General

  • Target

    317c1be0ddc03360bc368bd36fdcb9cd8291eaeb34b056a9766b09249549370f

  • Size

    535KB

  • Sample

    220620-2e4s8sebg3

  • MD5

    4b0f3a383849f60ef08cc33eb623684a

  • SHA1

    8d3d001a347f09a67760abef06afee1e1b9ebd65

  • SHA256

    317c1be0ddc03360bc368bd36fdcb9cd8291eaeb34b056a9766b09249549370f

  • SHA512

    d431ffd10fa5606ec3a4a206758dface7812f1304d8c17eaa24a464954354de808535aacc12366eeab554aad3609f42d5c65a4c203e0a488948969935e751328

Malware Config

Extracted

Family

xorddos

C2

tat456.com:1522

ppp.gggatat456.com:1522

ppp.xxxatat456.com:1522

www1.gggatat456.com:1522

Targets

    • Target

      317c1be0ddc03360bc368bd36fdcb9cd8291eaeb34b056a9766b09249549370f

    • Size

      535KB

    • MD5

      4b0f3a383849f60ef08cc33eb623684a

    • SHA1

      8d3d001a347f09a67760abef06afee1e1b9ebd65

    • SHA256

      317c1be0ddc03360bc368bd36fdcb9cd8291eaeb34b056a9766b09249549370f

    • SHA512

      d431ffd10fa5606ec3a4a206758dface7812f1304d8c17eaa24a464954354de808535aacc12366eeab554aad3609f42d5c65a4c203e0a488948969935e751328

    Score
    10/10
    • suricata: ET MALWARE DDoS.XOR Checkin

      suricata: ET MALWARE DDoS.XOR Checkin

    • suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

      suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Enterprise v6

Tasks