Overview

overview

10

Static

static

10

696238c4be...kes118

ubuntu-24.04-amd64

10

Analysis

  • max time kernel
    38s
  • max time network
    40s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
  • submitted
    30-07-2024 00:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    696238c4be30b209c5a724c48e51575e_JaffaCakes118

  • Size

    537KB

  • MD5

    696238c4be30b209c5a724c48e51575e

  • SHA1

    f2df00d4f8eca4605f6d5c8b06719fe5c9bd3f20

  • SHA256

    b8287196a4a9ca805698ab5dc377f275340552c70fd04bce08dc11ea48230e1c

  • SHA512

    ad9543b64653b61d6d0376ea9d16a49ba6b8f1eeea768c6caa5df9bb2546b5d10f3952545e4461f1bae1fff7b562084a1bda90132a3d59e52f48f81d96a75950

  • SSDEEP

    12288:ISraVbNYn/gpq5xnFeEu1eZ1gVcxfwbuHvh3u6yp5k:Im8bKEWt0EucZ1gVcxfwa53U

Score
10/10
xorddosbotnetdownloaderrootkit

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:5515

wowapplecar.com:5515
Attributes
  • crc_polynomial

    CDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    botnetdownloaderxorddos
  • XorDDoS payload 1 IoCs
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

    rootkit

Processes

  • /tmp/696238c4be30b209c5a724c48e51575e_JaffaCakes118
    /tmp/696238c4be30b209c5a724c48e51575e_JaffaCakes118
    1⤵
    • Writes memory of remote process
    • Loads a kernel module
    PID:2493

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /dev/shm/sem.bqlpDF
    Filesize

    16B

    MD5

    076933ff9904d1110d896e2c525e39e5

    SHA1

    4188442577fa77f25820d9b2d01cc446e30684ac

    SHA256

    4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

    SHA512

    6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

    Download Submit

  • /etc/cron.hourly/dstktrw.sh
    Filesize

    156B

    MD5

    3c720305fe4c820f9f6a6d1f442e81f8

    SHA1

    3f969080acd4ddd42723933173c0e825aa9a2024

    SHA256

    64699f039784eed9ebdeade2dc3597908304ef8cd381ff93d6348c4ef9f08a6f

    SHA512

    f988a83567ecf8e8497de78a5dd11c4a0dc39fa32ff80491c394a0ab0fd5bd181a1f90dd36c438366811c60c2b56ed770fd56dc22db05a7a6193ed9067f131b6

    Download Submit

  • /etc/daemon.cfg
    Filesize

    32B

    MD5

    817224e4a37ef12fb99ad183efd1ad47

    SHA1

    b0ddfcc1293244191d79c431adfab0fc99cc3841

    SHA256

    4229eb7adc4060361bc4922e7313b0c8016ab016e9ace7f0f38b41a1f21cd76c

    SHA512

    2b82b75832419f9ae33749d93883d2f4d2884bc1dd05e200f3fa8f116a5bbb5a826bed53af77f431fd7eb4f6e88c24e59fa28477f647b9435768353397b9e6a6

    Download Submit

  • /usr/bin/wrtktsd
    Filesize

    537KB

    MD5

    cd4e228c4a17be408e4c083d09451f8d

    SHA1

    bd767edee59807d346c6fd6b6a513f8d769559ba

    SHA256

    fb3f8218b082d7dba11e4d5013286a3be9960668ffa0a2916d5697517a0037c9

    SHA512

    20a315d75540f90deffbbc5bfabe248fe919eccfb974363d3de85722b5fa07fa505400b9118228a40d17b6473c81ac166b0d53c10054a412da6e34befb69feed

    Download Submit