xorddos | c2b9c35d9cf82d758ee678c733f5b180b7eb520e3aeef7c7fef373a537e7f359

General

Target

76b7d3ea85670884d680736ba9321ae2
Size

647KB
MD5

76b7d3ea85670884d680736ba9321ae2
SHA1

0adecbd972cf29c6b0f0fe94747a07d7f172a2f4
SHA256

c2b9c35d9cf82d758ee678c733f5b180b7eb520e3aeef7c7fef373a537e7f359
SHA512

b435bccd4ca21a769d8b23cc3064762951569087e9c53e514d628149e5b465f51a3bfd0ce73b38132a8205113dd17734538fd9bf97f3b1d2150c51a8b96ac035
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Ton/p6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1m/6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

aaaaaaaaaa.re67das.com:5859

222.187.238.16:2897

xiaoji12.top:2897

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 4 IoCs

resource	yara_rule
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos
behavioral1/files/fstream-23.dat	family_xorddos
behavioral1/files/fstream-36.dat	family_xorddos

Deletes itself 1 IoCs

pid
1584

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/ckmducphgr	1586	ckmducphgr
/boot/cdmadbzlld	1600	cdmadbzlld
/boot/chtgcisjsv	1624	chtgcisjsv
/boot/favvknxcyw	1627	favvknxcyw
/boot/qutgiwdnto	1630	qutgiwdnto
/boot/bjeasgrczv	1633	bjeasgrczv
/boot/xvmsyihckk	1638	xvmsyihckk
/boot/vygxzfzruq	1641	vygxzfzruq
/boot/pcrighwbor	1644	pcrighwbor
/boot/quuduycagm	1647	quuduycagm
/boot/ubcibdsmik	1650	ubcibdsmik
/boot/ddpgkggvkz	1653	ddpgkggvkz
/boot/xpmgrxztdc	1656	xpmgrxztdc
/boot/iwgalpmqet	1659	iwgalpmqet
/boot/ablfghpqnn	1662	ablfghpqnn
/boot/tzwyyevzwn	1680	tzwyyevzwn
/boot/omznnnkdoq	1683	omznnnkdoq
/boot/fwjkfokews	1686	fwjkfokews
/boot/dbjxatzlgv	1689	dbjxatzlgv
/boot/voerqlpuoj	1692	voerqlpuoj
/boot/afgjgeytay	1695	afgjgeytay
/boot/qbirhebsoz	1698	qbirhebsoz
/boot/fbvfuscwok	1701	fbvfuscwok
/boot/vvbfnztqaw	1704	vvbfnztqaw
/boot/acjnlfnxqc	1707	acjnlfnxqc
/boot/yjxlmnzvfm	1710	yjxlmnzvfm
/boot/qvfzkyrdcy	1713	qvfzkyrdcy
/boot/tqmgflsgjq	1716	tqmgflsgjq
/boot/xsxbqqipkw	1719	xsxbqqipkw
/boot/ygjrxwxhbm	1722	ygjrxwxhbm
/boot/zglrqfzjtu	1725	zglrqfzjtu

Unexpected DNS network traffic destination 33 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/ckmducphgr

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl

/tmp/76b7d3ea85670884d680736ba9321ae2
/tmp/76b7d3ea85670884d680736ba9321ae2
1⤵
PID:1583

/boot/ckmducphgr
/boot/ckmducphgr
1⤵
- Executes dropped EXE
PID:1586

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1592
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1593

/bin/update-rc.d
update-rc.d ckmducphgr defaults
1⤵
PID:1591

/sbin/update-rc.d
update-rc.d ckmducphgr defaults
1⤵
PID:1591

/usr/bin/update-rc.d
update-rc.d ckmducphgr defaults
1⤵
PID:1591

/usr/sbin/update-rc.d
update-rc.d ckmducphgr defaults
1⤵
PID:1591
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1601

/bin/chkconfig
chkconfig --add ckmducphgr
1⤵
PID:1589

/sbin/chkconfig
chkconfig --add ckmducphgr
1⤵
PID:1589

/usr/bin/chkconfig
chkconfig --add ckmducphgr
1⤵
PID:1589

/usr/sbin/chkconfig
chkconfig --add ckmducphgr
1⤵
PID:1589

/usr/local/bin/chkconfig
chkconfig --add ckmducphgr
1⤵
PID:1589

/usr/local/sbin/chkconfig
chkconfig --add ckmducphgr
1⤵
PID:1589

/usr/X11R6/bin/chkconfig
chkconfig --add ckmducphgr
1⤵
PID:1589

/boot/cdmadbzlld
/boot/cdmadbzlld "grep \"A\"" 1587
1⤵
- Executes dropped EXE
PID:1600

/boot/chtgcisjsv
/boot/chtgcisjsv "route -n" 1587
1⤵
- Executes dropped EXE
PID:1624

/boot/favvknxcyw
/boot/favvknxcyw "ls -la" 1587
1⤵
- Executes dropped EXE
PID:1627

/boot/qutgiwdnto
/boot/qutgiwdnto ifconfig 1587
1⤵
- Executes dropped EXE
PID:1630

/boot/bjeasgrczv
/boot/bjeasgrczv top 1587
1⤵
- Executes dropped EXE
PID:1633

/boot/xvmsyihckk
/boot/xvmsyihckk sh 1587
1⤵
- Executes dropped EXE
PID:1638

/boot/vygxzfzruq
/boot/vygxzfzruq sh 1587
1⤵
- Executes dropped EXE
PID:1641

/boot/pcrighwbor
/boot/pcrighwbor gnome-terminal 1587
1⤵
- Executes dropped EXE
PID:1644

/boot/quuduycagm
/boot/quuduycagm top 1587
1⤵
- Executes dropped EXE
PID:1647

/boot/ubcibdsmik
/boot/ubcibdsmik uptime 1587
1⤵
- Executes dropped EXE
PID:1650

/boot/ddpgkggvkz
/boot/ddpgkggvkz "cat resolv.conf" 1587
1⤵
- Executes dropped EXE
PID:1653

/boot/xpmgrxztdc
/boot/xpmgrxztdc "netstat -an" 1587
1⤵
- Executes dropped EXE
PID:1656

/boot/iwgalpmqet
/boot/iwgalpmqet sh 1587
1⤵
- Executes dropped EXE
PID:1659

/boot/ablfghpqnn
/boot/ablfghpqnn ifconfig 1587
1⤵
- Executes dropped EXE
PID:1662

/boot/tzwyyevzwn
/boot/tzwyyevzwn "grep \"A\"" 1587
1⤵
- Executes dropped EXE
PID:1680

/boot/omznnnkdoq
/boot/omznnnkdoq "echo \"find\"" 1587
1⤵
- Executes dropped EXE
PID:1683

/boot/fwjkfokews
/boot/fwjkfokews pwd 1587
1⤵
- Executes dropped EXE
PID:1686

/boot/dbjxatzlgv
/boot/dbjxatzlgv "grep \"A\"" 1587
1⤵
- Executes dropped EXE
PID:1689

/boot/voerqlpuoj
/boot/voerqlpuoj "netstat -antop" 1587
1⤵
- Executes dropped EXE
PID:1692

/boot/afgjgeytay
/boot/afgjgeytay "cat resolv.conf" 1587
1⤵
- Executes dropped EXE
PID:1695

/boot/qbirhebsoz
/boot/qbirhebsoz "sleep 1" 1587
1⤵
- Executes dropped EXE
PID:1698

/boot/fbvfuscwok
/boot/fbvfuscwok "netstat -an" 1587
1⤵
- Executes dropped EXE
PID:1701

/boot/vvbfnztqaw
/boot/vvbfnztqaw "grep \"A\"" 1587
1⤵
- Executes dropped EXE
PID:1704

/boot/acjnlfnxqc
/boot/acjnlfnxqc "cat resolv.conf" 1587
1⤵
- Executes dropped EXE
PID:1707

/boot/yjxlmnzvfm
/boot/yjxlmnzvfm "ps -ef" 1587
1⤵
- Executes dropped EXE
PID:1710

/boot/qvfzkyrdcy
/boot/qvfzkyrdcy "netstat -antop" 1587
1⤵
- Executes dropped EXE
PID:1713

/boot/tqmgflsgjq
/boot/tqmgflsgjq bash 1587
1⤵
- Executes dropped EXE
PID:1716

/boot/xsxbqqipkw
/boot/xsxbqqipkw "ifconfig eth0" 1587
1⤵
- Executes dropped EXE
PID:1719

/boot/ygjrxwxhbm
/boot/ygjrxwxhbm "sleep 1" 1587
1⤵
- Executes dropped EXE
PID:1722

/boot/zglrqfzjtu
/boot/zglrqfzjtu whoami 1587
1⤵
- Executes dropped EXE
PID:1725

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/chtgcisjsv

Filesize
647KB

MD5
76b7d3ea85670884d680736ba9321ae2

SHA1
0adecbd972cf29c6b0f0fe94747a07d7f172a2f4

SHA256
c2b9c35d9cf82d758ee678c733f5b180b7eb520e3aeef7c7fef373a537e7f359

SHA512
b435bccd4ca21a769d8b23cc3064762951569087e9c53e514d628149e5b465f51a3bfd0ce73b38132a8205113dd17734538fd9bf97f3b1d2150c51a8b96ac035

Download Submit
/boot/fwjkfokews

Filesize
35KB

MD5
8288d9ac77d0d2c62cc1b8aff1dd5382

SHA1
7a53b545c503b221b02ddb8d1346924a4ca7d245

SHA256
bcd320fbebcb391780b673efb4779e7a310c871889fec6448e73cda7c398697b

SHA512
afa19aef928d04f1c735be5483e20bf36e00efdc3b3766927cae85d2f37e94f88aa5f0fef9c2ae8a4b24513cf0d5cbd60fd6bed31350ffed89c658a4ff11d704

Download Submit
/boot/tzwyyevzwn

Filesize
63KB

MD5
dfbc259d435112d215102fa520d84157

SHA1
258139ab33728c0b810d1b06229450394000f211

SHA256
ac2d8741ae80f7c3d5c7f235a433f795eb96e7cca14d1b555c8672265f7e65e9

SHA512
2708a4900c50de698c1871a630c699423b9f79d46cbf5a8a14e9678110f2503df3b24e902b20534be70301e4442ec64bda707baea0fd78e42ffae26bff25d82d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads