Analysis
max time kernel: 301s
max time network: 212s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231026-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231026-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 10-11-2023 10:31
Behavioral task: behavioral1
Sample: f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876.elf
Resource: ubuntu1804-amd64-20231026-en
General
Target: f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876.elf
Size: 647KB
MD5: d20e3e491d242d649c3fcf4879f2cbf2
SHA1: 681406d197c6de50bc611bb466c012f0cd9b4aa6
SHA256: f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876
SHA512: de50e27b457d3ee8e9d41800c83fd5eb4a1f0b0d568f02a4ecd482a4390b435410c15a262c123162e7e7f877219ff8fe13ce763ecece80f96872cd050895141c
SSDEEP: 12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
Malware Config
Extracted: xorddos
http://info1.3000uc.com/b/u.php
aaaaaaaaaa.re67das.com:5859
aa369369.f3322.org:2897
crc_polynomial: EDB88320
Signatures
XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
XorDDoS payload: 37 IoCs
Deletes itself: 1 IoC
Process: pid 1541
Executes dropped EXE: 36 IoCs
Unexpected DNS network traffic destination: 38 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
ioc: Destination IP 114.114.114.114 (listed 38 times)
Creates/modifies Cron job: 1 TTP, 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
sh: File opened for modification /etc/crontab
sh: File opened for modification /etc/cron.hourly/cron.sh