xorddos | 95b9670a733d04cc9bfc48893d6805ee905c2d4cad4e9b946c02a85ca88b96db | Triage

Submit
Reports

Overview

overview

Static

static

c08ed46f97...a68193

ubuntu-18.04-amd64

Sharing

General

Target

c08ed46f971b08258588363986a68193
Size

660KB
Sample

231222-rq4bqshhdp
MD5

c08ed46f971b08258588363986a68193
SHA1

ede25fe191143cca12c2dc04b9a147e9fd3ac264
SHA256

95b9670a733d04cc9bfc48893d6805ee905c2d4cad4e9b946c02a85ca88b96db
SHA512

f96d16b2af468d9564890ad792c6db646be6b5ac7b1b2a29f3ae348f30885994a30dfe2e3140aca34d79a9e1509039433c7ba31de6f1a047ad65a2dbdc96feb6
SSDEEP

12288:yB6hZ/D+2wZn/Dj3y3NDghlVx3LxAnbZ4F36yT+VmgiZM+yqGTh5AZ2:yB6PL+2S/Dj0NDAVx3LxAnuFjoiLyqGT

Score

10^/10

xorddos antivm botnet downloader linux persistence

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

c08ed46f971b08258588363986a68193

Resource

ubuntu1804-amd64-20231215-en

xorddos antivm botnet downloader persistence

ubuntu-18.04-amd64

8 signatures

150 seconds

Malware Config

Extracted

Family

xorddos

C2

103.25.9.245:3505

103.240.141.50:3505

66.102.253.30:3505

ndns.dsaj2a1.org:3505

ndns.dsaj2a.org:3505

ndns.hcxiaoao.com:3505

ndns.dsaj2a.com:3505

Attributes

crc_polynomial
EDB88320

xor.plain

Targets

- Target
  
  c08ed46f971b08258588363986a68193
- Size
  
  660KB
- MD5
  
  c08ed46f971b08258588363986a68193
- SHA1
  
  ede25fe191143cca12c2dc04b9a147e9fd3ac264
- SHA256
  
  95b9670a733d04cc9bfc48893d6805ee905c2d4cad4e9b946c02a85ca88b96db
- SHA512
  
  f96d16b2af468d9564890ad792c6db646be6b5ac7b1b2a29f3ae348f30885994a30dfe2e3140aca34d79a9e1509039433c7ba31de6f1a047ad65a2dbdc96feb6
- SSDEEP
  
  12288:yB6hZ/D+2wZn/Dj3y3NDghlVx3LxAnbZ4F36yT+VmgiZM+yqGTh5AZ2:yB6PL+2S/Dj0NDAVx3LxAnuFjoiLyqGT
Score

10^/10

xorddos antivm botnet downloader persistence
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Deletes itself
- Executes dropped EXE
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Checks CPU configuration
  Checks CPU information which indicate if the system is a virtual machine.
  antivm
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Privilege Escalation

Boot or Logon Autostart Execution

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xorddosantivmbotnetdownloaderpersistence

© 2018-2024

Terms | Privacy