General

  • Target

    clcghvuyu

  • Size

    549KB

  • Sample

    240131-pc8cesbgd5

  • MD5

    c57833b58d55d499ef46663216a196d6

  • SHA1

    f9c5672d95b40c4c4ed68269c3b55035aa29d830

  • SHA256

    ae30644277ee1b1352839d218becb0f4cc18dedc62615600ab8c57a01ba5753c

  • SHA512

    1b9f920ad78813c5aaf1a2345439e8630033582568a2dadf9665c183b7a1c8a7cd08212a86568ab41dcc94c958ee092d76d53836c085ce988c2e4f154cbf9e55

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxi:VIv/qiVNHNDEfJKHZ8mG9QeeOi

Malware Config

Extracted

Family

xorddos

C2

p5.2017fly.com:53

p5.2017fly.com:80

p5.2018fly.com:53

p5.2018fly.com:80

p5.sb1024.net:53

p5.sb1024.net:80

http://fuck.2017fly.com/i.php

Attributes
  • crc_polynomial

    CDB88320

xor.plain

Targets

    • Target

      clcghvuyu

    • Size

      549KB

    • MD5

      c57833b58d55d499ef46663216a196d6

    • SHA1

      f9c5672d95b40c4c4ed68269c3b55035aa29d830

    • SHA256

      ae30644277ee1b1352839d218becb0f4cc18dedc62615600ab8c57a01ba5753c

    • SHA512

      1b9f920ad78813c5aaf1a2345439e8630033582568a2dadf9665c183b7a1c8a7cd08212a86568ab41dcc94c958ee092d76d53836c085ce988c2e4f154cbf9e55

    • SSDEEP

      12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmxi:VIv/qiVNHNDEfJKHZ8mG9QeeOi

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Deletes itself

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Writes file to system bin folder

MITRE ATT&CK Enterprise v15

Tasks