General

  • Target: b6e04d4eea2d4e044b9b5c3dde3bce0d_JaffaCakes118
  • Size: 611KB
  • Sample: 240822-jnp3bswbkd
  • MD5: b6e04d4eea2d4e044b9b5c3dde3bce0d
  • SHA1: 338ed179a905da39961250674e80be17a916884a
  • SHA256: 242e172ee2185e78da0164b1669ae390458003da4a720da029fc4fc83d187bcd
  • SHA512: 01cfe2b25d4883f5c1a687a096dd4cdb008114ec916b8ed319d130cb00758fd8c0c14e83dbaed44efddbe26463cf09124e092ab87658b7d11e0b8b9afa5b633b
  • SSDEEP: 12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrr+T6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNN+BVEBl/91h

Malware Config

Extracted

  • Family: xorddos
  • C2:
    http://aa.hostasa.org/config.rar
    ns3.hostasa.org:4308
    ns4.hostasa.org:4308
    ns1.hostasa.org:4308
    ns2.hostasa.org:4308
  • Attributes
    • crc_polynomial: EDB88320
    • xor.plain

Targets

    • Target: b6e04d4eea2d4e044b9b5c3dde3bce0d_JaffaCakes118

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks