a9ace8ba5031b474a4db01d5427d
-
Filesize
32B
MD5a4b33ca9fc99459867767f7496402b8b
SHA17c7a508bf380a0f2cc30a186636d740e7d19f599
SHA2568b35245636586ed4197df339ee640f26e694b3cb350b8f6a181450314c555747
SHA512d1bd83bcc74f7ced5d3d360ede712c92ada848225f050a71ef215c3b34752965232f7c4db9cd6fcdb50fa4a29b352ff11dbd3dd741bb9600cd5fa4b508d7ec8b
-
Filesize
647KB
MD53b614f5f8145fa12d8ab1adaf46dd252
SHA1cca3b65a7f388f74b34d149b90c73411783a2e4e
SHA256ed03a03a98f1b157c0b2eda15f9669f3e2f24262d329313542d9a4e6e34188d4
SHA5126507ce97950bb4bcc0f628192d6f0a4aa9e3071f6dbb899e57218671ccc2a13703fad009ca152fb72b8528649c5c548d1e286b8f52045de472d436b33116ee05