General

  • Target

    a6ea3e2aa4751022d24a8053619bbfa9_JaffaCakes118

  • Size

    610KB

  • Sample

    240818-q79peawfjh

  • MD5

    a6ea3e2aa4751022d24a8053619bbfa9

  • SHA1

    26e14b0eb3c2f7cef909c1e50ac326c06892e5ca

  • SHA256

    b52d5c430f6b2d4061ee5ea4bb73289f9ee2da02e8dde46c08a958913252c4f9

  • SHA512

    a22ab0be5c822ee569e6d62289c5cd30b2559777c5e4783cfc647b55bfff336de095114101a1da6e875eb51ebb13dcb7d8aebb534192633853a912454ab38451

  • SSDEEP

    12288:kBvdieCWYsnxRQfx8HH70AlhEaLbljkj8O7Z/Yx6y9lSNU4UlUuTh1AG:kBveWDbQfEHtlh1LbljxPrMNWl/91h

Malware Config

Extracted

Family

xorddos

C2

ndns.dsaj2a1.org:3504

ndns.dsaj2a.org:3504

ndns.hcxiaoao.com:3504

ndns.dsaj2a.com:3504

103.25.9.245:3504

103.240.141.50:3504

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Targets

    • Target

      a6ea3e2aa4751022d24a8053619bbfa9_JaffaCakes118

    • Size

      610KB

    • MD5

      a6ea3e2aa4751022d24a8053619bbfa9

    • SHA1

      26e14b0eb3c2f7cef909c1e50ac326c06892e5ca

    • SHA256

      b52d5c430f6b2d4061ee5ea4bb73289f9ee2da02e8dde46c08a958913252c4f9

    • SHA512

      a22ab0be5c822ee569e6d62289c5cd30b2559777c5e4783cfc647b55bfff336de095114101a1da6e875eb51ebb13dcb7d8aebb534192633853a912454ab38451

    • SSDEEP

      12288:kBvdieCWYsnxRQfx8HH70AlhEaLbljkj8O7Z/Yx6y9lSNU4UlUuTh1AG:kBveWDbQfEHtlh1LbljxPrMNWl/91h

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Writes memory of remote process

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

MITRE ATT&CK Matrix

Tasks