General

  • Target

    250510-g5hcpsvvgz.bin

  • Size

    308B

  • Sample

    250510-g6zndawnw7

  • MD5

    53ff5173c085a698036707289dc16ad5

  • SHA1

    b0718127211a39286a4dde03fbaca1c1d7723ad5

  • SHA256

    2a118171db67cc79402839884415a075851d1d208753197f44359961c3ff6c84

  • SHA512

    29c21f7ad939bb00d3134606657587a1f8e9627a402a8008c3e86cfa883f270610fcd77425451e0fb19103b0ea6a8669147cc88e2c8aeeb9c7f5b92f49f6411b

Malware Config

Extracted

Family

xorddos

C2

whois.checkokdomain.com:112

winrar.monstervp.com:112

http://qq.com/lib.asp

http://aa.hostasa.org/config.rar

whois.checkokdomain.com:21

winrar.monstervp.com:21

Attributes

  • crc_polynomial

    CDB88320

xor.plain

Targets

    • Target

      250510-g5hcpsvvgz.bin

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Xorddos family

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Deletes itself

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Writes file to system bin folder

MITRE ATT&CK Enterprise v16

Tasks