General

  • Target

    fcc3be118f2bc42f8757eef69496e89b_JaffaCakes118

  • Size

    611KB

  • Sample

    240928-vql91azbmf

  • MD5

    fcc3be118f2bc42f8757eef69496e89b

  • SHA1

    9d57a8ed4b8b64e2ff56032605b505d7eb2120dc

  • SHA256

    7358b6fc402681a3585d7cd69763d4b8f0c3093d746b85a35205b77e5b26e13d

  • SHA512

    90c4c59b917b9a5198d383c27f3aae1aa5e3863ed79c1cb01b7205582ebd49a899a5306be17201362e0256164ce175b613bc0f082379c6b15b17337ae97d49ff

  • SSDEEP

    12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrkT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNkBVEBl/91h

Malware Config

Extracted

Family

xorddos

C2

http://www.s9xk32c.com/config.rar

ww.s9xk32c.com:3309

ww.s9xk32a.com:3309

ww.s9xk32b.com:3309

Attributes

  • crc_polynomial

    EDB88320

  • xor.plain

Targets

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder
