xorddos | a40587bfb96d4803a538113844d82b50f5b57351ad4d5e7b79e07d4004f85ea3

Analysis

max time kernel
125s
max time network
65s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e34bff8e13cf6068f4a30218b55b549
Size

611KB
MD5

3e34bff8e13cf6068f4a30218b55b549
SHA1

28231d2555db240754f3a8018144849f1c8385cf
SHA256

a40587bfb96d4803a538113844d82b50f5b57351ad4d5e7b79e07d4004f85ea3
SHA512

8516d2a10a5adf4d264eb80529aa73c769eb876a2cedc43e108ff906df582e7b039b1f8dc81991af0aabdbede0f92c2b4c0ffd6d2b49ab3cb3d50713375fe23e
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrKT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNKBVEBl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.finance1num.org/config.rar

cdn.netflix2cdn.com:3309

cdn.finance1num.com:3309

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 9 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-19.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos

Deletes itself 3 IoCs

pid
1639
1636
1642

Executes dropped EXE 24 IoCs

ioc	pid	Process
/usr/bin/paaaqwpkvk	1572	paaaqwpkvk
/usr/bin/paaaqwpkvk	1575	paaaqwpkvk
/usr/bin/paaaqwpkvk	1578	paaaqwpkvk
/usr/bin/paaaqwpkvk	1581	paaaqwpkvk
/usr/bin/paaaqwpkvk	1584	paaaqwpkvk
/usr/bin/hhnciqrssa	1587	hhnciqrssa
/usr/bin/hhnciqrssa	1590	hhnciqrssa
/usr/bin/hhnciqrssa	1593	hhnciqrssa
/usr/bin/hhnciqrssa	1596	hhnciqrssa
/usr/bin/hhnciqrssa	1599	hhnciqrssa
/usr/bin/ffzmwplzjz	1602	ffzmwplzjz
/usr/bin/ffzmwplzjz	1605	ffzmwplzjz
/usr/bin/ffzmwplzjz	1608	ffzmwplzjz
/usr/bin/ffzmwplzjz	1611	ffzmwplzjz
/usr/bin/ffzmwplzjz	1614	ffzmwplzjz
/usr/bin/eirewjhjam	1617	eirewjhjam
/usr/bin/eirewjhjam	1620	eirewjhjam
/usr/bin/eirewjhjam	1623	eirewjhjam
/usr/bin/eirewjhjam	1626	eirewjhjam
/usr/bin/eirewjhjam	1629	eirewjhjam
/usr/bin/snjhonuqij	1634	snjhonuqij
/usr/bin/snjhonuqij	1637	snjhonuqij
/usr/bin/snjhonuqij	1640	snjhonuqij
/usr/bin/snjhonuqij	1643	snjhonuqij

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/3e34bff8e13cf6068f4a30218b55b549

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/ffzmwplzjz
File opened for modification	/usr/bin/eirewjhjam
File opened for modification	/usr/bin/snjhonuqij
File opened for modification	/usr/bin/paaaqwpkvk
File opened for modification	/usr/bin/hhnciqrssa

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl

/tmp/3e34bff8e13cf6068f4a30218b55b549
/tmp/3e34bff8e13cf6068f4a30218b55b549
1⤵
PID:1536

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1542
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1543

/bin/chkconfig
chkconfig --add 3e34bff8e13cf6068f4a30218b55b549
1⤵
PID:1539

/sbin/chkconfig
chkconfig --add 3e34bff8e13cf6068f4a30218b55b549
1⤵
PID:1539

/usr/bin/chkconfig
chkconfig --add 3e34bff8e13cf6068f4a30218b55b549
1⤵
PID:1539

/usr/sbin/chkconfig
chkconfig --add 3e34bff8e13cf6068f4a30218b55b549
1⤵
PID:1539

/usr/local/bin/chkconfig
chkconfig --add 3e34bff8e13cf6068f4a30218b55b549
1⤵
PID:1539

/usr/local/sbin/chkconfig
chkconfig --add 3e34bff8e13cf6068f4a30218b55b549
1⤵
PID:1539

/usr/X11R6/bin/chkconfig
chkconfig --add 3e34bff8e13cf6068f4a30218b55b549
1⤵
PID:1539

/bin/update-rc.d
update-rc.d 3e34bff8e13cf6068f4a30218b55b549 defaults
1⤵
PID:1541

/sbin/update-rc.d
update-rc.d 3e34bff8e13cf6068f4a30218b55b549 defaults
1⤵
PID:1541

/usr/bin/update-rc.d
update-rc.d 3e34bff8e13cf6068f4a30218b55b549 defaults
1⤵
PID:1541

/usr/sbin/update-rc.d
update-rc.d 3e34bff8e13cf6068f4a30218b55b549 defaults
1⤵
PID:1541
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1547

/usr/bin/paaaqwpkvk
/usr/bin/paaaqwpkvk id 1537
1⤵
- Executes dropped EXE
PID:1572

/usr/bin/paaaqwpkvk
/usr/bin/paaaqwpkvk ifconfig 1537
1⤵
- Executes dropped EXE
PID:1575

/usr/bin/paaaqwpkvk
/usr/bin/paaaqwpkvk top 1537
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/paaaqwpkvk
/usr/bin/paaaqwpkvk gnome-terminal 1537
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/paaaqwpkvk
/usr/bin/paaaqwpkvk gnome-terminal 1537
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/hhnciqrssa
/usr/bin/hhnciqrssa su 1537
1⤵
- Executes dropped EXE
PID:1587

/usr/bin/hhnciqrssa
/usr/bin/hhnciqrssa pwd 1537
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/hhnciqrssa
/usr/bin/hhnciqrssa "netstat -antop" 1537
1⤵
- Executes dropped EXE
PID:1593

/usr/bin/hhnciqrssa
/usr/bin/hhnciqrssa id 1537
1⤵
- Executes dropped EXE
PID:1596

/usr/bin/hhnciqrssa
/usr/bin/hhnciqrssa id 1537
1⤵
- Executes dropped EXE
PID:1599

/usr/bin/ffzmwplzjz
/usr/bin/ffzmwplzjz sh 1537
1⤵
- Executes dropped EXE
PID:1602

/usr/bin/ffzmwplzjz
/usr/bin/ffzmwplzjz gnome-terminal 1537
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/ffzmwplzjz
/usr/bin/ffzmwplzjz ls 1537
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/ffzmwplzjz
/usr/bin/ffzmwplzjz gnome-terminal 1537
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/ffzmwplzjz
/usr/bin/ffzmwplzjz su 1537
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/eirewjhjam
/usr/bin/eirewjhjam "cd /etc" 1537
1⤵
- Executes dropped EXE
PID:1617

/usr/bin/eirewjhjam
/usr/bin/eirewjhjam "cat resolv.conf" 1537
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/eirewjhjam
/usr/bin/eirewjhjam ls 1537
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/eirewjhjam
/usr/bin/eirewjhjam "echo \"find\"" 1537
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/eirewjhjam
/usr/bin/eirewjhjam ifconfig 1537
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/snjhonuqij
/usr/bin/snjhonuqij gnome-terminal 1537
1⤵
- Executes dropped EXE
PID:1634

/usr/bin/snjhonuqij
/usr/bin/snjhonuqij "cat resolv.conf" 1537
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/snjhonuqij
/usr/bin/snjhonuqij "netstat -antop" 1537
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/snjhonuqij
/usr/bin/snjhonuqij "cd /etc" 1537
1⤵
- Executes dropped EXE
PID:1643

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/3e34bff8e13cf6068f4a30218b55b549

Filesize
425B

MD5
6dc1cca18e325cad811065744a69dc5d

SHA1
0a357ff4b93acc930986cd2e1dc38f85fcb6827c

SHA256
2e7134a35793bed50432e453570fe698542f2b1b7ac6b5414222760cde324476

SHA512
a3ed24b241b7f02ec1fab4bec025d95743a6c1d52d738854d00a9d9e5c72fe4920a2a26d82dad2901cadf3ea554733f56b6e0d50cf9b89be8877824ff190dd51

Download Submit
/etc/sedunsEZc

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
3e34bff8e13cf6068f4a30218b55b549

SHA1
28231d2555db240754f3a8018144849f1c8385cf

SHA256
a40587bfb96d4803a538113844d82b50f5b57351ad4d5e7b79e07d4004f85ea3

SHA512
8516d2a10a5adf4d264eb80529aa73c769eb876a2cedc43e108ff906df582e7b039b1f8dc81991af0aabdbede0f92c2b4c0ffd6d2b49ab3cb3d50713375fe23e

Download Submit
/run/gcc.pid

Filesize
32B

MD5
7fba83e5cfb889b6ea2700f0520a3fa4

SHA1
32e1745a9d679a8cbafb7cdff99fd608e59c9bbc

SHA256
56bb1ef3ea61e53e0774b1abf0a368699821bf59936c09e03e1538d54d983ff5

SHA512
ac7d841be810c68e32212de8b2d262c010aa99d253b64f34d2c6067fa89699de84c58b359c4d6a181b6a55b255773913fb523321bd067ff0330a937748594e80

Download Submit
/usr/bin/eirewjhjam

Filesize
611KB

MD5
270f3f178412ca5fbd0b1b55b9ecf615

SHA1
6db9fb16f96237d3f1998c61805263b97791823f

SHA256
d42ba7dc7f33809f0ced4a6f8fafec3a65490988f4cad2da49119807c0605c7c

SHA512
8ed51263c99161d20c4ee04804fce1277b335b51bc0e407f1760b33579377d0eb9ab569314bd646a888a167968cea1968e897f1e11273948ec57b81f869420c9

Download Submit
/usr/bin/eirewjhjam

Filesize
611KB

MD5
4c3b3ce7976177a01bea243a10ce22e5

SHA1
e22f6f81a2f459d23f2f5293612f9143db0ad2c6

SHA256
91d5fff7cd91b4b63f2b789f9c5e8e5a922fa83f2f9404415b2a4c456df60ecf

SHA512
516a3fe0aabf084e80417e267584c6706a29175634296999b0e9078025e4e3e880a4d4f2c9c1e5bdbd8fa02884be89027dbef84350aa1467cb0929efbd91398e

Download Submit
/usr/bin/ffzmwplzjz

Filesize
611KB

MD5
1f56fbf20ad4bba873c64ac12c8f5783

SHA1
02cc13d23ef3d4edb571266dc6dcd8d4bed3a918

SHA256
f199efffd3fc0519b88456f0cfe3baf09ce02d856591155ff2fa5b83b10aa51d

SHA512
b4c5edcbd5a9b6606f6bf8018e8f18ad76860362bb8197ef32f39476e35601c77e8bb0db7f890bd1f3e2fc027682e9ac71e9fa7f87130d08f552b0a2f22ff34d

Download Submit
/usr/bin/ffzmwplzjz

Filesize
611KB

MD5
1a363e501bc4b6ea07257d78465a84bd

SHA1
b12e8d68f319764921a1fab120e2f9621335d254

SHA256
e331d557067eeccdbf2c53c351361887544b85b3e1b9d5203d8943f5c33369ce

SHA512
f25239cafa9e30c5f285df76c21117c84126041bfcfccfd1124ded820b800effa6d41e39bda9b5c46ed647e0dbad63424d1c1b8ad3ea6396fed92822813b62d9

Download Submit
/usr/bin/paaaqwpkvk

Filesize
611KB

MD5
bbd3fc56f8eebc8cb07dfa0f43526170

SHA1
3eaf2ffd288573873564a0b94baaff695a972e13

SHA256
7c7b9fb0fee7424554cf0aef12b997ae5c8412871fbaa113fc2abb7bf0ce4dab

SHA512
355d6e1945152a7925a4e4109d131238044f59ca303ec2e279f8ed3cd4114236320adc919f7ee130b64fd95994ae418262159996b7d137b8e41f4c53fce49e01

Download Submit
/usr/bin/paaaqwpkvk

Filesize
611KB

MD5
dda70bcfb7ed3585fdc40f522c86b466

SHA1
2df5b494d82ae93ef7e4f67b28d62e9989c6754e

SHA256
3b169ca35265078cccba25fb3747f8bc58c06c51e0f2b464e999609a71e2feb2

SHA512
a2a8375dafd754f3e9e688c86e835d878cc7367571513333ea802e1fb1c793742b9b80ee781107ac54844bf83346ea2b687b4993a75202d51671388c095ed4b1

Download Submit
/usr/bin/snjhonuqij

Filesize
611KB

MD5
c6ffd2a7c950222bf2f6f3599a8cfbd8

SHA1
22b2dec2ba75a21ff1151d548e9a0eb317cdf729

SHA256
02e4e421b18a3966a791f9d4dda61c3ca6f709f2302efdf4635e6fe76bdb1348

SHA512
1643c55179db54c4b2b530d145da845410023eea9226ed80cf3e2f1f65392e7ee054d819cc45732f630e4a9648afe824bc25a5549e7915b5530ba0221016a1ff

Download Submit
/usr/bin/snjhonuqij

Filesize
611KB

MD5
060900addc738695c603927ae0d2a64b

SHA1
bb838a72a55cda34628cc3335325edb61ec79c94

SHA256
b792e3defa6170698a889a2f71693d9458debb73bc4513079c44a667c57912da

SHA512
442baf96b19f91a5e6a022fd1a90c29c2d0f03bdaee061c6dd27b34c4c3193dc7a74fc39fb9763e5cf6f59b74961bc3e92aa176bf1acdb61241ba0b4cd6cadfe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads