Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu2404-amd64-20240523-en
    kernel:6.8.0-31-generic
    locale:en-us
    os:ubuntu-24.04-amd64
    system
  • submitted
    19-08-2024 04:36

General

  • Target

    a99c10cb9713770b9e7dda376cddee3a_JaffaCakes118

  • Size

    611KB

  • MD5

    a99c10cb9713770b9e7dda376cddee3a

  • SHA1

    1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98

  • SHA256

    92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86

  • SHA512

    1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79

  • SSDEEP

    12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiOx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhOfNiGQl/91h

Malware Config

Extracted

  • Family
    xorddos
  • C2
    http://aa.hostasa.org/game.rar
    ns3.hostasa.org:3308
    ns4.hostasa.org:3308
    ns1.hostasa.org:3308
    ns2.hostasa.org:3308
  • Attributes
    crc_polynomial: EDB88320
    xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 30 IoCs
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

Processes

  • /tmp/a99c10cb9713770b9e7dda376cddee3a_JaffaCakes118 (PID:2493)
    command line: /tmp/a99c10cb9713770b9e7dda376cddee3a_JaffaCakes118
    • Writes memory of remote process
    • Loads a kernel module

Downloads

  Files written during the run (path and size). /usr/lib/libudev.so carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample listed under General, i.e. it is a byte-identical copy of the sample; the copies under /usr/bin all have the sample's 611KB size.

  • /etc/cron.hourly/gcc.sh (228B)
  • /etc/init.d/a99c10cb9713770b9e7dda376cddee3a_JaffaCakes118 (495B)
  • /run/gcc.pid (32B)
  • /usr/bin/aavbfjzssc (611KB)
  • /usr/bin/awkjrnwuhu (611KB)
  • /usr/bin/bddyspoyhz (611KB)
  • /usr/bin/bzysxvenkh (611KB)
  • /usr/bin/cwuqcfzxkd (611KB)
  • /usr/bin/dhtatqcjeh (611KB)
  • /usr/bin/ebyiaemdvx (611KB)
  • /usr/bin/emcarjltcm (611KB)
  • /usr/bin/fxfazasiqi (611KB)
  • /usr/bin/hnvxfsjtvf (611KB)
  • /usr/bin/iadyoebzfx (611KB)
  • /usr/bin/ihyhuhmeku (611KB)
  • /usr/bin/irsrpxvhjz (611KB)
  • /usr/bin/izpwyesiol (611KB)
  • /usr/bin/lvkndoykuw (611KB)
  • /usr/bin/lwqxvqlovd (611KB)
  • /usr/bin/lzioceqvok (611KB)
  • /usr/bin/ngbrnjqkoq (611KB)
  • /usr/bin/nltzppxcby (611KB)
  • /usr/bin/nwwayjmlqc (611KB)
  • /usr/bin/otzcasmosa (611KB)
  • /usr/bin/rigoclxeiq (611KB)
  • /usr/bin/sfepyunkmf (611KB)
  • /usr/bin/tkuymezgfu (611KB)
  • /usr/bin/vcfultzuvd (611KB)
  • /usr/bin/vvgiaoydbu (611KB)
  • /usr/bin/zgpzymptcj (611KB)
  • /usr/bin/zlnlktdrmj (611KB)
  • /usr/bin/znmgluztpg (611KB)
  • /usr/lib/libudev.so (611KB)