General

  • Target

    6e480ae0b1e441e36684ebc848b0f3a5c9f4da9519d807c629a8aa4428f24475

  • Size

    596KB

  • Sample

    220620-jjg6xsagbk

  • MD5

    32391ecf8deb9ec63c882d2007713ff3

  • SHA1

    829a16f59f9b4bd57262ba5c3b5ed761efc07224

  • SHA256

    6e480ae0b1e441e36684ebc848b0f3a5c9f4da9519d807c629a8aa4428f24475

  • SHA512

    c4d13cf80b6f7f4cb2a01087c7001b1ea956d773c76a83110a2b41915ff5c5358719978557a17ca7ae853a1d94e9d8c0b73ad8730d2f59ab31ea54d1d43e038d

Malware Config

Extracted

Family

xorddos

C2

gh.dsaj2a1.org:2444

shaoqian.f3322.org:2444

183.60.202.2:2444

Targets

    Score
    9/10
    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Writes file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.
