xorddos | 26afd8aa5395d48d260804313103452ffe2248d7820d0c688f19b9e2532f86d2 | Triage

Sharing

General

Target

84d952648c8b04ae92d8ae5c590bb796_JaffaCakes118
Size

549KB
Sample

240810-fdyd6szhjb
MD5

84d952648c8b04ae92d8ae5c590bb796
SHA1

226678d94699643f98278f12fc75ee2e91cb35ca
SHA256

26afd8aa5395d48d260804313103452ffe2248d7820d0c688f19b9e2532f86d2
SHA512

c5eade8014054e73800aa2776509eef9a851f61c34fca60132f1db534706a7cccbff2ed4a21d10b2a39602a3843f24792a8bf362b1655a88048af740a84b2f60
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

10^/10

xorddos botnet downloader linux persistence

Malware Config

Extracted

Family

xorddos

C2

p6.2017fly.com:21

p6.2017fly.com:80

p6.2018fly.com:21

p6.2018fly.com:80

p6.sb1024.net:21

p6.sb1024.net:80

http://fuck.2017fly.com/i.php

Attributes

crc_polynomial
CDB88320

xor.plain

Targets

- Target
  
  84d952648c8b04ae92d8ae5c590bb796_JaffaCakes118
- Size
  
  549KB
- MD5
  
  84d952648c8b04ae92d8ae5c590bb796
- SHA1
  
  226678d94699643f98278f12fc75ee2e91cb35ca
- SHA256
  
  26afd8aa5395d48d260804313103452ffe2248d7820d0c688f19b9e2532f86d2
- SHA512
  
  c5eade8014054e73800aa2776509eef9a851f61c34fca60132f1db534706a7cccbff2ed4a21d10b2a39602a3843f24792a8bf362b1655a88048af740a84b2f60
- SSDEEP
  
  12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO
Score

10^/10

xorddos botnet downloader persistence
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Deletes itself
- Executes dropped EXE
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Write file to user bin folder
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xorddosbotnetdownloaderpersistence