Resubmissions

12-05-2023 10:49

230512-mw2b4sfa3x 10

General

  • Target

    xlzyktus

  • Size

    549KB

  • Sample

    230512-mw2b4sfa3x

  • MD5

    895f7fff165ddfba70b7d718ac3de989

  • SHA1

    2663c2ebb853083f5cf645cdc0cce31c8ace4fba

  • SHA256

    311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151

  • SHA512

    c4d3a5eea879e69d347e29a60780e2ddc31f0d2a78abc7429b8d2b4306065c34f0ed1a03cd0a74234f5098ef239f745fccb87086c5cdaf9f65383d119e77e617

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxd:VIv/qiVNHNDEfJKHZ8mG9QeeOd

Malware Config

Extracted

Family

xorddos

C2

www.imagetw0.com:889

www.myserv012.com:889

http://qq.com/lib.asp

Attributes
  • crc_polynomial

    CDB88320

xor.plain

Targets

    • Target

      xlzyktus

    • Size

      549KB

    • MD5

      895f7fff165ddfba70b7d718ac3de989

    • SHA1

      2663c2ebb853083f5cf645cdc0cce31c8ace4fba

    • SHA256

      311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151

    • SHA512

      c4d3a5eea879e69d347e29a60780e2ddc31f0d2a78abc7429b8d2b4306065c34f0ed1a03cd0a74234f5098ef239f745fccb87086c5cdaf9f65383d119e77e617

    • SSDEEP

      12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxd:VIv/qiVNHNDEfJKHZ8mG9QeeOd

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Deletes itself

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Executes dropped EXE

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Writes file to shm directory

      Malware can drop malicious files in the shm directory which will run directly from RAM.

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Enterprise v6

Tasks