Resubmissions

27-04-2024 19:52

240427-yldzlsff2s 10

27-04-2024 19:40

240427-ydkgeseh65 10

General

  • Target

    fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d.elf

  • Size

    549KB

  • Sample

    240427-yldzlsff2s

  • MD5

    450cea21132fad13be77c7030d2a9e9d

  • SHA1

    e0fdfb05fb79f5ba1cafc69b78a50a0eed6eeedb

  • SHA256

    fb18a78ab398c101ec335992020bdbf6ca35db5d74b6c708d126cf4d4ebf289d

  • SHA512

    6d282ecf3df15592a2e000906e5aca9665421309a35b31d7aed3cedcc0f46b2f7b6db2426afa7a02f49173b59b9be5c6089dbd0f8a4da8e962ca254e00854f49

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Malware Config

Extracted

Family

xorddos

C2

user.myserv012.com:123

user.search2c.com:123

http://qq.com/lib.asp

Attributes

  • crc_polynomial

    CDB88320

  • xor.plain

Targets

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Deletes itself

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks