Extracted

• • Target

    311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151.elf

  • Size

    549KB

  • MD5

    895f7fff165ddfba70b7d718ac3de989

  • SHA1

    2663c2ebb853083f5cf645cdc0cce31c8ace4fba

  • SHA256

    311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151

  • SHA512

    c4d3a5eea879e69d347e29a60780e2ddc31f0d2a78abc7429b8d2b4306065c34f0ed1a03cd0a74234f5098ef239f745fccb87086c5cdaf9f65383d119e77e617

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxd:VIv/qiVNHNDEfJKHZ8mG9QeeOd

  Score

  10^/10

  xorddosbotnetdownloaderpersistence

  • XorDDoS

    Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    botnetdownloaderxorddos

  • XorDDoS payload

  • Writes file to system bin folder

  • Creates/modifies Cron job

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence

  • Deletes itself

  • Enumerates active TCP sockets

    Gets active TCP sockets from /proc virtual filesystem.

  • Executes dropped EXE

  • Modifies init.d

    Adds/modifies system service, likely for persistence.

    persistence

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Writes file to shm directory

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Reads system network configuration

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory

    Malware often drops required files in the /tmp directory.

  behavioral1