xorddos | 93b1a887ed2648b92a7a76b4635a0f0cf3a96f4eae606562e1fac611585a71f8

General

Target

f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876.elf
Size

647KB
MD5

d20e3e491d242d649c3fcf4879f2cbf2
SHA1

681406d197c6de50bc611bb466c012f0cd9b4aa6
SHA256

f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876
SHA512

de50e27b457d3ee8e9d41800c83fd5eb4a1f0b0d568f02a4ecd482a4390b435410c15a262c123162e7e7f877219ff8fe13ce763ecece80f96872cd050895141c
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

aaaaaaaaaa.re67das.com:5859

aa369369.f3322.org:2897

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 3 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos

Deletes itself 1 IoCs

pid
1565

Executes dropped EXE 32 IoCs

ioc	pid	Process
/boot/uwpuqxezrm	1567	uwpuqxezrm
/boot/povyqazkig	1582	povyqazkig
/boot/uavkunizvi	1605	uavkunizvi
/boot/vqdqbxqqli	1608	vqdqbxqqli
/boot/tkorhhsloh	1611	tkorhhsloh
/boot/dtfgkqcups	1614	dtfgkqcups
/boot/qmkiowifhm	1620	qmkiowifhm
/boot/xdpvwvlmvv	1623	xdpvwvlmvv
/boot/gtzrxvtpcm	1626	gtzrxvtpcm
/boot/kfngiugmyz	1630	kfngiugmyz
/boot/cblvdlfglq	1633	cblvdlfglq
/boot/jgoteqymxx	1636	jgoteqymxx
/boot/onpdbawcmf	1639	onpdbawcmf
/boot/mqsdovqhky	1642	mqsdovqhky
/boot/xapidsnwlb	1645	xapidsnwlb
/boot/hyoseovoid	1649	hyoseovoid
/boot/bfeaqsualg	1652	bfeaqsualg
/boot/wouvtwrowk	1655	wouvtwrowk
/boot/rkmkjkqdgo	1658	rkmkjkqdgo
/boot/lcgoctwgsj	1661	lcgoctwgsj
/boot/tptilnhqdz	1664	tptilnhqdz
/boot/zbbdtpvgac	1667	zbbdtpvgac
/boot/qvsphhuvbm	1670	qvsphhuvbm
/boot/moqcdpdknk	1674	moqcdpdknk
/boot/epjcepqexd	1678	epjcepqexd
/boot/yviipnzdni	1681	yviipnzdni
/boot/osvuvirawg	1685	osvuvirawg
/boot/rktwytmtvv	1688	rktwytmtvv
/boot/yigtykqwnj	1692	yigtykqwnj
/boot/xpcbygvnsd	1695	xpcbygvnsd
/boot/wetfucrlmg	1698	wetfucrlmg
/boot/ynjantovoh	1701	ynjantovoh

Unexpected DNS network traffic destination 35 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/uwpuqxezrm

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl

/tmp/f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876.elf
/tmp/f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876.elf
1⤵
PID:1564

/boot/uwpuqxezrm
/boot/uwpuqxezrm
1⤵
- Executes dropped EXE
PID:1567

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1573
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1574

/bin/chkconfig
chkconfig --add uwpuqxezrm
1⤵
PID:1570

/sbin/chkconfig
chkconfig --add uwpuqxezrm
1⤵
PID:1570

/usr/bin/chkconfig
chkconfig --add uwpuqxezrm
1⤵
PID:1570

/usr/sbin/chkconfig
chkconfig --add uwpuqxezrm
1⤵
PID:1570

/usr/local/bin/chkconfig
chkconfig --add uwpuqxezrm
1⤵
PID:1570

/usr/local/sbin/chkconfig
chkconfig --add uwpuqxezrm
1⤵
PID:1570

/usr/X11R6/bin/chkconfig
chkconfig --add uwpuqxezrm
1⤵
PID:1570

/bin/update-rc.d
update-rc.d uwpuqxezrm defaults
1⤵
PID:1572

/sbin/update-rc.d
update-rc.d uwpuqxezrm defaults
1⤵
PID:1572

/usr/bin/update-rc.d
update-rc.d uwpuqxezrm defaults
1⤵
PID:1572

/usr/sbin/update-rc.d
update-rc.d uwpuqxezrm defaults
1⤵
PID:1572
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1580

/boot/povyqazkig
/boot/povyqazkig "echo \"find\"" 1568
1⤵
- Executes dropped EXE
PID:1582

/boot/uavkunizvi
/boot/uavkunizvi uptime 1568
1⤵
- Executes dropped EXE
PID:1605

/boot/vqdqbxqqli
/boot/vqdqbxqqli "route -n" 1568
1⤵
- Executes dropped EXE
PID:1608

/boot/tkorhhsloh
/boot/tkorhhsloh "ls -la" 1568
1⤵
- Executes dropped EXE
PID:1611

/boot/dtfgkqcups
/boot/dtfgkqcups whoami 1568
1⤵
- Executes dropped EXE
PID:1614

/boot/qmkiowifhm
/boot/qmkiowifhm who 1568
1⤵
- Executes dropped EXE
PID:1620

/boot/xdpvwvlmvv
/boot/xdpvwvlmvv "netstat -an" 1568
1⤵
- Executes dropped EXE
PID:1623

/boot/gtzrxvtpcm
/boot/gtzrxvtpcm uptime 1568
1⤵
- Executes dropped EXE
PID:1626

/boot/kfngiugmyz
/boot/kfngiugmyz bash 1568
1⤵
- Executes dropped EXE
PID:1630

/boot/cblvdlfglq
/boot/cblvdlfglq pwd 1568
1⤵
- Executes dropped EXE
PID:1633

/boot/jgoteqymxx
/boot/jgoteqymxx "route -n" 1568
1⤵
- Executes dropped EXE
PID:1636

/boot/onpdbawcmf
/boot/onpdbawcmf ls 1568
1⤵
- Executes dropped EXE
PID:1639

/boot/mqsdovqhky
/boot/mqsdovqhky gnome-terminal 1568
1⤵
- Executes dropped EXE
PID:1642

/boot/xapidsnwlb
/boot/xapidsnwlb pwd 1568
1⤵
- Executes dropped EXE
PID:1645

/boot/hyoseovoid
/boot/hyoseovoid sh 1568
1⤵
- Executes dropped EXE
PID:1649

/boot/bfeaqsualg
/boot/bfeaqsualg "ifconfig eth0" 1568
1⤵
- Executes dropped EXE
PID:1652

/boot/wouvtwrowk
/boot/wouvtwrowk ls 1568
1⤵
- Executes dropped EXE
PID:1655

/boot/rkmkjkqdgo
/boot/rkmkjkqdgo ifconfig 1568
1⤵
- Executes dropped EXE
PID:1658

/boot/lcgoctwgsj
/boot/lcgoctwgsj su 1568
1⤵
- Executes dropped EXE
PID:1661

/boot/tptilnhqdz
/boot/tptilnhqdz bash 1568
1⤵
- Executes dropped EXE
PID:1664

/boot/zbbdtpvgac
/boot/zbbdtpvgac "ps -ef" 1568
1⤵
- Executes dropped EXE
PID:1667

/boot/qvsphhuvbm
/boot/qvsphhuvbm "ps -ef" 1568
1⤵
- Executes dropped EXE
PID:1670

/boot/moqcdpdknk
/boot/moqcdpdknk "sleep 1" 1568
1⤵
- Executes dropped EXE
PID:1674

/boot/epjcepqexd
/boot/epjcepqexd "cat resolv.conf" 1568
1⤵
- Executes dropped EXE
PID:1678

/boot/yviipnzdni
/boot/yviipnzdni bash 1568
1⤵
- Executes dropped EXE
PID:1681

/boot/osvuvirawg
/boot/osvuvirawg id 1568
1⤵
- Executes dropped EXE
PID:1685

/boot/rktwytmtvv
/boot/rktwytmtvv "grep \"A\"" 1568
1⤵
- Executes dropped EXE
PID:1688

/boot/yigtykqwnj
/boot/yigtykqwnj uptime 1568
1⤵
- Executes dropped EXE
PID:1692

/boot/xpcbygvnsd
/boot/xpcbygvnsd "ifconfig eth0" 1568
1⤵
- Executes dropped EXE
PID:1695

/boot/wetfucrlmg
/boot/wetfucrlmg gnome-terminal 1568
1⤵
- Executes dropped EXE
PID:1698

/boot/ynjantovoh
/boot/ynjantovoh ifconfig 1568
1⤵
- Executes dropped EXE
PID:1701

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/xapidsnwlb

Filesize
28KB

MD5
7be4d6e6260e1cf663a7487055019388

SHA1
a144672ef2749f31db26172f453efff24e3906b9

SHA256
e64975c4781c1f865d75f7f8d135c85198c5b50bb27533949dee6759b1bea815

SHA512
fdfb16e2db059c673813b331b31b28498d89cefc8054c4357e4c29366bfb43fb8c63ded91da8e58f02e4d967f0da4264a9b794083f657a4d45a7438a37902370

Download Submit
/boot/xdpvwvlmvv

Filesize
7KB

MD5
a58dcd7b3e1b592e0b414635576fc979

SHA1
e6c9f53b9fdca5ef87489c681322f9a127fe971d

SHA256
95f7bede38933d6b005be7bac32c0fd97569a9510539ce931b75e0ab39e91b1e

SHA512
36517439519bf8d4dc2b4cb910421743d1e40db123557f671b7cbabf3fc16972c9ee39211d7c556f4d916b71109626e78e6a17c56ea3b0e9588f62793f8e97f9

Download Submit
/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/init.d/uwpuqxezrm

Filesize
317B

MD5
46bf37690c0d90706ded0e6fd6c8d346

SHA1
6f8cc4f978498d6e59310a5e3657563a05874068

SHA256
87ef7ba3995e22f3178316ea917db4dfb611e0ac827971259b2a83ea47f82f86

SHA512
2372a38ff9d04c5d88bf9912b280550388a0d41e32c259a279dbff402b0097efae5d963f10b4fd84dca77002d51f0daabe1f7fd2456af6a852b3feb735743787

Download Submit
/etc/sedoft49s

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/udev/udev

Filesize
647KB

MD5
d20e3e491d242d649c3fcf4879f2cbf2

SHA1
681406d197c6de50bc611bb466c012f0cd9b4aa6

SHA256
f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876

SHA512
de50e27b457d3ee8e9d41800c83fd5eb4a1f0b0d568f02a4ecd482a4390b435410c15a262c123162e7e7f877219ff8fe13ce763ecece80f96872cd050895141c

Download Submit
/run/sftp.pid

Filesize
32B

MD5
d9cec6ed0a7fc873df3e97c6b62f88df

SHA1
23da6cbb77a8f3c2bcc84e224a091df3039db28e

SHA256
99f4ea34abcb0484e800de7622efe0d08ddc0409a5d99ce98cefe030db7cd501

SHA512
0def09ecfb07a0d93e42902720ea6272bb7f9ac107124b2df55d408936444e3ee0451e48af5aeb57b5f976f50bfd07352d22bc87d179e8901f089051856e8b8e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads