Overview

overview

10

Static

static

10

xlzyktus.elf

ubuntu-18.04-amd64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    xlzyktus.elf

  • Size

    549KB

  • Sample

    230514-xdqg1afd8w

  • MD5

    895f7fff165ddfba70b7d718ac3de989

  • SHA1

    2663c2ebb853083f5cf645cdc0cce31c8ace4fba

  • SHA256

    311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151

  • SHA512

    c4d3a5eea879e69d347e29a60780e2ddc31f0d2a78abc7429b8d2b4306065c34f0ed1a03cd0a74234f5098ef239f745fccb87086c5cdaf9f65383d119e77e617

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxd:VIv/qiVNHNDEfJKHZ8mG9QeeOd

Score
10/10
xorddosbotnetdownloaderlinuxpersistence

Malware Config

Extracted

Family

xorddos

C2

www.imagetw0.com:889

www.myserv012.com:889

http://qq.com/lib.asp
Attributes
  • crc_polynomial

    CDB88320

xor.plain

Targets

    • Target

      xlzyktus.elf

    • Size

      549KB

    • MD5

      895f7fff165ddfba70b7d718ac3de989

    • SHA1

      2663c2ebb853083f5cf645cdc0cce31c8ace4fba

    • SHA256

      311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151

    • SHA512

      c4d3a5eea879e69d347e29a60780e2ddc31f0d2a78abc7429b8d2b4306065c34f0ed1a03cd0a74234f5098ef239f745fccb87086c5cdaf9f65383d119e77e617

    • SSDEEP

      12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxd:VIv/qiVNHNDEfJKHZ8mG9QeeOd

    Score
    10/10
    xorddosbotnetdownloaderpersistence

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

      botnetdownloaderxorddos

    • XorDDoS payload

    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Deletes itself

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Executes dropped EXE

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Writes file to shm directory

      Malware can drop malicious files in the shm directory which will run directly from RAM.

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Hijack Execution Flow

1
T1574

Scheduled Task

1
T1053

Boot or Logon Autostart Execution

1
T1547

Privilege Escalation

Hijack Execution Flow

1
T1574

Scheduled Task

1
T1053

Boot or Logon Autostart Execution

1
T1547

Defense Evasion

Hijack Execution Flow

1
T1574

Credential Access

Discovery

System Network Connections Discovery

1
T1049

System Network Configuration Discovery

1
T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks