xorddos | 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

Analysis

max time kernel
71s
max time network
154s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231026-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231026-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29/10/2023, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dptxrnhxmx.elf
Size

611KB
MD5

85682d3effdb2d559fd84df491e9461a
SHA1

2fb53f36a77339e1dd8458dd3fe561355de76211
SHA256

3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba
SHA512

f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrryT6yF8EEP4UlUuTh1Ae:FBXmkN/+Fhu/Qo4h9L+zNNyBVEBl/91f

Score

10^/10

xorddos antivm botnet discovery downloader persistence

Malware Config

Extracted

Family

xorddos

http://www1.gggatat456.com/dd.rar

ppp.gggatat456.com:1525

ppp.xxxatat456.com:1525

p5.dddgata789.com:1525

p5.lpjulidny7.com:1525

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 13 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-6.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid
1631

Executes dropped EXE 18 IoCs

ioc	pid	Process
/usr/bin/iyfbtonygn	1556	iyfbtonygn
/usr/bin/iyfbtonygn	1578	iyfbtonygn
/usr/bin/iyfbtonygn	1582	iyfbtonygn
/usr/bin/iyfbtonygn	1584	iyfbtonygn
/usr/bin/iyfbtonygn	1588	iyfbtonygn
/usr/bin/gxwcxuuefl	1591	gxwcxuuefl
/usr/bin/gxwcxuuefl	1594	gxwcxuuefl
/usr/bin/gxwcxuuefl	1597	gxwcxuuefl
/usr/bin/gxwcxuuefl	1600	gxwcxuuefl
/usr/bin/gxwcxuuefl	1603	gxwcxuuefl
/usr/bin/vrvsjomocb	1608	vrvsjomocb
/usr/bin/vrvsjomocb	1611	vrvsjomocb
/usr/bin/vrvsjomocb	1614	vrvsjomocb
/usr/bin/vrvsjomocb	1617	vrvsjomocb
/usr/bin/vrvsjomocb	1620	vrvsjomocb
/usr/bin/medhgvkzab	1623	medhgvkzab
/usr/bin/medhgvkzab	1626	medhgvkzab
/usr/bin/medhgvkzab	1629	medhgvkzab

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/dptxrnhxmx.elf

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/iyfbtonygn
File opened for modification	/usr/bin/gxwcxuuefl
File opened for modification	/usr/bin/vrvsjomocb
File opened for modification	/usr/bin/medhgvkzab

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/rs_dev	Process not Found

/tmp/dptxrnhxmx.elf
/tmp/dptxrnhxmx.elf
1⤵
PID:1540

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1546
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1547

/bin/chkconfig
chkconfig --add dptxrnhxmx.elf
1⤵
PID:1543

/sbin/chkconfig
chkconfig --add dptxrnhxmx.elf
1⤵
PID:1543

/usr/bin/chkconfig
chkconfig --add dptxrnhxmx.elf
1⤵
PID:1543

/usr/sbin/chkconfig
chkconfig --add dptxrnhxmx.elf
1⤵
PID:1543

/usr/local/bin/chkconfig
chkconfig --add dptxrnhxmx.elf
1⤵
PID:1543

/usr/local/sbin/chkconfig
chkconfig --add dptxrnhxmx.elf
1⤵
PID:1543

/usr/X11R6/bin/chkconfig
chkconfig --add dptxrnhxmx.elf
1⤵
PID:1543

/bin/update-rc.d
update-rc.d dptxrnhxmx.elf defaults
1⤵
PID:1545

/sbin/update-rc.d
update-rc.d dptxrnhxmx.elf defaults
1⤵
PID:1545

/usr/bin/update-rc.d
update-rc.d dptxrnhxmx.elf defaults
1⤵
PID:1545

/usr/sbin/update-rc.d
update-rc.d dptxrnhxmx.elf defaults
1⤵
PID:1545
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1555

/usr/bin/iyfbtonygn
/usr/bin/iyfbtonygn "sleep 1" 1541
1⤵
- Executes dropped EXE
PID:1556

/usr/bin/iyfbtonygn
/usr/bin/iyfbtonygn su 1541
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/iyfbtonygn
/usr/bin/iyfbtonygn "ifconfig eth0" 1541
1⤵
- Executes dropped EXE
PID:1582

/usr/bin/iyfbtonygn
/usr/bin/iyfbtonygn uptime 1541
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/iyfbtonygn
/usr/bin/iyfbtonygn whoami 1541
1⤵
- Executes dropped EXE
PID:1588

/usr/bin/gxwcxuuefl
/usr/bin/gxwcxuuefl who 1541
1⤵
- Executes dropped EXE
PID:1591

/usr/bin/gxwcxuuefl
/usr/bin/gxwcxuuefl "cd /etc" 1541
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/gxwcxuuefl
/usr/bin/gxwcxuuefl "sleep 1" 1541
1⤵
- Executes dropped EXE
PID:1597

/usr/bin/gxwcxuuefl
/usr/bin/gxwcxuuefl "route -n" 1541
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/gxwcxuuefl
/usr/bin/gxwcxuuefl whoami 1541
1⤵
- Executes dropped EXE
PID:1603

/usr/bin/vrvsjomocb
/usr/bin/vrvsjomocb "ls -la" 1541
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/vrvsjomocb
/usr/bin/vrvsjomocb sh 1541
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/vrvsjomocb
/usr/bin/vrvsjomocb "netstat -an" 1541
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/vrvsjomocb
/usr/bin/vrvsjomocb sh 1541
1⤵
- Executes dropped EXE
PID:1617

/usr/bin/vrvsjomocb
/usr/bin/vrvsjomocb id 1541
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/medhgvkzab
/usr/bin/medhgvkzab "echo \"find\"" 1541
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/medhgvkzab
/usr/bin/medhgvkzab "ls -la" 1541
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/medhgvkzab
/usr/bin/medhgvkzab "grep \"A\"" 1541
1⤵
- Executes dropped EXE
PID:1629

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/dptxrnhxmx.elf

Filesize
335B

MD5
fe7661a66219e9fbf8ebae2ea9474338

SHA1
9012b20fd1a2896007a185bd4c2279e8f27ba5dd

SHA256
ff0ae208d55e859d7b8e0f6ebb2bedc580dc6bbe67d94a9b8fa9a812bf38a245

SHA512
f6aecaec980ebce610bf96991bc9619cb2d98ea077b57cef3aad0399b1b56daf189e6beaff85b154fef0870ab726ba752b70e3ef0c07d8c6d2441c980fdbc1c5

Download Submit
/etc/sedSuPifX

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/run/gcc.pid

Filesize
32B

MD5
9cc83768b1d997843d9647914b39081d

SHA1
f69b146cbf6924083bcfbf46b19c1c0d3dd9d0cb

SHA256
7a146618a433d2c01fa2619182774ed508ef321f51e2dc37890b4579d1e717f6

SHA512
b8a6cb621980bb80fdc779a1c2cef55683ffdc4b9aa6f9712dccc74bc170798009a63d1eb7adcbac3caa3e965ae495772bea6bd9b38578a9c3dc37089668516f

Download Submit
/usr/bin/gxwcxuuefl

Filesize
611KB

MD5
3357ffd55b03205fe6520007e8c2e1b9

SHA1
7066fea17fd2594461c361ee49e5395b4e09842a

SHA256
90a0bf2493d2a535272b062ca470f62456c64140dc336fd1df9d8ef6ba647d10

SHA512
d6d46d448618eebb3ae669a0ac7043fc1322a86d40224a1d306a570d38f493210c1e4ec946fe4babc8aca9b5d329102146858acb6fbf2f947eed0c75b9147a2d

Download Submit
/usr/bin/gxwcxuuefl

Filesize
611KB

MD5
7e6da438d1f265232ed2a0a2b8601a8d

SHA1
b67fdd99731ab024a3422ccc5f25dfbc0dd8dbad

SHA256
93d4101fc7f86ff01cc2bc51f0b66103080f37179ab847830d21c0293dc7f813

SHA512
6e09ac987cbfca99f03ca4293f78fa8e1ea4babcb85ce8c8c7bc80ea95fa262fd5c71c7c4a6e9b26a57e21dc5a103841039207166bceabee3c5cf6b210000052

Download Submit
/usr/bin/gxwcxuuefl

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/iyfbtonygn

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/iyfbtonygn

Filesize
611KB

MD5
339260adde6a8ddea4d728b64fa282ec

SHA1
936a7e9387b724228e714c948e397f2c75c355e3

SHA256
92ae394ae1a43420344f9a5912c27e891836882cc9c7ae4aea97913ca736ed65

SHA512
1e8610c49c4a1945142c78a68f874d66a52bd3794523bc4f5023e78a4981679aec4ca1b5123f7cbe51b4335226d912a0623ac18ba0baa6fdadaba83b06ed86f5

Download Submit
/usr/bin/iyfbtonygn

Filesize
611KB

MD5
71a52d982ddc0ed74f23cd73ea65b6ca

SHA1
78dd1b358d6dd91e7127bf6e68b5e90b3492b0b3

SHA256
a7e72b7c3a36df52ab485ffd7f6c13911d6e16c2667c0a8f9e1a0f8c69d6f860

SHA512
667da71a89e3fef1bde9e44788fd9cc5d29d7ebe60f63010de8e9f5a8829f135a33994577de26235bec35893923b3e22c5e5d30eb8e9610e1f1d419521e87950

Download Submit
/usr/bin/medhgvkzab

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/medhgvkzab

Filesize
611KB

MD5
1d1bd0e762cceea76d5341e5313093a1

SHA1
703ea8c10d27db2bfdde7718d83a92c089410c5d

SHA256
2e890250fca9cc5589da5305b65fa419dff17ce5f10a91d4909fc8c69f84cd04

SHA512
5a0182ea52c44f137733d4ef1af5cf06e9efb5ec91bb2b5dfd390f9f9ee05c700febf7cc580c33cef0465cbdb618726c6afec69e7b4124c007f16d8089302a03

Download Submit
/usr/bin/medhgvkzab

Filesize
611KB

MD5
6faabe636052ab55ba77e4f4cf11c265

SHA1
6ee69c0ff3c4f9dbd0042a17bf64b31323f91d72

SHA256
2cfbdd6032e3e1d750484b570c02a401fbeee1df1950b787d3d684c8bcdcc28d

SHA512
86a3baca08f01a09c35b5931a846ac66e3d4525770bc8d511bf96275e9fb0162831c32d97e92eac269e477fe9a6b85320f39ee75395b8c9287d19f8e9c826cd0

Download Submit
/usr/bin/vrvsjomocb

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/vrvsjomocb

Filesize
611KB

MD5
0c4e03afd77c0da34559cfbdcaa07a39

SHA1
146467a8684043dc96daf150a8506769641d492c

SHA256
9a63832f3e61321f26385f920e72f6c0932c8ff928432049ea6e2eef5ed79c66

SHA512
8dd40c246d36a36cd4a92218df3651f0b5ff54edab91ea9695cc1c207624f59264b2cb93a98bed0bf55c100eb53746b9d9c662a4855358f195228cda776e7f10

Download Submit
/usr/bin/vrvsjomocb

Filesize
611KB

MD5
df18c5d1977349494a7973c4d38f4e42

SHA1
50ea72f0212eed37eca96d5c0d154609517f9a57

SHA256
be32a836ce5f3fca7b5632bcc576f7812dd1109ea0c2aa190ba37bafd9c45f43

SHA512
f6601a286bba2bf2c779f05cc06d6e374d0a7fe17f768aa289e17c327ad319786ded42af74395ac8da29201597a3ad5b9a51e9aeb048d7012de904f18d4d4d07

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads