Analysis
max time kernel: 149s
max time network: 155s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 29-07-2024 20:23
Behavioral task: behavioral1
Sample: 5de386b209befcb96c835a048b3fd178_JaffaCakes118
Resource: ubuntu2204-amd64-20240611-en
General
Target: 5de386b209befcb96c835a048b3fd178_JaffaCakes118
Size: 647KB
MD5: 5de386b209befcb96c835a048b3fd178
SHA1: c701990533a21d5aae6c0067c475ef2d02fb4f16
SHA256: 84e40a4e1e02a719aa93c734049c96bae0cfa6d075f47d64b63b84eece3648d6
SHA512: 085b3d3b78896f8a11279d9c53ef433c0c620c02db5e79a162908738f652dd4c64e485a72706974fa4560ca5f67daf8ee30630a84bb27bae430077b2b29dd50b
SSDEEP: 12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonjp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mj6wvnDWXMN
Malware Config
Extracted
Family: xorddos
C2:
  http://info1.3000uc.com/b/u.php
  tt1.v5zz.com:350
  192.168.1.131:3826
  abcd.com:8080
crc_polynomial: EDB88320
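The crc_polynomial value above, 0xEDB88320, is the bit-reflected form of the standard CRC-32 polynomial 0x04C11DB7, i.e. the polynomial zlib uses. The following is an added example, not code from the sample or from the sandbox: it builds a CRC-32 lookup table from that constant and cross-checks the result against zlib.crc32, which is a quick way to confirm that a CRC routine recovered from a binary is the standard one rather than a custom variant. The report does not say what the sample computes the CRC over, so the inputs below are arbitrary.

```python
"""Table-driven CRC-32 from the polynomial reported in the extracted config.

Added example, not code from the sample or the sandbox. 0xEDB88320 is the
reflected form of the standard CRC-32 polynomial, the same one zlib uses,
so a table built from it can be verified against zlib.crc32. The report
does not say what the sample computes the CRC over; inputs are arbitrary.
"""
import zlib
from typing import List

POLY = 0xEDB88320   # crc_polynomial from the Malware Config section


def make_table(poly: int = POLY) -> List[int]:
    """256-entry lookup table for the reflected (LSB-first) CRC-32 variant."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()


def crc32(data: bytes, crc: int = 0) -> int:
    """CRC-32 with init 0xFFFFFFFF and final XOR 0xFFFFFFFF.

    Passing a previous result as `crc` continues the checksum over the next chunk.
    """
    c = crc ^ 0xFFFFFFFF
    for b in data:
        c = TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """True when our table reproduces zlib's CRC-32, i.e. the polynomial is the standard one."""
    return crc32(data) == zlib.crc32(data)


if __name__ == "__main__":
    # 0xCBF43926 is the published check value of CRC-32 over "123456789".
    print(f"crc32('123456789') = 0x{crc32(b'123456789'):08X}")
    print("matches zlib:", matches_zlib(b"5de386b209befcb96c835a048b3fd178"))
```

If a sample's table entry 1 is 0x77073096 and entry 255 is 0x2D02EF8D, it was generated from the same polynomial; a different first entries means a non-standard CRC and the check against zlib will fail.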
Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

XorDDoS payload (1 IoC)
resource: behavioral1/files/fstream-1.dat
yara_rule: family_xorddos

Deletes itself (1 IoC)
pid: 1605

Executes dropped EXE (31 IoCs)
ioc                PID   Process
/boot/uhtdntwicq   1607  uhtdntwicq
/boot/nibqgogkva   1618  nibqgogkva
/boot/usblucpwhy   1664  usblucpwhy
/boot/qwjgdknvfn   1667  qwjgdknvfn
/boot/kxmlkywhjh   1670  kxmlkywhjh
/boot/geayoygwwv   1673  geayoygwwv
/boot/qypzqnhdyj   1676  qypzqnhdyj
/boot/lxoilsbwjg   1681  lxoilsbwjg
/boot/dbunuamqne   1684  dbunuamqne
/boot/augzbxevvr   1687  augzbxevvr
/boot/orqtijfqie   1690  orqtijfqie
/boot/krjdujxfix   1693  krjdujxfix
/boot/dhwwbbmjwx   1696  dhwwbbmjwx
/boot/gfmghkvntj   1699  gfmghkvntj
/boot/hjzbjreprj   1717  hjzbjreprj
/boot/mlpzfqlzdq   1720  mlpzfqlzdq
/boot/putzlniuye   1723  putzlniuye
/boot/vzlmujlepv   1726  vzlmujlepv
/boot/spthyiuoml   1729  spthyiuoml
/boot/kbgdreentv   1732  kbgdreentv
/boot/owlyjixhov   1735  owlyjixhov
/boot/irzmccdacu   1738  irzmccdacu
/boot/psruwsmxev   1741  psruwsmxev
/boot/wnltvvyreg   1744  wnltvvyreg
/boot/ctuhpluvnq   1747  ctuhpluvnq
/boot/iwrojqictz   1753  iwrojqictz
/boot/iywnvlqoks   1756  iywnvlqoks
/boot/tkwfnzkqqi   1759  tkwfnzkqqi
/boot/cchvotxeob   1762  cchvotxeob
/boot/hbbzkxylwg   1765  hbbzkxylwg
/boot/xchxmstpjh   1768  xchxmstpjh

Unexpected DNS network traffic destination (64 IoCs)
Traffic on the DNS port was sent to a server other than the configured DNS servers.
description     ioc
Destination IP  114.114.114.114 (recorded 64 times)

Creates/modifies Cron job (1 TTP, 2 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description                   ioc                       Process
File opened for modification  /etc/cron.hourly/cron.sh  uhtdntwicq
File opened for modification  /etc/crontab              sh

Modifies init.d (1 IoC)
description                   ioc                       Process
File opened for modification  /etc/init.d/uhtdntwicq    uhtdntwicq

Reads runtime system information (5 IoCs)
Reads data from the /proc virtual filesystem.
description              ioc                Process
File opened for reading  /proc/rs_dev       5de386b209befcb96c835a048b3fd178_JaffaCakes118
File opened for reading  /proc/rs_dev       uhtdntwicq
File opened for reading  /proc/filesystems  sed
File opened for reading  /proc/stat         uhtdntwicq
File opened for reading  /proc/filesystems  systemctl
Processes

/tmp/5de386b209befcb96c835a048b3fd178_JaffaCakes118   PID 1604
  command: /tmp/5de386b209befcb96c835a048b3fd178_JaffaCakes118
  - Reads runtime system information

/boot/uhtdntwicq   PID 1607
  command: /boot/uhtdntwicq
  - Executes dropped EXE
  - Creates/modifies Cron job
  - Modifies init.d
  - Reads runtime system information

  /bin/sh   PID 1613
    command: sh -c "sed -i '/\/etc\/cron.hourly\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
    - Creates/modifies Cron job
    (The sed address deletes any existing line that references cron.sh before the echo appends a fresh one, so each run recreates the entry rather than duplicating it; the job runs as root every three minutes.)

    /bin/sed   PID 1614
      command: sed -i "/\/etc\/cron.hourly\/cron.sh/d" /etc/crontab
      - Reads runtime system information

chkconfig --add uhtdntwicq   PID 1610
  (PID 1610 is recorded once for each path under which chkconfig was looked up)
  /bin/chkconfig
  /sbin/chkconfig
  /usr/bin/chkconfig
  /usr/sbin/chkconfig
  /usr/local/bin/chkconfig
  /usr/local/sbin/chkconfig
  /usr/X11R6/bin/chkconfig

update-rc.d uhtdntwicq defaults   PID 1612
  (PID 1612 is recorded once for each path under which update-rc.d was looked up)
  /bin/update-rc.d
  /sbin/update-rc.d

  /bin/systemctl   PID 1622
    command: systemctl daemon-reload
    - Reads runtime system information

Dropped /boot executables (each flagged "Executes dropped EXE"; each is invoked with a benign-looking command string and the number 1608 as its arguments):
path               arguments              PID
/boot/nibqgogkva   "route -n" 1608        1618
/boot/usblucpwhy   "echo \"find\"" 1608   1664
/boot/qwjgdknvfn   pwd 1608               1667
/boot/kxmlkywhjh   gnome-terminal 1608    1670
/boot/geayoygwwv   "cd /etc" 1608         1673
/boot/qypzqnhdyj   "sleep 1" 1608         1676
/boot/lxoilsbwjg   whoami 1608            1681
/boot/dbunuamqne   "ls -la" 1608          1684
/boot/augzbxevvr   "cd /etc" 1608         1687
/boot/orqtijfqie   gnome-terminal 1608    1690
/boot/krjdujxfix   "ps -ef" 1608          1693
/boot/dhwwbbmjwx   whoami 1608            1696
/boot/gfmghkvntj   bash 1608              1699
/boot/hjzbjreprj   gnome-terminal 1608    1717
/boot/mlpzfqlzdq   "ls -la" 1608          1720
/boot/putzlniuye   "netstat -an" 1608     1723
/boot/vzlmujlepv   pwd 1608               1726
/boot/spthyiuoml   sh 1608                1729
/boot/kbgdreentv   "ls -la" 1608          1732
/boot/owlyjixhov   su 1608                1735
/boot/irzmccdacu   gnome-terminal 1608    1738
/boot/psruwsmxev   uptime 1608            1741
/boot/wnltvvyreg   "cat resolv.conf" 1608 1744
/boot/ctuhpluvnq   whoami 1608            1747
/boot/iwrojqictz   ls 1608                1753
/boot/iywnvlqoks   who 1608               1756
/boot/tkwfnzkqqi   "route -n" 1608        1759
/boot/cchvotxeob   sh 1608                1762
/boot/hbbzkxylwg   who 1608               1765
/boot/xchxmstpjh   uptime 1608            1768
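The process tree and signatures above give a concrete set of host and network indicators: a crontab line that runs /etc/cron.hourly/cron.sh as root every three minutes, executables with random ten-letter lowercase names under /boot started with benign-looking argument strings, DNS-port traffic to 114.114.114.114 instead of the configured resolver, and the IP:port endpoint 192.168.1.131:3826 from the extracted config. The script below is an added example, not part of the sandbox output; it checks constructed crontab, process-list and flow-log samples for those indicators. The resolver address 10.0.0.53, the `ps -eo pid,ppid,args` layout, and the unrelated connections are assumptions made for the example; the hostname entries in the config (tt1.v5zz.com, abcd.com) are not matched because they would have to be resolved first.

```python
"""Triage checks for the persistence, process and network indicators in this report.

Added example, not part of the sandbox output. All inputs are constructed to
mirror the report; the resolver 10.0.0.53 and the unrelated connections are
assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# --- Constructed sample inputs ---------------------------------------------
CRONTAB = (
    "SHELL=/bin/sh\n"
    "17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly\n"
    "*/3 * * * * root /etc/cron.hourly/cron.sh\n"   # the line the sample appends
)

# Shape of `ps -eo pid,ppid,args`; the /boot rows mirror the report's process tree.
PS_LISTING = (
    "  PID  PPID COMMAND\n"
    " 1607     1 /boot/uhtdntwicq\n"
    " 1618  1608 /boot/nibqgogkva route -n 1608\n"
    " 1693  1608 /boot/krjdujxfix ps -ef 1608\n"
    " 2001     1 /usr/sbin/sshd -D\n"
)

# (destination IP, destination port) pairs as a flow log would provide them.
CONNECTIONS: List[Tuple[str, int]] = [
    ("10.0.0.53", 53),          # assumed configured resolver
    ("114.114.114.114", 53),    # the unexpected DNS destination from the report
    ("114.114.114.114", 53),
    ("192.168.1.131", 3826),    # IP:port endpoint from the extracted config
    ("203.0.113.10", 443),      # unrelated traffic (TEST-NET-3 address, constructed)
]
RESOLVERS: Set[str] = {"10.0.0.53"}   # assumed content of /etc/resolv.conf

# --- Indicators taken from the report ----------------------------------------
CRON_PAYLOAD = "/etc/cron.hourly/cron.sh"
DROPPED_EXE = re.compile(r"^/boot/[a-z]{10}$")   # ten random lowercase letters under /boot
C2_ENDPOINTS = {("192.168.1.131", 3826)}          # hostname entries in the config need resolving first


def cron_findings(crontab: str) -> List[str]:
    """Active (non-comment) crontab lines that run the dropped cron.sh."""
    return [
        line for line in crontab.splitlines()
        if CRON_PAYLOAD in line and not line.lstrip().startswith("#")
    ]


def process_findings(ps_output: str) -> List[Tuple[int, int, str]]:
    """(pid, ppid, args) for processes whose executable matches the /boot naming pattern."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        try:
            pid, ppid = int(parts[0]), int(parts[1])
        except ValueError:          # header row
            continue
        if DROPPED_EXE.match(parts[2].split()[0]):
            hits.append((pid, ppid, parts[2]))
    return hits


def dns_findings(conns: List[Tuple[str, int]], resolvers: Set[str]) -> List[str]:
    """Distinct port-53 destinations that are not a configured resolver, in first-seen order."""
    seen: List[str] = []
    for ip, port in conns:
        if port == 53 and ip not in resolvers and ip not in seen:
            seen.append(ip)
    return seen


def c2_findings(conns: List[Tuple[str, int]]) -> List[str]:
    """Connections that hit an IP:port endpoint listed in the extracted config."""
    return sorted({f"{ip}:{port}" for ip, port in conns if (ip, port) in C2_ENDPOINTS})


def triage(crontab: str = CRONTAB, ps_output: str = PS_LISTING,
           conns: List[Tuple[str, int]] = CONNECTIONS,
           resolvers: Set[str] = RESOLVERS) -> Dict[str, list]:
    """Run every check and return the findings keyed by indicator type."""
    return {
        "cron": cron_findings(crontab),
        "processes": process_findings(ps_output),
        "dns": dns_findings(conns, resolvers),
        "c2": c2_findings(conns),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

On a live host the same functions can be fed the real /etc/crontab, the output of `ps -eo pid,ppid,args`, and flow records from whatever network telemetry is available; the /boot pattern is deliberately narrow, since legitimate files under /boot are kernels, initramfs images and bootloader files, not ten-letter lowercase executables.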
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 223B
MD5: b791b087b1795e3674a9aa765c76fc04
SHA1: b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1
SHA256: 1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e
SHA512: 2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Filesize: 1KB
MD5: 8333938f8704c2a0c7c0277d4a2ddd37
SHA1: 2a521562227e522aa045aa959bf5c9092fb3470d
SHA256: 73561733495eb44881664ab0410642751e0afc3973c5a52ebd27900cde398988
SHA512: a415a5002a1636c6e0cf7a5aa06a221621c656864bbbdbf384affdf8f9eefcc17eef3c980c6be454d30eb109b973b92689ae418959ac331dca538782e6c9b649

Filesize: 317B
MD5: 7723ac20048d92a188a6cea09fe30d26
SHA1: 1c536964e7fdff8777a868d5e7710540c5143381
SHA256: b754bf129f8d39e2566871963b73ed1826b0b375b483a9b4460a28116c009882
SHA512: c537d59930cd04216c7ffa9c2f4993fad4fbb24f40068afa71a1c4f229adb32d0066c2e1ca510879eed36c2a968a18f4b178f197d9825beca1a7da46ca892280

Filesize: 1KB
MD5: e57fd77c50de7b8a8eec19de0ec3f4f3
SHA1: 835d38771a0c5b112596ab8841a7904f41c266ee
SHA256: 3494e2d3ce0fb77633d00b247cad543cca29c7673da802a23bd5fe0364eb2c13
SHA512: e6103d07bb6ed51cba953a9a861e39a36be0dc37899ec0fa353f5c991f71f9e7ec8433c054ac18a74da0a1c46054ad7cd637a1c64301d52cb0e6ac3d59f5c86c

Filesize: 32B
MD5: 39d27735755bb2b83cffe30f87b7d1ae
SHA1: e54d0a70a9625ffc6410e766495cc24a7536546f
SHA256: 461f0a5ee3a266f5424f4559fda864725d556a9a7f1587c5baa582c1e135c149
SHA512: 126c0e62d2bf835c559bd04e4c57168cba3a681a3ce363d1142121a88fb8134894f69c8e664fc04dff718f78a8cf192db0bd43be329ecdb7125bfb1dee655297

Filesize: 647KB (the submitted sample)
MD5: 5de386b209befcb96c835a048b3fd178
SHA1: c701990533a21d5aae6c0067c475ef2d02fb4f16
SHA256: 84e40a4e1e02a719aa93c734049c96bae0cfa6d075f47d64b63b84eece3648d6
SHA512: 085b3d3b78896f8a11279d9c53ef433c0c620c02db5e79a162908738f652dd4c64e485a72706974fa4560ca5f67daf8ee30630a84bb27bae430077b2b29dd50b