xorddos | ae38c170144317b0f8e3e0a761085431e18d2eac562622880a6d8e83fd4dee88 | Triage

Submit
Reports

Overview

overview

Static

static

76741721ae...82.elf

ubuntu-20.04-amd64

Sharing

General

Target

455b46bf3f93b8853137de2b99ef0f4c.bin
Size

257KB
Sample

240325-b3922sce65
MD5

b614eddce18a5272852d3d01a7448078
SHA1

bcd7fbd3b9a6c976a754c627168a921c27940a02
SHA256

ae38c170144317b0f8e3e0a761085431e18d2eac562622880a6d8e83fd4dee88
SHA512

af81ca863457d86379d90eb4cf4a9d6fd5924e6c7d8c69e1c59e46566fa1fd41cc728e85c79164ca4cdfc8c925dbece67cd3e1dff0388bca9949740e1320a94f
SSDEEP

6144:ampXERvHw0JULkgwnDoiZDIBXPU3Ym1AAe0K/4K1FmDs5T:a2XERvQzL6DoiGB/VmG0vs3V

Score

10^/10

xorddos botnet downloader linux persistence

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf

Resource

ubuntu2004-amd64-20240221-en

xorddos botnet downloader persistence

ubuntu-20.04-amd64

14 signatures

150 seconds

Malware Config

Extracted

Family

xorddos

C2

bb.markerbio.com:13307

bb.myserv012.com:13307

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Targets

- Target
  
  76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf
- Size
  
  549KB
- MD5
  
  455b46bf3f93b8853137de2b99ef0f4c
- SHA1
  
  99387d92aee1ad50c8af0a5192f651ad8021d1d4
- SHA256
  
  76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882
- SHA512
  
  a43cc62e55da2d23f2f57bffc3e2f3e406e41b0e1ba24b38d274a12e25d87d005f89f03e98c4fbf91622b75a4009c38033ea9d74316696469d26f9ea3a3237fa
- SSDEEP
  
  12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx6:VIv/qiVNHNDEfJKHZ8mG9QeeO6
Score

10^/10

xorddos botnet downloader persistence
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Deletes itself
- Executes dropped EXE
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Write file to user bin folder
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xorddosbotnetdownloaderpersistence

© 2018-2024

Terms | Privacy