General

  • Target

    aafb7c71f2fff23af7cfb7b20d78b6ba278a2aaa3b482516f9c95e4973fa6fa2

  • Size

    535KB

  • Sample

    220625-zd9xrabbgr

  • MD5

    3843a9abd985fbc02f5f893070e4f09d

  • SHA1

    2ec63298b82e20e934efe47fb468fe3eb7c34879

  • SHA256

    aafb7c71f2fff23af7cfb7b20d78b6ba278a2aaa3b482516f9c95e4973fa6fa2

  • SHA512

    cada58c54e1501405b0439146839c8a524130c1a209232433579aa21e9bb4a4fb2f5f74bfe9dcfe6f95b97c1d85d929023be851316b5be656fc6fef2c4ec0cd9

Malware Config

Extracted

Family

xorddos

C2

tat456.com:1523

ppp.gggatat456.com:1523

ppp.xxxatat456.com:1523

www1.gggatat456.com:1523

Targets

    • Target

      aafb7c71f2fff23af7cfb7b20d78b6ba278a2aaa3b482516f9c95e4973fa6fa2

    • Size

      535KB

    • MD5

      3843a9abd985fbc02f5f893070e4f09d

    • SHA1

      2ec63298b82e20e934efe47fb468fe3eb7c34879

    • SHA256

      aafb7c71f2fff23af7cfb7b20d78b6ba278a2aaa3b482516f9c95e4973fa6fa2

    • SHA512

      cada58c54e1501405b0439146839c8a524130c1a209232433579aa21e9bb4a4fb2f5f74bfe9dcfe6f95b97c1d85d929023be851316b5be656fc6fef2c4ec0cd9

    Score
    10/10
    • suricata: ET MALWARE DDoS.XOR Checkin

      suricata: ET MALWARE DDoS.XOR Checkin

    • suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

      suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Enterprise v6

Tasks