Resubmissions
02-11-2023 08:28  231102-kdepaahe7v  score 10
02-11-2023 08:25  231102-kbbjvabd87  score 10
02-11-2023 08:23  231102-kaly7ahe31  score 10
31-10-2023 10:42  231031-mr4lnsfe3y  score 10

Analysis
max time kernel: 62s
max time network: 84s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231026-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231026-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 02-11-2023 08:25
Behavioral task: behavioral1
Sample: 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
Resource: ubuntu1804-amd64-20231026-en
General
Target: 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
Size: 611KB
MD5: 85682d3effdb2d559fd84df491e9461a
SHA1: 2fb53f36a77339e1dd8458dd3fe561355de76211
SHA256: 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba
SHA512: f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86
SSDEEP: 12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrryT6yF8EEP4UlUuTh1Ae:FBXmkN/+Fhu/Qo4h9L+zNNyBVEBl/91f
Malware Config
Extracted
family: xorddos
C2:
http://www1.gggatat456.com/dd.rar
ppp.gggatat456.com:1525
ppp.xxxatat456.com:1525
p5.dddgata789.com:1525
p5.lpjulidny7.com:1525
crc_polynomial: EDB88320
Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

XorDDoS payload 16 IoCs
Processes:
resource                           yara_rule
behavioral1/files/fstream-5.dat    family_xorddos
behavioral1/files/fstream-6.dat    family_xorddos
behavioral1/files/fstream-8.dat    family_xorddos
behavioral1/files/fstream-9.dat    family_xorddos
behavioral1/files/fstream-10.dat   family_xorddos
behavioral1/files/fstream-11.dat   family_xorddos
behavioral1/files/fstream-12.dat   family_xorddos
behavioral1/files/fstream-13.dat   family_xorddos
behavioral1/files/fstream-14.dat   family_xorddos
behavioral1/files/fstream-15.dat   family_xorddos
behavioral1/files/fstream-16.dat   family_xorddos
behavioral1/files/fstream-17.dat   family_xorddos
behavioral1/files/fstream-18.dat   family_xorddos
behavioral1/files/fstream-19.dat   family_xorddos
behavioral1/files/fstream-20.dat   family_xorddos
behavioral1/files/fstream-21.dat   family_xorddos
Deletes itself 3 IoCs
Processes:
pid: 1667, 1671, 1673
Executes dropped EXE 23 IoCs
Processes:
ioc                   pid    Process
/usr/bin/ypcgbteiyg   1558   ypcgbteiyg
/usr/bin/ypcgbteiyg   1562   ypcgbteiyg
/usr/bin/ypcgbteiyg   1566   ypcgbteiyg
/usr/bin/ypcgbteiyg   1568   ypcgbteiyg
/usr/bin/ypcgbteiyg   1572   ypcgbteiyg
/usr/bin/xldqdjyzks   1618   xldqdjyzks
/usr/bin/xldqdjyzks   1621   xldqdjyzks
/usr/bin/xldqdjyzks   1624   xldqdjyzks
/usr/bin/xldqdjyzks   1627   xldqdjyzks
/usr/bin/xldqdjyzks   1630   xldqdjyzks
/usr/bin/trdfomjisd   1633   trdfomjisd
/usr/bin/trdfomjisd   1636   trdfomjisd
/usr/bin/trdfomjisd   1639   trdfomjisd
/usr/bin/trdfomjisd   1642   trdfomjisd
/usr/bin/trdfomjisd   1645   trdfomjisd
/usr/bin/butauxogtd   1648   butauxogtd
/usr/bin/butauxogtd   1651   butauxogtd
/usr/bin/butauxogtd   1653   butauxogtd
/usr/bin/butauxogtd   1657   butauxogtd
/usr/bin/butauxogtd   1660   butauxogtd
/usr/bin/frppszxbmk   1665   frppszxbmk
/usr/bin/frppszxbmk   1668   frppszxbmk
/usr/bin/frppszxbmk   1670   frppszxbmk
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information, which can indicate whether the system is a virtual machine.
Processes:
description                ioc
File opened for reading    /proc/cpuinfo
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description                     ioc                        Process
File opened for modification    /etc/cron.hourly/gcc.sh    sh