Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu2404-amd64-20240523-en
    kernel:6.8.0-31-generic
    locale:en-us
    os:ubuntu-24.04-amd64
    system
  • submitted
    21-08-2024 11:02

General

  • Target

    b3353b56611b7626bdcbf7e99c2d2eb8_JaffaCakes118

  • Size

    544KB

  • MD5

    b3353b56611b7626bdcbf7e99c2d2eb8

  • SHA1

    6a5878cd0556d2d5819268993eb9fe8e35a9d483

  • SHA256

    23d5ef8b34e1db697543b07e7b5a2fb9ab90e176dabfa8141f227cf639da2312

  • SHA512

    4f5849c6619962ae4f27b9e038ebd36edf70c0c819fa4bd9d190c00837c8dc78f440381a8c7dd171781cf65e7dcb9d95fa6df77601be557ec2394af4bd35a8e3

  • SSDEEP

    12288:JbinNy0Y1nvEtXBx6DkkJmAGyPexU279WnjVZ6ySWK:1iNy0evmxvkJmApPexUm9cVE

Malware Config

Extracted

  • Family
    xorddos
  • C2
    topbannersun.com:23
    wowapplecar.com:23
  • Attributes
    • crc_polynomial
      CDB88320
    • xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 2 IoCs
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

Processes

  • /tmp/b3353b56611b7626bdcbf7e99c2d2eb8_JaffaCakes118
    /tmp/b3353b56611b7626bdcbf7e99c2d2eb8_JaffaCakes118
    • Writes memory of remote process
    • Loads a kernel module
    PID:2434

Network

MITRE ATT&CK Matrix

Downloads

  • /dev/shm/sem.fpF0ez

    Filesize

    16B

    MD5

    076933ff9904d1110d896e2c525e39e5

    SHA1

    4188442577fa77f25820d9b2d01cc446e30684ac

    SHA256

    4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

    SHA512

    6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

  • /etc/cron.hourly/dydbghzwyfphl.sh

    Filesize

    162B

    MD5

    6c7c4844c14ec25a95a0695cdcdf3d11

    SHA1

    41cf49e2442933b80f34274ad26687dbcb30001d

    SHA256

    19b55b9551cc2c29ecedd995c6663c4a475d61cd558e39fe60f6e5670cb1d288

    SHA512

    aa253ea77908fb623c99d880c54de09da8c1c4247309a3a6e56d2cb391f322386c47e374f166ce5b9c7c427acbe94c721aa661432810c0622daa954265ed8cc2

  • /etc/daemon.cfg

    Filesize

    32B

    MD5

    18cd21768afc1961f5d4846a92cdee19

    SHA1

    8ec1edae511ab3f77525d8113a3a6285ba6585ba

    SHA256

    98790312664d6de9bc00699af315fe48661ea1f71926a26e6565948fc70e8cba

    SHA512

    baf583e9f07f2ebea98b76eb93da4e6e4b9f86fe5583e92311f73069a8b9350b928b605a29f769a7cda44f889988441345430660f4881c15ce84aca2a612d074

  • /usr/bin/fsimjrrwxznmbe

    Filesize

    288KB

    MD5

    7349f3ca7e6609649b01eef05df81482

    SHA1

    6b424e74dfd43d074717e5d51230169168fccaec

    SHA256

    229d5cffe5648d0f2ec18f5c59587e7a6790d88f3e7f9b2fbe1fb4415f8b64aa

    SHA512

    bf58e0c56f19cc77793ea587f0f4185272267b70fa5a10f07c4d307417a00d0a3cce5433a5ee826e0f3fdbcca4a14f3193e93d78cd46386b1449a2c8b00ca72d

  • /usr/bin/lhpfywzhgbdyd

    Filesize

    544KB

    MD5

    e941a92db3ff98d4f1390bef5e9bba4d

    SHA1

    ec75a8ad8e9157a74062a384fee1f463f46bdf43

    SHA256

    f294994eb7227c5b18493954b3d5a2195b2a34ee516cb66ab524b1435ed811e6

    SHA512

    ffbf88cd079a5a42278f4dfa9255210edaac4a724b3ccadf3dc014e3c1d191870405047473ccd8d800325dc07cd629d3219356354b9c16cd9013b04b3f728d52
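The dropped-file list and the extracted C2 hosts above are enough to sweep other Linux hosts for the same infection. The script below is an added example written for this page; it is not part of the sandbox report and not the malware's own code. The SHA256 values and the two C2 hostnames are taken from the report. Everything else is an assumption made for illustration: the lowercase random-name pattern is generalised from the three dropped names seen here (13-14 letters), the BIND-style query log lines are constructed, and the files that demo() writes into a temporary root are stand-ins whose contents (and hence hashes) are made up, so demo() feeds the stand-in's own hash into the sweep to exercise the hash-match path.

```python
#!/usr/bin/env python3
"""Host sweep for the XorDDoS artifacts in this report (added example, not from the sandbox)."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the report: the submitted sample plus its dropped files.
REPORT_SHA256 = {
    "23d5ef8b34e1db697543b07e7b5a2fb9ab90e176dabfa8141f227cf639da2312": "submitted sample",
    "4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0": "/dev/shm/sem.fpF0ez",
    "19b55b9551cc2c29ecedd995c6663c4a475d61cd558e39fe60f6e5670cb1d288": "/etc/cron.hourly/dydbghzwyfphl.sh",
    "98790312664d6de9bc00699af315fe48661ea1f71926a26e6565948fc70e8cba": "/etc/daemon.cfg",
    "229d5cffe5648d0f2ec18f5c59587e7a6790d88f3e7f9b2fbe1fb4415f8b64aa": "/usr/bin/fsimjrrwxznmbe",
    "f294994eb7227c5b18493954b3d5a2195b2a34ee516cb66ab524b1435ed811e6": "/usr/bin/lhpfywzhgbdyd",
}
C2_HOSTS = {"topbannersun.com", "wowapplecar.com"}   # from the extracted config

# Heuristic, not from the report: the dropped names above are 13-14 lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{10,16}$")
# Bare hostname matcher for log lines (assumption: hostnames appear as dotted labels).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_filesystem(root="/", extra_sha256=None):
    """Return sorted (finding, path) pairs for a host whose filesystem is mounted at root."""
    root = Path(root)
    known = {**REPORT_SHA256, **(extra_sha256 or {})}
    findings = set()
    if (root / "etc/daemon.cfg").is_file():          # fixed config path the sample writes
        findings.add(("fixed path", "/etc/daemon.cfg"))
    for rel in ("etc/cron.hourly", "usr/bin", "bin", "tmp", "dev/shm"):
        d = root / rel
        if not d.is_dir():
            continue
        for p in d.iterdir():
            try:
                if not p.is_file():
                    continue
                stem = p.name[:-3] if p.name.endswith(".sh") else p.name
                if rel != "dev/shm" and RANDOM_NAME.match(stem):
                    findings.add(("random name", "/" + rel + "/" + p.name))
                digest = sha256_of(p)
            except OSError:                           # unreadable or vanished file
                continue
            if digest in known:
                findings.add(("hash match: " + known[digest], "/" + rel + "/" + p.name))
    return sorted(findings)


def c2_hits(log_lines):
    """(line number, host) for every line naming a C2 host or one of its subdomains."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower().rstrip(".")
            if h in C2_HOSTS or any(h.endswith("." + c2) for c2 in C2_HOSTS):
                hits.append((n, h))
    return hits


def demo():
    """Constructed fixture: a fake root with the report's dropped paths (file contents are made up)."""
    root = Path(tempfile.mkdtemp())
    for rel, data in {
        "etc/daemon.cfg": b"made-up config\n",
        "etc/cron.hourly/dydbghzwyfphl.sh": b"#!/bin/sh\n# constructed stand-in\n",
        "usr/bin/lhpfywzhgbdyd": b"\x7fELF constructed stand-in\n",
        "usr/bin/ls": b"\x7fELF benign stand-in\n",
    }.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    # Stand-in contents differ from the sandbox's, so feed the stand-in's own hash in to exercise matching.
    extra = {hashlib.sha256(b"\x7fELF constructed stand-in\n").hexdigest(): "stand-in binary"}
    dns_log = [  # constructed log lines, not from the report
        "Aug 21 11:02:17 host named[812]: client 10.0.0.5#51234: query: topbannersun.com IN A +",
        "Aug 21 11:02:18 host named[812]: client 10.0.0.5#51235: query: www.example.org IN A +",
        "Aug 21 11:02:19 host named[812]: client 10.0.0.5#51236: query: WOWAPPLECAR.COM IN A +",
    ]
    return sweep_filesystem(root, extra), c2_hits(dns_log)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On a live host run sweep_filesystem() as root against "/" (or against a mounted image of the suspect disk); a random-name hit alone is a lead to inspect, a hash hit is confirmation. The config lists port 23 for both C2 hosts, so egress logs showing TCP/23 to those names, or any resolver log line that c2_hits() flags, justify isolating the host before the hourly cron entry re-launches the dropped copies.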