General
- Target: 895f7fff165ddfba70b7d718ac3de989.bin
- Size: 257KB
- Sample: 230516-bxfw1shd9s
- MD5: f284891d040312839e3f649462b7b31a
- SHA1: 55825d2e89bb3dfcd3b6b64430433607002838c6
- SHA256: 66550b883c96c777db36bd96d9b8e669fac68e5b5ec29d9d45e74895e144d9a2
- SHA512: 89185ada0f4be28706b0bc6ecbca6d259398a7eb571596291f7df32ae772e34b295ab6ee39f0bf42378b5ea061b81f79af98113c9c9a432a99f808294cc74ef6
- SSDEEP: 6144:XbcWkF+gI1C1oJ4aPWUE3Gqa2xWuv2esGQa4+sE/+8VDcDrM/o:L98ieoVPBE3o2s40talsE/+ODqd
Behavioral task: behavioral1
- Sample: 311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151.elf
- Resource: ubuntu1804-amd64-20221111-en
Malware Config
- Extracted family: xorddos
- www.imagetw0.com:889
- www.myserv012.com:889
- http://qq.com/lib.asp
- crc_polynomial: CDB88320
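The crc_polynomial value above is a reflected CRC-32 polynomial that differs from the standard IEEE value EDB88320 (the one zlib.crc32 uses) in a single bit. The following is an added example, not code from the report or from the sample: a table-driven CRC-32 parametrized by polynomial, so the variant can be reproduced when analysing strings or data the binary hashes. What the sample applies this CRC to is not stated on this page; the constant name REPORTED_POLY and the check value shown are this example's own.

```python
"""CRC-32 with a configurable reflected polynomial (added example)."""
import zlib

STANDARD_POLY = 0xEDB88320   # reflected IEEE 802.3 polynomial, as used by zlib.crc32
REPORTED_POLY = 0xCDB88320   # crc_polynomial value from the extracted config above


def make_table(poly):
    """Byte-wise lookup table for a reflected (LSB-first) CRC-32 with the given polynomial."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32(data, poly=STANDARD_POLY, init=0xFFFFFFFF, xorout=0xFFFFFFFF):
    """Table-driven CRC-32; with the default polynomial this equals zlib.crc32."""
    table = make_table(poly)
    crc = init
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ xorout


def matches_zlib(data):
    """Sanity check of this implementation against the standard library."""
    return crc32(data, STANDARD_POLY) == (zlib.crc32(data) & 0xFFFFFFFF)


if __name__ == "__main__":
    msg = b"123456789"                                   # conventional CRC check input
    print(f"EDB88320 : {crc32(msg):08X}")               # CBF43926, the standard CRC-32 check value
    print(f"CDB88320 : {crc32(msg, REPORTED_POLY):08X}")
```

Swapping the polynomial is the only change needed; init and final XOR are left at the CRC-32 defaults because the report gives no other parameters.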
Targets
- Target: 311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151.elf
- Size: 549KB
- MD5: 895f7fff165ddfba70b7d718ac3de989
- SHA1: 2663c2ebb853083f5cf645cdc0cce31c8ace4fba
- SHA256: 311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151
- SHA512: c4d3a5eea879e69d347e29a60780e2ddc31f0d2a78abc7429b8d2b4306065c34f0ed1a03cd0a74234f5098ef239f745fccb87086c5cdaf9f65383d119e77e617
- SSDEEP: 12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxd:VIv/qiVNHNDEfJKHZ8mG9QeeOd
- Score: 10/10
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
- XorDDoS payload
- Writes file to system bin folder
- Creates/modifies Cron job
  Cron allows running tasks on a schedule and is commonly used for malware persistence.
- Deletes itself
- Enumerates active TCP sockets
  Gets active TCP sockets from the /proc virtual filesystem (/proc/net/tcp and /proc/net/tcp6).
- Executes dropped EXE
- Unexpected DNS network traffic destination
  Traffic on the DNS port (53) to servers other than the configured DNS servers was detected.
- Writes file to shm directory
  Malware can drop files in the shm directory (/dev/shm, a RAM-backed tmpfs) so that they run directly from memory.
- Reads system network configuration
  Uses the contents of the /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
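The "Enumerates active TCP sockets" signature refers to reading /proc/net/tcp, which the sample does in the sandbox and which an analyst can read the same way to spot a live C2 connection, for instance to the port 889 seen in the extracted config. The following is an added example, not part of the report or the sample: a parser for the /proc/net/tcp format that decodes the kernel's hex-encoded endpoints and filters established sockets by remote port. The /proc/net/tcp excerpt embedded below is constructed for the example, and the endpoint decoding assumes a little-endian host (the report's amd64 sandbox), because the kernel prints each IPv4 address as a native-endian u32.

```python
"""Parse /proc/net/tcp and flag established sockets to a given remote port (added example)."""
import socket
import struct

# Constructed /proc/net/tcp excerpt (not captured from the sandbox run).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02A8C0:B1A2 0A00000A:0379 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0F02A8C0:C3D4 4A7D1B8E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Values of the 'st' column, as defined in the kernel's tcp_states.h.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


def decode_endpoint(field):
    """'0F02A8C0:B1A2' -> ('192.168.2.15', 45474).

    The address is a u32 holding the network-order bytes, printed in host
    byte order, so on a little-endian host the octets appear reversed; the
    port is printed as a plain hex number.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))   # little-endian host assumed
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line; the header line is skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:          # sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
            continue
        local = decode_endpoint(cols[1])
        remote = decode_endpoint(cols[2])
        entries.append({
            "local": local,
            "remote": remote,
            "state": TCP_STATES.get(int(cols[3], 16), cols[3]),
            "uid": int(cols[7]),
            "inode": int(cols[9]),  # join against /proc/<pid>/fd to find the owning process
        })
    return entries


def connections_to_port(text, port, state="ESTABLISHED"):
    """Sockets in the given state whose remote port matches, e.g. the C2 port 889."""
    return [e for e in parse_proc_net_tcp(text)
            if e["state"] == state and e["remote"][1] == port]


if __name__ == "__main__":
    for e in connections_to_port(SAMPLE_PROC_NET_TCP, 889):
        print(f"{e['local'][0]}:{e['local'][1]} -> {e['remote'][0]}:{e['remote'][1]} "
              f"uid={e['uid']} inode={e['inode']}")
```

On a live host, read the real file with open("/proc/net/tcp").read() in place of the constructed text; the inode column is what links a socket back to a process through the symlinks in /proc/<pid>/fd, which is how a dropped binary running from /dev/shm or /tmp can be tied to its C2 connection.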