xorddos | afb23b7eb037423c3a6b3c8d28bd8b6ef7f8d3ebc9615ce91292e5a2c067dda4 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

8195401195...kes118

ubuntu-18.04-amd64

Sharing

General

Target

8195401195f52008f2680bd3f1d17ec8_JaffaCakes118
Size

610KB
Sample

240801-w7v4xaxfnd
MD5

8195401195f52008f2680bd3f1d17ec8
SHA1

7a21e5bf147c1e2bc9041b9111b8d3d34f4adddf
SHA256

afb23b7eb037423c3a6b3c8d28bd8b6ef7f8d3ebc9615ce91292e5a2c067dda4
SHA512

b580d70ac7d27759222377b1e55dc1d07659d908ceb99d1bf0359bfa8b3eac2ec23b62c73703cc46ab770aebf94c007d198f6241ef5be74406b0074dc1948f7e
SSDEEP

12288:WBxHsnhar0nJ7FGY5HRYxC1mqiL40qFCWU7k/rU6yZNnXgW4UlUuTh1Ac:WBxHgaUVFGAR11mTL40q/ZGpXgUl/91x

Score

10^/10

xorddos antivm botnet downloader linux persistence

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

8195401195f52008f2680bd3f1d17ec8_JaffaCakes118

Resource

ubuntu1804-amd64-20240611-en

xorddos antivm botnet downloader persistence

ubuntu-18.04-amd64

8 signatures

150 seconds

Malware Config

Extracted

Family

xorddos

C2

http://www1.gggatat456.com/dd.rar

t456.com:6005

t456.com:6004

aaa.gggatat456.com:6003

aaa.xxxatat456.com:6003

bbb.gggatat456.com:22

bbb.xxxatat456.com:22

bbb.gggatat456.com:443

bbb.xxxatat456.com:443

Attributes

crc_polynomial
EDB88320

xor.plain

Targets

- Target
  
  8195401195f52008f2680bd3f1d17ec8_JaffaCakes118
- Size
  
  610KB
- MD5
  
  8195401195f52008f2680bd3f1d17ec8
- SHA1
  
  7a21e5bf147c1e2bc9041b9111b8d3d34f4adddf
- SHA256
  
  afb23b7eb037423c3a6b3c8d28bd8b6ef7f8d3ebc9615ce91292e5a2c067dda4
- SHA512
  
  b580d70ac7d27759222377b1e55dc1d07659d908ceb99d1bf0359bfa8b3eac2ec23b62c73703cc46ab770aebf94c007d198f6241ef5be74406b0074dc1948f7e
- SSDEEP
  
  12288:WBxHsnhar0nJ7FGY5HRYxC1mqiL40qFCWU7k/rU6yZNnXgW4UlUuTh1Ac:WBxHgaUVFGAR11mTL40q/ZGpXgUl/91x
Score

10^/10

xorddos antivm botnet downloader persistence
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Executes dropped EXE
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Write file to user bin folder
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

Credential Access

Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xorddosantivmbotnetdownloaderpersistence

© 2018-2025

Terms | Privacy