General

  • Target

    1fb8a9dcce0ccb9486ba6de6a28f585d

  • Size

    548KB

  • Sample

    240826-qry8qswcqe

  • MD5

    1fb8a9dcce0ccb9486ba6de6a28f585d

  • SHA1

    44ff4db7684acadd452028b0122bc6b9312832ca

  • SHA256

    79dd2cc0a3c70fa185e1c3259ed8696354bc1c5d1c64b24f0e656c8d45e09bbb

  • SHA512

    515f1c6f102c327ebe46ee0e3f692b89e03d66a0ba299f493fd53fb0b1c0b2d0e2a4bb6cdbe5714960776abd472cbec6efd85546d4cd0e126387f771652d550d

  • SSDEEP

    12288:vPTJS+naeW9kclFEcMWbHdxZ7GkR2fh/6y9P/Yr:nTJfrW99q4bHdxZ7G1fhFq

Malware Config

Extracted

Family

xorddos

C2

http://full.dsaj2a.org/b/u.php

v8602.xffer.pw:60002

Attributes

  • crc_polynomial

    EDB88320

  • xor.plain
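Worked example, added for this page and not taken from the sample or the sandbox: the two config attributes above are the standard reflected CRC-32 polynomial (EDB88320) and a plain repeating-key XOR used to obfuscate configuration strings. The code below builds a CRC-32 from the listed polynomial and checks it against the standard check value, then decodes fixed-width XOR-obfuscated config slots and filters the decoded strings down to C2 candidates. The report gives the polynomial but not the xor.plain key, so ASSUMED_KEY, the 64-byte slot layout, and the filler string are assumptions constructed here; the two C2 strings are the ones the report extracted.

```python
"""Added example: decode XorDDoS-style XOR-obfuscated configuration slots and
verify the CRC-32 polynomial listed in the report (EDB88320).

Illustrative code written for this page, not code from the sample or the
sandbox. ASSUMED_KEY, SLOT and the filler entry are constructed assumptions;
the report lists the polynomial but not the xor.plain key value."""
import re
import zlib

CRC_POLY = 0xEDB88320              # crc_polynomial attribute from the report (reflected CRC-32)
ASSUMED_KEY = b"example-xor-key!"  # assumption: 16-byte key for this example, not the sample's key
SLOT = 64                          # assumption: fixed-width, NUL-padded config slots


def make_crc_table(poly: int = CRC_POLY) -> list:
    """Build the 256-entry lookup table for a reflected (LSB-first) CRC-32."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = make_crc_table()


def crc32(data: bytes) -> int:
    """Table-driven CRC-32, init and xorout 0xFFFFFFFF; equals zlib.crc32 for EDB88320."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (the xor.plain attribute); the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_config_blob(entries, key: bytes = ASSUMED_KEY, slot: int = SLOT) -> bytes:
    """Constructed fixture: pack strings into NUL-padded slots and XOR each slot."""
    blob = b""
    for text in entries:
        plain = text.encode("ascii").ljust(slot, b"\x00")
        blob += xor_bytes(plain, key)
    return blob


def extract_strings(blob: bytes, key: bytes = ASSUMED_KEY, slot: int = SLOT) -> list:
    """Decrypt every slot (the key restarts at each slot) and return non-empty strings."""
    out = []
    for off in range(0, len(blob), slot):
        plain = xor_bytes(blob[off:off + slot], key)
        text = plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        if text:
            out.append(text)
    return out


# A decoded string counts as a C2 candidate if it is a URL or a host:port pair.
C2_RE = re.compile(r"^(?:https?://\S+|[A-Za-z0-9.-]+:\d{1,5})$")


def extract_c2(blob: bytes, key: bytes = ASSUMED_KEY) -> list:
    """Keep only decoded strings that look like a C2 URL or host:port."""
    return [s for s in extract_strings(blob, key) if C2_RE.match(s)]


# Constructed blob: the report's two C2 strings plus one filler entry.
SAMPLE_BLOB = build_config_blob([
    "http://full.dsaj2a.org/b/u.php",
    "example filler string",
    "v8602.xffer.pw:60002",
])

if __name__ == "__main__":
    check = crc32(b"123456789")
    print("CRC-32 check value:", hex(check), "zlib agrees:", check == zlib.crc32(b"123456789"))
    for c2 in extract_c2(SAMPLE_BLOB):
        print("C2:", c2)
```

The CRC check is there to confirm that EDB88320 is the ordinary reflected CRC-32 (the same one zlib implements), so nothing custom is needed to reproduce the sample's checksums. Decoding restarts the key at every slot; if a real extractor applied the key across the whole blob instead, the second and later strings would come out as garbage, which is the first thing to check when decoded output looks wrong.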

Targets

    • Target

      1fb8a9dcce0ccb9486ba6de6a28f585d

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

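Worked example, added for this page and not the sandbox's own detection logic: the "Unexpected DNS network traffic destination" signature above fires when traffic on the DNS port goes to a server other than the host's configured resolvers. The code below reads the nameservers from resolv.conf content, parses a set of connection records, and flags DNS-port flows whose destination is not one of those resolvers, normalising addresses so that differently written IPv6 literals compare equal. The resolv.conf text and the flow records are constructed sample data, and the record format "proto src:port dst:port" is an assumption.

```python
"""Added example: the check behind the "Unexpected DNS network traffic
destination" signature. Flag connections to the DNS port whose destination is
not one of the host's configured resolvers.

Illustrative code written for this page, not the sandbox's own logic. The
resolv.conf content and the flow records are constructed; the record format
"proto src:port dst:port" is an assumption."""
import ipaddress
from dataclasses import dataclass

# Constructed resolv.conf: two IPv4 resolvers and one IPv6 resolver written
# in a non-canonical form, to show why addresses must be normalised.
RESOLV_CONF = """\
# constructed sample resolver configuration
nameserver 10.0.0.53
nameserver 10.0.0.54
nameserver 2001:DB8::0053
search corp.example
"""

# Constructed connection records (assumed format: proto src:port dst:port).
# 192.0.2.0/24, 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
FLOWS = """\
udp 10.0.0.21:51000 10.0.0.53:53
udp 10.0.0.21:51001 192.0.2.53:53
tcp 10.0.0.21:44321 10.0.0.54:53
udp 10.0.0.21:51002 203.0.113.7:53
tcp 10.0.0.21:44322 203.0.113.7:443
udp 10.0.0.21:51003 [2001:db8::53]:53
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str    # normalised destination address text
    dport: int


def parse_resolvers(text: str) -> set:
    """Return the normalised nameserver addresses from resolv.conf content."""
    servers = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comment lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.add(str(ipaddress.ip_address(parts[1])))
    return servers


def _split_endpoint(endpoint: str):
    """Split 'host:port' or '[v6]:port' into (normalised address, port)."""
    host, port = endpoint.rsplit(":", 1)
    host = host.strip("[]")                       # IPv6 literals are bracketed
    return str(ipaddress.ip_address(host)), int(port)


def parse_flows(text: str) -> list:
    """Parse the assumed 'proto src:port dst:port' records, skipping blanks and comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst = line.split()
        dst_ip, dport = _split_endpoint(dst)
        flows.append(Flow(proto.lower(), src, dst_ip, dport))
    return flows


def unexpected_dns(flows, resolvers, dns_port: int = 53) -> list:
    """Flows to the DNS port (TCP or UDP) whose destination is not a configured resolver."""
    return [f for f in flows if f.dport == dns_port and f.dst not in resolvers]


def run(resolv_conf: str = RESOLV_CONF, flow_text: str = FLOWS) -> list:
    """Return the flagged destinations as 'ip:port' strings, in record order."""
    hits = unexpected_dns(parse_flows(flow_text), parse_resolvers(resolv_conf))
    return [f"{f.dst}:{f.dport}" for f in hits]


if __name__ == "__main__":
    for hit in run():
        print("unexpected DNS destination:", hit)
```

The 203.0.113.7:443 record is not flagged because only the DNS port is of interest here, and the bracketed IPv6 flow is not flagged because 2001:DB8::0053 and 2001:db8::53 normalise to the same address. In a real investigation the resolver set comes from the host under analysis, and a hit to a public resolver the host was never configured to use is what this signature is describing.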