General

  • Target

    4354ecf6edd10d7625b429d765308ee2_JaffaCakes118

  • Size

    543KB

  • Sample

    240729-ngjzyswdmq

  • MD5

    4354ecf6edd10d7625b429d765308ee2

  • SHA1

    a936a99d2fbcb2666dbf4dcadd9e89ceadacb971

  • SHA256

    f17b59caed6d1c06938854996cd6064308f31ec88a39ff2553b52368f9a12384

  • SHA512

    c561361f8d1f9a211cc2e08662ff88b99c53700d77da6603d227379f122525171ced92d00edb1c7b5cfc9825b02cd24a1a060367e775e9ed630f853a2bbb5f79

  • SSDEEP

    12288:1p+duTlNbCIn53vlJU0VkW3C3jyiXcsPl3D2KSKqfj6y1mC:r+ITlNblJ3UHW3CuiXcsPZDmKqfx7

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:5616

wowapplecar.com:5616

Attributes

  • crc_polynomial

    CDB88320

  • xor.plain
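The crc_polynomial value above has the shape of a reflected (LSB-first) CRC-32 polynomial, and reading it as one is an assumption: it differs from the IEEE polynomial 0xEDB88320 that zlib uses in a single bit, so a stock crc32() will not reproduce checksums computed with it. The block below is an added example, not code from the report or from the XorDDoS sample; the report does not say how the sample applies its CRC and the code does not assume it. All function and constant names (make_table, crc32_reflected, is_standard_crc32, differing_bits, REPORTED_POLY) are mine.

```python
"""Reflected (LSB-first) CRC-32 with a configurable polynomial.

Added example, not code from the report or from the XorDDoS sample.  It
checks whether the extracted crc_polynomial is the standard CRC-32 or a
variant; how the sample applies its CRC is not stated in the report.
"""
import zlib

REPORTED_POLY = 0xCDB88320  # crc_polynomial from the extracted config
STANDARD_POLY = 0xEDB88320  # reflected form of 0x04C11DB7 (IEEE / zlib CRC-32)
CHECK_INPUT = b"123456789"  # conventional CRC check vector


def make_table(poly):
    """256-entry lookup table for a reflected CRC-32 with polynomial `poly`."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


def crc32_reflected(data, poly, init=0xFFFFFFFF, xorout=0xFFFFFFFF):
    """Table-driven reflected CRC-32 of `data`; defaults match CRC-32/ISO-HDLC."""
    table = make_table(poly)
    crc = init
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return (crc ^ xorout) & 0xFFFFFFFF


def is_standard_crc32(poly):
    """True if `poly` reproduces zlib's CRC-32 on the check vector."""
    return crc32_reflected(CHECK_INPUT, poly) == zlib.crc32(CHECK_INPUT) & 0xFFFFFFFF


def differing_bits(a, b):
    """Bit positions in which two 32-bit polynomials differ."""
    return [i for i in range(32) if (a ^ b) >> i & 1]


if __name__ == "__main__":
    print("standard? %s" % is_standard_crc32(REPORTED_POLY))
    print("bits differing from IEEE polynomial:", differing_bits(REPORTED_POLY, STANDARD_POLY))
    print("crc(check) = %08X" % crc32_reflected(CHECK_INPUT, REPORTED_POLY))
```

Running it shows that REPORTED_POLY fails the standard check vector while STANDARD_POLY passes it, which is the quickest way to tell a custom CRC table in a sample from a library call. When you reimplement the sample's checksum, also confirm the init and xorout values, since a variant may change those as well as the polynomial.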

Targets

    • Target

      4354ecf6edd10d7625b429d765308ee2_JaffaCakes118

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Deletes itself

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder
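The signatures above (cron job, init.d, user bin folder, self-deletion, C2 on port 5616) translate directly into host checks. The script below is an added example and not part of the sandbox report or the malware's own code: the hashes, C2 hosts and port are copied from the report, while the directory list (PERSISTENCE_DIRS), the crontab parsing, the sample crontab and log lines, and every function name (matches_ioc, scan_persistence_dirs, cron_commands, suspicious_cron, deleted_running_binaries, c2_hits) are my own constructions for illustration.

```python
"""Host triage helper for the XorDDoS indicators in this report.

Added example, not code from the sandbox report or from the malware.  Hashes,
C2 hosts and port are copied from the report; the directory list, crontab
handling and sample lines are constructed assumptions."""
import hashlib
import os
import re
from pathlib import Path

# Indicators copied from the report.
IOC_MD5 = "4354ecf6edd10d7625b429d765308ee2"
IOC_SHA256 = "f17b59caed6d1c06938854996cd6064308f31ec88a39ff2553b52368f9a12384"
IOC_C2_HOSTS = ("topbannersun.com", "wowapplecar.com")
IOC_C2_PORT = 5616
# Assumed concrete paths behind the cron / init.d / user bin signatures.
PERSISTENCE_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/init.d", "/usr/bin")


def file_hashes(path):
    """(md5, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def matches_ioc(path):
    """True when the file hashes to the report's MD5 or SHA256."""
    try:
        md5, sha = file_hashes(path)
    except OSError:
        return False
    return md5 == IOC_MD5 or sha == IOC_SHA256


def scan_persistence_dirs(dirs=PERSISTENCE_DIRS, is_bad=matches_ioc):
    """Files under the persistence directories that match the IOC hashes."""
    return [str(p) for d in dirs if os.path.isdir(d)
            for p in Path(d).iterdir() if p.is_file() and is_bad(str(p))]


# Five schedule fields, a user column (system crontabs only), then the command.
_SYSTEM_CRON = re.compile(r"^((?:\S+\s+){5})\S+\s+(.+?)\s*$")
_USER_CRON = re.compile(r"^((?:\S+\s+){5})(.+?)\s*$")


def cron_commands(lines, system=True):
    """(schedule, command) pairs; system=True for /etc/crontab and /etc/cron.d,
    which carry a user column that per-user crontabs lack."""
    pat = _SYSTEM_CRON if system else _USER_CRON
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        m = pat.match(line)
        if m:
            out.append((m.group(1).strip(), m.group(2)))
    return out


def suspicious_cron(lines, system=True, is_bad=matches_ioc):
    """Cron entries whose command is an absolute path hashing to the IOCs."""
    return [(s, c) for s, c in cron_commands(lines, system)
            if c.split()[0].startswith("/") and is_bad(c.split()[0])]


def deleted_running_binaries(proc_root="/proc"):
    """(pid, exe link target) for processes whose binary was unlinked after exec,
    the footprint of "Deletes itself".  The bytes stay readable via
    /proc/<pid>/exe, so copy them out before killing the process."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc_root) if os.path.isdir(proc_root) else []):
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue  # kernel thread, already exited, or no permission
        if target.endswith(" (deleted)"):
            found.append((int(pid), target))
    return found


_C2_RE = re.compile("|".join(re.escape(h) for h in IOC_C2_HOSTS)
                    + r"|[: ]%d\b" % IOC_C2_PORT)


def c2_hits(lines):
    """Log lines naming a C2 host or the C2 port."""
    return [line for line in lines if _C2_RE.search(line)]


# Constructed sample input, not taken from the report.
SAMPLE_CRONTAB = [
    "# /etc/crontab",
    "SHELL=/bin/sh",
    "17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly",
    "*/3 * * * * root /usr/bin/dropped-example",
]
SAMPLE_LOG = [
    "Jul 29 12:00:01 host dnsmasq[412]: query[A] topbannersun.com from 10.0.0.5",
    "Jul 29 12:00:01 host dnsmasq[412]: query[A] example.org from 10.0.0.5",
    "Jul 29 12:00:02 host fw: OUT 10.0.0.5 -> 203.0.113.9:5616 SYN",
]
```

On a live host, run suspicious_cron over /etc/crontab and each file in /etc/cron.d with system=True and over `crontab -l` output with system=False, and run deleted_running_binaries as root: a process whose /proc/<pid>/exe ends in " (deleted)" is the usual trace of a dropper that unlinks itself, and the binary can still be copied out of /proc/<pid>/exe for hashing against the report. The is_bad parameter exists so the hash check can be swapped for a different matcher (or a stub in tests) without touching the parsing logic.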
