Analysis
-
max time kernel
149s -
max time network
152s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240729-en -
resource tags
arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
-
submitted
29/07/2024, 22:58
Behavioral task
behavioral1
Sample
65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
Resource
ubuntu2204-amd64-20240729-en
General
-
Target
65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
-
Size
647KB
-
MD5
65b4eac6cbab5c4b11aa86484decce16
-
SHA1
847b8daa617e08840ecad2ba519856cc603d8660
-
SHA256
c7ef93aef90181a38af98fd27cb0a380777593f5c04a575ca81643eaa5897fb0
-
SHA512
3b5690ae5af11f069044f2ad6bd3c33fa0e76fc57d1312b95e44cfb62dfd18dd8db0f6557685540e8123652f76591b7019172d2cbf873f57ca9a79048d3d4e6c
-
SSDEEP
12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonTp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mT6wvnDWXMN
Malware Config
Extracted
xorddos
http://info1.3000uc.com/b/u.php
aaaaaaaaaa.re67das.com:5859
182.18.22.240:8808
sx.gexgz.com:8808
-
crc_polynomial
EDB88320
Signatures
-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload 1 IoCs
resource: behavioral1/files/fstream-1.dat
yara_rule: family_xorddos
-
Deletes itself 1 IoCs
pid 1564 -
Executes dropped EXE 31 IoCs
ioc | pid | Process
/boot/bxryqfudom | 1566 | bxryqfudom
/boot/qkutmcrswd | 1577 | qkutmcrswd
/boot/xaugylggcl | 1617 | xaugylggcl
/boot/nvnghccqdi | 1620 | nvnghccqdi
/boot/yheqprfkba | 1623 | yheqprfkba
/boot/bhlzcqolxe | 1626 | bhlzcqolxe
/boot/cujumckuuo | 1629 | cujumckuuo
/boot/durdnepqfs | 1634 | durdnepqfs
/boot/kzsxgxdqjs | 1637 | kzsxgxdqjs
/boot/uurxspllwx | 1640 | uurxspllwx
/boot/kchezukfjr | 1643 | kchezukfjr
/boot/uahcehuvqg | 1646 | uahcehuvqg
/boot/ocxvxkiwpb | 1649 | ocxvxkiwpb
/boot/fwdbxxnxew | 1658 | fwdbxxnxew
/boot/pqnvqtievv | 1676 | pqnvqtievv
/boot/lzxgujwdho | 1679 | lzxgujwdho
/boot/odotpkmeqs | 1682 | odotpkmeqs
/boot/qyvpdmttcg | 1685 | qyvpdmttcg
/boot/nwweknivdj | 1688 | nwweknivdj
/boot/azunoahwwn | 1691 | azunoahwwn
/boot/lxvbpfnvmt | 1694 | lxvbpfnvmt
/boot/gaolrgxkrz | 1697 | gaolrgxkrz
/boot/fnoggizyxr | 1700 | fnoggizyxr
/boot/xbrwdtqleq | 1703 | xbrwdtqleq
/boot/puzbbhfiaz | 1706 | puzbbhfiaz
/boot/zxqnwtqdby | 1712 | zxqnwtqdby
/boot/wzylkvxohn | 1715 | wzylkvxohn
/boot/cwzkeuwmsd | 1718 | cwzkeuwmsd
/boot/xdbkzmkoqg | 1721 | xdbkzmkoqg
/boot/txyzqshore | 1724 | txyzqshore
/boot/umsmdojgmh | 1727 | umsmdojgmh
-
Unexpected DNS network traffic destination 33 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114 (33 identical entries)
-
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /etc/cron.hourly/cron.sh | bxryqfudom
File opened for modification | /etc/crontab | sh
-
Modifies init.d 1 IoCs
description | ioc | Process
File opened for modification | /etc/init.d/bxryqfudom | bxryqfudom
-
Reads runtime system information 5 IoCs
Reads data from /proc virtual filesystem.
description | ioc | Process
File opened for reading | /proc/rs_dev | 65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
File opened for reading | /proc/rs_dev | bxryqfudom
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/stat | bxryqfudom
File opened for reading | /proc/filesystems | systemctl
Processes
-
- /tmp/65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
  Command line: /tmp/65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
  - Reads runtime system information
  PID:1563
- /boot/bxryqfudom
  Command line: /boot/bxryqfudom
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Modifies init.d
  - Reads runtime system information
  PID:1566
  - /bin/sh
    Command line: sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
    - Creates/modifies Cron job
    PID:1572
    - /bin/sed
      Command line: sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
      - Reads runtime system information
      PID:1573
- /bin/chkconfig
  Command line: chkconfig --add bxryqfudom
  PID:1569
- /sbin/chkconfig
  Command line: chkconfig --add bxryqfudom
  PID:1569
- /usr/bin/chkconfig
  Command line: chkconfig --add bxryqfudom
  PID:1569
- /usr/sbin/chkconfig
  Command line: chkconfig --add bxryqfudom
  PID:1569
- /usr/local/bin/chkconfig
  Command line: chkconfig --add bxryqfudom
  PID:1569
- /usr/local/sbin/chkconfig
  Command line: chkconfig --add bxryqfudom
  PID:1569
- /usr/X11R6/bin/chkconfig
  Command line: chkconfig --add bxryqfudom
  PID:1569
- /bin/update-rc.d
  Command line: update-rc.d bxryqfudom defaults
  PID:1571
- /sbin/update-rc.d
  Command line: update-rc.d bxryqfudom defaults
  PID:1571
  - /bin/systemctl
    Command line: systemctl daemon-reload
    - Reads runtime system information
    PID:1582
- /boot/qkutmcrswd
  Command line: /boot/qkutmcrswd bash 1567
  - Executes dropped EXE
  PID:1577
- /boot/xaugylggcl
  Command line: /boot/xaugylggcl ifconfig 1567
  - Executes dropped EXE
  PID:1617
- /boot/nvnghccqdi
  Command line: /boot/nvnghccqdi whoami 1567
  - Executes dropped EXE
  PID:1620
- /boot/yheqprfkba
  Command line: /boot/yheqprfkba whoami 1567
  - Executes dropped EXE
  PID:1623
- /boot/bhlzcqolxe
  Command line: /boot/bhlzcqolxe "netstat -antop" 1567
  - Executes dropped EXE
  PID:1626
- /boot/cujumckuuo
  Command line: /boot/cujumckuuo "ps -ef" 1567
  - Executes dropped EXE
  PID:1629
- /boot/durdnepqfs
  Command line: /boot/durdnepqfs sh 1567
  - Executes dropped EXE
  PID:1634
- /boot/kzsxgxdqjs
  Command line: /boot/kzsxgxdqjs "ifconfig eth0" 1567
  - Executes dropped EXE
  PID:1637
- /boot/uurxspllwx
  Command line: /boot/uurxspllwx "ifconfig eth0" 1567
  - Executes dropped EXE
  PID:1640
- /boot/kchezukfjr
  Command line: /boot/kchezukfjr pwd 1567
  - Executes dropped EXE
  PID:1643
- /boot/uahcehuvqg
  Command line: /boot/uahcehuvqg sh 1567
  - Executes dropped EXE
  PID:1646
- /boot/ocxvxkiwpb
  Command line: /boot/ocxvxkiwpb "grep \"A\"" 1567
  - Executes dropped EXE
  PID:1649
- /boot/fwdbxxnxew
  Command line: /boot/fwdbxxnxew uptime 1567
  - Executes dropped EXE
  PID:1658
- /boot/pqnvqtievv
  Command line: /boot/pqnvqtievv "netstat -an" 1567
  - Executes dropped EXE
  PID:1676
- /boot/lzxgujwdho
  Command line: /boot/lzxgujwdho "grep \"A\"" 1567
  - Executes dropped EXE
  PID:1679
- /boot/odotpkmeqs
  Command line: /boot/odotpkmeqs top 1567
  - Executes dropped EXE
  PID:1682
- /boot/qyvpdmttcg
  Command line: /boot/qyvpdmttcg sh 1567
  - Executes dropped EXE
  PID:1685
- /boot/nwweknivdj
  Command line: /boot/nwweknivdj bash 1567
  - Executes dropped EXE
  PID:1688
- /boot/azunoahwwn
  Command line: /boot/azunoahwwn "cd /etc" 1567
  - Executes dropped EXE
  PID:1691
- /boot/lxvbpfnvmt
  Command line: /boot/lxvbpfnvmt "route -n" 1567
  - Executes dropped EXE
  PID:1694
- /boot/gaolrgxkrz
  Command line: /boot/gaolrgxkrz id 1567
  - Executes dropped EXE
  PID:1697
- /boot/fnoggizyxr
  Command line: /boot/fnoggizyxr "netstat -an" 1567
  - Executes dropped EXE
  PID:1700
- /boot/xbrwdtqleq
  Command line: /boot/xbrwdtqleq "cat resolv.conf" 1567
  - Executes dropped EXE
  PID:1703
- /boot/puzbbhfiaz
  Command line: /boot/puzbbhfiaz uptime 1567
  - Executes dropped EXE
  PID:1706
- /boot/zxqnwtqdby
  Command line: /boot/zxqnwtqdby "echo \"find\"" 1567
  - Executes dropped EXE
  PID:1712
- /boot/wzylkvxohn
  Command line: /boot/wzylkvxohn uptime 1567
  - Executes dropped EXE
  PID:1715
- /boot/cwzkeuwmsd
  Command line: /boot/cwzkeuwmsd top 1567
  - Executes dropped EXE
  PID:1718
- /boot/xdbkzmkoqg
  Command line: /boot/xdbkzmkoqg "ls -la" 1567
  - Executes dropped EXE
  PID:1721
- /boot/txyzqshore
  Command line: /boot/txyzqshore gnome-terminal 1567
  - Executes dropped EXE
  PID:1724
- /boot/umsmdojgmh
  Command line: /boot/umsmdojgmh ifconfig 1567
  - Executes dropped EXE
  PID:1727
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
223B
MD5 b791b087b1795e3674a9aa765c76fc04
SHA1 b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1
SHA256 1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e
SHA512 2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2
-
Filesize
1KB
MD5 8333938f8704c2a0c7c0277d4a2ddd37
SHA1 2a521562227e522aa045aa959bf5c9092fb3470d
SHA256 73561733495eb44881664ab0410642751e0afc3973c5a52ebd27900cde398988
SHA512 a415a5002a1636c6e0cf7a5aa06a221621c656864bbbdbf384affdf8f9eefcc17eef3c980c6be454d30eb109b973b92689ae418959ac331dca538782e6c9b649
-
Filesize
317B
MD5 186a40bde4071f8d4d92c39282176c63
SHA1 ae4c0533e2f0801b18e1afc5d17120da43ba4a0c
SHA256 f78c3b755069cc8813e43094d50a3c70c56ac7f24d84c7f3216271a2ccc0bd7e
SHA512 eec254c5308a0d3a8a8d9f447a173a333356f239130dba2f10d2a66d21486a290997d5b26b605fa4ad7ad473c52cafe8bb16cff0fe8ee4174ed676f312bffa1b
-
Filesize
1KB
MD5 e57fd77c50de7b8a8eec19de0ec3f4f3
SHA1 835d38771a0c5b112596ab8841a7904f41c266ee
SHA256 3494e2d3ce0fb77633d00b247cad543cca29c7673da802a23bd5fe0364eb2c13
SHA512 e6103d07bb6ed51cba953a9a861e39a36be0dc37899ec0fa353f5c991f71f9e7ec8433c054ac18a74da0a1c46054ad7cd637a1c64301d52cb0e6ac3d59f5c86c
-
Filesize
32B
MD5 d4928b85febf659f3e0605f1c259595f
SHA1 2c6d5361ebc30a6bcc74ed9a51b82488cd109423
SHA256 9a9d1dbd8e6a5eee877c5bd53d13f5eb951cc50a37141f073d4688daaa2acd85
SHA512 803f43eea92f7e74336caef1bf5b500b841ada46b45cb149bb0062ec14ef5ae650d299bab00b55fd63f1ff153ad77c43e4e21c3f71a04036ca78b1d3da1b6dc9
-
Filesize
647KB
MD5 65b4eac6cbab5c4b11aa86484decce16
SHA1 847b8daa617e08840ecad2ba519856cc603d8660
SHA256 c7ef93aef90181a38af98fd27cb0a380777593f5c04a575ca81643eaa5897fb0
SHA512 3b5690ae5af11f069044f2ad6bd3c33fa0e76fc57d1312b95e44cfb62dfd18dd8db0f6557685540e8123652f76591b7019172d2cbf873f57ca9a79048d3d4e6c