General

  • Target

    e9db2bcc3678779114f8ed31c875cbd3_JaffaCakes118

  • Size

    604KB

  • Sample

    240918-yhd57szeqe

  • MD5

    e9db2bcc3678779114f8ed31c875cbd3

  • SHA1

    1e20fe93f4926d431561ccc1ecb2c576d8c7ba4f

  • SHA256

    2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba

  • SHA512

    c36b28078cb7c10d5fabb489a6fc19b9c856d1047cdb164191dc39ecf1d4a41c75d3e0e1591d2cf339388d943cf6966dbcc2fbd5da73c89eee7876e8a3834711

  • SSDEEP

    12288:IiqKgqkonFOSC3pZWKqAKSj6LJXDv42Hv6yrDKb4olUuThTcF:S1qPkSCvnvKSj6LJXDrHzDsl/9TE

Malware Config

Extracted

Family

xorddos

C2

103.25.9.245:8002

103.240.141.50:8002

66.102.253.30:8002

ndns.dsaj2a1.org:8002

ndns.dsaj2a.org:8002

ndns.hcxiaoao.com:8002

ndns.dsaj2a.com:8002

Attributes

  • crc_polynomial

    EDB88320

xor.plain

Targets

    • Target

      e9db2bcc3678779114f8ed31c875cbd3_JaffaCakes118

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to servers other than the configured DNS servers was detected on the DNS port.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds or modifies a system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks