General

  • Target

    250512-1kzk2axye1.bin

  • Size

    549KB

  • Sample

    250512-1mgs1axygv

  • MD5

    527f82b2285ac2a6b2cfe3eb9712ebde

  • SHA1

    e51a2bae220d494d1c9345dd314756c2141e3e91

  • SHA256

    52f74b25e1c3de023526ea8d8d3f93990523506dd3e5535cc53695092c1f982b

  • SHA512

    6e4ecff1e26e015e688176c5c8fb62f65a3e10429ef71cc59a4e4c91bde847027cea9e763d2042edecc89c8c8c3d3fa42f9a3bdcc8af6cd99d91561e5ace09ac

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Malware Config

Extracted

Family

xorddos

C2

whois.checkokdomain.com:112

winrar.monstervp.com:112

http://qq.com/lib.asp

Attributes

  • crc_polynomial

    CDB88320

xor.plain

Targets

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Xorddos family

    • Deletes itself

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Writes file to user bin folder

MITRE ATT&CK Enterprise v16

Tasks