Overview

overview

10

Static

static

10

f48d2e608f...ac03b3

linux_amd64

10

Resubmissions

02-06-2022 16:54

220602-vewz3aghc6 10

05-01-2022 12:00

220105-n6djgaaehl 1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3

  • Size

    546KB

  • Sample

    220602-vewz3aghc6

  • MD5

    429164dbad09cd108d22105e628a3daa

  • SHA1

    85cd14daabf7ffa7dfec07fd50e8e82eca9b5855

  • SHA256

    f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3

  • SHA512

    0bac37f71c3a5062884e65d3c0b4f3466b73cb8611e300662f6ecfb80d44e8a724c845c55746d5341965b2b56c62f366822f86cd4113df80f7fca85e445b5923

Score
10/10
xorddoslinuxpersistencesuricata

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:5993

wowapplecar.com:5993

Targets

    • Target

      f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3

    • Size

      546KB

    • MD5

      429164dbad09cd108d22105e628a3daa

    • SHA1

      85cd14daabf7ffa7dfec07fd50e8e82eca9b5855

    • SHA256

      f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3

    • SHA512

      0bac37f71c3a5062884e65d3c0b4f3466b73cb8611e300662f6ecfb80d44e8a724c845c55746d5341965b2b56c62f366822f86cd4113df80f7fca85e445b5923

    Score
    10/10
    persistencesuricata

    • suricata: ET MALWARE DDoS.XOR Checkin via HTTP

      suricata: ET MALWARE DDoS.XOR Checkin via HTTP

      suricata

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

      persistence

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Hijack Execution Flow

1
T1574

Scheduled Task

1
T1053

Boot or Logon Autostart Execution

2
T1547

Privilege Escalation

Hijack Execution Flow

1
T1574

Scheduled Task

1
T1053

Boot or Logon Autostart Execution

2
T1547

Defense Evasion

Hijack Execution Flow

1
T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks