General

  • Target

    75bfd448e4274cc4e5804c43768f62a36ccb3fc3b1df06e14d9c892daa2cde19.elf

  • Size

    535KB

  • Sample

    241125-xgf3qsxman

  • MD5

    694a672878a1f7945c020a0a3ca74367

  • SHA1

    148caeaa8ac7fdf46d48fc2d1d0020d1bf41d442

  • SHA256

    75bfd448e4274cc4e5804c43768f62a36ccb3fc3b1df06e14d9c892daa2cde19

  • SHA512

    a239845b91d64b8559192e4683e2faa16ad0c8987bfc142cf692f620bd5fefa0d8d0bbe2e7f5f59651435eec4350e3574171d33e7cd4656136b539bccd00fb60

  • SSDEEP

    12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbzP66ySjQn36Eoj:/fUywKQ7Fb1pNL/p5PfjQn36Eu

Malware Config

Extracted

Family

xorddos

C2

https://ww.aass654.com/config.rar

ee.aass654.com:1520

ee.xxcc789.com:1520

ee.vvbb321.com:1520

ee.jjkk567.com:1520

ee.nnmm234.com:1520

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Targets

    • Target

      75bfd448e4274cc4e5804c43768f62a36ccb3fc3b1df06e14d9c892daa2cde19.elf

    • Size

      535KB

    • MD5

      694a672878a1f7945c020a0a3ca74367

    • SHA1

      148caeaa8ac7fdf46d48fc2d1d0020d1bf41d442

    • SHA256

      75bfd448e4274cc4e5804c43768f62a36ccb3fc3b1df06e14d9c892daa2cde19

    • SHA512

      a239845b91d64b8559192e4683e2faa16ad0c8987bfc142cf692f620bd5fefa0d8d0bbe2e7f5f59651435eec4350e3574171d33e7cd4656136b539bccd00fb60

    • SSDEEP

      12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbzP66ySjQn36Eoj:/fUywKQ7Fb1pNL/p5PfjQn36Eu

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Xorddos family

    • Executes dropped EXE

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

MITRE ATT&CK Enterprise v15

Tasks