Resubmissions

04-09-2024 18:33

240904-w7garavbrl 10

04-09-2024 18:29

240904-w4zmxsvbpm 10

General

  • Target

    3059449.bin

  • Size

    535KB

  • Sample

    240904-w4zmxsvbpm

  • MD5

    6147e779a72c49be7d1954ecd328c571

  • SHA1

    3f1d936fb22225d2dea85bd926f28430c811e4c6

  • SHA256

    d360716cab46152dedb9c0b7179d1dc36fc8040be312cf62f76229d1d3145bd7

  • SHA512

    69d2cf66c9ff304cb879c69debe589b304f855bfdc78fe11421e75d4aeb808362101e91afca4ddf158aeed392ec92fb194b68b3b941c9737f981e6bf790b03e1

  • SSDEEP

    12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbzu66ySjQn36Eoj:/fUywKQ7Fb1pNL/p5ufjQn36Eu

Malware Config

Extracted

Family

xorddos

C2

https://ww.aass654.com/config.rar

gg.aass654.com:1523

gg.xxcc789.com:1523

gg.vvbb321.com:1523

gg.jjkk567.com:1523

gg.nnmm234.com:1523

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Targets

    • Target

      3059449.bin

    • Size

      535KB

    • MD5

      6147e779a72c49be7d1954ecd328c571

    • SHA1

      3f1d936fb22225d2dea85bd926f28430c811e4c6

    • SHA256

      d360716cab46152dedb9c0b7179d1dc36fc8040be312cf62f76229d1d3145bd7

    • SHA512

      69d2cf66c9ff304cb879c69debe589b304f855bfdc78fe11421e75d4aeb808362101e91afca4ddf158aeed392ec92fb194b68b3b941c9737f981e6bf790b03e1

    • SSDEEP

      12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbzu66ySjQn36Eoj:/fUywKQ7Fb1pNL/p5ufjQn36Eu

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks