General

  • Target

    3aa0531284135dbe4701da8c686386851f9d9eafc1602180f9ce95f1333b773e

  • Size

    611KB

  • Sample

    220625-c31daaaheq

  • MD5

    80f092f47420fcb57f3b96ce5ebce321

  • SHA1

    08ee68f169df94a1abf12eabb4522f722b32a6e1

  • SHA256

    3aa0531284135dbe4701da8c686386851f9d9eafc1602180f9ce95f1333b773e

  • SHA512

    52db70aa7dddf923427fbbcf2c0afab9082b4811433e4ea9ad2b98fffdea70a247211f8447516b1bf9a25a9721818dae31c5b9deaf9088f82aa1faf415c0fe66

Malware Config

Extracted

Family

xorddos

C2

ppp.gggatat456.com:53

ppp.xxxatat456.com:53

p5.dddgata789.com:53

p5.lpjulidny7.com:53

Targets

    • Target

      3aa0531284135dbe4701da8c686386851f9d9eafc1602180f9ce95f1333b773e

    • Size

      611KB

    • MD5

      80f092f47420fcb57f3b96ce5ebce321

    • SHA1

      08ee68f169df94a1abf12eabb4522f722b32a6e1

    • SHA256

      3aa0531284135dbe4701da8c686386851f9d9eafc1602180f9ce95f1333b773e

    • SHA512

      52db70aa7dddf923427fbbcf2c0afab9082b4811433e4ea9ad2b98fffdea70a247211f8447516b1bf9a25a9721818dae31c5b9deaf9088f82aa1faf415c0fe66

    Score
    10/10
    • suricata: ET MALWARE DDoS.XOR Checkin

      suricata: ET MALWARE DDoS.XOR Checkin

    • suricata: ET MALWARE DDoS.XOR Checkin via HTTP

      suricata: ET MALWARE DDoS.XOR Checkin via HTTP

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Enterprise v6

Tasks