General
Target: d6a5d9bd5e6842bb595b18a9131a84a8_JaffaCakes118
Size: 611KB
Sample: 240909-tebtfswhlp
MD5: d6a5d9bd5e6842bb595b18a9131a84a8
SHA1: f2e3fd9d7e16665d91e3182ddaaa175be45d6e1d
SHA256: 8d9b9e02aaa3ed855dfeed82b1af18131591c3621a96be730672a45f7ac43094
SHA512: 06040501e65dbf6be2fcfd3c626d80c5ebcd9489807206e62bf8d1fad4fbe9a660f146fb49f3e57335f024ba9a131bbef8e4696038178f790f2e090822cae1f1
SSDEEP: 12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrrT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNrBVEBl/91h
Behavioral task
behavioral1
Sample: d6a5d9bd5e6842bb595b18a9131a84a8_JaffaCakes118
Resource: ubuntu2204-amd64-20240611-en
Malware Config
Extracted: xorddos
http://aa.hostasa.org/config.rar
ns3.hostasa.org:4309
ns4.hostasa.org:4309
ns1.hostasa.org:4309
ns2.hostasa.org:4309
crc_polynomial: EDB88320
Targets
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
XorDDoS payload
Executes dropped EXE
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Write file to user bin folder
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Boot or Logon Initialization Scripts (1)
RC Scripts (1)
Scheduled Task/Job (1)
Cron (1)