xorddos | 48c39ca9e1d9fe8aa989413b70542bfb59ece57304284f9b43b74dbd7d860225 | Triage

Sharing

General

Target

48c39ca9e1d9fe8aa989413b70542bfb59ece57304284f9b43b74dbd7d860225
Size

611KB
Sample

220714-cd3gcagfhr
MD5

b9cb431c103bd716493a7b70133012de
SHA1

1df96aad70a565d00a545522d6b6626147a9ffee
SHA256

48c39ca9e1d9fe8aa989413b70542bfb59ece57304284f9b43b74dbd7d860225
SHA512

ebc7e5539b4110121c78c503bf2ffe3f91775e96f5c069470b588a673c1a80578659b1c6907a35887431fa5fb72672a5706c430a3d491ea02fe7a66f5e1ffe31

Score

10^/10

xorddos linux persistence

Malware Config

Extracted

Family

xorddos

C2

m.com:21

cdn.netflix2cdn.com:21

cdn.finance1num.com:21

Targets

- Target
  
  48c39ca9e1d9fe8aa989413b70542bfb59ece57304284f9b43b74dbd7d860225
- Size
  
  611KB
- MD5
  
  b9cb431c103bd716493a7b70133012de
- SHA1
  
  1df96aad70a565d00a545522d6b6626147a9ffee
- SHA256
  
  48c39ca9e1d9fe8aa989413b70542bfb59ece57304284f9b43b74dbd7d860225
- SHA512
  
  ebc7e5539b4110121c78c503bf2ffe3f91775e96f5c069470b588a673c1a80578659b1c6907a35887431fa5fb72672a5706c430a3d491ea02fe7a66f5e1ffe31
Score

9^/10

persistence
- Writes file to system bin folder
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies rc script
  Adding/modifying system rc scripts is a common persistence mechanism.
  persistence
- Write file to user bin folder
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1