General

  • Target

    23.vir

  • Size

    611KB

  • Sample

    220618-k41z7sfghr

  • MD5

    9c7f574ad4c0e4a394f57d3d50227a58

  • SHA1

    d148b8051c438d792d2604c6aa69002743503197

  • SHA256

    b242c3eca68edc7c09505570455398cce9b02689287690971762899d1fb2b1a8

  • SHA512

    fb9f5c478e1266cf82ce5667478d47b7ce4b3949374648fe1a98a138d97ca07fede3a254bc1f56b031bdc328df61488f42cf51b104d58699ba6b3c9aaa0d792f

Malware Config

Extracted

Family

xorddos

C2

axf6.com:3309

www.enoan2107.com:3309

www.gzcfr5axf6.com:3309

Targets


    Score
    10/10
    • suricata: ET MALWARE DDoS.XOR Checkin

    • suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Writes file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.
