xorddos | a52428f16f891e1a17375cbee34fdb68c83632988e7b1ae1590bacda2724cc0b | Triage

Submit
Reports

Overview

overview

Static

static

d24e975bd1...kes118

ubuntu-24.04-amd64

Sharing

General

Target

d24e975bd11c5e17ce8fa6a5b8ab52ca_JaffaCakes118
Size

596KB
Sample

240907-teq85stflc
MD5

d24e975bd11c5e17ce8fa6a5b8ab52ca
SHA1

e83557dce06c238a6c2d04ec7da00d908c90c82e
SHA256

a52428f16f891e1a17375cbee34fdb68c83632988e7b1ae1590bacda2724cc0b
SHA512

16cb95f72708869d75c9e4f63d1cb5fa95ccddb9460fc6a4bc8c3837e46df512a8e4e87bf24e7e9ae9b44357536694fa96308a1436cdb7e6ac1609f192f3dc60
SSDEEP

12288:rPTJS+naeW9kclFEcMWbHdxZ7GkR2fo/6y9P/YAh7Dxu9hc7L:DTJfrW99q4bHdxZ7G1foFND4XcP

Score

10^/10

xorddos botnet discovery downloader execution linux persistence privilege_escalatio rootkit

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

d24e975bd11c5e17ce8fa6a5b8ab52ca_JaffaCakes118

Resource

ubuntu2404-amd64-20240523-en

xorddos botnet discovery downloader execution persistence privilege_escalatio rootkit

ubuntu-24.04-amd64

7 signatures

150 seconds

Malware Config

Extracted

Family

xorddos

C2

http://full.dsaj2a.org/b/u.php

gh.dsaj2a1.org:2415

pengpenga.xicp.net:2415

61.174.49.203:2415

Attributes

crc_polynomial
EDB88320

xor.plain

Targets

- Target
  
  d24e975bd11c5e17ce8fa6a5b8ab52ca_JaffaCakes118
- Size
  
  596KB
- MD5
  
  d24e975bd11c5e17ce8fa6a5b8ab52ca
- SHA1
  
  e83557dce06c238a6c2d04ec7da00d908c90c82e
- SHA256
  
  a52428f16f891e1a17375cbee34fdb68c83632988e7b1ae1590bacda2724cc0b
- SHA512
  
  16cb95f72708869d75c9e4f63d1cb5fa95ccddb9460fc6a4bc8c3837e46df512a8e4e87bf24e7e9ae9b44357536694fa96308a1436cdb7e6ac1609f192f3dc60
- SSDEEP
  
  12288:rPTJS+naeW9kclFEcMWbHdxZ7GkR2fo/6y9P/YAh7Dxu9hc7L:DTJfrW99q4bHdxZ7G1foFND4XcP
Score

10^/10

xorddos botnet discovery downloader execution persistence privilege_escalatio rootkit
- XorDDoS
  Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
  botnet downloader xorddos
- XorDDoS payload
- Writes memory of remote process
- Loads a kernel module
  Loads a Linux kernel module, potentially to achieve persistence
  rootkit
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Cron

Persistence

Scheduled Task/Job

Cron

Privilege Escalation

Scheduled Task/Job

Cron

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xorddosbotnetdiscoverydownloaderexecutionpersistenceprivilege_escalatiorootkit

© 2018-2024

Terms | Privacy