General
Target: f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876.zip
Size: 294KB
Sample: 231110-mkezqseg4v
MD5: b89d8fde813baf69d557b4039cd91fce
SHA1: d1d63c03a79227845c8a671dde1c6c02d383207f
SHA256: 93b1a887ed2648b92a7a76b4635a0f0cf3a96f4eae606562e1fac611585a71f8
SHA512: c8be14007d15224f4045d22df20a4dc3496bf6fbd1bff84f6108b4907997422a3249e193611d81b595d6cf256812eaed322a21341f6ae8b6657742f3087bd4db
SSDEEP: 6144:Jhlh47NwUGlag0mhrb/IlqAm2p2vXvLz/AQMaI5yQOtJ1+ngpL:Jm7ql5/bI02kvzDAQMaUpWfPL

Behavioral task
behavioral1
Sample: f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876.elf
Resource: ubuntu1804-amd64-20231026-en

Malware Config
Extracted
xorddos
http://info1.3000uc.com/b/u.php
aaaaaaaaaa.re67das.com:5859
aa369369.f3322.org:2897
crc_polynomial: EDB88320

Targets
Target: f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876.elf
Size: 647KB
MD5: d20e3e491d242d649c3fcf4879f2cbf2
SHA1: 681406d197c6de50bc611bb466c012f0cd9b4aa6
SHA256: f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876
SHA512: de50e27b457d3ee8e9d41800c83fd5eb4a1f0b0d568f02a4ecd482a4390b435410c15a262c123162e7e7f877219ff8fe13ce763ecece80f96872cd050895141c
SSDEEP: 12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
Score: 10/10

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
- XorDDoS payload
- Deletes itself
- Executes dropped EXE
- Unexpected DNS network traffic destination
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.