General

  • Target

    c3b424c0978555704a2395c2664ae673_JaffaCakes118

  • Size

    611KB

  • Sample

    240826-yf5kdasbqb

  • MD5

    c3b424c0978555704a2395c2664ae673

  • SHA1

    12aabee68e17990ed63d23e9399de7755b326649

  • SHA256

    0636d8749ecb285c293dc533c9b7690ba17ac7902488bf39164129a12d54c1c3

  • SHA512

    1d027ffcfedafb8d4877ef534acab607cf3fc75a066fa8b0148a95836252a5c8a46ef232c8266de93094b4f5558b47ae3a3c0a069c86e639ac7cff3e257bdac7

  • SSDEEP

    12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrrT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNrBVEBl/91h

Malware Config

Extracted

Family

xorddos

C2

http://aaa.dsaj2a.org/config.rar

ww.dnstells.com:21

ww.gzcfr5axf6.com:21

ww.gzcfr5axf7.com:21

Attributes

  • crc_polynomial

    EDB88320

xor.plain

Targets

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks