General

  • Target

    494d9a5e25b9e1d3eedb7a2341aa49ad_JaffaCakes118

  • Size

    544KB

  • Sample

    240729-qq36aszgnq

  • MD5

    494d9a5e25b9e1d3eedb7a2341aa49ad

  • SHA1

    3f1f4ba2434d0ad07838ebc694ad4a4cf8c9641a

  • SHA256

    5f0a2b492c8accde73f1e3db51fe398d54e622655d34fd6d49f7a7264179a885

  • SHA512

    7b0514d9919a80e3585f2c5695acccd27b1cc9725c5995a7d657a49e6de04d07ca4e920328e7c59ab89f4395ce239881b23803710c87560950b596d00fa65b12

  • SSDEEP

    12288:JbinNy0Y1nvEtXBx6DkkJmAGyPexU279WnjVZ6ySWK:1iNy0evmxvkJmApPexUm9cVE

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:1433

wowapplecar.com:1433

Attributes

  • crc_polynomial

    CDB88320

  • xor.plain
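The C2 entries above are the most directly actionable part of the extracted config. The following is an added example (not part of the sandbox report) that turns those host:port pairs into indicators and matches them against connection and DNS log lines; the log format and every log line are constructed for illustration. A connection is only flagged when both host and port match, since 1433 is the default MSSQL port and is common in benign traffic, while DNS queries are matched on the domain alone because the resolved address can differ from what the sandbox observed.

```python
"""Match the C2 indicators from the extracted XorDDoS config against
connection and DNS log lines.  Added example, not part of the report;
the log format and lines below are constructed for illustration."""
import re

# The two C2 entries from the Malware Config section, as host:port.
C2_CONFIG = [
    "topbannersun.com:1433",
    "wowapplecar.com:1433",
]

# Constructed log lines (not from the report).  Line 2 uses the same port
# as the C2 but talks to an unrelated host; line 3 is a DNS query for a
# C2 domain; line 4 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2024-07-29T12:00:01Z conn 10.0.0.7:51234 -> 203.0.113.10:1433 host=topbannersun.com
2024-07-29T12:00:05Z conn 10.0.0.7:51240 -> 10.0.0.20:1433 host=sqlserver.corp.example
2024-07-29T12:00:09Z dns  10.0.0.7 query=wowapplecar.com type=A
2024-07-29T12:00:13Z conn 10.0.0.7:51250 -> 198.51.100.5:443 host=cdn.example.net
"""

CONN_RE = re.compile(
    r"conn\s+\S+\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+host=(?P<host>\S+)"
)
DNS_RE = re.compile(r"dns\s+\S+\s+query=(?P<name>\S+)")


def parse_c2(entries):
    """Split 'host:port' strings into (host, port) tuples.
    An entry without a port yields port None."""
    out = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:  # no colon at all: the whole entry is the host
            host, port = entry, ""
        out.append((host.lower(), int(port) if port else None))
    return out


def match_c2(log_text, c2_entries):
    """Return (line_number, reason) for each log line hitting a C2 indicator.

    Connections must match host AND port; port 1433 alone is MSSQL's default
    and is not evidence by itself.  DNS queries match on the domain name,
    since the resolved address may differ from what the sandbox saw."""
    indicators = set(parse_c2(c2_entries))
    hosts = {host for host, _ in indicators}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CONN_RE.search(line)
        if m:
            host, port = m["host"].lower(), int(m["port"])
            if (host, port) in indicators:
                hits.append((n, f"connection to C2 {host}:{port}"))
            continue
        m = DNS_RE.search(line)
        if m and m["name"].lower().rstrip(".") in hosts:
            hits.append((n, f"DNS lookup of C2 domain {m['name']}"))
    return hits


if __name__ == "__main__":
    for line_no, reason in match_c2(SAMPLE_LOG, C2_CONFIG):
        print(f"line {line_no}: {reason}")
```

Run against real data, the same two regexes would be swapped for whatever your connection and DNS logs actually look like; the indicator set and the host-plus-port rule are the part worth keeping.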

Targets

    • Target

      494d9a5e25b9e1d3eedb7a2341aa49ad_JaffaCakes118

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Deletes itself

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder
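The four behaviours above (self-deletion, a dropped executable, a cron job, an init.d service, and a file written to a user bin folder) are what an incident responder would look for on a suspected host. The following is an added example, not part of the report, that checks constructed snapshots of those locations for the combination the signatures describe: a binary under a bin directory that is launched from both cron and an init.d script, plus any running process whose on-disk executable has been unlinked, which is how a self-deleting dropper shows up in /proc. All file names, paths and snapshot contents below are hypothetical and constructed for the example.

```python
"""Hunt for the persistence and self-deletion artifacts named by the
report's signatures.  Added example, not from the report; every snapshot
below is constructed and the binary name 'gdqknwhb' is hypothetical."""
import re
from collections import defaultdict

# Constructed /etc/crontab-style lines (time fields, user, command).
CRON_LINES = """\
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root /usr/bin/gdqknwhb > /dev/null 2>&1
"""

# Constructed init.d scripts: script name -> contents.
INITD_SCRIPTS = {
    "ssh": "#!/bin/sh\n# Provides: sshd\nexec /usr/sbin/sshd\n",
    "gdqknwhb": "#!/bin/sh\n# chkconfig: 12345 90 90\n/usr/bin/gdqknwhb\n",
}

# Constructed (partial) listing of /usr/bin.
USR_BIN = {"ls", "cat", "gdqknwhb"}

# Constructed output of `readlink /proc/<pid>/exe` for a few processes.
# The dropper unlinked itself after starting, so its link ends in '(deleted)'.
PROC_EXE = """\
/proc/412/exe -> /usr/sbin/sshd
/proc/9173/exe -> /tmp/sample.elf (deleted)
/proc/9180/exe -> /usr/bin/gdqknwhb
"""

PATH_RE = re.compile(r"(/[\w./-]+)")
DELETED_RE = re.compile(r"^/proc/(\d+)/exe -> (.+?) \(deleted\)$")
BIN_DIRS = ("/usr/bin/", "/usr/local/bin/", "/bin/")


def cron_binaries(cron_text):
    """Map absolute paths in cron command fields to the lines that run them."""
    found = defaultdict(list)
    for line in cron_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 6)  # 5 time fields, user, command
        if len(fields) < 7:
            continue
        for path in PATH_RE.findall(fields[6]):
            found[path].append(line.strip())
    return found


def initd_binaries(scripts):
    """Map absolute paths referenced by init.d scripts to the script names."""
    found = defaultdict(list)
    for name, body in scripts.items():
        for line in body.splitlines():
            if line.lstrip().startswith("#"):  # skips shebang and headers
                continue
            for path in PATH_RE.findall(line):
                found[path].append(name)
    return found


def persistence_hits(cron_text, scripts, bin_listing):
    """Flag a path that sits in a bin directory, is present in the bin
    listing, and is launched from both cron and init.d."""
    cron = cron_binaries(cron_text)
    initd = initd_binaries(scripts)
    hits = []
    for path in sorted(set(cron) & set(initd)):
        if path.startswith(BIN_DIRS) and path.rsplit("/", 1)[1] in bin_listing:
            hits.append({"path": path, "cron": cron[path], "initd": initd[path]})
    return hits


def deleted_running_exes(proc_exe_text):
    """Return (pid, original path) for processes whose executable was
    unlinked after launch, the trace a self-deleting dropper leaves."""
    out = []
    for line in proc_exe_text.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


if __name__ == "__main__":
    for hit in persistence_hits(CRON_LINES, INITD_SCRIPTS, USR_BIN):
        print("persistence:", hit)
    for pid, path in deleted_running_exes(PROC_EXE):
        print(f"pid {pid} runs a deleted executable: {path}")
```

On a live host the three snapshots come from reading /etc/crontab and /etc/cron.d, listing /etc/init.d, and running `readlink /proc/*/exe`; a process flagged by `deleted_running_exes` can still be recovered for analysis by copying `/proc/<pid>/exe` before the process exits.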

MITRE ATT&CK Enterprise v15

Tasks