xorddos | 8e996db5961bec2587b92b94e946d2b58230187426757f199ca99b59074d6391

Resubmissions

02-11-2023 08:28

231102-kdepaahe7v 10

02-11-2023 08:25

231102-kbbjvabd87 10

02-11-2023 08:23

231102-kaly7ahe31 10

31-10-2023 10:42

231031-mr4lnsfe3y 10

Analysis

max time kernel
28s
max time network
56s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231026-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231026-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02-11-2023 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
Size

611KB
MD5

85682d3effdb2d559fd84df491e9461a
SHA1

2fb53f36a77339e1dd8458dd3fe561355de76211
SHA256

3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba
SHA512

f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrryT6yF8EEP4UlUuTh1Ae:FBXmkN/+Fhu/Qo4h9L+zNNyBVEBl/91f

Score

10^/10

xorddos antivm botnet discovery downloader persistence

Malware Config

Extracted

Family

xorddos

http://www1.gggatat456.com/dd.rar

ppp.gggatat456.com:1525

ppp.xxxatat456.com:1525

p5.dddgata789.com:1525

p5.lpjulidny7.com:1525

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 15 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-19.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 21 IoCs

ioc	pid	Process
/usr/bin/hytherwwzk	1552	hytherwwzk
/usr/bin/hytherwwzk	1571	hytherwwzk
/usr/bin/hytherwwzk	1578	hytherwwzk
/usr/bin/hytherwwzk	1581	hytherwwzk
/usr/bin/hytherwwzk	1584	hytherwwzk
/usr/bin/vsgnxolpzo	1598	vsgnxolpzo
/usr/bin/vsgnxolpzo	1601	vsgnxolpzo
/usr/bin/vsgnxolpzo	1604	vsgnxolpzo
/usr/bin/vsgnxolpzo	1607	vsgnxolpzo
/usr/bin/vsgnxolpzo	1610	vsgnxolpzo
/usr/bin/kvtxmphoej	1613	kvtxmphoej
/usr/bin/kvtxmphoej	1616	kvtxmphoej
/usr/bin/kvtxmphoej	1619	kvtxmphoej
/usr/bin/kvtxmphoej	1622	kvtxmphoej
/usr/bin/kvtxmphoej	1625	kvtxmphoej
/usr/bin/osvgzovsxr	1628	osvgzovsxr
/usr/bin/osvgzovsxr	1631	osvgzovsxr
/usr/bin/osvgzovsxr	1634	osvgzovsxr
/usr/bin/osvgzovsxr	1637	osvgzovsxr
/usr/bin/osvgzovsxr	1640	osvgzovsxr
/usr/bin/jisnlpxrlx	1645	jisnlpxrlx

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/jisnlpxrlx
File opened for modification	/usr/bin/hytherwwzk
File opened for modification	/usr/bin/vsgnxolpzo
File opened for modification	/usr/bin/kvtxmphoej
File opened for modification	/usr/bin/osvgzovsxr

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl

/tmp/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
/tmp/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1536

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1542
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1543

/bin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/sbin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/bin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/sbin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/local/bin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/local/sbin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/usr/X11R6/bin/chkconfig
chkconfig --add 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf
1⤵
PID:1539

/bin/update-rc.d
update-rc.d 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf defaults
1⤵
PID:1541

/sbin/update-rc.d
update-rc.d 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf defaults
1⤵
PID:1541

/usr/bin/update-rc.d
update-rc.d 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf defaults
1⤵
PID:1541

/usr/sbin/update-rc.d
update-rc.d 3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf defaults
1⤵
PID:1541
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1547

/usr/bin/hytherwwzk
/usr/bin/hytherwwzk "ps -ef" 1537
1⤵
- Executes dropped EXE
PID:1552

/usr/bin/hytherwwzk
/usr/bin/hytherwwzk ls 1537
1⤵
- Executes dropped EXE
PID:1571

/usr/bin/hytherwwzk
/usr/bin/hytherwwzk sh 1537
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/hytherwwzk
/usr/bin/hytherwwzk ls 1537
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/hytherwwzk
/usr/bin/hytherwwzk "ls -la" 1537
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/vsgnxolpzo
/usr/bin/vsgnxolpzo su 1537
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/vsgnxolpzo
/usr/bin/vsgnxolpzo ls 1537
1⤵
- Executes dropped EXE
PID:1601

/usr/bin/vsgnxolpzo
/usr/bin/vsgnxolpzo whoami 1537
1⤵
- Executes dropped EXE
PID:1604

/usr/bin/vsgnxolpzo
/usr/bin/vsgnxolpzo "cat resolv.conf" 1537
1⤵
- Executes dropped EXE
PID:1607

/usr/bin/vsgnxolpzo
/usr/bin/vsgnxolpzo "netstat -an" 1537
1⤵
- Executes dropped EXE
PID:1610

/usr/bin/kvtxmphoej
/usr/bin/kvtxmphoej id 1537
1⤵
- Executes dropped EXE
PID:1613

/usr/bin/kvtxmphoej
/usr/bin/kvtxmphoej "ls -la" 1537
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/kvtxmphoej
/usr/bin/kvtxmphoej pwd 1537
1⤵
- Executes dropped EXE
PID:1619

/usr/bin/kvtxmphoej
/usr/bin/kvtxmphoej "netstat -antop" 1537
1⤵
- Executes dropped EXE
PID:1622

/usr/bin/kvtxmphoej
/usr/bin/kvtxmphoej "ps -ef" 1537
1⤵
- Executes dropped EXE
PID:1625

/usr/bin/osvgzovsxr
/usr/bin/osvgzovsxr "cd /etc" 1537
1⤵
- Executes dropped EXE
PID:1628

/usr/bin/osvgzovsxr
/usr/bin/osvgzovsxr id 1537
1⤵
- Executes dropped EXE
PID:1631

/usr/bin/osvgzovsxr
/usr/bin/osvgzovsxr top 1537
1⤵
- Executes dropped EXE
PID:1634

/usr/bin/osvgzovsxr
/usr/bin/osvgzovsxr who 1537
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/osvgzovsxr
/usr/bin/osvgzovsxr ifconfig 1537
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/jisnlpxrlx
/usr/bin/jisnlpxrlx "ifconfig eth0" 1537
1⤵
- Executes dropped EXE
PID:1645

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba.elf

Filesize
605B

MD5
422d14188d05ccccbd7d6c01b3a633fc

SHA1
cfc080d110a8c19b65554fa4779537a769353504

SHA256
f396b4e2dc56426e0b65860d408c989dd09e732c953a4be2ea235c6a040fade2

SHA512
44fa90ca306668779a441cfc1344eb18ded225a4e72011cac0b8f90e1326724ea977c24f4bd173d2c9bacb02fef8369ccd2f94e4c3c84ba1d2966c79b3e4a3e8

Download Submit
/etc/sedDL86Wv

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/run/gcc.pid

Filesize
32B

MD5
72ab3e55fda1bad86702fd2e1ec2293c

SHA1
b3d3ba7d52e652ddb95e2b68c44a2eebb62c4252

SHA256
b1ac767ab0e04034c1341d36d202b6d6c90377d2d73538d3ee98f0228ec8decc

SHA512
490d17bec4c0800b03fef23623cf98cd8b53c6c3b05b5c90d41646370e4c3dc505c612e1a7edf850b1b8530f16f30eb77a42a7397403b2f7fc67090abe6751aa

Download Submit
/usr/bin/hytherwwzk

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/hytherwwzk

Filesize
611KB

MD5
b79c8de68d5cf1987e415aa2d0d4bef4

SHA1
0f7bf2460d143661b4f9b0084e4c9e8d4b368c57

SHA256
d2a1c34d89bf0960bf35606986d6adffe93e76dbc81ac570a1357413a8eeee59

SHA512
9e890f1c901c1a15bb7efb23776f36e3ce993a70a15aa1f30c35c0c3d70c53499c014fba196a505f22c1817aa1b5d940eb8579d882c771ebcc58c9e073068fb5

Download Submit
/usr/bin/hytherwwzk

Filesize
611KB

MD5
061761271eefdb242c844ad212471f70

SHA1
f4efcb701e5834b7fb21048d70cb14cd4151eb4f

SHA256
32849c55e04e1eb5958145767c5f6a3458eba2aca59b07d2536dae97d611d3ae

SHA512
5c8fd1a688364720a1a2ac34ae5d9434d319e826183931ca14ce0fcc1eefc8b6ea1523fed60788e1d3a3ebcff45719b4ef16323cf8d470cde5225029affb646a

Download Submit
/usr/bin/jisnlpxrlx

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/jisnlpxrlx

Filesize
611KB

MD5
96dc0b996ba588dee45f8f6242622aa8

SHA1
bf2eaac1136c8b8e05fb093d7e697c89e2cd9b5f

SHA256
5f69ad20ddba158560fc7f7d67c2484e7eeaea4db174afd12d4d517107eae90c

SHA512
f743149fe4b03674c1060f31fe5aa3b9d74536f0ae215d78535cd462fac264321bd636eed82e3f4fb71ad201ba87539e5a067b1754861cbdeea1ad27b93e03f1

Download Submit
/usr/bin/kvtxmphoej

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/kvtxmphoej

Filesize
611KB

MD5
5b1010d8b41ff0c7afa93df023046333

SHA1
16ea757afd405ea9b90a09860aa51c6eb0c13b09

SHA256
9f828c15f2e0ca5dfe5726f91b4fd4acbebe29a377effb9af72c8f89737819e1

SHA512
65afca3c7702e5c9f72fd8fab1c37c7d90fb1cf18d24a45b67ce3ffc067e3123a8dd3ab228fbc02cee17674fd25e79475009261249f78149c12d0e6e75d3eeed

Download Submit
/usr/bin/kvtxmphoej

Filesize
611KB

MD5
4a961e50ff7ae463f2852566fa4c0af4

SHA1
7ab69228671c96ea42466ab4c95a119a9dda838e

SHA256
e06e18c399b30430499f2a003dd103ba512d94b9f9c915eea1e3e30fdd040618

SHA512
4b2f7018080829dc632a8c23315861d592ea713e4be9600e2404b216b598ccd24e9258d36e181847cf6f63d6aad6b646c1ea9fb1f2092b9450629b4d413f8221

Download Submit
/usr/bin/osvgzovsxr

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/osvgzovsxr

Filesize
611KB

MD5
0d0f61405260d65281fcc972c819c51d

SHA1
69beceb3b82aa300707df42d422085ad225cc9a2

SHA256
e0ce7a115903663f39421ef1bc04110472c6d6d6a89db5480d532991979eebf1

SHA512
b034a9bf8c9fddc6952ae14e3bc209245a4b266ec8d292648d952c5317943d55bfcd96f65d86c05347721f2bc9e98a65bc8b567f8a5ad46b757e09296966a41f

Download Submit
/usr/bin/osvgzovsxr

Filesize
611KB

MD5
96e0057bc0ef60d358d06c6be348df8c

SHA1
d172eb01dcc364603b31c2e5f78f0e464a9ac3ec

SHA256
86127312c35a4b450a3d6a65a8cc5288e7deffa2114e7933c59aff9b6c2e6810

SHA512
efb873e95d663c46c086ce90b0f9da949ecc55fe1bd56402a5f1f57cce7b4f33345c0065557274334934877e06da06150814c872907f1be8c8f910dde8e41f45

Download Submit
/usr/bin/vsgnxolpzo

Filesize
611KB

MD5
85682d3effdb2d559fd84df491e9461a

SHA1
2fb53f36a77339e1dd8458dd3fe561355de76211

SHA256
3a8a11b60fd8e2f93d29fb46cdda68fd404b06147a7c717d3619b088e39875ba

SHA512
f4cb94b160ed93d57b05d151c949c4dfd3a8b44d45af6d9432d2a9f1fafc02dec4e66d4f3cbdeeba16c769fc97b4f48a611aa92f653b1aa8f07b90d876168a86

Download Submit
/usr/bin/vsgnxolpzo

Filesize
611KB

MD5
94b169553a0269d2ba67f7813379b17f

SHA1
0e29800d1ffff18bc4764da4a8ae826d9bf692f9

SHA256
33d2452d8f174aa66388fe5c18b7824d287a1866ddeb307ac66223eb2ed80cb3

SHA512
4cc56ab56307997e284c3d32459c8e974ac58a48750d3c8ddd868dee6bd3e681093db315f0e3cc9dd66acad58131bf0de3280ac98055dd5a01c90b415d2a6b58

Download Submit
/usr/bin/vsgnxolpzo

Filesize
611KB

MD5
08dce6f68263acab8563371b29980f12

SHA1
9c913a9f2582d626ee50236dbc92bfb265a58b42

SHA256
67c06af5d274dff8389b3114c61c5cc5242b1ce288996f403040205aae309aab

SHA512
060fd37a4b5e0a4644d1d8c24f83562797a5162454036b24f011986dade3a02937acaa3a86fc91d04de471bea8ce6817c2e0ad51d767e7c11162413b18f0da76

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads