Resubmissions

09-09-2024 19:21

240909-x2vfvsxdmc 10

22-12-2023 13:24

231222-qnwcnsgfhj 10

General

  • Target

    a1da9b563db9056c96523a8727a279e3

  • Size

    603KB

  • Sample

    240909-x2vfvsxdmc

  • MD5

    a1da9b563db9056c96523a8727a279e3

  • SHA1

    264124d50c9c25cea15459acb662b750bd7987c5

  • SHA256

    f5b098419bdcd2aee198c074b895e113fb7cac9132ad1b592005d31f1394ad3f

  • SHA512

    1418a5fc3fd23a0b10533a60ab76cfd71cd0894c0bf8fdc859fdc27a3673a4f5fc63320ab4e0aab81eefeaba933266933a74e60021a3985bb5dbe8ca90a93aaf

  • SSDEEP

    12288:R40XBrnlTCbI5ZBP5IePtqLn4yFeC+oT6ygF9b4elMuThmVF:e01tCbqNNPtqLn4yFmoEbdlH9mn

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2857

navert0p.com:2857

wangzongfacai.com:2857

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Targets

    • Target

      a1da9b563db9056c96523a8727a279e3

    • Size

      603KB

    • MD5

      a1da9b563db9056c96523a8727a279e3

    • SHA1

      264124d50c9c25cea15459acb662b750bd7987c5

    • SHA256

      f5b098419bdcd2aee198c074b895e113fb7cac9132ad1b592005d31f1394ad3f

    • SHA512

      1418a5fc3fd23a0b10533a60ab76cfd71cd0894c0bf8fdc859fdc27a3673a4f5fc63320ab4e0aab81eefeaba933266933a74e60021a3985bb5dbe8ca90a93aaf

    • SSDEEP

      12288:R40XBrnlTCbI5ZBP5IePtqLn4yFeC+oT6ygF9b4elMuThmVF:e01tCbqNNPtqLn4yFmoEbdlH9mn

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks