General

  • Target

    3c49b5160b981f06bd5242662f8d0a54

  • Size

    611KB

  • Sample

    231222-a62z6sbdf2

  • MD5

    3c49b5160b981f06bd5242662f8d0a54

  • SHA1

    c50933e1f8a194e608049839707d8d698dd5caa5

  • SHA256

    c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc

  • SHA512

    d947f1ecfb10002bc05bb6d1786758dfecb9000b94140128ccc9a68bd3a032ccb7360f27a3f7f522df856b372691bde46792975f6ac82c6fa0218d38b0d8488e

  • SSDEEP

    12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tikx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhkfNiGQl/91h

Malware Config

Extracted

Family

xorddos

C2

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3306

ns4.hostasa.org:3306

ns1.hostasa.org:3306

ns2.hostasa.org:3306

Attributes

  • crc_polynomial

    EDB88320

  • xor.plain

Targets

    • Target

      3c49b5160b981f06bd5242662f8d0a54

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Deletes itself

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds or modifies a system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks