xorddos | 0e817a2325c215997de15851152a66924874739eeff5da4b434e5d36c83a76eb | Triage

Submit
Reports

Overview

overview

Static

static

11.txt

ubuntu-20.04-amd64

Sharing

General

Target

11.txt
Size

542KB
Sample

240330-j25pyabe9t
MD5

e40d4ba6f6aee3acd39faf65f471894a
SHA1

7de3d9b9905cc4fde29d37ca73e2ffcf7bbb0eab
SHA256

0e817a2325c215997de15851152a66924874739eeff5da4b434e5d36c83a76eb
SHA512

2479a64b2cdcff25f87725f6541921fbb4590725f2a8ba7b4827a706ac326fb6124b6c10ea2635502a79081aa2d6b2a29ffeaaa269d320e281e26bb68a30a88f
SSDEEP

12288:VB2bw1CH/FwznbIU9sE8c8lqd49N94wT4JXQLLp6yWrk3:VB2WCH/eMU9Uc8gd49N94BJXQLL4ru

Score

10^/10

xorddos antivm botnet downloader infostealer linux persistence

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

11.txt

Resource

ubuntu2004-amd64-20240221-en

xorddos antivm botnet downloader infostealer persistence

ubuntu-20.04-amd64

10 signatures

1800 seconds

Malware Config

Extracted

Family

xorddos

C2

http://ww.wowapplecar.com/config.rar

dd.vvbb321.com:1430

dd.jjkk567.com:1430

dd.nnmm234.com:1430

dd.aass654.com:1430

dd.xxcc789.com:1430

Attributes

crc_polynomial
EDB88320

xor.plain

Targets

- Target
  
  11.txt
- Size
  
  542KB
- MD5
  
  e40d4ba6f6aee3acd39faf65f471894a
- SHA1
  
  7de3d9b9905cc4fde29d37ca73e2ffcf7bbb0eab
- SHA256
  
  0e817a2325c215997de15851152a66924874739eeff5da4b434e5d36c83a76eb
- SHA512
  
  2479a64b2cdcff25f87725f6541921fbb4590725f2a8ba7b4827a706ac326fb6124b6c10ea2635502a79081aa2d6b2a29ffeaaa269d320e281e26bb68a30a88f
- SSDEEP
  
  12288:VB2bw1CH/FwznbIU9sE8c8lqd49N94wT4JXQLLp6yWrk3:VB2WCH/eMU9Uc8gd49N94BJXQLL4ru
Score

10^/10

xorddos antivm botnet downloader infostealer persistence
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Executes dropped EXE
- Reads EFI boot settings
  Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
  infostealer
- Checks CPU configuration
  Checks CPU information which indicate if the system is a virtual machine.
  antivm
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Write file to user bin folder
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Privilege Escalation

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Defense Evasion

Virtualization/Sandbox Evasion

Hijack Execution Flow

Credential Access

Discovery

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xorddosantivmbotnetdownloaderinfostealerpersistence

© 2018-2024

Terms | Privacy