General

  • Target

    55f3c016025b72ae40fee768b17d59de72f9b9f9bfdfb4ca768d1a588afd7060

  • Size

    535KB

  • Sample

    220620-xmmsgaadhk

  • MD5

    318d18a0c89b1438fd4e05a3c07776ca

  • SHA1

    65f5b14dae2427cf63e59fd5c7d9bdccd6ad5728

  • SHA256

    55f3c016025b72ae40fee768b17d59de72f9b9f9bfdfb4ca768d1a588afd7060

  • SHA512

    4f5a35ba37a9b6aa87baef8b53ec4d1ad0f4272cb6d3f1d5a0ca68eafe176b96962ce12b18b4922bcfd87a0959f7cccf184f9e854b60e17011554772d72beaec

Malware Config

Extracted

Family

xorddos

C2

tat456.com:1520

ppp.gggatat456.com:1520

ppp.xxxatat456.com:1520

www1.gggatat456.com:1520

Targets

    • Target

      55f3c016025b72ae40fee768b17d59de72f9b9f9bfdfb4ca768d1a588afd7060

    • Size

      535KB

    • MD5

      318d18a0c89b1438fd4e05a3c07776ca

    • SHA1

      65f5b14dae2427cf63e59fd5c7d9bdccd6ad5728

    • SHA256

      55f3c016025b72ae40fee768b17d59de72f9b9f9bfdfb4ca768d1a588afd7060

    • SHA512

      4f5a35ba37a9b6aa87baef8b53ec4d1ad0f4272cb6d3f1d5a0ca68eafe176b96962ce12b18b4922bcfd87a0959f7cccf184f9e854b60e17011554772d72beaec

    Score
    10/10
    • suricata: ET MALWARE DDoS.XOR Checkin

      suricata: ET MALWARE DDoS.XOR Checkin

    • suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

      suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Enterprise v6

Tasks