Resubmissions

  • 06-12-2024 09:10
    241206-k46kpawkgj 10
  • 06-12-2024 04:01
    241206-ellvnsvmdm 10

Analysis

  • max time kernel
    10s
  • max time network
    9s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    06-12-2024 09:10

General

  • Target
    caeeadeea0762565473ac39681101c29_JaffaCakes118
  • Size
    611KB
  • MD5
    caeeadeea0762565473ac39681101c29
  • SHA1
    1f7aad5e0e5996ed5c6634d08066df13b7e01440
  • SHA256
    94b59b4761147519fecf662cecba7219ac2f70682ae02685081a181758cb705f
  • SHA512
    3c0a150894fc8a84a2b4ccaaa935fcfc74f07b16626f1ca82b34f743d5ee77bae2e4143b132721648275c4c3e7e5ac27687da16d25607d7ff3cab3ad1b1d74a4
  • SSDEEP
    12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrIT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNIBVEBl/91h

Malware Config

Extracted

  • Family
    xorddos
  • C2
    http://aaa.dsaj2a.org/config.rar
    ww.dnstells.com:53
    ww.gzcfr5axf6.com:53
    ww.gzcfr5axf7.com:53
  • Attributes
    crc_polynomial: EDB88320
    xor.plain

Signatures

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

  • XorDDoS payload 4 IoCs
  • Xorddos family
  • Writes memory of remote process 2 IoCs
  • Loads a kernel module 64 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/caeeadeea0762565473ac39681101c29_JaffaCakes118
    /tmp/caeeadeea0762565473ac39681101c29_JaffaCakes118
    PID:4068
    • Writes memory of remote process
    • Loads a kernel module
    • Creates/modifies Cron job
    • /bin/sed
      sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
      PID:4076
      • Reads runtime system information
    • /bin/systemctl
      systemctl daemon-reload
      PID:4091
      • Reads runtime system information

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/cron.hourly/gcc.sh
    Filesize: 228B
    MD5: 3bab747cedc5f0ebe86aaa7f982470cd
    SHA1: 3c7d1c6931c2b3dae39d38346b780ea57c8e6142
    SHA256: 74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5
    SHA512: 21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

  • /etc/crontab
    Filesize: 1KB
    MD5: f85f0a4cb1d0da23b7e8e4a80a5a9f59
    SHA1: f7b9ebeb87ee01c0caa97df076e6420f5e5c66a9
    SHA256: 696de2ac7d880173f049febcf30288e8f77b4ff54baf7ea70ef1261a3bbe5d97
    SHA512: a770f7e2a0ce96ef084c9baf845148950ec23bd7a1e99d23438ff7872cfc039db690b10884e979de8aef200abde73ac5f69c9ce0cd7800ccda0b0ef0640eb27d

  • /etc/init.d/caeeadeea0762565473ac39681101c29_JaffaCakes118
    Filesize: 495B
    MD5: 5a1815a39c495ac397e0b698831c8b87
    SHA1: a241152f39226030b2d3621b141e7a7bc218f129
    SHA256: 52c827d5f2bd57439eac7bcf4d0fe55c0d34239c87160e2bf4de90f77ccc3792
    SHA512: f4439d9ed40cb2cac7599914bcb592862097e84c8397d66663e527d3338418d5abd44061ba0d25f91650db277107a9a2dcc1315ac8f5c26df555b7e24ff056ed

  • /etc/sedYfTiKL
    Filesize: 1KB
    MD5: 85f7ff2020ac8c72212f076ddf33c0be
    SHA1: df06ddd9c29e8da5cff1aa356e9529336573422f
    SHA256: ffb48ad57868ed639fad049d11ef4b9bcdd3d2d3e556754ce69b4d6b016969a3
    SHA512: d7e2d6116adbe768dd078b490575f7757c0e98859a96d280756446bd7e6bf46e24381b0cf86bf5ae3eb4e15bb3743a34cf910f30dd27888de4c5d12bc0a7ea00

  • /run/gcc.pid
    Filesize: 32B
    MD5: 46ad5826153d127109a0a69aaca3cd72
    SHA1: 7a628d1a6b9f5f5bac654ffa983ef188722c736e
    SHA256: 7fb41b4a1085b29d9c7001184e7b398e68f0251e7a26f59f3ca1f0ad1abace3e
    SHA512: dd05f7783deb11f579e47f13ce1221b830ec05dcc9fba3fb3cb94829713ecc10fffa6ce58c5ee6bfcbe00ea0c0e21d26f5cb4951b175377ba60e31c09d3da4e7

  • /usr/bin/gpxxnkgznz
    Filesize: 611KB
    MD5: b97e725f502520a2cec86e6f54d20629
    SHA1: 87d1844242fb6c4665fccab19b40f782be981bcb
    SHA256: 44d0ac900d9e148ed9429c616febbaa49e760975ef5a35eb8ae0d5ee9dd0094b
    SHA512: 915cfd481da96dc857682fe57078d716f47a20524d58db5117c1c891f86c59303af0f8001647ac0033c5d17b9aa9aee36f17f3ffd28e572292a6ff00beb8429e

  • /usr/bin/hausrhfebm
    Filesize: 611KB
    MD5: eba18f3a557757640cb11d2b74294655
    SHA1: 0ac70c198bcf3facee2894b82e99bea004953ffe
    SHA256: 4032e253b0ab8d8b6714956235f6230f2852dfa09d17eea3e0367f4f66988d12
    SHA512: 36c6b5d8e7394a189151d5e7c22d3407ffb82158e5c68b8223885a56cc9802db824ab6464f600e521cc14331f75aa804315c4608a5dd842c6c6404a0dcb14a24

  • /usr/bin/ieclocuncd
    Filesize: 302KB
    MD5: fef1a8c8d14c7a283b0fea45073c3650
    SHA1: 385b3b4a355e172092a22499bb5fa02e8e8d5092
    SHA256: 95104713eb4718f9490e2fdab4c9f27e3f1309dad7625e49364e2868854d5999
    SHA512: a88ad514587d8126437f54af12f11bc280c932e1b0785fb54d89930ca2c45a09d06c30283f8eec4b1b0604c7aaa42a2ba1c58a9f2edc2fdedc8d6183d6a6975e

  • /usr/lib/libudev.so
    Filesize: 611KB
    MD5: caeeadeea0762565473ac39681101c29
    SHA1: 1f7aad5e0e5996ed5c6634d08066df13b7e01440
    SHA256: 94b59b4761147519fecf662cecba7219ac2f70682ae02685081a181758cb705f
    SHA512: 3c0a150894fc8a84a2b4ccaaa935fcfc74f07b16626f1ca82b34f743d5ee77bae2e4143b132721648275c4c3e7e5ac27687da16d25607d7ff3cab3ad1b1d74a4