Analysis Overview
SHA256
57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc
Threat Level: Known bad
The file 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc was found to be: Known bad.
Malicious Activity Summary
Xorddos family
suricata: ET MALWARE DDoS.XOR Checkin
XorDDoS Payload
suricata: ET MALWARE DDoS.XOR Checkin via HTTP
Writes file to system bin folder
Modifies rc script
Write file to user bin folder
Creates/modifies Cron job
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-27 19:02
Signatures
XorDDoS Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xorddos family
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-27 19:02
Reported
2022-05-27 19:53
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
0s
Max time network
29s
Command Line
Signatures
suricata: ET MALWARE DDoS.XOR Checkin
suricata: ET MALWARE DDoS.XOR Checkin via HTTP
Writes file to system bin folder
| Description | Indicator | Process | Target |
| /bin/mdnnzthsio | /bin/mdnnzthsio | N/A | N/A |
| /bin/qkepdgyxpk | /bin/qkepdgyxpk | N/A | N/A |
| /bin/yydbqrbixr | /bin/yydbqrbixr | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| /etc/crontab | /etc/crontab | /bin/sed | N/A |
| /etc/crontab | /etc/crontab | /bin/sh | N/A |
Modifies rc script
| Description | Indicator | Process | Target |
| /etc/rc4.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | /etc/rc4.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | N/A | N/A |
| /etc/rc5.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | /etc/rc5.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | N/A | N/A |
| /etc/rc0.d/ | /etc/rc0.d/ | /usr/sbin/update-rc.d | N/A |
| /etc/rc2.d/ | /etc/rc2.d/ | /usr/sbin/update-rc.d | N/A |
| /etc/rc6.d/ | /etc/rc6.d/ | /usr/sbin/update-rc.d | N/A |
| /etc/rc1.d/ | /etc/rc1.d/ | /usr/sbin/update-rc.d | N/A |
| /etc/rc1.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | /etc/rc1.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | N/A | N/A |
| /etc/rc2.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | /etc/rc2.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | N/A | N/A |
| /etc/rc3.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | /etc/rc3.d/S9057ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc | N/A | N/A |
| /etc/rc5.d/ | /etc/rc5.d/ | /usr/sbin/update-rc.d | N/A |
| /etc/rc4.d/ | /etc/rc4.d/ | /usr/sbin/update-rc.d | N/A |
| /etc/rc3.d/ | /etc/rc3.d/ | /usr/sbin/update-rc.d | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| /usr/sbin/update-rc.d | /usr/sbin/update-rc.d | /usr/sbin/update-rc.d | N/A |
| /usr/bin/qkepdgyxpk | /usr/bin/qkepdgyxpk | N/A | N/A |
| /usr/bin/yydbqrbixr | /usr/bin/yydbqrbixr | N/A | N/A |
| /usr/bin/mdnnzthsio | /usr/bin/mdnnzthsio | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| /proc/filesystems | /proc/filesystems | /bin/systemctl | N/A |
| /proc/self/stat | /proc/self/stat | /bin/systemctl | N/A |
| /proc/sys/kernel/osrelease | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| /proc/1/environ | /proc/1/environ | /bin/systemctl | N/A |
| /proc/1/sched | /proc/1/sched | /bin/systemctl | N/A |
| /proc/cmdline | /proc/cmdline | /bin/systemctl | N/A |
| /proc/filesystems | /proc/filesystems | /bin/sed | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| /tmp/qkepdgyxpk | /tmp/qkepdgyxpk | N/A | N/A |
| /tmp/yydbqrbixr | /tmp/yydbqrbixr | N/A | N/A |
| /tmp/mdnnzthsio | /tmp/mdnnzthsio | N/A | N/A |
Processes
./57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc
[./57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc]
/bin/chkconfig
[chkconfig --add 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc]
/sbin/chkconfig
[chkconfig --add 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc]
/usr/bin/chkconfig
[chkconfig --add 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc]
/usr/sbin/chkconfig
[chkconfig --add 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc]
/bin/sh
[sh -c sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab]
/usr/local/bin/chkconfig
[chkconfig --add 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc]
/usr/local/sbin/chkconfig
[chkconfig --add 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc]
/usr/X11R6/bin/chkconfig
[chkconfig --add 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc]
/bin/update-rc.d
[update-rc.d 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc defaults]
/sbin/update-rc.d
[update-rc.d 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc defaults]
/usr/bin/update-rc.d
[update-rc.d 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc defaults]
/bin/sed
[sed -i /\/etc\/cron.hourly\/gcc.sh/d /etc/crontab]
/usr/sbin/update-rc.d
[update-rc.d 57ee14b30b52577e4600c1326d6b7918f06521468a4750317047442b4ce01bfc defaults]
/bin/systemctl
[systemctl daemon-reload]
/usr/bin/qkepdgyxpk
[/usr/bin/qkepdgyxpk echo "find" 572]
/usr/bin/qkepdgyxpk
[/usr/bin/qkepdgyxpk gnome-terminal 572]
/usr/bin/qkepdgyxpk
[/usr/bin/qkepdgyxpk sh 572]
/usr/bin/qkepdgyxpk
[/usr/bin/qkepdgyxpk id 572]
/usr/bin/qkepdgyxpk
[/usr/bin/qkepdgyxpk sleep 1 572]
/usr/bin/yydbqrbixr
[/usr/bin/yydbqrbixr who 572]
/usr/bin/yydbqrbixr
[/usr/bin/yydbqrbixr top 572]
/usr/bin/yydbqrbixr
[/usr/bin/yydbqrbixr id 572]
/usr/bin/yydbqrbixr
[/usr/bin/yydbqrbixr su 572]
/usr/bin/yydbqrbixr
[/usr/bin/yydbqrbixr netstat -an 572]
/usr/bin/mdnnzthsio
[/usr/bin/mdnnzthsio route -n 572]
/usr/bin/mdnnzthsio
[/usr/bin/mdnnzthsio echo "find" 572]
/usr/bin/mdnnzthsio
[/usr/bin/mdnnzthsio netstat -an 572]
/usr/bin/mdnnzthsio
[/usr/bin/mdnnzthsio ifconfig eth0 572]
/usr/bin/mdnnzthsio
[/usr/bin/mdnnzthsio ifconfig 572]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | b12.dddgata789.com | udp |
| US | 8.8.4.4:53 | b12.dddgata789.com | udp |
| US | 8.8.8.8:53 | www1.gggatat456.com | udp |
| FR | 54.36.15.99:80 | www1.gggatat456.com | tcp |
| US | 8.8.8.8:53 | b12.xxxatat456.com | udp |
| FR | 54.36.15.98:1433 | b12.xxxatat456.com | tcp |