DD Binary Padding Hash Change

Metadata

Author: Roberto Rodriguez @Cyb3rWard0g
Creation Date: 2020/11/10
Modification Date: 2020/11/10
Tactics: ['TA0005']
Techniques: ['T1027.001']
Tags: None

Dataset Description

This dataset represents a threat actor using dd to append a single zero byte (read from /dev/zero) to a file so that its hash no longer matches a known signature. This is binary padding (T1027.001): the bytes the adversary cares about are untouched, only the tail of the file and therefore its MD5/SHA digest change. In the simulation the padded file is a Python script, /tmp/psexec.py; a NUL byte appended to Python source stops the interpreter from running it, whereas bytes appended after the end of an ELF executable are ignored by the loader, so against a script the trick demonstrates the hash change rather than a still-working padded tool.

Notebooks

Notebooks created by the community leveraging the mordor datasets

Author | Name | Link
(no notebooks listed)

Simulation Plan

Environment | Tool Type | Module
Lab VM | Manual | sh

Adversary View

md5sum /tmp/psexec.py 
5aa8b93e9b40c04d6d9d0cc8cd3975ed  /tmp/psexec.py

dd if=/dev/zero bs=1 count=1 >> /tmp/psexec.py 
1+0 records in
1+0 records out
1 byte copied, 5.6002e-05 s, 17.9 kB/s

md5sum /tmp/psexec.py 
c509e5bd899de81d603da3f61e717837  /tmp/psexec.py
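The same padding step, as an added Python example that is not part of the dataset or the adversary view above. It reproduces the effect of `dd if=/dev/zero bs=1 count=1 >> file` on a constructed sample file, shows that MD5 and SHA-256 both change, and adds the defender-side check a practitioner wants: a "normalized" hash computed after stripping trailing NUL bytes, which is identical for the original and the padded copy. The file content, the function names and the temp-file handling are all assumptions for the demo.

```python
import hashlib
import os
import tempfile

# Constructed sample content standing in for /tmp/psexec.py; only its bytes matter.
SAMPLE_CONTENT = b"#!/usr/bin/env python3\nprint('sample tool')\n"


def file_hashes(path):
    """Return MD5 and SHA-256 hex digests of a file, streamed in chunks."""
    digests = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def pad_file(path, count=1, filler=b"\x00"):
    """Append `count` filler bytes: the effect of
    `dd if=/dev/zero bs=1 count=<count> >> path` in the adversary view."""
    with open(path, "ab") as fh:
        fh.write(filler * count)
    return count


def normalized_hashes(path):
    """Hash the file with trailing NUL bytes removed.

    /dev/zero padding only adds NULs at the end, so the original and the
    padded copy share this digest. Use it as an extra lookup key next to the
    plain hash, not instead of it: some legitimate files end in NUL bytes,
    and padding taken from /dev/urandom is not stripped by this.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    stripped = data.rstrip(b"\x00")
    return {
        "md5": hashlib.md5(stripped).hexdigest(),
        "sha256": hashlib.sha256(stripped).hexdigest(),
        "stripped_bytes": len(data) - len(stripped),
    }


def demo(count=1):
    """Write the sample file, pad it, and return hashes before and after."""
    fd, path = tempfile.mkstemp(suffix=".py")  # assumed scratch location
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_CONTENT)
        before = file_hashes(path)
        before_norm = normalized_hashes(path)
        pad_file(path, count)
        after = file_hashes(path)
        after_norm = normalized_hashes(path)
    finally:
        os.unlink(path)
    return {
        "before": before,
        "after": after,
        "before_normalized": before_norm,
        "after_normalized": after_norm,
    }


if __name__ == "__main__":
    r = demo()
    print("md5 before:", r["before"]["md5"])
    print("md5 after: ", r["after"]["md5"])
    print("normalized md5 unchanged:",
          r["before_normalized"]["md5"] == r["after_normalized"]["md5"])
```

The normalized digest is cheap to add to a file-hash enrichment pipeline, but treat a match on it as a lead rather than proof: it only recovers the pre-padding hash when the padding is NUL bytes, which is exactly the case this dataset records.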

Explore Mordor Dataset

Initialize Analytics Engine

# openhunt's mordorutils wraps a local PySpark session for the notebook
from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

# Download the zipped JSON dataset and register it as a temporary SQL table named mordorTable
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/linux/defense_evasion/host/sh_binary_padding_dd.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

Get to know your data

df = spark.sql(
'''
SELECT *
FROM mordorTable
'''
)
df.show(1, vertical=True)
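Once the column names are known from df.show(), the hunt for this behaviour is a predicate over process-creation events. The added Python example below is not part of the dataset or the notebook; it implements that predicate over constructed records (the field names host, image and command_line are assumptions to map onto the real columns) so the logic can be tested offline before being written as Spark SQL against mordorTable. It narrows on dd runs that read filler bytes from /dev/zero, /dev/urandom or /dev/random in a small, bounded amount and do not write to a device, which separates padding from disk wiping and swap-file creation. Note that the shell, not dd, performs the `>> /tmp/psexec.py` redirection in the adversary view, so the padded file name is not in dd's command line; the candidate dd run has to be joined to file-write events to name the target.

```python
import shlex
from pathlib import PurePosixPath

# Input sources whose bytes are pure filler; a small bounded read from them
# that is appended to a file is the padding pattern.
FILLER_SOURCES = {"/dev/zero", "/dev/urandom", "/dev/random"}

# Constructed process-creation records standing in for dataset rows.
# Field names are assumptions; map them to the real columns from df.show().
SAMPLE_EVENTS = [
    {"host": "lab-vm", "image": "/usr/bin/dd",
     "command_line": "dd if=/dev/zero bs=1 count=1"},
    {"host": "lab-vm", "image": "/usr/bin/dd",
     "command_line": "dd if=/dev/zero of=/dev/sdb bs=1M"},
    {"host": "lab-vm", "image": "/usr/bin/dd",
     "command_line": "dd if=/dev/zero of=/swapfile bs=1M count=1024"},
    {"host": "lab-vm", "image": "/usr/bin/dd",
     "command_line": "dd if=/tmp/in.img of=/tmp/out.img bs=4k"},
    {"host": "lab-vm", "image": "/usr/bin/md5sum",
     "command_line": "md5sum /tmp/psexec.py"},
]


def parse_size(text):
    """Parse a dd size operand such as 1, 512, 4k or 1M; ValueError if unknown."""
    units = {"c": 1, "w": 2, "b": 512, "k": 1024, "K": 1024,
             "M": 1024 ** 2, "G": 1024 ** 3}
    if text and text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)


def dd_operands(command_line):
    """Return dd's key=value operands as a dict, or None if this is not dd."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return None
    if not argv or PurePosixPath(argv[0]).name != "dd":
        return None
    return dict(a.split("=", 1) for a in argv[1:] if "=" in a)


def is_padding_candidate(command_line, max_bytes=4096):
    """True when dd copies a small, bounded amount of filler bytes and does
    not write to a device node. Wiping (of=/dev/sdX, no count) and swap-file
    creation (count in the thousands of blocks) are excluded by these rules."""
    ops = dd_operands(command_line)
    if ops is None or ops.get("if") not in FILLER_SOURCES:
        return False
    if ops.get("of", "").startswith("/dev/"):
        return False
    if "count" not in ops:          # unbounded copy: filling, not padding
        return False
    try:
        total = parse_size(ops.get("bs", "512")) * int(ops["count"])
    except ValueError:
        return True                 # operands we cannot parse still merit a look
    return total <= max_bytes


def hunt(events):
    """Return the process-creation records that match the padding pattern."""
    return [e for e in events
            if PurePosixPath(e["image"]).name == "dd"
            and is_padding_candidate(e["command_line"])]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["command_line"])
```

The 4096-byte threshold is a tuning knob, not a fact about the technique: an adversary can pad with more bytes, so treat it as a first filter and review the distribution of dd byte counts in your own telemetry before settling on a value.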