Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    02-10-2024 06:18

General

  • Target

    09489b80975a6f1a076784f0838c91b5_JaffaCakes118

  • Size

    611KB

  • MD5

    09489b80975a6f1a076784f0838c91b5

  • SHA1

    a71ebc35aadce35194841607d314c83edd7afa27

  • SHA256

    32db4c85faf0d58065912af97522befafcfdf73e92a3d549ea11921d25cc6547

  • SHA512

    2d42430a5af31d99bb8f38dc456a8ae4f34516a1e20529d0aac6a1cf14cea1270611a3a7c1c2cc0696ea9a04b7167a70e6c6f242cd6086e01c5fd0a2fee77304

  • SSDEEP

    12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrkT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNkBVEBl/91h

Malware Config

Extracted

Family

xorddos

C2

http://aaa.dsaj2a.org/config.rar

ww.dnstells.com:3306

ww.gzcfr5axf6.com:3306

ww.gzcfr5axf7.com:3306

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 31 IoCs
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/09489b80975a6f1a076784f0838c91b5_JaffaCakes118
    /tmp/09489b80975a6f1a076784f0838c91b5_JaffaCakes118
    1⤵
    • Writes memory of remote process
    • Loads a kernel module
    • Creates/modifies Cron job
    PID:2825
    • /bin/sed
      sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
      2⤵
      • Reads runtime system information
      PID:2833
    • /bin/systemctl
      systemctl daemon-reload
      2⤵
      • Reads runtime system information
      PID:2848

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /etc/cron.hourly/gcc.sh

    Filesize

    228B

    MD5

    3bab747cedc5f0ebe86aaa7f982470cd

    SHA1

    3c7d1c6931c2b3dae39d38346b780ea57c8e6142

    SHA256

    74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

    SHA512

    21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

  • /etc/crontab

    Filesize

    1KB

    MD5

    f85f0a4cb1d0da23b7e8e4a80a5a9f59

    SHA1

    f7b9ebeb87ee01c0caa97df076e6420f5e5c66a9

    SHA256

    696de2ac7d880173f049febcf30288e8f77b4ff54baf7ea70ef1261a3bbe5d97

    SHA512

    a770f7e2a0ce96ef084c9baf845148950ec23bd7a1e99d23438ff7872cfc039db690b10884e979de8aef200abde73ac5f69c9ce0cd7800ccda0b0ef0640eb27d

  • /etc/init.d/09489b80975a6f1a076784f0838c91b5_JaffaCakes118

    Filesize

    495B

    MD5

    260c316684d2bf460e8cdaf2f9f44c62

    SHA1

    c69001a55d3a501f6cbe6a350f01c88649f56c6b

    SHA256

    471ceb1c787badb177c78f7b8b4cb3d13318769b76e15621868db20ee0eb7529

    SHA512

    c13dc2722d485e429bd31b03d83a1f92f2fbef81bab327f511a5185ae5cb5c002e8bd8c372c5eac42be03d9c8c494638db27d71a1ad526d14cb4007f9b9061ae

  • /etc/sedgm1sBT

    Filesize

    1KB

    MD5

    85f7ff2020ac8c72212f076ddf33c0be

    SHA1

    df06ddd9c29e8da5cff1aa356e9529336573422f

    SHA256

    ffb48ad57868ed639fad049d11ef4b9bcdd3d2d3e556754ce69b4d6b016969a3

    SHA512

    d7e2d6116adbe768dd078b490575f7757c0e98859a96d280756446bd7e6bf46e24381b0cf86bf5ae3eb4e15bb3743a34cf910f30dd27888de4c5d12bc0a7ea00

  • /run/gcc.pid

    Filesize

    32B

    MD5

    d6ce0e55546a811edd9167d9581deeff

    SHA1

    6da22da545521d37f4289f76206fc867afcb1c19

    SHA256

    8d2a62ea74f707304c5e0ddd8910ed90978e34b048cf3dd2725d6c5ac9621732

    SHA512

    31f2706ce48aefce568e81a9ad6db448ff25a0de7bf5f6a9bdf5bfbf18563c0da7ccf15663f52b1c920c2641318874457224100963210b0478095818c6562ee9

  • /usr/bin/bmxvgbqvfs

    Filesize

    611KB

    MD5

    6230a0d9a19dda1cdadc8f055add3fdd

    SHA1

    e39b7814c9f58c7d9a23c55df52a3de93fd555d3

    SHA256

    1f23e11b44a1ba12a72aba41d8ebd664fe6dc526939b956c9ed5e88cf62f2e41

    SHA512

    79b26b9c7db3596ba71227e2e51538f9565574e682ce385f6eb8f5d32b5100aed4560162d4c71c5ebe8828d288f467e495c39eee66c7483c53f8641d0282052a

  • /usr/bin/bsawlrbewj

    Filesize

    611KB

    MD5

    29c26999b01254230dccc54266d9acfe

    SHA1

    3b2e6738f85c2bae2a18fcbefa1983839790e89b

    SHA256

    39d6377c87b7b64d5b13f6e479196c664f11466153d731dbe657bb69ea3bec8d

    SHA512

    860aebab2cd76c1c772fda18a0484fbf532c4f735b55af17cda3b363a313e752d7fef6ac224ac5288f10f9b9e7e7ec18f8f46f31f78314af9df9facf1fc9f6ab

  • /usr/bin/calopwhdfv

    Filesize

    611KB

    MD5

    9db0208122000d4d95005b5a88d7683c

    SHA1

    36620069e9c20c9167a5b8e38c57b05bad541abf

    SHA256

    50f01b8b9909e437371d0399c7bb9ea827ea6d0b266f17ea331284ff2d718e1b

    SHA512

    72cd7a69ff34cb2bd762897e472d5639b4ce87617265746a66bbc9048a1de9fa9c473e938b78807c74edd9c9d6edc6e870dfddabbe52253c2077d9c7813265d4

  • /usr/bin/dssxyitkhe

    Filesize

    611KB

    MD5

    fe8b49c29ae47d8a3837f09856a8dea5

    SHA1

    1b16070bfc234a22d2d9c06aac53cff00d70fc67

    SHA256

    264bf5fc67bd06e222cb0bc1f0e05d1552d686b04a18613267d777e42d8d3cfd

    SHA512

    2c763678f05db14c852a37e384a52df2d6e5c895b05febd056ebdac61c39f9898d5a016a3c571b47e622ed7115f30a46132f81b17381c9832c3fb4f5d8b8e15d

  • /usr/bin/iwjnloinxs

    Filesize

    611KB

    MD5

    2a37fa98945b3c8ab447e1ac9261d753

    SHA1

    4717bb93e978c003fdd36fe77a93cddb65d94368

    SHA256

    7e0e530d868d19aa9fd52546d90727df1ce080b38a97b8a40a0db1de941a295e

    SHA512

    2ba03df59d7f4d440ba16422b7a18440c38a5b05e5e3d6dd064bd3f30b40531116b59d88bd77f9cd47cfce03081c7ffd817a980a23d2f5b657133fb858d1a4e4

  • /usr/bin/jpdphndbzq

    Filesize

    611KB

    MD5

    befe1d5e08da30d9cc317da51b6f13da

    SHA1

    e304eebdfe9b327ae93e2434c994532ec43346f8

    SHA256

    fe51ddc6cc35da60d8854c56192e0a5908550388840028e1da9fa9b922ccce57

    SHA512

    120e916dfb46242a2cc519409961b756b85f75ee610e2b7b5bff8882657bf2b55d06b874b8f34a590b43d6c0ee0f1271a1b025413847388c1f7c9365de3e1bf8

  • /usr/bin/lhbpvfmguv

    Filesize

    611KB

    MD5

    14ccd9b9fbc63d5f6b0f5370f4722d97

    SHA1

    fdf2c67b09c1a084492a401205b1dbd104f415ad

    SHA256

    add0f641ad590a636a663a3621d051104844aba1e05bdb89e6357cd1394a3ea0

    SHA512

    9b98aca7aa7d4d5e325d9e75761eebe3b35a963ccb7ac026789bf3472beca0a22d20f8a7793bbf7e654263ad6e4ad509c862481de6b5c68327dea2614a5266c6

  • /usr/bin/mfhcgttufd

    Filesize

    611KB

    MD5

    7fd74103bb5ea76b0e17ca4907f0d987

    SHA1

    dbb74442c677078ce5154d26c10067dc3a9f93e7

    SHA256

    6de8805545d48e7a3fb14ee22f2a13f933526bacfee5fc20e218b4e58e21ac3e

    SHA512

    86ec830fdef9452ca453987c5cf7d209d23346094c0095d37cd7c6b06faeb74eb8631e8c1420c6af7dce96ad7d50d159a8e453a52bd1e0342f49e2ac83844993

  • /usr/bin/mgkdnnfewp

    Filesize

    611KB

    MD5

    aa88002c5156f2390712c2ef19942def

    SHA1

    c860b20b280e497b93b5d225e0e97e401547270d

    SHA256

    60e3c6320acf0ff133eff249f9184d21a342746b64046e84e4ee40734f8b032a

    SHA512

    673630347551086193a4c096e65161cfb6e42ca27dd1578b3e41ffffa5f0e42384f383a416d3887d999a53cf0d76154029358ffe21815d2fcce4fae6ea1e6537

  • /usr/bin/ndgaogzhrq

    Filesize

    611KB

    MD5

    187c1282902801990661629e9aac702a

    SHA1

    e187f75be9fd7a9ec202914485c153bc38826b94

    SHA256

    c5adae1f510d626a87f4b05d691afd57c12557444ec3461b117a8b9d0ecb109f

    SHA512

    fbe880e3a781119af84c7351290cb3b45eb198cb6cb307b57e1634eee683397a0a7de21642dd9c2fc318ad3487fc43712fa5481f1226fc36787ab73c378b6a06

  • /usr/bin/necgzoeyyy

    Filesize

    611KB

    MD5

    4e1d6c7b49bde2e1e43c19786f57eddc

    SHA1

    1a68321d6f96f923d589ef6b1cf826460f0df874

    SHA256

    ad6c27c5deceb12a6826bd726cb7a144785db9cae50524cda6a3b17724067d94

    SHA512

    d5a091f0913f3a45479da9b44c3fe60f3b7a4f9761d3290e9d8b9c470ec7e765be3feb9b35e2168540787e2492935a164ae7c237209ccc48f0ca9a7998303b72

  • /usr/bin/nnstcvypsc

    Filesize

    611KB

    MD5

    968bad8c84fbf4b402c1c5c98b82433d

    SHA1

    69f2cc9edd52453d2ed1b8fa9042380d1586eb4e

    SHA256

    b62066b93bdc47da3996c0bd5b1395f28acf02818a7c7a93d0f3e995192a0f4c

    SHA512

    2870232e331960f6a75afcf0cedd0f953287d1084ee40a9449b259f6026870ac6f57d696aa60d20947dccc39b82de505122dc805068574f2e2e0d27b7a2d31d3

  • /usr/bin/oiyzmeyxlf

    Filesize

    611KB

    MD5

    92a68cd235658911bb1fa2550753bd97

    SHA1

    16eb3a12572cc4924144f0409997b0feb4ab0f13

    SHA256

    39027dcece7a536c94e9ab59eb7d01def5ed016f0e97cc40a904e738bbcbed46

    SHA512

    713619fdd7c2887b04bd9ea8aa0207f2ce5bf20a8c2f1d1891bcb4fc87c028030720e44ac0da0e80493303005f295b4a81b07840f54420ac118ff017d1a04a61

  • /usr/bin/prldqfviah

    Filesize

    611KB

    MD5

    1b1f1707400e5b66051c1f43a432a29c

    SHA1

    66eb0e0866cee5f9171ae9c52d74e9efa8fba198

    SHA256

    5dc41440246a4c0a5158fe581f72e6cf19d3774c4bd2c85540f543f0b9e8e477

    SHA512

    e3fe2d8c0f4b8ecf2cab79bdc809bba73a19a061dcd08e72fa49867599989c57b065b412a5318c969c5c544b26b5ee844c240b257216fccebf1a2b0486b7de29

  • /usr/bin/qdqibhonjd

    Filesize

    611KB

    MD5

    96cfeb15869ce9a33aafbe1bb621b1ed

    SHA1

    926e154108f9e5ca2250bed53d7d858553e63c34

    SHA256

    6e63b01f5ed815e7ad22485a112435956fd30828beed7587bc1f8d610e37718f

    SHA512

    cc89f9a64965790862e36964e6f8464c062afc91a3d8bad4b2ecfbac730a6b1cc5bfcce132807062d334f6bb8efd80710d84d698d7009faeaa22b66e0276df2f

  • /usr/bin/qfjpxodqiy

    Filesize

    611KB

    MD5

    8cbfb53d3dff440b0c5358b07c6a870a

    SHA1

    0694a3cb689f58ff5fd8ec4b97acaf4f40978362

    SHA256

    0629016f5c86e1cc5d6117c17ecdc27de0fd8ca260df8eeb82fdc7b661230422

    SHA512

    877db73a873e08009319f8b43caeb4f22aa8fb449ac98567ff2ef4af00a18c6e9d4e9122857ab47c412158c3145eb0ac2b377cb79e35783065c3d415c85a7e68

  • /usr/bin/qfmdqeozzp

    Filesize

    611KB

    MD5

    513b16c13ab63e370afa2be4035d5c6f

    SHA1

    9ef68df3b75442727965854e7bc7bd4667624152

    SHA256

    590386b4ddbcf1f8a36e74c56a2e7e99686cbe9bd04473dbd951ad8f9ce6ef29

    SHA512

    39eef9ee92f56490589c54c7f4b7a8354ee4bee908c6072f8f76796729b25f157c11ae8478db7ab51a3bad5821c5ad6deb64c53ad2a243fb1e5878eda2f02f5a

  • /usr/bin/rmkhdrevhd

    Filesize

    611KB

    MD5

    29b3ed89a913dbaf18ba1c00f58ce6c8

    SHA1

    2dd5d9bfd88c0adf5938c94efe0defb24e2ea174

    SHA256

    c930dac3a9f140fdd0ad87ae9ced99c1b8b12a4082f4d1fb97e07830f9c4c334

    SHA512

    e6f18e3a0f44bdaf659c5903a6c4fd29a37253dd29aedef33a302ce8baab2d0f806c80e975a6983529ad04a0653b3c225bfe9553823fc4b0f276ec3beaff7316

  • /usr/bin/szprsqjoqu

    Filesize

    611KB

    MD5

    f6baef93393d5fba43e541adf9c51027

    SHA1

    cfba0074e0cd27c6b40fdeaf82391a1503e68710

    SHA256

    65834a985668726d72adc718dc1fd473c2d39eae381062dabea2e0fa91be9a03

    SHA512

    58a4999b746741492d2ea0d918dd114c642af08e1bd7243e93ba261d34303a2520e4d051379477b2b88d2ffa67e6f3a0faae9ac7b5a7786528d506485d2332c6

  • /usr/bin/tvlyofiwnb

    Filesize

    611KB

    MD5

    3e6910dfa10f237c257d7035ac6d851c

    SHA1

    dce3d840df95d481ec0cc2f427c2ae208c8a80f9

    SHA256

    98d8edca6bbd67caded45100c754f58ae55ed5b683a4d070bde5fe863b6e4e29

    SHA512

    5f083978f4f7f97de8bb8473f1c8b5b7231bb6288ce7b6483122cc43bec040c8d1ee89e84d7597308e32a50928138df10f5cd6410867013e5813eb1d1e5132be

  • /usr/bin/tzobijefmc

    Filesize

    611KB

    MD5

    1e999e9db3dbd5d98b97e082a7f985ba

    SHA1

    5e876b6df46a812fdf26d667c921135493ec8323

    SHA256

    7424ecdc3f6ca68dd0b890e17a3579bf15678ae75f898022e40c3a7dbdcd14a3

    SHA512

    6d5d88393c77a8ec153496d1fe83e71f226c28f006ebfdf81f4688b8992e085254b1d742cf2169ed92c71fd09078c1cbd094e8b80f0e827926afeabd8f661593

  • /usr/bin/unjorzjpui

    Filesize

    611KB

    MD5

    7b6df67558ab7a8fa22f091df28aef69

    SHA1

    9ea888959a56aee877428861843cf7bf46e52f5b

    SHA256

    7c34111d9c538d67bc1657a98022459411107ce552dda3540aeb63eaf9105865

    SHA512

    4a3f124c6d3525e29621b3f271311d2890e654d69c348b5c619850284fe5c8b55de1ade9ad78665b1c8b42a8c413be14f2b2f3770ddc54f099fc6235256c64ad

  • /usr/bin/verxcvraqb

    Filesize

    611KB

    MD5

    cf6c133e802794b99a84522c7c28f3f9

    SHA1

    eb702f236225d74be7be4cfa821af20b059f2366

    SHA256

    fa764cba053ffc136393e9846ec7765c4760cf9ddbd1dc815e94f7ad4682d07b

    SHA512

    d5301ce75a7b9c21dda5c21d41cb04b60ce747413421e743fc65f0ca78cc753295ef88da3f2f172ef4729549673ed2aa20299bddd2f1f20abfe4f5302375f887

  • /usr/bin/voevjpkqgs

    Filesize

    611KB

    MD5

    0022f9e54d116e77f5f2b62cbe7ed5ea

    SHA1

    47e00c01e2d52d1a618e1934c42a78889344b555

    SHA256

    3078765d22fbb81496a609e018505b1243bf0d1740e5be9f69d065273ca43c3c

    SHA512

    4b0aa817c9d9989909b2544c45d7f2e2778208c5ed86118a22d17ae7d5d16a82c3f26f68e0302c3ff63e295a284a1d5be403fb51cf2c535d82bd8db95b641bdd

  • /usr/bin/vtfkccfofc

    Filesize

    611KB

    MD5

    303f5c2ba526da5591a6bc4b7164b270

    SHA1

    dbf222a4f6f84730082b15749cb342eda79d4f14

    SHA256

    2e09e636e42fee6d6750178b799e0c68ee8e80dcfeecfbc182a3bf0e325eeb83

    SHA512

    9a36e4b7e0b0be7dea751dd6c1a61c5c75201756cd574af9ab90ea2f0625027734867ab6ac086da6b0492375bc0fb9ada9ed34304987c616f336047a4907bd73

  • /usr/bin/vzibjnrbzh

    Filesize

    611KB

    MD5

    fed9d0429c5aeb9dfbb0d066860c0b04

    SHA1

    8f30a983123775a4882aed9b79e45cbd92e41827

    SHA256

    13f5263307182b27a7e20d31bc3b7d1062d2d11bf5f12cf366f40f9330fe8148

    SHA512

    0bb4364f2c7a351204311b11938294903fd72bc5aeb7b0b3b51f05caf8b3706f248c38f4588f2a89692212a2429d79dd2f9b193702e94356a96a013d53abb4a0

  • /usr/bin/wxfcxmjjuz

    Filesize

    611KB

    MD5

    f7af60d415e516aa8b26759003d60c18

    SHA1

    96f9a1c12ddcdaca58bd71989c3988a396bf4268

    SHA256

    2bb5ca8ab420cee21bc4f58a2036f68fa1700bfc55d9716ea025ee31e2f938f4

    SHA512

    32583dce4c952048fb8b8e9c7baed9a3aa5f6029fb1e37168a3a3f9843fd70af9bba6735e0f01b0f52f02b6d98bd1668ac6c6a1747b27c7d9b95e51f15842811

  • /usr/bin/yatteetlfp

    Filesize

    611KB

    MD5

    75107e5879a11c8ab9e7f916c47166fd

    SHA1

    e4c1037d229399b0458a0d84aae2e8e11c48b31c

    SHA256

    0631a12565a17ca96b23e13e9acf2f475d61f63444eb3aa1bb0f46239206e05f

    SHA512

    c2444cae427a8db77960ede90ca4e18ad771891e6e374c387d34ce08a0467a085a45a88451cde9c34040eae87e09ac716ba0a446235b63ffb674bd87ea169e41

  • /usr/bin/zippilkufs

    Filesize

    611KB

    MD5

    5eeda2122d30d0b146b4843d4d776632

    SHA1

    c70f30eca22f97731dc9ec09f00c9d1e3afb895e

    SHA256

    d66c05d81be191df2919c76af16c4b7550112f3613dc7824b5fad42efe7d60cd

    SHA512

    44d3fb18459503c6cca172909f9eb311f51a1795c6dbf16f48b449e8e30fa952e494358293e589342f31f4f4c5d7e523ae5f3b00d853fec7bd63589ac9e2a8cc

  • /usr/bin/zqjaemgdpp

    Filesize

    611KB

    MD5

    052957f676a95070cc054ba2941f95b3

    SHA1

    2726ed4bf435c5f9a673c0ebff04036e1b5a2415

    SHA256

    f7b1c6d2d705ad51f3a568124ed350df8f722e31dff3a3cdaf75e3ec5d441017

    SHA512

    a878870a822618f989b1b91015e9382a2f9e16fd1b2c698056a128f8db1e1cff9249eec3e21a14f076eab754c0b7f5ffe7c69ebf2b4b2682d3738b599a8c5406

  • /usr/lib/libudev.so

    Filesize

    611KB

    MD5

    09489b80975a6f1a076784f0838c91b5

    SHA1

    a71ebc35aadce35194841607d314c83edd7afa27

    SHA256

    32db4c85faf0d58065912af97522befafcfdf73e92a3d549ea11921d25cc6547

    SHA512

    2d42430a5af31d99bb8f38dc456a8ae4f34516a1e20529d0aac6a1cf14cea1270611a3a7c1c2cc0696ea9a04b7167a70e6c6f242cd6086e01c5fd0a2fee77304