xorddos | 8e996db5961bec2587b92b94e946d2b58230187426757f199ca99b59074d6391

Resubmissions

02-11-2023 08:28

231102-kdepaahe7v 10

02-11-2023 08:25

231102-kbbjvabd87 10

02-11-2023 08:23

231102-kaly7ahe31 10

31-10-2023 10:42

231031-mr4lnsfe3y 10

Analysis

max time kernel
16s
max time network
20s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231026-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231026-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02-11-2023 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
Size

611KB
MD5

85682d3effdb2d559fd84df491e9461a
SHA1

2fb53f36a77339e1dd8458dd3fe561355de76211
SHA256

3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba
SHA512

f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrryT6yF8EEP4UlUuTh1Ae:FBXmkN/+Fhu/Qo4h9L+zNNyBVEBl/91f

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://www1.gggatat456.com/dd.rar

ppp.gggatat456.com:1525

ppp.xxxatat456.com:1525

p5.dddgata789.com:1525

p5.lpjulidny7.com:1525

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 7 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/kdggxzgzxv	family_xorddos
/usr/bin/kdggxzgzxv	family_xorddos
/usr/bin/kdggxzgzxv	family_xorddos
/usr/bin/xnymbhpffp	family_xorddos
/usr/bin/xnymbhpffp	family_xorddos
/usr/bin/xnymbhpffp	family_xorddos

Executes dropped EXE 10 IoCs

Processes:

kdggxzgzxvkdggxzgzxvkdggxzgzxvkdggxzgzxvkdggxzgzxvxnymbhpffpxnymbhpffpxnymbhpffpxnymbhpffpxnymbhpffp

ioc	pid	process
/usr/bin/kdggxzgzxv	1549	kdggxzgzxv
/usr/bin/kdggxzgzxv	1571	kdggxzgzxv
/usr/bin/kdggxzgzxv	1578	kdggxzgzxv
/usr/bin/kdggxzgzxv	1581	kdggxzgzxv
/usr/bin/kdggxzgzxv	1584	kdggxzgzxv
/usr/bin/xnymbhpffp	1602	xnymbhpffp
/usr/bin/xnymbhpffp	1604	xnymbhpffp
/usr/bin/xnymbhpffp	1608	xnymbhpffp
/usr/bin/xnymbhpffp	1611	xnymbhpffp
/usr/bin/xnymbhpffp	1614	xnymbhpffp

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
Write file to user bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /usr/bin/kdggxzgzxv
File opened for modification /usr/bin/xnymbhpffp

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf

description	ioc
File opened for modification	/usr/bin/kdggxzgzxv
File opened for modification	/usr/bin/xnymbhpffp

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc
File opened for reading	/proc/rs_dev
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl

/tmp/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
/tmp/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1536

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1542
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1543

/bin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/sbin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/bin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/sbin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/local/bin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/local/sbin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/X11R6/bin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/bin/update-rc.d
update-rc.d 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf defaults
1⤵
PID:1541

/sbin/update-rc.d
update-rc.d 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf defaults
1⤵
PID:1541

/usr/bin/update-rc.d
update-rc.d 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf defaults
1⤵
PID:1541

/usr/sbin/update-rc.d
update-rc.d 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf defaults
1⤵
PID:1541
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1547

/usr/bin/kdggxzgzxv
/usr/bin/kdggxzgzxv top 1537
1⤵
- Executes dropped EXE
PID:1549

/usr/bin/kdggxzgzxv
/usr/bin/kdggxzgzxv sh 1537
1⤵
- Executes dropped EXE
PID:1571

/usr/bin/kdggxzgzxv
/usr/bin/kdggxzgzxv whoami 1537
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/kdggxzgzxv
/usr/bin/kdggxzgzxv gnome-terminal 1537
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/kdggxzgzxv
/usr/bin/kdggxzgzxv id 1537
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/xnymbhpffp
/usr/bin/xnymbhpffp "sleep 1" 1537
1⤵
- Executes dropped EXE
PID:1602

/usr/bin/xnymbhpffp
/usr/bin/xnymbhpffp "sleep 1" 1537
1⤵
- Executes dropped EXE
PID:1604

/usr/bin/xnymbhpffp
/usr/bin/xnymbhpffp ifconfig 1537
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/xnymbhpffp
/usr/bin/xnymbhpffp id 1537
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/xnymbhpffp
/usr/bin/xnymbhpffp "netstat -antop" 1537
1⤵
- Executes dropped EXE
PID:1614

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf

Filesize
605B

MD5
422d14188d05ccccbd7d6c01b3a633fc

SHA1
cfc080d110a8c19b65554fa4779537a769353504

SHA256
f396b4e2dc56426e0b65860d408c989dd09e732c953a4be2ea235c6a040fade2

SHA512
44fa90ca306668779a441cfc1344eb18ded225a4e72011cac0b8f90e1326724ea977c24f4bd173d2c9bacb02fef8369ccd2f94e4c3c84ba1d2966c79b3e4a3e8

Download Submit
/etc/sedSGwq9e

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/run/gcc.pid

Filesize
32B

MD5
f9dfbaf81c4752f131a073b21855e4eb

SHA1
c96da0fc12f292c208110688a885b7f79bdf4e89

SHA256
cf883da6021e6388a54ac5571cdd412a14c7c255e27e8ad2f347d73d3afe54e9

SHA512
032ce1f0874183ee778f17eaa74eb2be10b74b16e87c0224d37139c309b531500f17b812ac1b7743fd5db0c65fa83c31ce03aadef51bcb0be06bf0fc615a85f5

Download Submit
/usr/bin/kdggxzgzxv

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/kdggxzgzxv

Filesize
611KB

MD5
61c1b6fefd64e6f64fdcc58f5ee18342

SHA1
10d79d6f07dbc1e502d35309be141b3ec65bd787

SHA256
bb576ff740ef6cca4541f4da6cae6ddacef95b65c741f9685887fb9dcdb6b1f0

SHA512
1bf9f6e7f399cd07a4ea27c6e4dbf2f8bb056b9242e1ac25befeb0268720eb750f0f9b04293274d985392ae0f9c31f134f41683f6f4724533b31a89f4ab41d2c

Download Submit
/usr/bin/kdggxzgzxv

Filesize
611KB

MD5
e58a1a416c1bc19525a114ef65960aa3

SHA1
e3d235987cab35f07de7a836a988880b008cde9c

SHA256
1f56e58598d31ca64e8c38acff07d0fc7d7a2d760f231325feb4ff6beb6ecdc4

SHA512
8c2098d087b9b01cf0faa51aa179cd785b30765ca541fc0d05664daad8df18e8dc351f421a439c11e28f0651a22324c2abe6d31edefcf4e9f5bf96ad8fe1e4b5

Download Submit
/usr/bin/xnymbhpffp

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/xnymbhpffp

Filesize
611KB

MD5
edb9683a9a5ef2a6d9d250985dda5f70

SHA1
ebdea9b479ed718c2db6a280b3cae66b0bdad961

SHA256
70a6179379262f410192f99832193ffb3f1aac57f397f1c04e1ce4509fe7072c

SHA512
9794c41d6e3fc19e0bf980664ea994e4732d49121793de74c56b1c9995d44ee1d426dfcbfc54127301e042a122f86697475a798a06d1b513224bd33b5d29fba1

Download Submit
/usr/bin/xnymbhpffp

Filesize
611KB

MD5
dea679f355206203d8b84d6cd49c5532

SHA1
c0b27d1ea8655d522a22303c9fd3ccfc79576674

SHA256
e5d415074f931c8941f3a615bb84b19b2b79beb16604113adf22cd83022b5148

SHA512
b8aa6e7792458165b7b9dd83e15764a6ee5e0471e936ca11de0557622e844feb0c241568f6f4ac40dea9db13a083aa461b7fe46459254567646f46e7d5528dba

Download Submit