General

  • Target

    455b46bf3f93b8853137de2b99ef0f4c.bin

  • Size

    257KB

  • Sample

    240325-b3922sce65

  • MD5

    b614eddce18a5272852d3d01a7448078

  • SHA1

    bcd7fbd3b9a6c976a754c627168a921c27940a02

  • SHA256

    ae38c170144317b0f8e3e0a761085431e18d2eac562622880a6d8e83fd4dee88

  • SHA512

    af81ca863457d86379d90eb4cf4a9d6fd5924e6c7d8c69e1c59e46566fa1fd41cc728e85c79164ca4cdfc8c925dbece67cd3e1dff0388bca9949740e1320a94f

  • SSDEEP

    6144:ampXERvHw0JULkgwnDoiZDIBXPU3Ym1AAe0K/4K1FmDs5T:a2XERvQzL6DoiGB/VmG0vs3V

Malware Config

Extracted

Family

xorddos

C2

bb.markerbio.com:13307

bb.myserv012.com:13307

http://qq.com/lib.asp

Attributes

  • crc_polynomial

    CDB88320

xor.plain

Targets

    • Target

      76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882.elf

    • Size

      549KB

    • MD5

      455b46bf3f93b8853137de2b99ef0f4c

    • SHA1

      99387d92aee1ad50c8af0a5192f651ad8021d1d4

    • SHA256

      76741721aede86e5d9a78da5dd349cc7f418a993eba77457c00b27aa627f9882

    • SHA512

      a43cc62e55da2d23f2f57bffc3e2f3e406e41b0e1ba24b38d274a12e25d87d005f89f03e98c4fbf91622b75a4009c38033ea9d74316696469d26f9ea3a3237fa

    • SSDEEP

      12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx6:VIv/qiVNHNDEfJKHZ8mG9QeeO6

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Deletes itself

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                  Technique                                   ID      Count
  Execution               Scheduled Task/Job                          T1053   1
  Persistence             Scheduled Task/Job                          T1053   1
  Persistence             Boot or Logon Autostart Execution           T1547   1
  Persistence             Hijack Execution Flow                       T1574   1
  Privilege Escalation    Scheduled Task/Job                          T1053   1
  Privilege Escalation    Boot or Logon Autostart Execution           T1547   1
  Privilege Escalation    Hijack Execution Flow                       T1574   1
  Defense Evasion         Hijack Execution Flow                       T1574   1
  Discovery               System Network Connections Discovery        T1049   1
  Discovery               System Network Configuration Discovery      T1016   1

Tasks