xorddos | 0aac76180e779723716e014c5125aaa40a6576dc58da0308e7b397b2eb3d4137

General

Target

861af674fbaba4f5c58d964a4d891abf
Size

647KB
MD5

861af674fbaba4f5c58d964a4d891abf
SHA1

a879746df5e4999027d52a36e1cc19ce6a83320a
SHA256

0aac76180e779723716e014c5125aaa40a6576dc58da0308e7b397b2eb3d4137
SHA512

e9beb8d3522ab751afb6a88e53ee72f6940f98df5a6c2acc9b3e89df9da15ff6dee247832e0e51d46dfb6ef9d24aa6fc06082b82c349bd1dab8e60a8ec8153c7
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonDp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mD6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

linux.bc5j.com:2897

111.231.74.75:2897

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos

Deletes itself 1 IoCs

pid
1523

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/iccaemuzam	1525	iccaemuzam
/boot/kxdrkgfdpp	1540	kxdrkgfdpp
/boot/ffixnooczr	1563	ffixnooczr
/boot/bffonhipln	1566	bffonhipln
/boot/wjkgkrmxtz	1569	wjkgkrmxtz
/boot/bdlutqdzbf	1572	bdlutqdzbf
/boot/qxqxzbsdqz	1577	qxqxzbsdqz
/boot/axearwrkus	1580	axearwrkus
/boot/sfkizxcdgt	1583	sfkizxcdgt
/boot/bvjoabfcsn	1586	bvjoabfcsn
/boot/xhatewrjut	1589	xhatewrjut
/boot/zgjzmtlfod	1592	zgjzmtlfod
/boot/pfevjhrkot	1595	pfevjhrkot
/boot/ficjgxmzzm	1598	ficjgxmzzm
/boot/mrjcozgmny	1601	mrjcozgmny
/boot/dydfrgklzo	1604	dydfrgklzo
/boot/asainpayxo	1607	asainpayxo
/boot/krjdujxfix	1610	krjdujxfix
/boot/mxchlzuqrb	1613	mxchlzuqrb
/boot/abzdqkvgrv	1616	abzdqkvgrv
/boot/bebqdvttcq	1619	bebqdvttcq
/boot/jmliydwmhi	1622	jmliydwmhi
/boot/gnbvfeazvm	1625	gnbvfeazvm
/boot/gnxbsyvrav	1628	gnxbsyvrav
/boot/ahpicpsgpz	1631	ahpicpsgpz
/boot/eaktcqmglq	1634	eaktcqmglq
/boot/ekjdipkked	1637	ekjdipkked
/boot/vztrqoowct	1640	vztrqoowct
/boot/gueeuwsgxq	1643	gueeuwsgxq
/boot/glvdfnfipv	1646	glvdfnfipv
/boot/gkzlodjnig	1649	gkzlodjnig

Unexpected DNS network traffic destination 12 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/iccaemuzam

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found

/tmp/861af674fbaba4f5c58d964a4d891abf
/tmp/861af674fbaba4f5c58d964a4d891abf
1⤵
PID:1522

/boot/iccaemuzam
/boot/iccaemuzam
1⤵
- Executes dropped EXE
PID:1525

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1531
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1532

/bin/chkconfig
chkconfig --add iccaemuzam
1⤵
PID:1528

/sbin/chkconfig
chkconfig --add iccaemuzam
1⤵
PID:1528

/usr/bin/chkconfig
chkconfig --add iccaemuzam
1⤵
PID:1528

/usr/sbin/chkconfig
chkconfig --add iccaemuzam
1⤵
PID:1528

/usr/local/bin/chkconfig
chkconfig --add iccaemuzam
1⤵
PID:1528

/usr/local/sbin/chkconfig
chkconfig --add iccaemuzam
1⤵
PID:1528

/usr/X11R6/bin/chkconfig
chkconfig --add iccaemuzam
1⤵
PID:1528

/bin/update-rc.d
update-rc.d iccaemuzam defaults
1⤵
PID:1530

/sbin/update-rc.d
update-rc.d iccaemuzam defaults
1⤵
PID:1530

/usr/bin/update-rc.d
update-rc.d iccaemuzam defaults
1⤵
PID:1530

/usr/sbin/update-rc.d
update-rc.d iccaemuzam defaults
1⤵
PID:1530
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1539

/boot/kxdrkgfdpp
/boot/kxdrkgfdpp "route -n" 1526
1⤵
- Executes dropped EXE
PID:1540

/boot/ffixnooczr
/boot/ffixnooczr "echo \"find\"" 1526
1⤵
- Executes dropped EXE
PID:1563

/boot/bffonhipln
/boot/bffonhipln "sleep 1" 1526
1⤵
- Executes dropped EXE
PID:1566

/boot/wjkgkrmxtz
/boot/wjkgkrmxtz sh 1526
1⤵
- Executes dropped EXE
PID:1569

/boot/bdlutqdzbf
/boot/bdlutqdzbf sh 1526
1⤵
- Executes dropped EXE
PID:1572

/boot/qxqxzbsdqz
/boot/qxqxzbsdqz top 1526
1⤵
- Executes dropped EXE
PID:1577

/boot/axearwrkus
/boot/axearwrkus "ps -ef" 1526
1⤵
- Executes dropped EXE
PID:1580

/boot/sfkizxcdgt
/boot/sfkizxcdgt "cd /etc" 1526
1⤵
- Executes dropped EXE
PID:1583

/boot/bvjoabfcsn
/boot/bvjoabfcsn ifconfig 1526
1⤵
- Executes dropped EXE
PID:1586

/boot/xhatewrjut
/boot/xhatewrjut "sleep 1" 1526
1⤵
- Executes dropped EXE
PID:1589

/boot/zgjzmtlfod
/boot/zgjzmtlfod "netstat -antop" 1526
1⤵
- Executes dropped EXE
PID:1592

/boot/pfevjhrkot
/boot/pfevjhrkot "netstat -an" 1526
1⤵
- Executes dropped EXE
PID:1595

/boot/ficjgxmzzm
/boot/ficjgxmzzm id 1526
1⤵
- Executes dropped EXE
PID:1598

/boot/mrjcozgmny
/boot/mrjcozgmny bash 1526
1⤵
- Executes dropped EXE
PID:1601

/boot/dydfrgklzo
/boot/dydfrgklzo sh 1526
1⤵
- Executes dropped EXE
PID:1604

/boot/asainpayxo
/boot/asainpayxo pwd 1526
1⤵
- Executes dropped EXE
PID:1607

/boot/krjdujxfix
/boot/krjdujxfix "ps -ef" 1526
1⤵
- Executes dropped EXE
PID:1610

/boot/mxchlzuqrb
/boot/mxchlzuqrb pwd 1526
1⤵
- Executes dropped EXE
PID:1613

/boot/abzdqkvgrv
/boot/abzdqkvgrv "ifconfig eth0" 1526
1⤵
- Executes dropped EXE
PID:1616

/boot/bebqdvttcq
/boot/bebqdvttcq whoami 1526
1⤵
- Executes dropped EXE
PID:1619

/boot/jmliydwmhi
/boot/jmliydwmhi id 1526
1⤵
- Executes dropped EXE
PID:1622

/boot/gnbvfeazvm
/boot/gnbvfeazvm "ls -la" 1526
1⤵
- Executes dropped EXE
PID:1625

/boot/gnxbsyvrav
/boot/gnxbsyvrav ls 1526
1⤵
- Executes dropped EXE
PID:1628

/boot/ahpicpsgpz
/boot/ahpicpsgpz "ls -la" 1526
1⤵
- Executes dropped EXE
PID:1631

/boot/eaktcqmglq
/boot/eaktcqmglq "ifconfig eth0" 1526
1⤵
- Executes dropped EXE
PID:1634

/boot/ekjdipkked
/boot/ekjdipkked "cd /etc" 1526
1⤵
- Executes dropped EXE
PID:1637

/boot/vztrqoowct
/boot/vztrqoowct ls 1526
1⤵
- Executes dropped EXE
PID:1640

/boot/gueeuwsgxq
/boot/gueeuwsgxq "echo \"find\"" 1526
1⤵
- Executes dropped EXE
PID:1643

/boot/glvdfnfipv
/boot/glvdfnfipv "grep \"A\"" 1526
1⤵
- Executes dropped EXE
PID:1646

/boot/gkzlodjnig
/boot/gkzlodjnig id 1526
1⤵
- Executes dropped EXE
PID:1649

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/bffonhipln

Filesize
4KB

MD5
ab19d1d81a8ee6c325de0e08ac2308f3

SHA1
b4263bb1f5a566005deb122b2b7fbb2cc9e34424

SHA256
a1a55c5647a93eca646d32e1c2d8293c8b9ba5bb6e5a3c86940ed0c3793f43eb

SHA512
951874443efb3a1940cef9a69137ad54238b6bea79e66f20621b21be4acb4c381d9f4159d0163c40aeb67a78e8aa1da6c794c029ee75218578ca0f57155f2808

Download Submit
/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/init.d/iccaemuzam

Filesize
317B

MD5
f95e16f570d22969c14afe6c9b988fb5

SHA1
d1dcfdc3c7fe1a3ff369ea57a12b6563686e0dc9

SHA256
964237df3fa6f83066903453d24a4798c11114a61cdfd602cdbd4616a59406c8

SHA512
c3f6129d5db55e809ac4b5d0a716c03274cd5546a325ef15e23229901659023753291a2a43854f2d58bcb2e36c9046db0264b2985ef5b5836a5cca5be222c48c

Download Submit
/etc/sedkopIrK

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/udev/udev

Filesize
647KB

MD5
861af674fbaba4f5c58d964a4d891abf

SHA1
a879746df5e4999027d52a36e1cc19ce6a83320a

SHA256
0aac76180e779723716e014c5125aaa40a6576dc58da0308e7b397b2eb3d4137

SHA512
e9beb8d3522ab751afb6a88e53ee72f6940f98df5a6c2acc9b3e89df9da15ff6dee247832e0e51d46dfb6ef9d24aa6fc06082b82c349bd1dab8e60a8ec8153c7

Download Submit
/run/sftp.pid

Filesize
32B

MD5
a14df4d1db14fdb7b8487ee5e3ba3dde

SHA1
71a3d1562107d7efff813548ac3df80a049a262c

SHA256
302e2cfd0482f69a7f067e6ef21bc3c63fbf7ed228837de2810a423764f30468

SHA512
d408283bd9f321532bdfe3613d341bd4cb1797ffae086762c911c2297b0f204f04dd7b3b7553c46d0ff18ed0b152358c598481ab85c163ad697ab92047a7bafe

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads