xorddos | 580accbe4ec8e8ec6808c34eda1d6feae17d9940723acd1fe13db75d02e13ae9 | Triage

Submit
Reports

Overview

overview

Static

static

0190d66de8...kes118

ubuntu-20.04-amd64

Sharing

General

Target

0190d66de838c766a844e52c1f4f047a_JaffaCakes118
Size

611KB
Sample

240426-yw3eysbb99
MD5

0190d66de838c766a844e52c1f4f047a
SHA1

2e7fd825bec6d7fc7ddb9e2b60b3c9678bad6eae
SHA256

580accbe4ec8e8ec6808c34eda1d6feae17d9940723acd1fe13db75d02e13ae9
SHA512

c26e30f4f10959ecf529631e078651f0b720bd542722aad0e3c4178ae3fbf5ac8d7a6bc453e0a4c3d4b8ef7ebc4267b36a399f1e6b608596c509733c075468de
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrr3T6yF8EEP4UlUuTh1A7:FBXmkN/+Fhu/Qo4h9L+zNN3BVEBl/91W

Score

10^/10

xorddos botnet downloader infostealer linux persistence

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

0190d66de838c766a844e52c1f4f047a_JaffaCakes118

Resource

ubuntu2004-amd64-20240418-en

xorddos botnet downloader infostealer persistence

ubuntu-20.04-amd64

9 signatures

150 seconds

Malware Config

Extracted

Family

xorddos

C2

http://aa.finance1num.org/config.rar

cdn.netflix2cdn.com:3308

cdn.finance1num.com:3308

Attributes

crc_polynomial
EDB88320

xor.plain

Targets

- Target
  
  0190d66de838c766a844e52c1f4f047a_JaffaCakes118
- Size
  
  611KB
- MD5
  
  0190d66de838c766a844e52c1f4f047a
- SHA1
  
  2e7fd825bec6d7fc7ddb9e2b60b3c9678bad6eae
- SHA256
  
  580accbe4ec8e8ec6808c34eda1d6feae17d9940723acd1fe13db75d02e13ae9
- SHA512
  
  c26e30f4f10959ecf529631e078651f0b720bd542722aad0e3c4178ae3fbf5ac8d7a6bc453e0a4c3d4b8ef7ebc4267b36a399f1e6b608596c509733c075468de
- SSDEEP
  
  12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrr3T6yF8EEP4UlUuTh1A7:FBXmkN/+Fhu/Qo4h9L+zNN3BVEBl/91W
Score

10^/10

xorddos botnet downloader infostealer persistence
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Executes dropped EXE
- Reads EFI boot settings
  Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
  infostealer
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Write file to user bin folder
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Privilege Escalation

Scheduled Task/Job

Boot or Logon Autostart Execution

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xorddosbotnetdownloaderinfostealerpersistence

© 2018-2024

Terms | Privacy