xorddos | 0972688711161e347d08ce1c931eb41904fc6f4e4764548e1f14da132a0d1b5d

Analysis

max time kernel
155s
max time network
157s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d44757d809641646e02ab76ed93ede8
Size

647KB
MD5

7d44757d809641646e02ab76ed93ede8
SHA1

332f38022f433a472dc5aa6683c9b9ccccf46e0d
SHA256

0972688711161e347d08ce1c931eb41904fc6f4e4764548e1f14da132a0d1b5d
SHA512

ecf553a88eb61f122f8f8d5afc1a6331189ca15af0179ed81e38d7c95aaa0eaf1e7953eabfeb142a539465e6c2dee24d984dc6a03309a15b6c19326dcb005b77
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonHp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mH6wvnDWXMN

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

aaaaaaaaaa.re67das.com:5859

103.115.42.70:2222

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 12 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-2.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-29.dat	family_xorddos
behavioral1/files/fstream-31.dat	family_xorddos
behavioral1/files/fstream-33.dat	family_xorddos
behavioral1/files/fstream-35.dat	family_xorddos

Deletes itself 1 IoCs

pid
1540

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/yfizygcdwt	1542	yfizygcdwt
/boot/pyunnjeihk	1557	pyunnjeihk
/boot/ztajoptaml	1580	ztajoptaml
/boot/yirregffjr	1583	yirregffjr
/boot/mkhjhillsb	1586	mkhjhillsb
/boot/hhwrjhmimy	1589	hhwrjhmimy
/boot/bpyjvltwgb	1594	bpyjvltwgb
/boot/qesietsasy	1597	qesietsasy
/boot/gnflzqjgkg	1600	gnflzqjgkg
/boot/cytwftbqdz	1603	cytwftbqdz
/boot/ffwaleibiy	1606	ffwaleibiy
/boot/rgkegaejzp	1609	rgkegaejzp
/boot/dcprqoyslt	1627	dcprqoyslt
/boot/znplzllozp	1630	znplzllozp
/boot/wwxjyrmjyt	1633	wwxjyrmjyt
/boot/hrcwsowllg	1636	hrcwsowllg
/boot/sppapnoajp	1639	sppapnoajp
/boot/cvznxcmbvl	1642	cvznxcmbvl
/boot/hbfpvdkovu	1645	hbfpvdkovu
/boot/oeswxtlyry	1648	oeswxtlyry
/boot/nuawudjbhc	1651	nuawudjbhc
/boot/wgssavkjew	1654	wgssavkjew
/boot/vhqwiaszur	1657	vhqwiaszur
/boot/dnsbuvipnc	1660	dnsbuvipnc
/boot/aympkkwvvd	1663	aympkkwvvd
/boot/ueyjndexoj	1666	ueyjndexoj
/boot/bxatewkzij	1669	bxatewkzij
/boot/nktvllqmwv	1672	nktvllqmwv
/boot/bpyfbfvifh	1675	bpyfbfvifh
/boot/dlaeztmijr	1678	dlaeztmijr
/boot/afnlqwbzjj	1681	afnlqwbzjj

Unexpected DNS network traffic destination 19 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/yfizygcdwt

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl

/tmp/7d44757d809641646e02ab76ed93ede8
/tmp/7d44757d809641646e02ab76ed93ede8
1⤵
PID:1539

/boot/yfizygcdwt
/boot/yfizygcdwt
1⤵
- Executes dropped EXE
PID:1542

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1548
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1552

/bin/chkconfig
chkconfig --add yfizygcdwt
1⤵
PID:1545

/sbin/chkconfig
chkconfig --add yfizygcdwt
1⤵
PID:1545

/usr/bin/chkconfig
chkconfig --add yfizygcdwt
1⤵
PID:1545

/usr/sbin/chkconfig
chkconfig --add yfizygcdwt
1⤵
PID:1545

/usr/local/bin/chkconfig
chkconfig --add yfizygcdwt
1⤵
PID:1545

/usr/local/sbin/chkconfig
chkconfig --add yfizygcdwt
1⤵
PID:1545

/usr/X11R6/bin/chkconfig
chkconfig --add yfizygcdwt
1⤵
PID:1545

/bin/update-rc.d
update-rc.d yfizygcdwt defaults
1⤵
PID:1547

/sbin/update-rc.d
update-rc.d yfizygcdwt defaults
1⤵
PID:1547

/usr/bin/update-rc.d
update-rc.d yfizygcdwt defaults
1⤵
PID:1547

/usr/sbin/update-rc.d
update-rc.d yfizygcdwt defaults
1⤵
PID:1547
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1555

/boot/pyunnjeihk
/boot/pyunnjeihk id 1543
1⤵
- Executes dropped EXE
PID:1557

/boot/ztajoptaml
/boot/ztajoptaml ifconfig 1543
1⤵
- Executes dropped EXE
PID:1580

/boot/yirregffjr
/boot/yirregffjr who 1543
1⤵
- Executes dropped EXE
PID:1583

/boot/mkhjhillsb
/boot/mkhjhillsb "netstat -an" 1543
1⤵
- Executes dropped EXE
PID:1586

/boot/hhwrjhmimy
/boot/hhwrjhmimy top 1543
1⤵
- Executes dropped EXE
PID:1589

/boot/bpyjvltwgb
/boot/bpyjvltwgb sh 1543
1⤵
- Executes dropped EXE
PID:1594

/boot/qesietsasy
/boot/qesietsasy gnome-terminal 1543
1⤵
- Executes dropped EXE
PID:1597

/boot/gnflzqjgkg
/boot/gnflzqjgkg id 1543
1⤵
- Executes dropped EXE
PID:1600

/boot/cytwftbqdz
/boot/cytwftbqdz "ps -ef" 1543
1⤵
- Executes dropped EXE
PID:1603

/boot/ffwaleibiy
/boot/ffwaleibiy whoami 1543
1⤵
- Executes dropped EXE
PID:1606

/boot/rgkegaejzp
/boot/rgkegaejzp uptime 1543
1⤵
- Executes dropped EXE
PID:1609

/boot/dcprqoyslt
/boot/dcprqoyslt "route -n" 1543
1⤵
- Executes dropped EXE
PID:1627

/boot/znplzllozp
/boot/znplzllozp "ls -la" 1543
1⤵
- Executes dropped EXE
PID:1630

/boot/wwxjyrmjyt
/boot/wwxjyrmjyt "echo \"find\"" 1543
1⤵
- Executes dropped EXE
PID:1633

/boot/hrcwsowllg
/boot/hrcwsowllg id 1543
1⤵
- Executes dropped EXE
PID:1636

/boot/sppapnoajp
/boot/sppapnoajp id 1543
1⤵
- Executes dropped EXE
PID:1639

/boot/cvznxcmbvl
/boot/cvznxcmbvl ifconfig 1543
1⤵
- Executes dropped EXE
PID:1642

/boot/hbfpvdkovu
/boot/hbfpvdkovu bash 1543
1⤵
- Executes dropped EXE
PID:1645

/boot/oeswxtlyry
/boot/oeswxtlyry uptime 1543
1⤵
- Executes dropped EXE
PID:1648

/boot/nuawudjbhc
/boot/nuawudjbhc "route -n" 1543
1⤵
- Executes dropped EXE
PID:1651

/boot/wgssavkjew
/boot/wgssavkjew who 1543
1⤵
- Executes dropped EXE
PID:1654

/boot/vhqwiaszur
/boot/vhqwiaszur "cd /etc" 1543
1⤵
- Executes dropped EXE
PID:1657

/boot/dnsbuvipnc
/boot/dnsbuvipnc "sleep 1" 1543
1⤵
- Executes dropped EXE
PID:1660

/boot/aympkkwvvd
/boot/aympkkwvvd "ifconfig eth0" 1543
1⤵
- Executes dropped EXE
PID:1663

/boot/ueyjndexoj
/boot/ueyjndexoj gnome-terminal 1543
1⤵
- Executes dropped EXE
PID:1666

/boot/bxatewkzij
/boot/bxatewkzij "netstat -antop" 1543
1⤵
- Executes dropped EXE
PID:1669

/boot/nktvllqmwv
/boot/nktvllqmwv "ps -ef" 1543
1⤵
- Executes dropped EXE
PID:1672

/boot/bpyfbfvifh
/boot/bpyfbfvifh su 1543
1⤵
- Executes dropped EXE
PID:1675

/boot/dlaeztmijr
/boot/dlaeztmijr "ifconfig eth0" 1543
1⤵
- Executes dropped EXE
PID:1678

/boot/afnlqwbzjj
/boot/afnlqwbzjj "cd /etc" 1543
1⤵
- Executes dropped EXE
PID:1681

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/bpyjvltwgb

Filesize
31KB

MD5
4080f46dddb863b99a7d7fcfd0f19438

SHA1
71a5a3c034234e65012cb104a894ed86deb9ee0a

SHA256
619544aba116c404ce9049b4e6483f2a35679207c3d5a04ffd7ba21055ae4c1b

SHA512
2a4c71b8db1211152d7e0904b4a2d3d64f37097c869afb22d6360494322bdf35510f0150a4755b114a0e3eab3c956a188564268a2edd65abc82257f5931c2297

Download Submit
/boot/dcprqoyslt

Filesize
8KB

MD5
95c8a2dbf57c1a1251087b9d48af858b

SHA1
4a6a3cf788bdb8e2edf654e519e19a0f21169a89

SHA256
795fe264bf36290c0b0b0c8dfce7beb34285f5fa4ed8ee7b7d8dff01a5af2495

SHA512
1e3fa729e886e96dc3fa5f917579902fed3ef296774cf36d2bf9fce6be1d8921de98263b998511177e01d41d148af9673a49899ce88e0172dcfe6f92ad9079c7

Download Submit
/boot/dlaeztmijr

Filesize
284KB

MD5
b29613d62b91297a6f855e2a0fb01c99

SHA1
da75d943acab102dbef87b9aaba63ae038ddf62b

SHA256
3c572c86d35dee3e6c05379cbb56d882245d90454380d8eaa943589948c34aa0

SHA512
e3bf353be2353226829cf8df1675d5b20f6d88acd2e6ce82d043cbff3dcc3dc09d63d5ccba8766dcbd6157477d31c9a7f9e17662f5fccd88dcbda2086abeccf9

Download Submit
/boot/dnsbuvipnc

Filesize
43KB

MD5
8de9ffa75f58467ccfe1bb897321c7a1

SHA1
97aaf1b97b21d79faaab300164efe66c0328a8a4

SHA256
9987aa08c5ac0707f1438182f51afb1d619852ebf3f38effe74e642d2fb0d8c8

SHA512
cf60b2a3fe75d3e733dbc59231a9683764db6b6e510c6a15ae26d1c2997a07bde9dd054ac9555f375c4590d90ab622db0017181d6eff5da0b071834ab7e050b9

Download Submit
/boot/nktvllqmwv

Filesize
40KB

MD5
2cfae8ba2b360dfaefd4e1555ca02404

SHA1
d9fd37b50e0df70e942fc7153643d0072adda0ff

SHA256
8ba6ed2163baaae5a27e3be4ea66cc533a8060286cb8c9d7815b7841fb06cde9

SHA512
a1456a6c6d9b7340aa6727d996cda9d50e707edc2b8423e540db0b89cc4b7fa46b04efb313aa17555aeae55578a398ffd4873f051291c50cbef13bdbcbf8fcd7

Download Submit
/boot/qesietsasy

Filesize
19KB

MD5
45c59316909169c42544511316945afa

SHA1
14cf666ca9eff25b547478b7348f9806b09b75ce

SHA256
e6d4d561fe542c213170dc2182ddaf0192fee814e6c6c4f02c26cea560d2faa1

SHA512
47644d107ad62ca9c5ca00e4880e44bcf5b9b7d29ff9322538ffd3f50eeb153546e9ecd917b6130db43c050b2f363ac467a09f1ed3afc311fe5b7e33025e71d2

Download Submit
/boot/ueyjndexoj

Filesize
11KB

MD5
111663596afb7b9fbc98e8115c2c1bfb

SHA1
9f7fdb5a501ed052b41a8012f0e03f8bd0e621be

SHA256
91288ab08e6f4288f3e771a6e8db83ded98acb0283549f40538fcf1480516a27

SHA512
38127a6ea2416546de9643f4992b5b4ad1f107f547e68a4d5f030f036366f0cc4ca44a48d9f95314253408a36dfac227cd64f62fb07febed8717454ee8697b14

Download Submit
/boot/wwxjyrmjyt

Filesize
4KB

MD5
ab19d1d81a8ee6c325de0e08ac2308f3

SHA1
b4263bb1f5a566005deb122b2b7fbb2cc9e34424

SHA256
a1a55c5647a93eca646d32e1c2d8293c8b9ba5bb6e5a3c86940ed0c3793f43eb

SHA512
951874443efb3a1940cef9a69137ad54238b6bea79e66f20621b21be4acb4c381d9f4159d0163c40aeb67a78e8aa1da6c794c029ee75218578ca0f57155f2808

Download Submit
/boot/yfizygcdwt

Filesize
8KB

MD5
9c7798d350459a6e80b3d9a04f690a86

SHA1
622199198564bc3452ae48e4171931b921c2afe3

SHA256
6c14d6b6c9026ee4daf26c21177d7f8ef9fef7efd0067f921ba55f75de7c0a10

SHA512
5393ae70d46bde223892b2d0de22d57637680eb4b56ab03fd311ff5d5951514ead1ff9c6f2c01477862031b668e24fd8de6dd1c79e51ea1d77757bfe770a5f16

Download Submit
/boot/yirregffjr

Filesize
318KB

MD5
f2d03465b46ed361c8883a6ad1383dbd

SHA1
6dac529c7ffb4810991925fda235658d45f49819

SHA256
a6fe750050dcd3b4e4ce3474a2d965708ce54c26eb09f2dfd09603f01f2b7826

SHA512
40f889924b0b38da4959635dd8473c564abfab9c3d227d042d82ca1982975eebb662c3b8b6c35d5cbcb6550cb8129a35efe97748cdff10bf7e66de8d7677685d

Download Submit
/boot/ztajoptaml

Filesize
647KB

MD5
7d44757d809641646e02ab76ed93ede8

SHA1
332f38022f433a472dc5aa6683c9b9ccccf46e0d

SHA256
0972688711161e347d08ce1c931eb41904fc6f4e4764548e1f14da132a0d1b5d

SHA512
ecf553a88eb61f122f8f8d5afc1a6331189ca15af0179ed81e38d7c95aaa0eaf1e7953eabfeb142a539465e6c2dee24d984dc6a03309a15b6c19326dcb005b77

Download Submit
/lib/udev/udev

Filesize
468KB

MD5
4d0dcf9a4e794e56297f39f841ccd358

SHA1
a2ee8bf6ad31959da7adc2adf521cd7523fd1c60

SHA256
881edc487f02eb4fe0ed21330eeebe94bf7510a6cf244f265772333646631ab3

SHA512
043fc8613b54167ef9858af9e1c8d47c51da8cbce58033b6f77f8aae614ab9d83c63de858fa97e8d289c23ff53aa53217400ce796078b388484b0d9bd783b8e6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads