Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240729-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240729-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    29/07/2024, 22:58

General

  • Target

    65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118

  • Size

    647KB

  • MD5

    65b4eac6cbab5c4b11aa86484decce16

  • SHA1

    847b8daa617e08840ecad2ba519856cc603d8660

  • SHA256

    c7ef93aef90181a38af98fd27cb0a380777593f5c04a575ca81643eaa5897fb0

  • SHA512

    3b5690ae5af11f069044f2ad6bd3c33fa0e76fc57d1312b95e44cfb62dfd18dd8db0f6557685540e8123652f76591b7019172d2cbf873f57ca9a79048d3d4e6c

  • SSDEEP

    12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonTp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mT6wvnDWXMN

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

aaaaaaaaaa.re67das.com:5859

182.18.22.240:8808

sx.gexgz.com:8808

Attributes

  • crc_polynomial

    EDB88320

  • xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 31 IoCs
  • Unexpected DNS network traffic destination 33 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 2 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Reads runtime system information 5 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
    /tmp/65b4eac6cbab5c4b11aa86484decce16_JaffaCakes118
    1⤵
    • Reads runtime system information
    PID:1563
  • /boot/bxryqfudom
    /boot/bxryqfudom
    1⤵
    • Executes dropped EXE
    • Creates/modifies Cron job
    • Modifies init.d
    • Reads runtime system information
    PID:1566
    • /bin/sh
      sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
      2⤵
      • Creates/modifies Cron job
      PID:1572
      • /bin/sed
        sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
        3⤵
        • Reads runtime system information
        PID:1573
  • /bin/chkconfig
    chkconfig --add bxryqfudom
    1⤵
    PID:1569
  • /sbin/chkconfig
    chkconfig --add bxryqfudom
    1⤵
    PID:1569
  • /usr/bin/chkconfig
    chkconfig --add bxryqfudom
    1⤵
    PID:1569
  • /usr/sbin/chkconfig
    chkconfig --add bxryqfudom
    1⤵
    PID:1569
  • /usr/local/bin/chkconfig
    chkconfig --add bxryqfudom
    1⤵
    PID:1569
  • /usr/local/sbin/chkconfig
    chkconfig --add bxryqfudom
    1⤵
    PID:1569
  • /usr/X11R6/bin/chkconfig
    chkconfig --add bxryqfudom
    1⤵
    PID:1569
  • /bin/update-rc.d
    update-rc.d bxryqfudom defaults
    1⤵
    PID:1571
  • /sbin/update-rc.d
    update-rc.d bxryqfudom defaults
    1⤵
    PID:1571
    • /bin/systemctl
      systemctl daemon-reload
      2⤵
      • Reads runtime system information
      PID:1582
  • /boot/qkutmcrswd
    /boot/qkutmcrswd bash 1567
    1⤵
    • Executes dropped EXE
    PID:1577
  • /boot/xaugylggcl
    /boot/xaugylggcl ifconfig 1567
    1⤵
    • Executes dropped EXE
    PID:1617
  • /boot/nvnghccqdi
    /boot/nvnghccqdi whoami 1567
    1⤵
    • Executes dropped EXE
    PID:1620
  • /boot/yheqprfkba
    /boot/yheqprfkba whoami 1567
    1⤵
    • Executes dropped EXE
    PID:1623
  • /boot/bhlzcqolxe
    /boot/bhlzcqolxe "netstat -antop" 1567
    1⤵
    • Executes dropped EXE
    PID:1626
  • /boot/cujumckuuo
    /boot/cujumckuuo "ps -ef" 1567
    1⤵
    • Executes dropped EXE
    PID:1629
  • /boot/durdnepqfs
    /boot/durdnepqfs sh 1567
    1⤵
    • Executes dropped EXE
    PID:1634
  • /boot/kzsxgxdqjs
    /boot/kzsxgxdqjs "ifconfig eth0" 1567
    1⤵
    • Executes dropped EXE
    PID:1637
  • /boot/uurxspllwx
    /boot/uurxspllwx "ifconfig eth0" 1567
    1⤵
    • Executes dropped EXE
    PID:1640
  • /boot/kchezukfjr
    /boot/kchezukfjr pwd 1567
    1⤵
    • Executes dropped EXE
    PID:1643
  • /boot/uahcehuvqg
    /boot/uahcehuvqg sh 1567
    1⤵
    • Executes dropped EXE
    PID:1646
  • /boot/ocxvxkiwpb
    /boot/ocxvxkiwpb "grep \"A\"" 1567
    1⤵
    • Executes dropped EXE
    PID:1649
  • /boot/fwdbxxnxew
    /boot/fwdbxxnxew uptime 1567
    1⤵
    • Executes dropped EXE
    PID:1658
  • /boot/pqnvqtievv
    /boot/pqnvqtievv "netstat -an" 1567
    1⤵
    • Executes dropped EXE
    PID:1676
  • /boot/lzxgujwdho
    /boot/lzxgujwdho "grep \"A\"" 1567
    1⤵
    • Executes dropped EXE
    PID:1679
  • /boot/odotpkmeqs
    /boot/odotpkmeqs top 1567
    1⤵
    • Executes dropped EXE
    PID:1682
  • /boot/qyvpdmttcg
    /boot/qyvpdmttcg sh 1567
    1⤵
    • Executes dropped EXE
    PID:1685
  • /boot/nwweknivdj
    /boot/nwweknivdj bash 1567
    1⤵
    • Executes dropped EXE
    PID:1688
  • /boot/azunoahwwn
    /boot/azunoahwwn "cd /etc" 1567
    1⤵
    • Executes dropped EXE
    PID:1691
  • /boot/lxvbpfnvmt
    /boot/lxvbpfnvmt "route -n" 1567
    1⤵
    • Executes dropped EXE
    PID:1694
  • /boot/gaolrgxkrz
    /boot/gaolrgxkrz id 1567
    1⤵
    • Executes dropped EXE
    PID:1697
  • /boot/fnoggizyxr
    /boot/fnoggizyxr "netstat -an" 1567
    1⤵
    • Executes dropped EXE
    PID:1700
  • /boot/xbrwdtqleq
    /boot/xbrwdtqleq "cat resolv.conf" 1567
    1⤵
    • Executes dropped EXE
    PID:1703
  • /boot/puzbbhfiaz
    /boot/puzbbhfiaz uptime 1567
    1⤵
    • Executes dropped EXE
    PID:1706
  • /boot/zxqnwtqdby
    /boot/zxqnwtqdby "echo \"find\"" 1567
    1⤵
    • Executes dropped EXE
    PID:1712
  • /boot/wzylkvxohn
    /boot/wzylkvxohn uptime 1567
    1⤵
    • Executes dropped EXE
    PID:1715
  • /boot/cwzkeuwmsd
    /boot/cwzkeuwmsd top 1567
    1⤵
    • Executes dropped EXE
    PID:1718
  • /boot/xdbkzmkoqg
    /boot/xdbkzmkoqg "ls -la" 1567
    1⤵
    • Executes dropped EXE
    PID:1721
  • /boot/txyzqshore
    /boot/txyzqshore gnome-terminal 1567
    1⤵
    • Executes dropped EXE
    PID:1724
  • /boot/umsmdojgmh
    /boot/umsmdojgmh ifconfig 1567
    1⤵
    • Executes dropped EXE
    PID:1727

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/cron.hourly/cron.sh

    Filesize

    223B

    MD5

    b791b087b1795e3674a9aa765c76fc04

    SHA1

    b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

    SHA256

    1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

    SHA512

    2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

  • /etc/crontab

    Filesize

    1KB

    MD5

    8333938f8704c2a0c7c0277d4a2ddd37

    SHA1

    2a521562227e522aa045aa959bf5c9092fb3470d

    SHA256

    73561733495eb44881664ab0410642751e0afc3973c5a52ebd27900cde398988

    SHA512

    a415a5002a1636c6e0cf7a5aa06a221621c656864bbbdbf384affdf8f9eefcc17eef3c980c6be454d30eb109b973b92689ae418959ac331dca538782e6c9b649

  • /etc/init.d/bxryqfudom

    Filesize

    317B

    MD5

    186a40bde4071f8d4d92c39282176c63

    SHA1

    ae4c0533e2f0801b18e1afc5d17120da43ba4a0c

    SHA256

    f78c3b755069cc8813e43094d50a3c70c56ac7f24d84c7f3216271a2ccc0bd7e

    SHA512

    eec254c5308a0d3a8a8d9f447a173a333356f239130dba2f10d2a66d21486a290997d5b26b605fa4ad7ad473c52cafe8bb16cff0fe8ee4174ed676f312bffa1b

  • /etc/seduBc8uC

    Filesize

    1KB

    MD5

    e57fd77c50de7b8a8eec19de0ec3f4f3

    SHA1

    835d38771a0c5b112596ab8841a7904f41c266ee

    SHA256

    3494e2d3ce0fb77633d00b247cad543cca29c7673da802a23bd5fe0364eb2c13

    SHA512

    e6103d07bb6ed51cba953a9a861e39a36be0dc37899ec0fa353f5c991f71f9e7ec8433c054ac18a74da0a1c46054ad7cd637a1c64301d52cb0e6ac3d59f5c86c

  • /run/sftp.pid

    Filesize

    32B

    MD5

    d4928b85febf659f3e0605f1c259595f

    SHA1

    2c6d5361ebc30a6bcc74ed9a51b82488cd109423

    SHA256

    9a9d1dbd8e6a5eee877c5bd53d13f5eb951cc50a37141f073d4688daaa2acd85

    SHA512

    803f43eea92f7e74336caef1bf5b500b841ada46b45cb149bb0062ec14ef5ae650d299bab00b55fd63f1ff153ad77c43e4e21c3f71a04036ca78b1d3da1b6dc9

  • /usr/lib/udev/udev

    Filesize

    647KB

    MD5

    65b4eac6cbab5c4b11aa86484decce16

    SHA1

    847b8daa617e08840ecad2ba519856cc603d8660

    SHA256

    c7ef93aef90181a38af98fd27cb0a380777593f5c04a575ca81643eaa5897fb0

    SHA512

    3b5690ae5af11f069044f2ad6bd3c33fa0e76fc57d1312b95e44cfb62dfd18dd8db0f6557685540e8123652f76591b7019172d2cbf873f57ca9a79048d3d4e6c