xorddos | 9c7e43e5212142a195a794486b13efcc9779f9c0742b608c66c18937856bb452 | Triage

Submit
Reports

Overview

overview

Static

static

7

01942bbe32...kes118

ubuntu-20.04-amd64

Sharing

General

Target

01942bbe326395e8bf8312c304b30c21_JaffaCakes118
Size

247KB
Sample

240328-knyvxaed32
MD5

01942bbe326395e8bf8312c304b30c21
SHA1

b8a481e91c77631aa74b8188b17166d9861dfde0
SHA256

9c7e43e5212142a195a794486b13efcc9779f9c0742b608c66c18937856bb452
SHA512

914224281378d60adca99c34848485550c1eb29f95a6755d83d10d9a55ea21fb6e973fc5bb144a20b3ebd25b8a8cdc8b5aa819aa2f345c3dada5d39d9c2d1b7b
SSDEEP

6144:nSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NCPhhhR//mqYi:mZRgUY/fsJcO1KOiXOhhhBei

Score

10^/10

xorddos botnet downloader infostealer linux persistence upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

01942bbe326395e8bf8312c304b30c21_JaffaCakes118

Resource

ubuntu2004-amd64-20240221-en

xorddos botnet downloader infostealer persistence upx

ubuntu-20.04-amd64

10 signatures

150 seconds

Malware Config

Extracted

Family

xorddos

Attributes

crc_polynomial
EDB88320

Targets

- Target
  
  01942bbe326395e8bf8312c304b30c21_JaffaCakes118
- Size
  
  247KB
- MD5
  
  01942bbe326395e8bf8312c304b30c21
- SHA1
  
  b8a481e91c77631aa74b8188b17166d9861dfde0
- SHA256
  
  9c7e43e5212142a195a794486b13efcc9779f9c0742b608c66c18937856bb452
- SHA512
  
  914224281378d60adca99c34848485550c1eb29f95a6755d83d10d9a55ea21fb6e973fc5bb144a20b3ebd25b8a8cdc8b5aa819aa2f345c3dada5d39d9c2d1b7b
- SSDEEP
  
  6144:nSDFOrnwRgUbMisI6sdkH+M6hWOcy5KOZW7U6NCPhhhR//mqYi:mZRgUY/fsJcO1KOiXOhhhBei
Score

10^/10

xorddos botnet downloader infostealer persistence upx
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- Executes dropped EXE
- Reads EFI boot settings
  Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
  infostealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Write file to user bin folder
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Privilege Escalation

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xorddosbotnetdownloaderinfostealerpersistenceupx

© 2018-2024

Terms | Privacy