General
-
Target
112.sh
-
Size
318B
-
Sample
241222-jsn1tszqbn
-
MD5
0368897400a135549c0a2d9d83d384cc
-
SHA1
29c933b2a8dd201b4aaea73789664dda02c2fe75
-
SHA256
ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4
-
SHA512
00216c30c5ab73b63821846febd159ac0be3c5a6658921ce9753c858ff2f83d698518c67283a9b2bea9da6067698b1302b6d84bf65ada476aba60bc35eedd758
Malware Config
Extracted
xorddos
api.markerbio.com:112
api.enoan2107.com:112
http://qq.com/lib.asp
-
crc_polynomial
CDB88320
Targets
-
-
Target
112.sh
-
Size
318B
-
MD5
0368897400a135549c0a2d9d83d384cc
-
SHA1
29c933b2a8dd201b4aaea73789664dda02c2fe75
-
SHA256
ec991cf6eac0354077622d016f3408b35372c4bbb44e86bc250bc1fcbafedfc4
-
SHA512
00216c30c5ab73b63821846febd159ac0be3c5a6658921ce9753c858ff2f83d698518c67283a9b2bea9da6067698b1302b6d84bf65ada476aba60bc35eedd758
Score10/10-
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
-
XorDDoS payload
-
Xorddos family
-
File and Directory Permissions Modification
Adversaries may modify file or directory permissions to evade defenses.
-
Deletes itself
-
Executes dropped EXE
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates active TCP sockets
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d
Adds/modifies system service, likely for persistence.
-
Writes file to system bin folder
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Privilege Escalation
Boot or Logon Autostart Execution
1Boot or Logon Initialization Scripts
1RC Scripts
1Scheduled Task/Job
1Cron
1Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1