General

  • Target

    cfde10b9d5468ee167d578bbfe93a0dc_JaffaCakes118

  • Size

    596KB

  • Sample

    240906-s1k4kstgkn

  • MD5

    cfde10b9d5468ee167d578bbfe93a0dc

  • SHA1

    61646e20beb7f816cea1713f92f1d1da92450e8e

  • SHA256

    a7eb1d26c8069a933254341be5b5ebf61818d08d0867d64d48890e0ba80cff87

  • SHA512

    0faec1f88a4263c72dc87ce14c31e32ec9f353b27d944a32e0849e4015d7e0d50023ddc122673cd3b12d8614e7a53b49c5cf87758990c21a7e6e8b6d8a8a4596

  • SSDEEP

    12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWdiF6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGodiLTD4XcP

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2879

iosapp622.ddns.net:2879

173.247.233.62:2879

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Targets

    • Target

      cfde10b9d5468ee167d578bbfe93a0dc_JaffaCakes118

    • Size

      596KB

    • MD5

      cfde10b9d5468ee167d578bbfe93a0dc

    • SHA1

      61646e20beb7f816cea1713f92f1d1da92450e8e

    • SHA256

      a7eb1d26c8069a933254341be5b5ebf61818d08d0867d64d48890e0ba80cff87

    • SHA512

      0faec1f88a4263c72dc87ce14c31e32ec9f353b27d944a32e0849e4015d7e0d50023ddc122673cd3b12d8614e7a53b49c5cf87758990c21a7e6e8b6d8a8a4596

    • SSDEEP

      12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWdiF6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGodiLTD4XcP

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks