General

  • Target

    e40d4ba6f6aee3acd39faf65f471894a.elf

  • Size

    542KB

  • Sample

    240329-2yzcvsce22

  • MD5

    e40d4ba6f6aee3acd39faf65f471894a

  • SHA1

    7de3d9b9905cc4fde29d37ca73e2ffcf7bbb0eab

  • SHA256

    0e817a2325c215997de15851152a66924874739eeff5da4b434e5d36c83a76eb

  • SHA512

    2479a64b2cdcff25f87725f6541921fbb4590725f2a8ba7b4827a706ac326fb6124b6c10ea2635502a79081aa2d6b2a29ffeaaa269d320e281e26bb68a30a88f

  • SSDEEP

    12288:VB2bw1CH/FwznbIU9sE8c8lqd49N94wT4JXQLLp6yWrk3:VB2WCH/eMU9Uc8gd49N94BJXQLL4ru

Malware Config

Extracted

Family

xorddos

C2

http://ww.wowapplecar.com/config.rar

dd.vvbb321.com:1430

dd.jjkk567.com:1430

dd.nnmm234.com:1430

dd.aass654.com:1430

dd.xxcc789.com:1430

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Targets

    • Target

      e40d4ba6f6aee3acd39faf65f471894a.elf

    • Size

      542KB

    • MD5

      e40d4ba6f6aee3acd39faf65f471894a

    • SHA1

      7de3d9b9905cc4fde29d37ca73e2ffcf7bbb0eab

    • SHA256

      0e817a2325c215997de15851152a66924874739eeff5da4b434e5d36c83a76eb

    • SHA512

      2479a64b2cdcff25f87725f6541921fbb4590725f2a8ba7b4827a706ac326fb6124b6c10ea2635502a79081aa2d6b2a29ffeaaa269d320e281e26bb68a30a88f

    • SSDEEP

      12288:VB2bw1CH/FwznbIU9sE8c8lqd49N94wT4JXQLLp6yWrk3:VB2WCH/eMU9Uc8gd49N94BJXQLL4ru

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks