General

  • Target

    112.sh

  • Size

    308B

  • Sample

    250513-jp7nrsgk3v

  • MD5

    10103213750bee17bc18a8acf232403b

  • SHA1

    a4ca8ec9806534f5a05717513382ff2262bda16e

  • SHA256

    2eabdfccec742559769bc76082d79f2562fdb9c4199e029339afffc2f5680d3d

  • SHA512

    48ec06ed08205d4325a51644eebec981fe9b5add3642474fd03310aafcde1549319b7c8a287713879b212ae37e96094028b8ecafb881011ef7fcdbe3ddf52cde

Malware Config

Extracted

Family

xorddos

C2

whois.checkokdomain.com:112

winrar.monstervp.com:112

http://qq.com/lib.asp

http://aa.hostasa.org/config.rar

whois.checkokdomain.com:21

winrar.monstervp.com:21

Attributes
  • crc_polynomial

    CDB88320

  • xor.plain
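Added worked example (not part of the sandbox report and not code from the XorDDoS sample): the two attributes above are what a config extractor keys on. XorDDoS keeps its configuration as a NUL-separated string table under a repeating-key XOR, and its hashing uses a CRC-32 table built from the reported polynomial, CDB88320, instead of the standard reflected polynomial EDB88320. The block below builds the CRC-32 table for both polynomials so the differing table bytes can be turned into a hunt pattern, and decodes a constructed config blob back into the C2 list reported above. The XOR key ASSUMED_XOR_KEY is an assumption (the report does not state the sample's key), and the encrypted blob is constructed from the page's own C2 entries so the decoder runs offline.

```python
import struct

# Standard reflected CRC-32 polynomial (zlib/Ethernet) and the one reported
# in the extracted XorDDoS config (attribute crc_polynomial = CDB88320).
CRC32_STANDARD_POLY = 0xEDB88320
CRC32_XORDDOS_POLY = 0xCDB88320

# Assumed XOR key: XorDDoS uses a fixed repeating byte key, but the key for
# this sample is not in the report, so this value is a placeholder only.
ASSUMED_XOR_KEY = b"0123456789ABCDEF"

# C2 entries exactly as reported in the extracted config above.
C2_ENTRIES = [
    "whois.checkokdomain.com:112",
    "winrar.monstervp.com:112",
    "http://qq.com/lib.asp",
    "http://aa.hostasa.org/config.rar",
    "whois.checkokdomain.com:21",
    "winrar.monstervp.com:21",
]


def crc32_table(poly: int) -> list[int]:
    """Build the 256-entry lookup table for a reflected CRC-32 using `poly`."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32(data: bytes, poly: int) -> int:
    """Table-driven reflected CRC-32 (init 0xFFFFFFFF, final XOR 0xFFFFFFFF)."""
    table = crc32_table(poly)
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def table_signature(poly: int, entries: int = 4) -> bytes:
    """Little-endian bytes of the first `entries` table values; the entries
    after the zero entry differ between the two polynomials, so these bytes
    can be used as a hex pattern to locate the table in an unpacked ELF."""
    return b"".join(struct.pack("<I", v) for v in crc32_table(poly)[:entries])


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_config_blob(entries: list[str], key: bytes) -> bytes:
    """Constructed sample blob: NUL-separated entries under repeating-key XOR.
    This mimics the layout the extractor expects; it is not a real sample."""
    plain = b"\x00".join(e.encode("ascii") for e in entries) + b"\x00"
    return xor_repeating(plain, key)


def extract_c2(blob: bytes, key: bytes) -> list[str]:
    """Decrypt the blob and return the non-empty NUL-separated strings."""
    plain = xor_repeating(blob, key)
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if s]


if __name__ == "__main__":
    check = b"123456789"
    print("standard  crc32:", hex(crc32(check, CRC32_STANDARD_POLY)))
    print("xorddos   crc32:", hex(crc32(check, CRC32_XORDDOS_POLY)))
    print("standard table[1..3]:", [hex(v) for v in crc32_table(CRC32_STANDARD_POLY)[1:4]])
    print("xorddos  table[1..3]:", [hex(v) for v in crc32_table(CRC32_XORDDOS_POLY)[1:4]])
    print("hunt bytes (xorddos):", table_signature(CRC32_XORDDOS_POLY).hex())
    blob = build_config_blob(C2_ENTRIES, ASSUMED_XOR_KEY)
    for entry in extract_c2(blob, ASSUMED_XOR_KEY):
        print("c2:", entry)
```

When using the decoded list for blocking or hunting, treat the entries as candidates rather than a clean block list: qq.com is Tencent's legitimate domain, so the host:port pairs on ports 112 and 21 are the actionable indicators here, and the HTTP URLs should be checked against the download behaviour before they are acted on.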

Targets

    • Target

      112.sh


    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Xorddos family

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Deletes itself

    • Executes dropped EXE

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Writes file to system bin folder
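Added worked example (not from the report and not the sample's code): the "Enumerates active TCP sockets" signature above means the bot reads /proc/net/tcp, and a responder can read the same file to find the bot's own connections. The block below parses the /proc/net/tcp text format (hex addresses in host byte order, hex ports, hex state code), flags connections to the C2 ports reported in the config above (112 and 21), and maps a flagged socket inode back to a PID through /proc/<pid>/fd when run on a live host. The SAMPLE_PROC_NET_TCP text is constructed using documentation-range addresses so the parser runs offline; the little-endian address decoding matches x86 hosts, which is an assumption stated in the code.

```python
import os
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Remote ports from the extracted config above (host:port C2 entries).
C2_PORTS = {112, 21}

# Socket state codes as printed in /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample (not captured from the sandbox run): a listening sshd,
# an established connection to port 112, an unrelated HTTPS connection, and
# a half-open connection to port 21. Remote hosts are RFC 5737 test ranges.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18822 1 0000000000000000 100 0 0 10 0
   1: 0F00000A:9C40 077100CB:0070 01 00000000:00000000 00:00000000 00000000     0        0 30117 1 0000000000000000 20 4 30 10 -1
   2: 0F00000A:9C41 096433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 30455 1 0000000000000000 20 4 30 10 -1
   3: 0F00000A:9C42 050200C0:0015 02 00000000:00000000 00:00000000 00000000     0        0 30460 1 0000000000000000 20 4 30 10 -1
"""


@dataclass
class TcpConn:
    laddr: tuple[str, int]
    raddr: tuple[str, int]
    state: str
    uid: int
    inode: int


def _decode_addr(field: str) -> tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22). The IPv4 address is printed as a
    32-bit integer in host byte order; this assumes a little-endian host."""
    host_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(host_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[TcpConn]:
    """Parse the contents of /proc/net/tcp (header line is skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        conns.append(TcpConn(
            laddr=_decode_addr(fields[1]),
            raddr=_decode_addr(fields[2]),
            state=TCP_STATES.get(fields[3], fields[3]),
            uid=int(fields[7]),
            inode=int(fields[9]),
        ))
    return conns


def flag_c2_connections(conns: list[TcpConn], ports: set[int]) -> list[TcpConn]:
    """Outbound sockets whose remote port matches a C2 port; SYN_SENT is kept
    because a bot whose C2 is down still shows half-open attempts."""
    return [c for c in conns
            if c.raddr[1] in ports and c.state in ("ESTABLISHED", "SYN_SENT")]


def pid_for_inode(inode: int, proc_root: str = "/proc") -> Optional[int]:
    """Find the process owning a socket inode by scanning /proc/<pid>/fd.
    Only meaningful on a live Linux host; returns None when not found."""
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue  # process exited or permission denied (needs root)
    return None


if __name__ == "__main__":
    for c in flag_c2_connections(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), C2_PORTS):
        print(f"{c.state:<11} {c.laddr[0]}:{c.laddr[1]} -> {c.raddr[0]}:{c.raddr[1]} "
              f"uid={c.uid} inode={c.inode} pid={pid_for_inode(c.inode)}")
```

On a live host, replace SAMPLE_PROC_NET_TCP with the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6) and run as root so the inode-to-PID lookup can read every process's fd table; the "Writes file to system bin folder" and "Modifies init.d" signatures above mean the owning PID's executable path is the next artefact to collect.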

MITRE ATT&CK Enterprise v16
