xorddos | 84e40a4e1e02a719aa93c734049c96bae0cfa6d075f47d64b63b84eece3648d6 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

5de386b209...kes118

ubuntu-22.04-amd64

Sharing

General

Target

5de386b209befcb96c835a048b3fd178_JaffaCakes118
Size

647KB
Sample

240729-y6cmaatapd
MD5

5de386b209befcb96c835a048b3fd178
SHA1

c701990533a21d5aae6c0067c475ef2d02fb4f16
SHA256

84e40a4e1e02a719aa93c734049c96bae0cfa6d075f47d64b63b84eece3648d6
SHA512

085b3d3b78896f8a11279d9c53ef433c0c620c02db5e79a162908738f652dd4c64e485a72706974fa4560ca5f67daf8ee30630a84bb27bae430077b2b29dd50b
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonjp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mj6wvnDWXMN

Score

10^/10

xorddos botnet downloader linux persistence

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

5de386b209befcb96c835a048b3fd178_JaffaCakes118

Resource

ubuntu2204-amd64-20240611-en

xorddos botnet downloader persistence

ubuntu-22.04-amd64

8 signatures

150 seconds

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

tt1.v5zz.com:350

192.168.1.131:3826

abcd.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

1
BB2FA36AAA9541F0

Targets

- Target
  
  5de386b209befcb96c835a048b3fd178_JaffaCakes118
- Size
  
  647KB
- MD5
  
  5de386b209befcb96c835a048b3fd178
- SHA1
  
  c701990533a21d5aae6c0067c475ef2d02fb4f16
- SHA256
  
  84e40a4e1e02a719aa93c734049c96bae0cfa6d075f47d64b63b84eece3648d6
- SHA512
  
  085b3d3b78896f8a11279d9c53ef433c0c620c02db5e79a162908738f652dd4c64e485a72706974fa4560ca5f67daf8ee30630a84bb27bae430077b2b29dd50b
- SSDEEP
  
  12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonjp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mj6wvnDWXMN
Score

10^/10

xorddos botnet downloader persistence
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Deletes itself
- Executes dropped EXE
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xorddosbotnetdownloaderpersistence

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.