xorddos | 8c765d8fdc96e55d5d050e875b5b58108ec0754cef6b9bf76684db49890e2e28

Analysis

max time kernel
151s
max time network
155s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28b4c1d34913014f2ea43298db493216
Size

611KB
MD5

28b4c1d34913014f2ea43298db493216
SHA1

113cb9d7f85f8d264f5a75ede41e275478841aac
SHA256

8c765d8fdc96e55d5d050e875b5b58108ec0754cef6b9bf76684db49890e2e28
SHA512

634af7f9986942d1e81fef965ea7f068051f72f2102e4dce0861a2df3c983f3d0001b7b9eec7ee98f6110eeed24761145aebaac9b7a267a84975797c00391e1b
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrNT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNNBVEBl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.finance1num.org/config.rar

cdn.netflix2cdn.com:23

cdn.finance1num.com:23

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 10 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 2 IoCs

pid
1640
1642

Executes dropped EXE 23 IoCs

ioc	pid	Process
/usr/bin/ixqshhvfie	1557	ixqshhvfie
/usr/bin/ixqshhvfie	1573	ixqshhvfie
/usr/bin/ixqshhvfie	1583	ixqshhvfie
/usr/bin/ixqshhvfie	1586	ixqshhvfie
/usr/bin/ixqshhvfie	1589	ixqshhvfie
/usr/bin/nmoamecnjb	1592	nmoamecnjb
/usr/bin/nmoamecnjb	1595	nmoamecnjb
/usr/bin/nmoamecnjb	1598	nmoamecnjb
/usr/bin/nmoamecnjb	1601	nmoamecnjb
/usr/bin/nmoamecnjb	1604	nmoamecnjb
/usr/bin/jtszupsmku	1607	jtszupsmku
/usr/bin/jtszupsmku	1610	jtszupsmku
/usr/bin/jtszupsmku	1613	jtszupsmku
/usr/bin/jtszupsmku	1616	jtszupsmku
/usr/bin/jtszupsmku	1618	jtszupsmku
/usr/bin/zksmiakjhg	1622	zksmiakjhg
/usr/bin/zksmiakjhg	1624	zksmiakjhg
/usr/bin/zksmiakjhg	1628	zksmiakjhg
/usr/bin/zksmiakjhg	1630	zksmiakjhg
/usr/bin/zksmiakjhg	1634	zksmiakjhg
/usr/bin/oxrrbzcehs	1637	oxrrbzcehs
/usr/bin/oxrrbzcehs	1639	oxrrbzcehs
/usr/bin/oxrrbzcehs	1643	oxrrbzcehs

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/28b4c1d34913014f2ea43298db493216

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/ixqshhvfie
File opened for modification	/usr/bin/nmoamecnjb
File opened for modification	/usr/bin/jtszupsmku
File opened for modification	/usr/bin/zksmiakjhg
File opened for modification	/usr/bin/oxrrbzcehs

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl

/tmp/28b4c1d34913014f2ea43298db493216
/tmp/28b4c1d34913014f2ea43298db493216
1⤵
PID:1541

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1547
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1548

/bin/chkconfig
chkconfig --add 28b4c1d34913014f2ea43298db493216
1⤵
PID:1544

/sbin/chkconfig
chkconfig --add 28b4c1d34913014f2ea43298db493216
1⤵
PID:1544

/usr/bin/chkconfig
chkconfig --add 28b4c1d34913014f2ea43298db493216
1⤵
PID:1544

/usr/sbin/chkconfig
chkconfig --add 28b4c1d34913014f2ea43298db493216
1⤵
PID:1544

/usr/local/bin/chkconfig
chkconfig --add 28b4c1d34913014f2ea43298db493216
1⤵
PID:1544

/usr/local/sbin/chkconfig
chkconfig --add 28b4c1d34913014f2ea43298db493216
1⤵
PID:1544

/usr/X11R6/bin/chkconfig
chkconfig --add 28b4c1d34913014f2ea43298db493216
1⤵
PID:1544

/bin/update-rc.d
update-rc.d 28b4c1d34913014f2ea43298db493216 defaults
1⤵
PID:1546

/sbin/update-rc.d
update-rc.d 28b4c1d34913014f2ea43298db493216 defaults
1⤵
PID:1546

/usr/bin/update-rc.d
update-rc.d 28b4c1d34913014f2ea43298db493216 defaults
1⤵
PID:1546

/usr/sbin/update-rc.d
update-rc.d 28b4c1d34913014f2ea43298db493216 defaults
1⤵
PID:1546
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1556

/usr/bin/ixqshhvfie
/usr/bin/ixqshhvfie gnome-terminal 1542
1⤵
- Executes dropped EXE
PID:1557

/usr/bin/ixqshhvfie
/usr/bin/ixqshhvfie "sleep 1" 1542
1⤵
- Executes dropped EXE
PID:1573

/usr/bin/ixqshhvfie
/usr/bin/ixqshhvfie "cat resolv.conf" 1542
1⤵
- Executes dropped EXE
PID:1583

/usr/bin/ixqshhvfie
/usr/bin/ixqshhvfie uptime 1542
1⤵
- Executes dropped EXE
PID:1586

/usr/bin/ixqshhvfie
/usr/bin/ixqshhvfie ls 1542
1⤵
- Executes dropped EXE
PID:1589

/usr/bin/nmoamecnjb
/usr/bin/nmoamecnjb top 1542
1⤵
- Executes dropped EXE
PID:1592

/usr/bin/nmoamecnjb
/usr/bin/nmoamecnjb "ls -la" 1542
1⤵
- Executes dropped EXE
PID:1595

/usr/bin/nmoamecnjb
/usr/bin/nmoamecnjb su 1542
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/nmoamecnjb
/usr/bin/nmoamecnjb "echo \"find\"" 1542
1⤵
- Executes dropped EXE
PID:1601

/usr/bin/nmoamecnjb
/usr/bin/nmoamecnjb pwd 1542
1⤵
- Executes dropped EXE
PID:1604

/usr/bin/jtszupsmku
/usr/bin/jtszupsmku ifconfig 1542
1⤵
- Executes dropped EXE
PID:1607

/usr/bin/jtszupsmku
/usr/bin/jtszupsmku gnome-terminal 1542
1⤵
- Executes dropped EXE
PID:1610

/usr/bin/jtszupsmku
/usr/bin/jtszupsmku "cat resolv.conf" 1542
1⤵
- Executes dropped EXE
PID:1613

/usr/bin/jtszupsmku
/usr/bin/jtszupsmku "ps -ef" 1542
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/jtszupsmku
/usr/bin/jtszupsmku "ps -ef" 1542
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/zksmiakjhg
/usr/bin/zksmiakjhg "grep \"A\"" 1542
1⤵
- Executes dropped EXE
PID:1622

/usr/bin/zksmiakjhg
/usr/bin/zksmiakjhg "ps -ef" 1542
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/zksmiakjhg
/usr/bin/zksmiakjhg ls 1542
1⤵
- Executes dropped EXE
PID:1628

/usr/bin/zksmiakjhg
/usr/bin/zksmiakjhg ls 1542
1⤵
- Executes dropped EXE
PID:1630

/usr/bin/zksmiakjhg
/usr/bin/zksmiakjhg "grep \"A\"" 1542
1⤵
- Executes dropped EXE
PID:1634

/usr/bin/oxrrbzcehs
/usr/bin/oxrrbzcehs gnome-terminal 1542
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/oxrrbzcehs
/usr/bin/oxrrbzcehs "grep \"A\"" 1542
1⤵
- Executes dropped EXE
PID:1639

/usr/bin/oxrrbzcehs
/usr/bin/oxrrbzcehs "cd /etc" 1542
1⤵
- Executes dropped EXE
PID:1643

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/28b4c1d34913014f2ea43298db493216

Filesize
425B

MD5
775fd2755f109a09cdb4e2ee396067d8

SHA1
736f0be3a441f4be31ab6314e8c609442b4e328d

SHA256
5a743ae654019a6bd003487bb08d67a570168d7bc5f1788215f3434f227361b1

SHA512
69caaf798d0da98275bd8db453b61bef8435740a4b2835264d1aea6383f9014b3e0c8238e6bf531590f595b2a404823e27d40aa19225995e5290663d68dfba74

Download Submit
/etc/sed6Mr6nO

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
28b4c1d34913014f2ea43298db493216

SHA1
113cb9d7f85f8d264f5a75ede41e275478841aac

SHA256
8c765d8fdc96e55d5d050e875b5b58108ec0754cef6b9bf76684db49890e2e28

SHA512
634af7f9986942d1e81fef965ea7f068051f72f2102e4dce0861a2df3c983f3d0001b7b9eec7ee98f6110eeed24761145aebaac9b7a267a84975797c00391e1b

Download Submit
/run/gcc.pid

Filesize
32B

MD5
2e6e922f5f02c828275afca92cdebece

SHA1
3560abcb10f89d342d4288c7fd8bbc69946b6e83

SHA256
c9d4e31d3917f7b8653d8b212ba6d9a326f10b3a8eba418c9a5abe0bce225a2f

SHA512
8ed202c8744c3ebce2b38a3235099014c32a7a1e96c8b0ee99fb76357364847cc8da4c637dc4e5c2ce5809e36d659d3dba563b928aa848a5fed5f361d19272d0

Download Submit
/usr/bin/ixqshhvfie

Filesize
611KB

MD5
ac2eab909ae114ff0166cbb9b4464b07

SHA1
52fbc6fd18494ba1aa4534dd7f9a60e4dd090a18

SHA256
e7fd42c297043a8b65db629f02b9efa0affcb206b16c0f24fbcda6b7d5c65577

SHA512
ec656a3e23c5ee6845b8fe2ecb805fe17aff11f2993ed3b3ef847456490155f26c9c3ace8f151b95287e64bd8ffe90d11bfcd192c2cc1a869e6e68d58dc7b598

Download Submit
/usr/bin/ixqshhvfie

Filesize
611KB

MD5
2735bff2231f64dd181a71718feaee2e

SHA1
62411e019618bb00f190ab54d2a2cf697cc6818a

SHA256
35383b7aff6bc34404524686956d5d033b90ae829f37479d603e300f6ba52a83

SHA512
ac81a0c2e66148f0cbb283158d9a1bd3ab0553fe33e9f1cbf8f34493409335afae8dcb2d87b186915c0eb7bffdf1fb0899cf0aff86032ec90fe76e627b535d74

Download Submit
/usr/bin/jtszupsmku

Filesize
11KB

MD5
43b1fd48111318ab1939b0b8dc7ca704

SHA1
fb599ed919740eef53978c1144f90300a1d1c2b9

SHA256
f538f22ada79436d1d5b7d80dcb2743de2094bdd729f1de363689169fd8f8faa

SHA512
766775153cefa16be9865467598664f63167999cef4850375eaf0f386947f3f640ef7598058988e65f655957032b583191e4bfab49eb52e7b932c2d7dd493f3a

Download Submit
/usr/bin/nmoamecnjb

Filesize
611KB

MD5
47fa0cfde1769d1c091e46f811b4c574

SHA1
096e20207e9daa9c3a9ce17e4c9fac6d1fc7c46d

SHA256
60d258ef4422e1ae301818ac0f1e71ee50f0257ebb76dc96776e87a875c50093

SHA512
0b985cf6ec7a3e175f49b4f2563a80fefaf8f59bf68c754db7b314430c3c29e2b4038b08d1b165ef94aa992687b753fa0ab09ca75753ad4d0c6c79009ec316bd

Download Submit
/usr/bin/nmoamecnjb

Filesize
611KB

MD5
b1e694ea3615c6300ef3f6d2f2de307b

SHA1
670c7cbb43cc501c4bf9dacb74ef68f1acc030fb

SHA256
6b87d3b9b220fd35f40aafa83afda9e295317d6b1dba688f72c0a8a3b13d12a4

SHA512
092c4be4526c124218dfdb230be3726f5f7691ba7273f893abffd056b2d515ae8bab8e0d04047f5b758fab0c54c45f235f5a4e9869d317ee5888e03e29515684

Download Submit
/usr/bin/oxrrbzcehs

Filesize
611KB

MD5
fc71ee93d8b065ed68c289c274f16b33

SHA1
d400ae37549bb74fe0151ef6fa931be7f38da138

SHA256
97f5a7342e4a442b610ee47526e460631efc2560b11533888158cc2fd7b1f606

SHA512
74322a519b38182275c6828a8927cc235723d0d7bc0e3b03f19303198a581bf559567e1656a6c4f4c55cc320012f476dba843f81f485529ab340b45f18e82f59

Download Submit
/usr/bin/oxrrbzcehs

Filesize
611KB

MD5
2f1fdd49cac2418f2938008c9eca35d2

SHA1
5a693e317bf6713984f9a0f80caac70816a6d3d0

SHA256
426cc433a61ff514a70c9533ce6fde606e7770ce7eb277b02df4c09ab99b6f43

SHA512
a5e54ec81b6d8be164bbb2074009b79d9a109d31a50b90662f676e82ddc9bee72b58ce1549c5c0cbd2696680486c25a57b916aca5ec89871ea678d95124d2dce

Download Submit
/usr/bin/zksmiakjhg

Filesize
611KB

MD5
1392776de50c2608e14b5451d32522e9

SHA1
daa14b1c1e5e88ed2865f8abcbe4fcf13fd58529

SHA256
3efbafb4c1c95b0b2a70a031feb9f626c834d7046d462f9377100d514961723f

SHA512
310ecd58b4518f1faa6d767aad42c919687567a4d3470a525a5a39b2b1a6080b37c290b17c443966a57f0857cb6fa88c3d2e0bec85ce12bd9193dea7dc177924

Download Submit
/usr/bin/zksmiakjhg

Filesize
611KB

MD5
879769b29a5b159bdcca7882dd420603

SHA1
e5f5a6e46a31a84e0b9bf8a94140a363e2c76080

SHA256
c1fca74ef77fdf49cf91146d5eb5637eea274ba897e7727399039aa1dcdce8f4

SHA512
363306a8f8d83d81dcc2d230964aa90b05d4e978434c3298a3e68d93ff5d9f5218094c73936b923026be2794fd49aaa851795e9358f0059a447d7aabf9fd664a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads