General

  • Target

    caeeadeea0762565473ac39681101c29_JaffaCakes118

  • Size

    611KB

  • Sample

    240830-qpparaxdpq

  • MD5

    caeeadeea0762565473ac39681101c29

  • SHA1

    1f7aad5e0e5996ed5c6634d08066df13b7e01440

  • SHA256

    94b59b4761147519fecf662cecba7219ac2f70682ae02685081a181758cb705f

  • SHA512

    3c0a150894fc8a84a2b4ccaaa935fcfc74f07b16626f1ca82b34f743d5ee77bae2e4143b132721648275c4c3e7e5ac27687da16d25607d7ff3cab3ad1b1d74a4

  • SSDEEP

    12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrIT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNIBVEBl/91h

Malware Config

Extracted

Family

xorddos

C2

http://aaa.dsaj2a.org/config.rar

ww.dnstells.com:53

ww.gzcfr5axf6.com:53

ww.gzcfr5axf7.com:53

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Targets

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about the processes currently running on the system.

    • Modifies init.d

      Adds or modifies a system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15