Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu2404-amd64-20240523-en
    kernel:6.8.0-31-generic
    locale:en-us
    os:ubuntu-24.04-amd64
    system
  • submitted
    17-08-2024 05:35

General

  • Target

    a15e9d2d69c1407ac5b42ba46d71fc58_JaffaCakes118

  • Size

    603KB

  • MD5

    a15e9d2d69c1407ac5b42ba46d71fc58

  • SHA1

    5a124a3a2f363bd3740ab792044d9a06dc4256d5

  • SHA256

    7aa8eab2f01783bfe9bb7d8e051baebf563629645d73b2af42022d28a8143179

  • SHA512

    f38eeae08e03f19339d03b01a271df14284bd22194887b492c24f6e4c89ef7b416507350cab6a5de8d90084519703b78cd844f35a54a4fa13b8643f0c6a395c5

  • SSDEEP

    12288:R40XBrnlTCbI5ZBP5IePtqLn4yFeC+oT6ygF9b4elMuThmVF:e01tCbqNNPtqLn4yFmoEbdlH9mn

Malware Config

Extracted

  • Family
    xorddos
  • C2
    http://info1.3000uc.com/b/u.php
    gh.dsaj2a1.org:2822
    www.wangzongfacai.com:2822
    174.139.217.145:2822

Attributes
  • crc_polynomial
    EDB88320
  • xor.plain
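The two config attributes above can be checked with a short Python script: EDB88320 is the reflected form of the standard CRC-32 polynomial, so a table built from it must agree with zlib.crc32, and a XOR-encoded string table decodes with a plain repeating-key XOR. This is an added example, not code from the report or from the sample. The key (DEMO_KEY) and the encoded blob (DEMO_BLOB) are constructed, because the report lists the xor.plain attribute without its value; the plaintext entries used for the demo are the socket C2s from the config.

```python
"""CRC-32 with polynomial 0xEDB88320 and repeating-key XOR for a config string
table. Added example for this report, not code from the sample or the sandbox.
DEMO_KEY and DEMO_BLOB are constructed: the report gives the CRC polynomial
but not the XOR key value, so a stand-in key is used here."""
import zlib

CRC_POLYNOMIAL = 0xEDB88320  # "crc_polynomial" attribute from the extracted config


def make_crc_table(poly=CRC_POLYNOMIAL):
    """256-entry table for a reflected (LSB-first) CRC-32 over the given polynomial."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = make_crc_table()


def crc32(data, poly=CRC_POLYNOMIAL):
    """CRC-32 with init 0xFFFFFFFF and final XOR 0xFFFFFFFF (the IEEE 802.3 / zlib form)."""
    table = _TABLE if poly == CRC_POLYNOMIAL else make_crc_table(poly)
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data):
    """True when the table built from 0xEDB88320 agrees with zlib's CRC-32,
    i.e. the polynomial attribute means stock CRC-32 rather than a custom variant."""
    return crc32(data) == zlib.crc32(data)


def xor_decode(blob, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def decode_strings(blob, key):
    """XOR-decode a NUL-separated string table and return the non-empty entries."""
    return [s.decode("ascii", "replace")
            for s in xor_decode(blob, key).split(b"\x00") if s]


# Constructed demo data: the plaintext entries are the socket C2s from the report,
# the key is a stand-in for the value the sandbox reports as xor.plain.
DEMO_KEY = b"constructed-key"
DEMO_BLOB = xor_decode(b"gh.dsaj2a1.org:2822\x00www.wangzongfacai.com:2822\x00", DEMO_KEY)

if __name__ == "__main__":
    print(hex(crc32(b"123456789")))  # the standard CRC-32 check value
    print(matches_zlib(b"gh.dsaj2a1.org:2822"))
    print(decode_strings(DEMO_BLOB, DEMO_KEY))
```

If matches_zlib() holds for arbitrary input, the crc_polynomial attribute is plain CRC-32 and any checksum the sample computes can be reproduced with zlib.crc32; what the sample checksums with it is not shown in this report. Substituting the real key for DEMO_KEY turns decode_strings() into the decoder for the binary's own string table.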

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload (31 IoCs)
  • Writes memory of remote process (2 IoCs)
  • Loads a kernel module (64 IoCs)

    Loads a Linux kernel module, potentially to achieve persistence.

  • Unexpected DNS network traffic destination (20 IoCs)

    Traffic on the DNS port to servers other than the configured DNS servers was detected.
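The last signature and the extracted C2 list are the ones worth turning into network detections: the config carries one concrete socket endpoint (174.139.217.145:2822) and three hostnames, and the sandbox saw DNS-port traffic to servers that were not the configured resolvers. The script below is an added example, not part of the report; it runs both checks over flow records in a constructed one-line-per-flow format, with a constructed resolver set (127.0.0.53, the systemd-resolved stub, is assumed) and constructed sample lines. Real input would be Zeek conn/dns logs, NetFlow or a host firewall log after adapting the regex.

```python
"""Detection over flow records for this report's network findings: DNS-port
traffic to a non-configured resolver and contact with the extracted C2 endpoints.
Added example, not part of the report. The record format, the resolver set and
the sample lines are constructed."""
import re

# C2 endpoints from the extracted config. The IP:port entry matches flows directly;
# hostnames (including the host of the URL C2) are matched on DNS query names.
C2_ENDPOINTS = {("174.139.217.145", 2822)}
C2_HOSTS = {"gh.dsaj2a1.org", "www.wangzongfacai.com", "info1.3000uc.com"}

# Constructed record layout: "<ts> <proto> <src>:<sport> -> <dst>:<dport> [qname=<name>]"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+qname=(?P<qname>\S+))?\s*$"
)


def analyse_flows(lines, resolvers):
    """Return (timestamp, finding, detail) tuples; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, dst, dport = m["ts"], m["dst"], int(m["dport"])
        # Signature "Unexpected DNS network traffic destination": port 53, not a resolver.
        if dport == 53 and dst not in resolvers:
            findings.append((ts, "unexpected_dns_destination", f"{dst}:{dport}"))
        if (dst, dport) in C2_ENDPOINTS:
            findings.append((ts, "c2_endpoint", f"{dst}:{dport}"))
        qname = (m["qname"] or "").rstrip(".").lower()
        if qname in C2_HOSTS:
            findings.append((ts, "c2_domain_lookup", qname))
    return findings


# Constructed sample: an Ubuntu host whose only configured resolver is the
# systemd-resolved stub (assumed), then lookups and connections of the kind the
# signatures describe. 203.0.113.10 is a documentation address standing in for
# ordinary traffic.
DEMO_RESOLVERS = {"127.0.0.53"}
DEMO_FLOWS = [
    "2024-08-17T05:36:01Z udp 10.0.2.15:40231 -> 127.0.0.53:53 qname=archive.ubuntu.com",
    "2024-08-17T05:36:04Z udp 10.0.2.15:40232 -> 8.8.8.8:53 qname=gh.dsaj2a1.org",
    "2024-08-17T05:36:05Z tcp 10.0.2.15:51002 -> 174.139.217.145:2822",
    "2024-08-17T05:36:09Z tcp 10.0.2.15:51003 -> 203.0.113.10:443",
    "not a flow record",
]


def demo():
    return analyse_flows(DEMO_FLOWS, DEMO_RESOLVERS)


if __name__ == "__main__":
    for ts, kind, detail in demo():
        print(ts, kind, detail)
```

The resolver check is only as good as the resolver set: on a host using systemd-resolved every legitimate query goes to 127.0.0.53, so any other port-53 destination from that host is worth a look, while a host with static resolvers needs those addresses in the set instead.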

Processes

  • /tmp/a15e9d2d69c1407ac5b42ba46d71fc58_JaffaCakes118
    /tmp/a15e9d2d69c1407ac5b42ba46d71fc58_JaffaCakes118
    • Writes memory of remote process
    • Loads a kernel module
    PID: 4066


Downloads

  • /etc/cron.hourly/udev.sh

    Filesize

    146B

    MD5

    ddb9a901eadce597284d68ebd9fe9311

    SHA1

    1d26318bbe55f2f936ae1015df656535427083c2

    SHA256

    3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

    SHA512

    e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

  • /etc/init.d/a15e9d2d69c1407ac5b42ba46d71fc58_JaffaCakes118

    Filesize

    495B

    MD5

    9ad76747bb14a936fd6aa494fed2fd54

    SHA1

    169b2502e309f3d0700311ae77e74ebf5d70d71f

    SHA256

    e4f7da63754079b67e49c0ce4ac5bc4c9fb2faea3d8beed4f7108bf400217e45

    SHA512

    9beedcd96023c37a29f3f5f71e665f4e7d21523cf08b3ac3a2a0938729a0e00f3991723d3272464f8c370023fe1741a0328f9a6f0ef7e385f1995a6b686f9a63

  • /run/udev.pid

    Filesize

    32B

    MD5

    0f660e54fa532e7e86021fbac79fe59d

    SHA1

    7ed100f91519d287bacc96f57fe318c51aecfa53

    SHA256

    7e164da81ad9d2c4a0ac3e23296a8c4ceeff6b9a6742575ec4c3aa599070e99a

    SHA512

    dc6e655160bc403554814fc015e73ef1e0ef758cea84dd21f6dc2efccc7be655758137953a2a66883911b5822ff69090d9177f725617b0c13ca9a99f49f2a0b8

  • /usr/bin/aaszjnkhkz

    Filesize

    603KB

    MD5

    8fbc65f7ceec4201f38a31b47767cf22

    SHA1

    11ad5690fb1d9e8bd214ca949f88bffda3d3ffe5

    SHA256

    3a4aea20443a658737fa7f27b8dc4b20abbf1dda023ab8b0ddf83161a5df4142

    SHA512

    40e73b2d02f6b5d76046d79822fc0bf69215da4239b1148b764cbeda8d39d4bbdd802e572281c33133ef30343f6039af8d70032bfc5305d38e6514cbf71d57dc

  • /usr/bin/amdrjpgqay

    Filesize

    603KB

    MD5

    b0061f454f2fcdd0898623d803f8f4c7

    SHA1

    7b309b9b7b972da6db5f4559de5e8f3550a6513b

    SHA256

    d1eacbcb9a64c7c1d6aad266315bc15d6057c1d00e5c8bc1428022ce1e5255d6

    SHA512

    4d9a12e16810a911dd41db318381afb02259613c034a1f60653aebcab11070f837698c0391e7f23a236e9c358c8dc143af21aa04b1e7ec355e26c506cbeb6d29

  • /usr/bin/bugnhgqjcp

    Filesize

    603KB

    MD5

    d430264bcf6a16d221f17fb562f8ac38

    SHA1

    9c40bfc4548790e409db88071e492fd2daa340a2

    SHA256

    24c2d78f968bccb817c3ba561bdc333b76cc31746129e6ab5febb3cc2999fe33

    SHA512

    96fc07ba25e6fb0957bab1ddff614efcd1b8850ac9d23502bfa6ae041154957398a51ad44273e9c7656c975e2e63ea9ee8fefcf855a49410d2580cc29a901e31

  • /usr/bin/ciygmructb

    Filesize

    603KB

    MD5

    c3d97f4d47ee5782a3f18ea0e4d0acde

    SHA1

    ba39b14288e2badaa40d51a6e151035d5b267c15

    SHA256

    bcee20767e362d4a7b2a0101244972a98352d655586abc16c5d68cd59cd20bbf

    SHA512

    e91ee8f4c16a1b88ce987878cc2eaf96fbabfa3aabc7715246e6cbf6ea4a183ab66475860e0aed01ff98754244e05fa29bf947e56e7c63e4fc8f0bc25c1c7102

  • /usr/bin/ckqawgedfr

    Filesize

    603KB

    MD5

    4b7e594e5594d5d9afd2f751c647d618

    SHA1

    8dfccd58595d739a28c0f7fdcadb898fb95ec393

    SHA256

    34932766da6592e90f8e3103585554a9f61ea4221e608117944a0fc771c79d82

    SHA512

    84ba67e62b6d59974c2122ffba8ec362682917d4b46322461ed915604baee47ffcc0cb77c1f898b9eaae79e56638e8e6d4b74c12ef342d9791f2da01a9d70863

  • /usr/bin/cwsmbypzah

    Filesize

    603KB

    MD5

    c59542dac77db870cc193833c1ddf580

    SHA1

    cfa7e04594c5e7f91c2b31c933fa475e496363d0

    SHA256

    078f26f357536b00799d51d6f3af877c0e052aa699628260253dba5b959ed8c1

    SHA512

    7f77187b2bc34e9ad3efc5e5e158900cb2b03d2c47ef6cd5c2609c3d3b9b7983fdcd56c4b99d09f7b55c3c36f5dd8c8dff529b1d447664556ac7652cd54205b0

  • /usr/bin/czlzguqdxo

    Filesize

    603KB

    MD5

    1f78dc421a320cfaecd51fe13fc21bc0

    SHA1

    6df8e3b7768ed52f40f7cbcf1c74c20fda7ebe9a

    SHA256

    d87936fb511ac04376b1c3876461955d109153ba615d805b9992955fe9520c02

    SHA512

    aafaf026bd6194e5ae5957a409b7d450298f985440edcdb44f634d43d7b3dc7f0c1806f8d041e468b7097b79ce8b6434429c1ced64a17aeac95069365c33b0c6

  • /usr/bin/ddkgugljgu

    Filesize

    603KB

    MD5

    4498da61e56713ec08dc077be2e70376

    SHA1

    53b128a6dafe3ea471869ec41eb91cc53b029c73

    SHA256

    d8fd3246917491cb0809200881ebc85358f39ee2e7fdd06259e3d919bbbf1430

    SHA512

    66093b4ade474f9ea464b814b0fa777446fa7d7eeacd6b8e2a68a35fdae300189bed5fdf307d0cf48d64c9a996dd27267ef22992f02b1148f436071e3380031e

  • /usr/bin/hpuzfavwrk

    Filesize

    603KB

    MD5

    06a9cadc3b4397a4d39e61e49b94e2cc

    SHA1

    a23c7414739758f9bcba57d9b3c04d8b0d30d2ef

    SHA256

    ac166202cd97f9306b8c8b1d5707d9df7c2b6bc94fa9f1001e96ffe579a960aa

    SHA512

    a212f03e2ab8dacb1f6c0ab5f6b48932cf2d69ad9c99d291bd550fa4819649f52a0a07dbe867cb6fa68d8d1d47b97688b03b3dbc7fd4201e81a1d61ef236abe5

  • /usr/bin/hrbbdvrith

    Filesize

    603KB

    MD5

    e0f64a1811d8fdcf42251e74d5d7bd72

    SHA1

    82af6cbc9c31aaaec22fa2555ec8ce9a178e05ed

    SHA256

    8aff3091904579e59cfee0743edad78d29e0d699ce85296904d978254922129b

    SHA512

    f88c26118b934aac08c3e1c59f401c91d86db723cf085c7dc0ba191e1af2f4bee8bb8a6653d1cf8a872fbe8d227b69ceb891fb0b12086e842d2a73775d652960

  • /usr/bin/husyjovisp

    Filesize

    603KB

    MD5

    e9cf751fbd4da8572592e90a6417a02b

    SHA1

    450a6d7b50b4e96c8d5e4497b06edaae16638348

    SHA256

    e5659c8b7d594a1ca1f3e7cb12813efafb0a76223ddd1945a5b0f378b786fbe8

    SHA512

    6221acf04a20ba8c4d6c87de4298572f3e4d26743389574954fc7eb9c315933c667b3a1b156734404a3d83c71b682ba71ac1088aa365b5510adc33e9e462a7d1

  • /usr/bin/iihttbtwkk

    Filesize

    603KB

    MD5

    605d96872ef3eafbcd0cb64b1ca421f4

    SHA1

    0c3f4e227b6e397597849167b915ad52564ca5e7

    SHA256

    6b69bbbc2d815d483461f741be25a61c47395fe33b4081544b02f37701b06b93

    SHA512

    a7434c2422ecbe1cb7c74fef72aa417d77dba3ada35beeb84b034795a762975f352574b81a4b44e80f3d576c8bee606812a5b768edcd1aebdd144928d0615a0b

  • /usr/bin/jnvzwqfsbf

    Filesize

    603KB

    MD5

    709c41d59dfac71de6087dcd5a28a3ed

    SHA1

    29e048fbb6d124301f99af8b99da094df702eb7a

    SHA256

    61346dd97e895a04b4c19897b04a2b85c2e7b52b3e7b47450dc606677abb73bc

    SHA512

    f3f52299d819a663e7c4cf396e5b7af76895e9ea5bc7d592887f35803d08e664cd40f6602d194d747eaf307cbb96649b87a9365bff624009a484425bdd8fcc83

  • /usr/bin/lyrmtibejv

    Filesize

    603KB

    MD5

    1261554ec814336b7fd0010f8de58ca9

    SHA1

    0b51dbb37cb5711dfbe0b9d32a88bd75f44a4a53

    SHA256

    004b5d5d580e388bba1d102b7a012d3a53d8c60d8e48d03c06b035dd0c05861b

    SHA512

    8a2841d9a4b377ba10592b8a99f7a1744d4872601246c0c946d0e3c831f637c3008d8e4a9d0ace416123d7481373f47419137ecfae6dd8b5cd74ce9d5b1c3515

  • /usr/bin/mrldqqkwkv

    Filesize

    603KB

    MD5

    e01bff3693eaefed8293a320fda63a8f

    SHA1

    4ae71f5d72a073204439656883664606ca14a386

    SHA256

    8e89bd7ae8b1a58c034c1c92b5d055fe91a8e50b6705ec2c25f0c6ff37676748

    SHA512

    fd96f2cd5bcbb222038989715c422915db14b0116c671d01eaeab5b6b983d5614269f792c2e86760478ea21b7e3b83c4f5bcc055dbad06d75ecb435e8ca325bb

  • /usr/bin/pqadwhahgf

    Filesize

    603KB

    MD5

    c1e42e9f7840864ba76e5bdea6b0e882

    SHA1

    ee3e0d53783e251e5dcefe8874bc76712727df9d

    SHA256

    ed0e6701da1e9d212e777eb15e40246befae4f62cc39e3aade5703bd016d4695

    SHA512

    96efb770cdb837942c4643f15ba4d5a08752919d664488d0d4cf680b500d1f645db90d7cf9fa50f302e892886ee88636a3a99defc28f7ef343dcf44ab63880e3

  • /usr/bin/qjfrniacdh

    Filesize

    603KB

    MD5

    893452183440a8f3461f964cf64c7b0b

    SHA1

    12af83a0a8286cbf48641e4a25939db65f759e65

    SHA256

    c3f78e9904c4622972bee043184f9a40a5517c43ca806df98538a2cbff8dd8d8

    SHA512

    05d21ae29bdadf3be9a635888b480d5af7803c922aa7eb6c7b96aa66a8459e239cb6c7c9405ee6f5f66fec1f0ec224c1fbfa7c7b4f9730741fb98d58d2449b3d

  • /usr/bin/reidszuscm

    Filesize

    603KB

    MD5

    c6c391e7be1873c04cf867cd1399a387

    SHA1

    0ae173f2480f2f36c0d112af3a5fcaf5e42252a7

    SHA256

    549f0e8c3b3560e71da90fc991c7f06d46c86b3ef8ee4672a0c642f01d6b181f

    SHA512

    4461405a4140d296ab0799ac74a1968ff9fd97e87b0253a6701c19fe3c7ceebb45e761a2ebc20c46ebeacd0f49d7e50f390845b4a1f4a9c10abbe3d45241663a

  • /usr/bin/sapflyqdeg

    Filesize

    603KB

    MD5

    b41135a984ab0e1107af15b621f79042

    SHA1

    b95b0d97bacc76a8f69ada6f1e48f6ea460fbb96

    SHA256

    1c8abd7b55251f8407e962c14a11fd2a0d666506a687290b4d15b6e3e220f061

    SHA512

    4395efdb15b6ccb7c2b9c64a820c1e7cbd697b5c971805a7e5a55eb54fb9f5bc47a43f25eb11cdef0ecb8dbb906c896a4fc60d77dd83fd6c9d814a5f376f790d

  • /usr/bin/teejrexmkr

    Filesize

    603KB

    MD5

    205c72e59f95bf269cdfd7f738daec9d

    SHA1

    51b7c877d0f8f2f091662d34493fcc28cdb99a06

    SHA256

    428d68fb2f2d7a3cb942771af1041e63afdd92800d50535178d26bce3a2e4402

    SHA512

    d9ac5e72ee9efe3b1576a986bfd6a1fe39c39e1be783e71e40803bf47d2613758ae38a8914bfe703e61fb2312119867627a593b9b3c5cdb1729bbf4c6894a5d5

  • /usr/bin/tfgqtkwzsb

    Filesize

    603KB

    MD5

    b4eabfe6462538b474e78bbe194fa6a0

    SHA1

    f1b9ad7b71366eaed570555b61f05f11b14500ce

    SHA256

    fa5a46f766730805a0ba7ed5c27bbc5062bae6c7249561135c8b42f8081de75d

    SHA512

    a1c45307e6ef4639ed1265c695116a7bc89a407cce46d9bbc80e93e3fe7132b85690782ad053dddc6b7c62c00726c491ee97e5c05dd0b8d50f858f2d29706a38

  • /usr/bin/tocjenvzmm

    Filesize

    603KB

    MD5

    25d1d0e462082b086e3868ef4d189205

    SHA1

    a008d2ea301f6bffa8399e3ffb578c8482ed4014

    SHA256

    f8c8a6aa6360d1c37c13f021c98e2f062eb2bc7cc7e96f470eeaf9db83b53e62

    SHA512

    3c0d12bb4ac59578aa188111e3e31de3fec89990b913eb703ec663d49c169f1af613be36ab8b702a43535447d5ca8439f9e49d29e1a6498eb0e81ab83cb605d0

  • /usr/bin/tzahyptdjv

    Filesize

    603KB

    MD5

    db3934925492924f9cf9a7adbf8c6b89

    SHA1

    5cbe60246414f16ac8c80e54454c680c7c76d77f

    SHA256

    1c3c26775ceb86d990dbd5cd47c7e58b0f0226f4cc1129fd333c7ab5eeb5d5a6

    SHA512

    098393d843bdfde18c5679cf4d409138a51cc441bc01d31b36dd4d64f7096b60e827c2187090b35fb93e98b10fe0d53b5e430947087c1876d5b62d03b29da09e

  • /usr/bin/ubkddnwizn

    Filesize

    603KB

    MD5

    771f7d486553e02b8ae8740fd0e691f4

    SHA1

    a22b483d760cdf6675bc6d39468cf540c02b4f82

    SHA256

    a371bd4dab149a3d7010f729caa5176558d1414bef2ed92f2953741c3268130f

    SHA512

    8be539d8eb824731275f3021f48213ad8ee0307ebd067da1cbc5c23b15590dee30f9ccd7345c97eaa2ee0a3bb70a398ac72bee04a6ec64a8522a85abb5dfc59f

  • /usr/bin/vowdycimhv

    Filesize

    603KB

    MD5

    088b4a8e72cb7febe18485d620dcc079

    SHA1

    3f9b3c0488974d1c6cc7e59335ee028a9c7387a1

    SHA256

    9f241a952d4964eda22bdb4dfa088e3001987e6bdce82f7f0a6d0f393277343d

    SHA512

    6f6d621fa81c815e72128ce7d169152bba0743b9bb288559f8626b2fc711da126629851edfa70a612c0065281aaa159e963e107452a947eb6b943fb38cfc39fd

  • /usr/bin/wkdcgyrmax

    Filesize

    603KB

    MD5

    5bb6fc48b4ee4b0f18c9a3a688938cfd

    SHA1

    9331a098385ada5f7f5fd16afd7955cfbc29e530

    SHA256

    29f21fac6adb69991eb0ab671ca71aabc238a7a07f5c2a9043a668970ed97edb

    SHA512

    ad590789aae312e06e25375558b080d80ec265efc46ae9f969f94be26e5492647b8fb7541d30797c4453a4ed5477f3bc117cf237ab40dd0be17a33c582079d95

  • /usr/bin/wwotssvrck

    Filesize

    603KB

    MD5

    7035988df30ccddaa9680f54bd73c511

    SHA1

    3ebb5b1123d150df01a4de68c98aba8ee7f75c89

    SHA256

    2c4de5d4569767cd9cbcf7045a1dc536457008d012a38b495d679422c61e5058

    SHA512

    3ac3e386dac1628bd2a20eb785696e98d2559eb096fab4343b6834ee2eb23eceed3cf3866bf8b99b9e6faef2b8d8a7635f299ddb463c934391d73651dfdc2e21

  • /usr/bin/xjpxrmmtou

    Filesize

    603KB

    MD5

    773b6401324feff6fc534bd5566db644

    SHA1

    5cd84c57caa6fc776d0b42f37919f6b879cec083

    SHA256

    113db8e44e5df49b9b8dc123a690834a533496551b9334ba9c1bbfa4f45f9b4d

    SHA512

    4ba561045de8fc382886af43825d720b41805169e746387a2be4e85463a3ac21f1d14a4e2360f3babdebf5436bd9ae555e7f803c3d02cfc46a0db73d6cfe3b75

  • /usr/bin/zjnlrbmwqa

    Filesize

    603KB

    MD5

    fb9566060debf49c90c8ed6fca096bc8

    SHA1

    3f48b0653440dce6556607396e3411f15ce7e8d2

    SHA256

    63cd7d5e2a7cb092a5c9a3d399714117eff24f049edf64fb568a89729e05502c

    SHA512

    762c5e132e48a68a9bef2d441843457b6b5f0c4a4f41f2ccfe0ff569b98da860defb816d6ed4385ca76de22b9398a1aba27d564ed3c32727d42351f10f058536

  • /usr/bin/zuxzvkdqze

    Filesize

    603KB

    MD5

    25f098314a330532a6c2cf9a52bfaba0

    SHA1

    1cfa31f8e6968b85014efb900a9a6e1854810a57

    SHA256

    c6902ebcaf52dbb5b12d0c78381d7b8e3c6d98818cb3caaa7cab1fae9006c05a

    SHA512

    d2247cfccb7c56bd3226ace320f90bdfce85b9196a3751e026dc57d9405cbdffa743feaf75af2592430a3b8c411a57f136cd00c9405ff9b83729f187e0fb5a34

  • /usr/lib/libgcc4.so

    Filesize

    603KB

    MD5

    a15e9d2d69c1407ac5b42ba46d71fc58

    SHA1

    5a124a3a2f363bd3740ab792044d9a06dc4256d5

    SHA256

    7aa8eab2f01783bfe9bb7d8e051baebf563629645d73b2af42022d28a8143179

    SHA512

    f38eeae08e03f19339d03b01a271df14284bd22194887b492c24f6e4c89ef7b416507350cab6a5de8d90084519703b78cd844f35a54a4fa13b8643f0c6a395c5
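The dropped files above form a recognisable footprint: a cron.hourly script and an init.d entry for persistence, a pid file under /run, a byte-identical copy of the sample at /usr/lib/libgcc4.so (same MD5, SHA1, SHA256 and SHA512 as the submitted file), and 29 copies of exactly 603KB under /usr/bin with random ten-letter names, each with a different hash, so hash matching alone misses them. The script below is an added example, not part of the report. Its hunt() function scans a given root (a live host's / or a mounted image) for the known hashes from this report, the fixed artifact paths, random ten-letter ELF names in /usr/bin and clusters of such files sharing one size. The demo tree it builds is constructed; file contents, the init.d and cron script bodies and the 4096-byte size are stand-ins, not the sample's bytes.

```python
"""Host-side hunt for the files this report lists under Downloads. Added example,
not part of the report. hunt() scans a root directory (a live host's "/" or a
mounted image); build_demo_tree() creates a constructed footprint with small
stand-in ELF files, not the sample's bytes or its 603KB size."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# SHA256 values from the report: the submitted sample (byte-identical to the dropped
# /usr/lib/libgcc4.so) and the first three /usr/bin copies.
KNOWN_BAD_SHA256 = {
    "7aa8eab2f01783bfe9bb7d8e051baebf563629645d73b2af42022d28a8143179",
    "3a4aea20443a658737fa7f27b8dc4b20abbf1dda023ab8b0ddf83161a5df4142",
    "d1eacbcb9a64c7c1d6aad266315bc15d6057c1d00e5c8bc1428022ce1e5255d6",
    "24c2d78f968bccb817c3ba561bdc333b76cc31746129e6ab5febb3cc2999fe33",
}
ARTIFACT_PATHS = ("etc/cron.hourly/udev.sh", "run/udev.pid", "usr/lib/libgcc4.so")
SCAN_DIRS = ("usr/bin", "usr/lib", "etc/init.d", "etc/cron.hourly")
RANDOM_NAME = re.compile(r"^[a-z]{10}$")  # aaszjnkhkz, amdrjpgqay, ... in the report
ELF_MAGIC = b"\x7fELF"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def hunt(root, known_hashes=KNOWN_BAD_SHA256):
    """Return sorted (finding, detail) tuples for the tree under root."""
    findings = []
    for rel in ARTIFACT_PATHS:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append(("artifact_path", rel))
    by_size = defaultdict(list)
    for sub in SCAN_DIRS:
        d = os.path.join(root, sub)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = f"{sub}/{name}"
            if sha256_file(path) in known_hashes:
                findings.append(("known_hash", rel))
            # Ten random lowercase letters: an ELF in /usr/bin, or any init.d/cron entry.
            if RANDOM_NAME.match(name) and (sub != "usr/bin" or is_elf(path)):
                findings.append(("random_name", rel))
                if sub == "usr/bin":
                    by_size[os.path.getsize(path)].append(rel)
    # The report shows 29 copies of exactly 603KB: flag same-size clusters of random-name ELFs.
    for size, paths in by_size.items():
        if len(paths) >= 3:
            findings.append(("size_cluster", f"{len(paths)} ELF files of {size} bytes in /usr/bin"))
    return sorted(findings)


DEMO_ELF = ELF_MAGIC + b"\x00" * 4092  # 4096-byte stand-in for a dropper copy
DEMO_ELF_SHA256 = hashlib.sha256(DEMO_ELF).hexdigest()


def build_demo_tree(root):
    """Constructed infection footprint; file contents are placeholders."""
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    for name in ("aaszjnkhkz", "amdrjpgqay", "bugnhgqjcp"):
        put(f"usr/bin/{name}", DEMO_ELF)
    put("usr/bin/ls", ELF_MAGIC + b"\x00" * 100)          # ordinary binary, not flagged
    put("usr/bin/tenletters", b"#!/bin/sh\necho ok\n")   # ten letters but not ELF, not flagged
    put("usr/lib/libgcc4.so", DEMO_ELF)
    put("etc/cron.hourly/udev.sh", b"#!/bin/sh\n/usr/bin/aaszjnkhkz\n")  # placeholder body
    put("etc/init.d/aaszjnkhkz", b"#!/bin/sh\n/usr/bin/aaszjnkhkz\n")   # placeholder body
    put("run/udev.pid", b"4066\n")


def demo(known_hashes=KNOWN_BAD_SHA256):
    """Build the constructed tree in a temp dir and hunt through it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return hunt(root, known_hashes)


if __name__ == "__main__":
    for kind, detail in demo(KNOWN_BAD_SHA256 | {DEMO_ELF_SHA256}):
        print(kind, detail)
```

On a live host, run hunt("/") as root; on an image, point it at the mount. The size-cluster and random-name checks carry the detection here because the dropper rewrites itself under a fresh name with a fresh hash on every copy, while the known-hash set only catches the original file and its byte-identical /usr/lib/libgcc4.so copy.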