General

  • Target

    23s.exe

  • Size

    549KB

  • Sample

    230701-hbq87agg6s

  • MD5

    63d6cd74a7cd01bf3a3921c36e90237f

  • SHA1

    f697783da228c7787cf1c6a67a10a8c065d6aaa7

  • SHA256

    4f02cc4d5426b63e3eca3ada3c9a8a111a952c0e373c5500519ea8eea5ade853

  • SHA512

    51b1aef53c8277b8700630b144f15c9a41df358a43d71ef0b9352bbdf71c8777774f1ef1e361c8c95930143b54fcde590885242df3da60dce5b1a1d3761e2db3

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Malware Config

Extracted

Family

xorddos

C2

www.imagetw0.com:889

www.myserv012.com:889

http://qq.com/lib.asp

Attributes
  • crc_polynomial

    CDB88320

xor.plain

Targets

    • Target

      23s.exe

    • Size

      549KB

    • MD5

      63d6cd74a7cd01bf3a3921c36e90237f

    • SHA1

      f697783da228c7787cf1c6a67a10a8c065d6aaa7

    • SHA256

      4f02cc4d5426b63e3eca3ada3c9a8a111a952c0e373c5500519ea8eea5ade853

    • SHA512

      51b1aef53c8277b8700630b144f15c9a41df358a43d71ef0b9352bbdf71c8777774f1ef1e361c8c95930143b54fcde590885242df3da60dce5b1a1d3761e2db3

    • SSDEEP

      12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Deletes itself

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Writes file to system bin folder

MITRE ATT&CK Enterprise v6

Tasks