xorddos | 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee

Analysis

max time kernel
154s
max time network
159s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55a111f4625348cffd6d910e49f5dbdc
Size

611KB
MD5

55a111f4625348cffd6d910e49f5dbdc
SHA1

0cb723f7dcf9ae320501ee93dba2363699811576
SHA256

86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee
SHA512

c2d30d334e2f30684474c72034ab170bf662aff8130606eb4eee7bc39bfd75f4c5d111957621ae290e821be3cd31d2f517e275dda571299671397248502301d7
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrgT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNgBVEBl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.finance1num.org/config.rar

cdn.netflix2cdn.com:80

cdn.finance1num.com:80

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 9 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 1 IoCs

pid
1657

Executes dropped EXE 24 IoCs

ioc	pid	Process
/usr/bin/jbefzghcqk	1560	jbefzghcqk
/usr/bin/jbefzghcqk	1563	jbefzghcqk
/usr/bin/jbefzghcqk	1566	jbefzghcqk
/usr/bin/jbefzghcqk	1590	jbefzghcqk
/usr/bin/jbefzghcqk	1599	jbefzghcqk
/usr/bin/zpfngytqoi	1605	zpfngytqoi
/usr/bin/zpfngytqoi	1607	zpfngytqoi
/usr/bin/zpfngytqoi	1611	zpfngytqoi
/usr/bin/zpfngytqoi	1614	zpfngytqoi
/usr/bin/zpfngytqoi	1617	zpfngytqoi
/usr/bin/yhxoimyuah	1620	yhxoimyuah
/usr/bin/yhxoimyuah	1622	yhxoimyuah
/usr/bin/yhxoimyuah	1626	yhxoimyuah
/usr/bin/yhxoimyuah	1629	yhxoimyuah
/usr/bin/yhxoimyuah	1631	yhxoimyuah
/usr/bin/owohplenmy	1637	owohplenmy
/usr/bin/owohplenmy	1640	owohplenmy
/usr/bin/owohplenmy	1643	owohplenmy
/usr/bin/owohplenmy	1646	owohplenmy
/usr/bin/owohplenmy	1649	owohplenmy
/usr/bin/zbnkgqibbk	1652	zbnkgqibbk
/usr/bin/zbnkgqibbk	1655	zbnkgqibbk
/usr/bin/zbnkgqibbk	1658	zbnkgqibbk
/usr/bin/zbnkgqibbk	1660	zbnkgqibbk

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/55a111f4625348cffd6d910e49f5dbdc

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/zpfngytqoi
File opened for modification	/usr/bin/yhxoimyuah
File opened for modification	/usr/bin/owohplenmy
File opened for modification	/usr/bin/zbnkgqibbk
File opened for modification	/usr/bin/jbefzghcqk

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl

/tmp/55a111f4625348cffd6d910e49f5dbdc
/tmp/55a111f4625348cffd6d910e49f5dbdc
1⤵
PID:1544

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1550
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1554

/bin/chkconfig
chkconfig --add 55a111f4625348cffd6d910e49f5dbdc
1⤵
PID:1547

/sbin/chkconfig
chkconfig --add 55a111f4625348cffd6d910e49f5dbdc
1⤵
PID:1547

/usr/bin/chkconfig
chkconfig --add 55a111f4625348cffd6d910e49f5dbdc
1⤵
PID:1547

/usr/sbin/chkconfig
chkconfig --add 55a111f4625348cffd6d910e49f5dbdc
1⤵
PID:1547

/usr/local/bin/chkconfig
chkconfig --add 55a111f4625348cffd6d910e49f5dbdc
1⤵
PID:1547

/usr/local/sbin/chkconfig
chkconfig --add 55a111f4625348cffd6d910e49f5dbdc
1⤵
PID:1547

/usr/X11R6/bin/chkconfig
chkconfig --add 55a111f4625348cffd6d910e49f5dbdc
1⤵
PID:1547

/bin/update-rc.d
update-rc.d 55a111f4625348cffd6d910e49f5dbdc defaults
1⤵
PID:1549

/sbin/update-rc.d
update-rc.d 55a111f4625348cffd6d910e49f5dbdc defaults
1⤵
PID:1549

/usr/bin/update-rc.d
update-rc.d 55a111f4625348cffd6d910e49f5dbdc defaults
1⤵
PID:1549

/usr/sbin/update-rc.d
update-rc.d 55a111f4625348cffd6d910e49f5dbdc defaults
1⤵
PID:1549
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1556

/usr/bin/jbefzghcqk
/usr/bin/jbefzghcqk "route -n" 1545
1⤵
- Executes dropped EXE
PID:1560

/usr/bin/jbefzghcqk
/usr/bin/jbefzghcqk whoami 1545
1⤵
- Executes dropped EXE
PID:1563

/usr/bin/jbefzghcqk
/usr/bin/jbefzghcqk uptime 1545
1⤵
- Executes dropped EXE
PID:1566

/usr/bin/jbefzghcqk
/usr/bin/jbefzghcqk gnome-terminal 1545
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/jbefzghcqk
/usr/bin/jbefzghcqk "ls -la" 1545
1⤵
- Executes dropped EXE
PID:1599

/usr/bin/zpfngytqoi
/usr/bin/zpfngytqoi "cd /etc" 1545
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/zpfngytqoi
/usr/bin/zpfngytqoi who 1545
1⤵
- Executes dropped EXE
PID:1607

/usr/bin/zpfngytqoi
/usr/bin/zpfngytqoi id 1545
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/zpfngytqoi
/usr/bin/zpfngytqoi id 1545
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/zpfngytqoi
/usr/bin/zpfngytqoi "cat resolv.conf" 1545
1⤵
- Executes dropped EXE
PID:1617

/usr/bin/yhxoimyuah
/usr/bin/yhxoimyuah sh 1545
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/yhxoimyuah
/usr/bin/yhxoimyuah ifconfig 1545
1⤵
- Executes dropped EXE
PID:1622

/usr/bin/yhxoimyuah
/usr/bin/yhxoimyuah "echo \"find\"" 1545
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/yhxoimyuah
/usr/bin/yhxoimyuah "echo \"find\"" 1545
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/yhxoimyuah
/usr/bin/yhxoimyuah "ps -ef" 1545
1⤵
- Executes dropped EXE
PID:1631

/usr/bin/owohplenmy
/usr/bin/owohplenmy uptime 1545
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/owohplenmy
/usr/bin/owohplenmy ls 1545
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/owohplenmy
/usr/bin/owohplenmy pwd 1545
1⤵
- Executes dropped EXE
PID:1643

/usr/bin/owohplenmy
/usr/bin/owohplenmy "echo \"find\"" 1545
1⤵
- Executes dropped EXE
PID:1646

/usr/bin/owohplenmy
/usr/bin/owohplenmy uptime 1545
1⤵
- Executes dropped EXE
PID:1649

/usr/bin/zbnkgqibbk
/usr/bin/zbnkgqibbk ls 1545
1⤵
- Executes dropped EXE
PID:1652

/usr/bin/zbnkgqibbk
/usr/bin/zbnkgqibbk "route -n" 1545
1⤵
- Executes dropped EXE
PID:1655

/usr/bin/zbnkgqibbk
/usr/bin/zbnkgqibbk "cd /etc" 1545
1⤵
- Executes dropped EXE
PID:1658

/usr/bin/zbnkgqibbk
/usr/bin/zbnkgqibbk sh 1545
1⤵
- Executes dropped EXE
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/55a111f4625348cffd6d910e49f5dbdc

Filesize
425B

MD5
1b17e29548f7ea0a563a7fde9df39fbd

SHA1
2d8289b6555dceeca89262ffd42fea1eb4cf344c

SHA256
720ed40ac42f0db46c3117b0dc2d334f94acaeade822b12ce00f946009e838f5

SHA512
1263a28c33f97e90c09a1166a9a049ecdee483097223d78905c624465e9b5e26a16488bf087e89561a1409942ee826a1470653f6c1af47222e23e60b194e039f

Download Submit
/etc/sedM1nu26

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
55a111f4625348cffd6d910e49f5dbdc

SHA1
0cb723f7dcf9ae320501ee93dba2363699811576

SHA256
86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee

SHA512
c2d30d334e2f30684474c72034ab170bf662aff8130606eb4eee7bc39bfd75f4c5d111957621ae290e821be3cd31d2f517e275dda571299671397248502301d7

Download Submit
/run/gcc.pid

Filesize
32B

MD5
238487bb0a06305f903c9c6ac4b1e7cd

SHA1
3554680150e4e1ffaee7949ea5bdeec74655a438

SHA256
8c12c7390c63c6c27b0822f8a54ae617b471f13e775d4480768125d4b6ced903

SHA512
47e038a067cbeef22a5a5831564b443c0f068a9292f089879e331f34a00cc7cdfaa866a59d6f124b86995f879c230e3b1f335ed997fead9391dbad83cd498624

Download Submit
/usr/bin/jbefzghcqk

Filesize
611KB

MD5
6b31de7b7cb922c30b3f3a81d83fd45b

SHA1
40f9f5134f48772cb07f2be53287b478b8c8cd11

SHA256
243676163807e9621337fa44edde91719f29d1ea32df3c1c0b33825bbe2817c6

SHA512
f54aa99bfc914ef54afad8238bdb3bd167e177a799d0dd5a3453a4fc41e74b4a4bd0529e4aa2f8883105c2e2e9c4ad4ed6847da61ae9eebed3934ff0ef593944

Download Submit
/usr/bin/jbefzghcqk

Filesize
611KB

MD5
d5e6ca6b8314657e63b74bc6e1a59223

SHA1
b37b7bfde4a6eaddcb90803a57cab815d2d5565d

SHA256
b4bb50f7ecd7e2dc7b9addea4853a1fdc1f0d311e576c89437338a71f0555775

SHA512
57be8181246e9d9b6532ff61fa680d74ba5365673b0725f9bb40febfbcd84a8890a9b5ad71f0bd2ae68d55a132da4e2d3ecb710a36debd352167855d2ac2238a

Download Submit
/usr/bin/yhxoimyuah

Filesize
611KB

MD5
3a5b42ef5602654b596e7b87616e2453

SHA1
bd6669a62a3ebef4c33951596c113a2c20c365f4

SHA256
f57caf95ae835afee502c25346ef975d70191c5fb21d59be6fccf4af917bca04

SHA512
90f5464813e6823a84400c05a1294c4d606d59ce0f6debf5972df65dbe90a23fe49f43ae884656c498f63d5fdabfaf5e410608d6d905ae0075bc4539834bba51

Download Submit
/usr/bin/yhxoimyuah

Filesize
611KB

MD5
a90e8759c4d220a657ff1e5ed29a6ef5

SHA1
63ae5cc094e6256c9e65ff39030657a2bac4c9f6

SHA256
4da3556ab08096fc6fa4b6879e2f9bc08b5a25d52509f57fcff2a7a79e5eae92

SHA512
df09a4a61d59bee989a57e02fcce540f1a7264f3d64b1f0c802df855aad8cf2d92dce8c454f93a8bb7056fe2ba6da097e818158071322e5186c61b23a32806ae

Download Submit
/usr/bin/zbnkgqibbk

Filesize
611KB

MD5
f8eaf183c5d0a92a20e87d4455a9da30

SHA1
2ff7de02fc59ef895976bc1c92647719d33c5732

SHA256
4ab1ea160b9f424db1629c9ca4f8042260b7fb9988869c16cea6c5c0aa4081c9

SHA512
ac6a1fe0c5c624c81160008ce2d27773174e75159f48075fca03c3fc61b7a009e42a3f1d80f5f33a62184572c337f4a73c09ea43f74c3c24d6981c65c383829f

Download Submit
/usr/bin/zbnkgqibbk

Filesize
611KB

MD5
86e82c6b31f9f02689868cc0d039459f

SHA1
24d6fb6a5a22aa67c3ff4462d703c11d4028e32a

SHA256
87b6db4fbdf3626ebe047adeced664ebea50c6d65f49c887c1b180db08bfae03

SHA512
2b5a32ca2d19802a2f485a1ca150e8d52c1723767cfca0899e435c31ab3ef30e8b357773ad3bdebe838d10c8c83288a4a0dc7206122bb4ca6d761e866a706fe1

Download Submit
/usr/bin/zpfngytqoi

Filesize
611KB

MD5
85139cd4db85b1bd1c5b705510731abd

SHA1
c33afeb56cb39a55b75fb43231d0dd66bce2c948

SHA256
3de514ff8795a8da313643be105fc91526d61b61712fa55a77282dd197e89117

SHA512
b1c996a40bfc7b9a3db9d27b6e05834f4523e612fbd06a8546a37094f480c3295351edb5f8bddfff2ca0ddf58ef501e66b397d432c86be1e8d8ffc0768fe72a2

Download Submit
/usr/bin/zpfngytqoi

Filesize
611KB

MD5
ab466abd97a0ec7e206120b045ca0b22

SHA1
05026c87f382abfaae3bdcd866ef5b667766978f

SHA256
98f8605dff6c29b1f59e29e19c41567b3575bbbb9a74c44ea6ca14afd63af9c0

SHA512
0578bbbb54e8fb53cc3d9e1758aac9f16c94de8b11eedb0b1413de02bc766f6d37486bf3f27580d7faeb2a508367f5bbec0bf75ea3967acebedde4e3a0bb7e23

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads