General

  • Target

    35bc8d41eb573e8553bb7be33ab0b2ca1ce3b87842e8f6e8f383e6f13b57d9e5

  • Size

    611KB

  • Sample

    220626-2757rsgbg5

  • MD5

    9bd509238c2e3e4801daba9ca2860a4d

  • SHA1

    e95528ee6285d128d560966b18f069537a97154c

  • SHA256

    35bc8d41eb573e8553bb7be33ab0b2ca1ce3b87842e8f6e8f383e6f13b57d9e5

  • SHA512

    fbf287f9c9f695ad9eb6c1327be73ef9b4bd39a8eac22a84dea23f17878287847b9173e8e5cb219d6ae9b8efebf19e9425bcd9bbfd688c7716900cfb416a78f0

Malware Config

Extracted

Family

xorddos

C2

.com:3309

ww.myserv012.com:3309

ww.search2c.com:3309

Targets

    • Target

      35bc8d41eb573e8553bb7be33ab0b2ca1ce3b87842e8f6e8f383e6f13b57d9e5

    • Size

      611KB

    • MD5

      9bd509238c2e3e4801daba9ca2860a4d

    • SHA1

      e95528ee6285d128d560966b18f069537a97154c

    • SHA256

      35bc8d41eb573e8553bb7be33ab0b2ca1ce3b87842e8f6e8f383e6f13b57d9e5

    • SHA512

      fbf287f9c9f695ad9eb6c1327be73ef9b4bd39a8eac22a84dea23f17878287847b9173e8e5cb219d6ae9b8efebf19e9425bcd9bbfd688c7716900cfb416a78f0

    Score
    10/10
    • suricata: ET MALWARE DDoS.XOR Checkin

      suricata: ET MALWARE DDoS.XOR Checkin

    • suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

      suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Enterprise v6

Tasks