xorddos | e38c5cf4542a8c885ae310ed03b3ce8cfb46f3d92cd7da2f54c19cfda6152345

Analysis

max time kernel
119s
max time network
63s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

765f43adb33f4b603b73d61612fe4f7e
Size

610KB
MD5

765f43adb33f4b603b73d61612fe4f7e
SHA1

20169da4ccc0d5b9b7a223461528de0d0eac9309
SHA256

e38c5cf4542a8c885ae310ed03b3ce8cfb46f3d92cd7da2f54c19cfda6152345
SHA512

bc4e47dfe75fa21b8d65fc229bab795d1f49388c00de7574ef8d5fcda1c01adfa31c1ca44c072c8bb25507c533399af2c8be6692145b5da08e307a6fab6a7ac7
SSDEEP

12288:WBmHsnhar0nJ7FGY5HRYxC1mqiL40qFCWU7k/rU6yZNnXgW4UlUuTh1AG:WBmHgaUVFGAR11mTL40q/lGpXgUl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/config.rar

www1.popmarchjopa1.com:25

www2.popmarchjopa1.com:25

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 10 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 1 IoCs

pid
1634

Executes dropped EXE 24 IoCs

ioc	pid	Process
/usr/bin/nhakwfjcma	1546	nhakwfjcma
/usr/bin/nhakwfjcma	1568	nhakwfjcma
/usr/bin/nhakwfjcma	1572	nhakwfjcma
/usr/bin/nhakwfjcma	1575	nhakwfjcma
/usr/bin/nhakwfjcma	1578	nhakwfjcma
/usr/bin/aqacaigzsz	1581	aqacaigzsz
/usr/bin/aqacaigzsz	1584	aqacaigzsz
/usr/bin/aqacaigzsz	1586	aqacaigzsz
/usr/bin/aqacaigzsz	1590	aqacaigzsz
/usr/bin/aqacaigzsz	1593	aqacaigzsz
/usr/bin/pqspgnlanl	1596	pqspgnlanl
/usr/bin/pqspgnlanl	1598	pqspgnlanl
/usr/bin/pqspgnlanl	1602	pqspgnlanl
/usr/bin/pqspgnlanl	1605	pqspgnlanl
/usr/bin/pqspgnlanl	1608	pqspgnlanl
/usr/bin/xymnzsoejz	1611	xymnzsoejz
/usr/bin/xymnzsoejz	1614	xymnzsoejz
/usr/bin/xymnzsoejz	1616	xymnzsoejz
/usr/bin/xymnzsoejz	1619	xymnzsoejz
/usr/bin/xymnzsoejz	1623	xymnzsoejz
/usr/bin/llqfrwlytl	1626	llqfrwlytl
/usr/bin/llqfrwlytl	1629	llqfrwlytl
/usr/bin/llqfrwlytl	1632	llqfrwlytl
/usr/bin/llqfrwlytl	1635	llqfrwlytl

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/765f43adb33f4b603b73d61612fe4f7e

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/nhakwfjcma
File opened for modification	/usr/bin/aqacaigzsz
File opened for modification	/usr/bin/pqspgnlanl
File opened for modification	/usr/bin/xymnzsoejz
File opened for modification	/usr/bin/llqfrwlytl

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed

/tmp/765f43adb33f4b603b73d61612fe4f7e
/tmp/765f43adb33f4b603b73d61612fe4f7e
1⤵
PID:1530

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1536
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1537

/bin/chkconfig
chkconfig --add 765f43adb33f4b603b73d61612fe4f7e
1⤵
PID:1533

/sbin/chkconfig
chkconfig --add 765f43adb33f4b603b73d61612fe4f7e
1⤵
PID:1533

/usr/bin/chkconfig
chkconfig --add 765f43adb33f4b603b73d61612fe4f7e
1⤵
PID:1533

/usr/sbin/chkconfig
chkconfig --add 765f43adb33f4b603b73d61612fe4f7e
1⤵
PID:1533

/usr/local/bin/chkconfig
chkconfig --add 765f43adb33f4b603b73d61612fe4f7e
1⤵
PID:1533

/usr/local/sbin/chkconfig
chkconfig --add 765f43adb33f4b603b73d61612fe4f7e
1⤵
PID:1533

/usr/X11R6/bin/chkconfig
chkconfig --add 765f43adb33f4b603b73d61612fe4f7e
1⤵
PID:1533

/bin/update-rc.d
update-rc.d 765f43adb33f4b603b73d61612fe4f7e defaults
1⤵
PID:1535

/sbin/update-rc.d
update-rc.d 765f43adb33f4b603b73d61612fe4f7e defaults
1⤵
PID:1535

/usr/bin/update-rc.d
update-rc.d 765f43adb33f4b603b73d61612fe4f7e defaults
1⤵
PID:1535

/usr/sbin/update-rc.d
update-rc.d 765f43adb33f4b603b73d61612fe4f7e defaults
1⤵
PID:1535
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1541

/usr/bin/nhakwfjcma
/usr/bin/nhakwfjcma "ps -ef" 1531
1⤵
- Executes dropped EXE
PID:1546

/usr/bin/nhakwfjcma
/usr/bin/nhakwfjcma "sleep 1" 1531
1⤵
- Executes dropped EXE
PID:1568

/usr/bin/nhakwfjcma
/usr/bin/nhakwfjcma "echo \"find\"" 1531
1⤵
- Executes dropped EXE
PID:1572

/usr/bin/nhakwfjcma
/usr/bin/nhakwfjcma "ifconfig eth0" 1531
1⤵
- Executes dropped EXE
PID:1575

/usr/bin/nhakwfjcma
/usr/bin/nhakwfjcma top 1531
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/aqacaigzsz
/usr/bin/aqacaigzsz ls 1531
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/aqacaigzsz
/usr/bin/aqacaigzsz "ps -ef" 1531
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/aqacaigzsz
/usr/bin/aqacaigzsz whoami 1531
1⤵
- Executes dropped EXE
PID:1586

/usr/bin/aqacaigzsz
/usr/bin/aqacaigzsz whoami 1531
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/aqacaigzsz
/usr/bin/aqacaigzsz id 1531
1⤵
- Executes dropped EXE
PID:1593

/usr/bin/pqspgnlanl
/usr/bin/pqspgnlanl "cd /etc" 1531
1⤵
- Executes dropped EXE
PID:1596

/usr/bin/pqspgnlanl
/usr/bin/pqspgnlanl su 1531
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/pqspgnlanl
/usr/bin/pqspgnlanl "cd /etc" 1531
1⤵
- Executes dropped EXE
PID:1602

/usr/bin/pqspgnlanl
/usr/bin/pqspgnlanl ls 1531
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/pqspgnlanl
/usr/bin/pqspgnlanl id 1531
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/xymnzsoejz
/usr/bin/xymnzsoejz "grep \"A\"" 1531
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/xymnzsoejz
/usr/bin/xymnzsoejz "cat resolv.conf" 1531
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/xymnzsoejz
/usr/bin/xymnzsoejz "cd /etc" 1531
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/xymnzsoejz
/usr/bin/xymnzsoejz "ps -ef" 1531
1⤵
- Executes dropped EXE
PID:1619

/usr/bin/xymnzsoejz
/usr/bin/xymnzsoejz id 1531
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/llqfrwlytl
/usr/bin/llqfrwlytl whoami 1531
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/llqfrwlytl
/usr/bin/llqfrwlytl who 1531
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/llqfrwlytl
/usr/bin/llqfrwlytl who 1531
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/llqfrwlytl
/usr/bin/llqfrwlytl "ps -ef" 1531
1⤵
- Executes dropped EXE
PID:1635

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/765f43adb33f4b603b73d61612fe4f7e

Filesize
425B

MD5
1bd79ab3ecd4414abb442f57efde9fbe

SHA1
eb9238b78f54c81fe7b7fbed57e9f38e284fcd4a

SHA256
7c7f16f38e4d1752eb2e20c902c2b4305445ae654fe2fcc03203e4a9ea4cab07

SHA512
473367ce7a9c190adbba6579788b784fbd0dfa85be7c321b5cd3936c2bd8e9156e22bf144ec5d8026bc7419b2d1c0734266f62165b58c29d1f9a1adc82d94e47

Download Submit
/etc/sedrYz9KY

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
610KB

MD5
765f43adb33f4b603b73d61612fe4f7e

SHA1
20169da4ccc0d5b9b7a223461528de0d0eac9309

SHA256
e38c5cf4542a8c885ae310ed03b3ce8cfb46f3d92cd7da2f54c19cfda6152345

SHA512
bc4e47dfe75fa21b8d65fc229bab795d1f49388c00de7574ef8d5fcda1c01adfa31c1ca44c072c8bb25507c533399af2c8be6692145b5da08e307a6fab6a7ac7

Download Submit
/run/gcc.pid

Filesize
32B

MD5
ef759ca0d3a999b7c84bb9840132b6be

SHA1
ece497426f37e18a9fb6d539c0b171ffc6a93fb8

SHA256
83617a900c4b48b7a3758bef607f50a462f15c780b084291d717c70c8bbe759c

SHA512
4d298703920658a3a43395c601f6617a751edd2fef619764a70150335b827afcfcdca40ff4a5669f070392748bb360dff0e9cbe1bb592bfb368ab4c7046345dd

Download Submit
/usr/bin/aqacaigzsz

Filesize
131KB

MD5
829932e0708598cd77a2abcee61bc6f2

SHA1
7e9858a1527df1022d4826ddc5c2c24e1740377e

SHA256
bdd0e37fb3bb0adf7d8dd737d80bcdf8f90a8c42a746d40fa26713a269009245

SHA512
c72e132a1d388e6af247be59d09af5b7314325c9c7575b5cc5ebea722f2f8c5d339e8b67aee5e5cbf23aa3975606f4ec9cb0c2940f3e0b9d4ac9c51522e65b9d

Download Submit
/usr/bin/llqfrwlytl

Filesize
610KB

MD5
0dd0d278bf47475b02e13e51effb43a8

SHA1
80d4164a20de991186c632fe1e43f4936839f099

SHA256
730fe2f8a54373a595fd7a16092e72a8a310da8aef657a138ec7f772b11a0788

SHA512
c7621dc8911e2543ac9c9ae6437e03b7004575b4c30a4419c1e08899e478f414b11428ff7774223104165383fe069e75c6a798a12efdec61a0ad790367627f8e

Download Submit
/usr/bin/llqfrwlytl

Filesize
610KB

MD5
ee9851bbb9b53b57ac7bf3ad6f35f492

SHA1
e6bdc7fea361c3eb2f3a0c2707a8b491d70cb9c0

SHA256
694d40bfe38141edf41922defaa917487548fc0eb2f722a881b73e9544003965

SHA512
9c14d78d5ad19f6868ef8566f996257c749541576ecc9f85e00265018fb31de23cdee5b210886f821b412891f486a952d36f4120ac5a9b43098149c9d6ea01a1

Download Submit
/usr/bin/nhakwfjcma

Filesize
610KB

MD5
82e56218afab61ae361156e60d00c878

SHA1
d6daf902a24d3b90acb84390e3e0fbe88ea406df

SHA256
ecfcc1a79bd7dec41efca10da5f6ef74d2c8efc3686c698f366996e8502ba157

SHA512
9d51054754212604c42c24274140e68f273601f5e251d86bfe3ee72611dd15e5988d0ffc9f90c362016156341584236fe2f9901355a42a9b7048844eeb48a2c9

Download Submit
/usr/bin/nhakwfjcma

Filesize
610KB

MD5
e0cf8e9f58410165f769e0fc0891f17c

SHA1
a094d87c4b13fd6e51df02decc5b9a967161fd1a

SHA256
bd2d1d39f861d4a8a03087094dc69af8d6f4e5d70f4b46bad12446e9fcbea0ec

SHA512
af1044fa80c88f472b878952bdcb082cb8397c7cd6724d2672843ed74fec55870d38c0a94ec6d226fabc5caf2a86b121c42b59470fe8b17e329268386b879e81

Download Submit
/usr/bin/pqspgnlanl

Filesize
610KB

MD5
e13aceb071b98de18da37eec0c26c05b

SHA1
965c58c35693d398574fecd781c7f40dec123eb0

SHA256
2e41915f971817e9e2d9a225fb504fe305f8e1a8401ace6cf74e961b11ea681b

SHA512
844852bb9ba759484fd7fbbd36bf97b1f38af5f61bc59ddf1ea70120ba1caf8703c03c005b60d34f39ffa0b824a2fbdf0b51ec24e2e1ce1a79419c0b54d7a36a

Download Submit
/usr/bin/pqspgnlanl

Filesize
610KB

MD5
b065bef49e9b89c58560097459fffbd6

SHA1
8db2af2749f563bd5e6940bb471bc57355ea2e6e

SHA256
0823992cd25670b50aa9e64870b88892e060609b7c8865964dcbee9311f14dc5

SHA512
cc9f4372ff98e5d012ea9efdef95e2b0ae23e58b52b8330f72370f562d63158d51140092259f8a4ce45c67b8795473978b6c9fc950c68b656cb4e0996a5badf6

Download Submit
/usr/bin/xymnzsoejz

Filesize
610KB

MD5
4eb8f59934ee9694290cbad78d5c9c49

SHA1
0b6801d703afae16ff545878920d53f218583622

SHA256
cf7d3a5cd948fa269b1ec793bcbed7ca5e2307c9212fff1120e9721b760f2ed7

SHA512
82379811464d7141485cf0acafc38f808e8abb68fdb794f2bc5746ae70ee5227f331e2bc5bad33f62fe948750e8aafa6f3c5a26a9a9893e54993160966d79e82

Download Submit
/usr/bin/xymnzsoejz

Filesize
610KB

MD5
fc201304702386874bc38c591192c3bc

SHA1
3a5583366b08805cee86dd6326e4f2db9b1b7732

SHA256
883e595caef6ca4ac97ba5565ee935a17c1dac0f75c6714d7bb14e21f746a287

SHA512
8444d959a772d155d51ec002ae5e07fc88cfc1cebbaab5bec6e10193517485e0bb46dc0a932b19ec4cb298683d6a06e7f4b8542a460eb0e9739201f7c09bc00f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads