xorddos | 2674fcea6abf859f06e6bb629823423c326528a9e5623c8bdf05a370e78bdd4e

Analysis

max time kernel
129s
max time network
67s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c8da16a2b9e7c318a9544ff032bddbe
Size

611KB
MD5

8c8da16a2b9e7c318a9544ff032bddbe
SHA1

6a73498e4a7ea07cb6a508552e10f859ebeb9e04
SHA256

2674fcea6abf859f06e6bb629823423c326528a9e5623c8bdf05a370e78bdd4e
SHA512

e14bf4ac5adb60aa1423074b7d79908d484909f211ff439e58ae8b4d9309e106646716975ea7be05c46fe00abb8e524d816d891221aadf1e7af2950b8ea2b645
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrpT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNpBVEBl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.finance1num.org/config.rar

cdn.netflix2cdn.com:8080

cdn.finance1num.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 11 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 1 IoCs

pid
1682

Executes dropped EXE 24 IoCs

ioc	pid	Process
/usr/bin/xrngfkrkgh	1578	xrngfkrkgh
/usr/bin/xrngfkrkgh	1599	xrngfkrkgh
/usr/bin/xrngfkrkgh	1607	xrngfkrkgh
/usr/bin/xrngfkrkgh	1610	xrngfkrkgh
/usr/bin/xrngfkrkgh	1613	xrngfkrkgh
/usr/bin/gzcglffizq	1626	gzcglffizq
/usr/bin/gzcglffizq	1629	gzcglffizq
/usr/bin/gzcglffizq	1632	gzcglffizq
/usr/bin/gzcglffizq	1635	gzcglffizq
/usr/bin/gzcglffizq	1638	gzcglffizq
/usr/bin/pfdkjednif	1644	pfdkjednif
/usr/bin/pfdkjednif	1647	pfdkjednif
/usr/bin/pfdkjednif	1650	pfdkjednif
/usr/bin/pfdkjednif	1653	pfdkjednif
/usr/bin/pfdkjednif	1656	pfdkjednif
/usr/bin/idisdgqdel	1659	idisdgqdel
/usr/bin/idisdgqdel	1662	idisdgqdel
/usr/bin/idisdgqdel	1665	idisdgqdel
/usr/bin/idisdgqdel	1668	idisdgqdel
/usr/bin/idisdgqdel	1671	idisdgqdel
/usr/bin/bziriwwohm	1674	bziriwwohm
/usr/bin/bziriwwohm	1677	bziriwwohm
/usr/bin/bziriwwohm	1680	bziriwwohm
/usr/bin/bziriwwohm	1683	bziriwwohm

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/8c8da16a2b9e7c318a9544ff032bddbe

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/xrngfkrkgh
File opened for modification	/usr/bin/gzcglffizq
File opened for modification	/usr/bin/pfdkjednif
File opened for modification	/usr/bin/idisdgqdel
File opened for modification	/usr/bin/bziriwwohm

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed

/tmp/8c8da16a2b9e7c318a9544ff032bddbe
/tmp/8c8da16a2b9e7c318a9544ff032bddbe
1⤵
PID:1565

/bin/chkconfig
chkconfig --add 8c8da16a2b9e7c318a9544ff032bddbe
1⤵
PID:1568

/sbin/chkconfig
chkconfig --add 8c8da16a2b9e7c318a9544ff032bddbe
1⤵
PID:1568

/usr/bin/chkconfig
chkconfig --add 8c8da16a2b9e7c318a9544ff032bddbe
1⤵
PID:1568

/usr/sbin/chkconfig
chkconfig --add 8c8da16a2b9e7c318a9544ff032bddbe
1⤵
PID:1568

/usr/local/bin/chkconfig
chkconfig --add 8c8da16a2b9e7c318a9544ff032bddbe
1⤵
PID:1568

/usr/local/sbin/chkconfig
chkconfig --add 8c8da16a2b9e7c318a9544ff032bddbe
1⤵
PID:1568

/usr/X11R6/bin/chkconfig
chkconfig --add 8c8da16a2b9e7c318a9544ff032bddbe
1⤵
PID:1568

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1571
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1572

/bin/update-rc.d
update-rc.d 8c8da16a2b9e7c318a9544ff032bddbe defaults
1⤵
PID:1570

/sbin/update-rc.d
update-rc.d 8c8da16a2b9e7c318a9544ff032bddbe defaults
1⤵
PID:1570

/usr/bin/update-rc.d
update-rc.d 8c8da16a2b9e7c318a9544ff032bddbe defaults
1⤵
PID:1570

/usr/sbin/update-rc.d
update-rc.d 8c8da16a2b9e7c318a9544ff032bddbe defaults
1⤵
PID:1570
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1574

/usr/bin/xrngfkrkgh
/usr/bin/xrngfkrkgh "grep \"A\"" 1566
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/xrngfkrkgh
/usr/bin/xrngfkrkgh gnome-terminal 1566
1⤵
- Executes dropped EXE
PID:1599

/usr/bin/xrngfkrkgh
/usr/bin/xrngfkrkgh id 1566
1⤵
- Executes dropped EXE
PID:1607

/usr/bin/xrngfkrkgh
/usr/bin/xrngfkrkgh "route -n" 1566
1⤵
- Executes dropped EXE
PID:1610

/usr/bin/xrngfkrkgh
/usr/bin/xrngfkrkgh id 1566
1⤵
- Executes dropped EXE
PID:1613

/usr/bin/gzcglffizq
/usr/bin/gzcglffizq id 1566
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/gzcglffizq
/usr/bin/gzcglffizq gnome-terminal 1566
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/gzcglffizq
/usr/bin/gzcglffizq id 1566
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/gzcglffizq
/usr/bin/gzcglffizq "grep \"A\"" 1566
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/gzcglffizq
/usr/bin/gzcglffizq "echo \"find\"" 1566
1⤵
- Executes dropped EXE
PID:1638

/usr/bin/pfdkjednif
/usr/bin/pfdkjednif "cat resolv.conf" 1566
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/pfdkjednif
/usr/bin/pfdkjednif "route -n" 1566
1⤵
- Executes dropped EXE
PID:1647

/usr/bin/pfdkjednif
/usr/bin/pfdkjednif "ls -la" 1566
1⤵
- Executes dropped EXE
PID:1650

/usr/bin/pfdkjednif
/usr/bin/pfdkjednif ls 1566
1⤵
- Executes dropped EXE
PID:1653

/usr/bin/pfdkjednif
/usr/bin/pfdkjednif "grep \"A\"" 1566
1⤵
- Executes dropped EXE
PID:1656

/usr/bin/idisdgqdel
/usr/bin/idisdgqdel top 1566
1⤵
- Executes dropped EXE
PID:1659

/usr/bin/idisdgqdel
/usr/bin/idisdgqdel bash 1566
1⤵
- Executes dropped EXE
PID:1662

/usr/bin/idisdgqdel
/usr/bin/idisdgqdel "sleep 1" 1566
1⤵
- Executes dropped EXE
PID:1665

/usr/bin/idisdgqdel
/usr/bin/idisdgqdel "route -n" 1566
1⤵
- Executes dropped EXE
PID:1668

/usr/bin/idisdgqdel
/usr/bin/idisdgqdel who 1566
1⤵
- Executes dropped EXE
PID:1671

/usr/bin/bziriwwohm
/usr/bin/bziriwwohm "cd /etc" 1566
1⤵
- Executes dropped EXE
PID:1674

/usr/bin/bziriwwohm
/usr/bin/bziriwwohm bash 1566
1⤵
- Executes dropped EXE
PID:1677

/usr/bin/bziriwwohm
/usr/bin/bziriwwohm sh 1566
1⤵
- Executes dropped EXE
PID:1680

/usr/bin/bziriwwohm
/usr/bin/bziriwwohm "cat resolv.conf" 1566
1⤵
- Executes dropped EXE
PID:1683

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/8c8da16a2b9e7c318a9544ff032bddbe

Filesize
425B

MD5
bf6a5d8cc8ac2bd84fd8aaf69003ef06

SHA1
44febd95280f230281a71030f99e5c58da51ab30

SHA256
b8a97b326e9720d472fe6c09af32ca5f4f7dc799e3cb7622b54d6841bb84f853

SHA512
f5e24896dc288d0315ef148f6f4c7b5a15971fb919e96f34d741f75d7e23fcc6e7dd8d9734b5db51e22d9201ce0d9dd3500649bf351ad6ea706c7ab73ab9da92

Download Submit
/etc/sedsesc6d

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
8c8da16a2b9e7c318a9544ff032bddbe

SHA1
6a73498e4a7ea07cb6a508552e10f859ebeb9e04

SHA256
2674fcea6abf859f06e6bb629823423c326528a9e5623c8bdf05a370e78bdd4e

SHA512
e14bf4ac5adb60aa1423074b7d79908d484909f211ff439e58ae8b4d9309e106646716975ea7be05c46fe00abb8e524d816d891221aadf1e7af2950b8ea2b645

Download Submit
/run/gcc.pid

Filesize
32B

MD5
49897d97a08d30815985117e282dfc4b

SHA1
c21e0aa8a1e6600b3a509bf17b71dcb94a5f785a

SHA256
ec66d5b7d016954345496ba2e45c861821cbe9b0340b486b73b528c3ef30d245

SHA512
8e6a43a56cc16491852c4532b316ae97fba9f8d14fc859e0b0fbfecfa1cc33914c5a2780ba681c1fbd30d8df23a30b1a79dd96406aadca06feaef39a0d35e5c8

Download Submit
/usr/bin/bziriwwohm

Filesize
611KB

MD5
a2bd36230cfc77cc9388b68df9c89375

SHA1
93d04d7d347e69a293a2678be1ea560ae13a59a1

SHA256
48e5a0e9daba254c4631bf978b38857160fb126a996470ac1a940bca9ccad224

SHA512
6a69b31583bf1bc56276888ddf7f8818c48940885522287f518dc4746fced43812e1b27845a72492db9c58f0c6c2ecbd836ced633f955991c44963495dca5f6e

Download Submit
/usr/bin/bziriwwohm

Filesize
611KB

MD5
8d2f1bc5889dd92c760eabef8fd2eef5

SHA1
011aa481e44dc566f6dc9de0b059008d44eef1f2

SHA256
a137e63000fb6f83ac641ee024f468f2c89ec7c3e76901f2fb941bde4567f09c

SHA512
8b56d640b3ffbce4fad606ee786ed922008c240f73cbf8499fb2208c931544c2202377ab535711ac5e0a69a54f51d74bb87406897cb053eb449da881380b5dcc

Download Submit
/usr/bin/gzcglffizq

Filesize
611KB

MD5
976a3615a3bd52487fb51a271e97c192

SHA1
dfd4f2311dc1976ad6a93d8ebddcd167d35055b9

SHA256
7ee97986b45c00a72daf5d327e531ae5a403636e1779328c078c6c9d9a97fd0b

SHA512
79e3120db2b312e43ad74ed3b7cd055d9e08af90520edadc3e7c40a6518abe54e21a29fc0a8376d5908b10050cd819dd5f9898c377c6640facb2ba13ee8c8905

Download Submit
/usr/bin/gzcglffizq

Filesize
611KB

MD5
e9c4136e90e44360421ee511a1c886f4

SHA1
694796f5b0e2783d26a438b1ca74c73c0673b0f0

SHA256
1c0f65ae7448914c9271b547957818a071609ccea8d1aecd4744bb9134de5d8f

SHA512
395bc4c3dbb3470a43ee6703db1106b9a05697c28435dd4e7d36b9569054fec661ed8f0a14673afe702c21fc25a3ea076fa906b14970b592ffcc503d9fd573c7

Download Submit
/usr/bin/idisdgqdel

Filesize
611KB

MD5
341cd4a3882a600355c7dd4374779de9

SHA1
6e500b3822eefb8f8d81ccc49b35e41562c69dab

SHA256
791a65f64cbeeff836a17a58fefd9f469f4a029512d74aaac7650308ad3d4fe8

SHA512
8dc2f875ecf8e75a3b4d91dc7bb2586a9f3f4ef7ffec35325ff791a181c83bc922c209e4e3b55c607615da9cd77c55e86a97fe5f2718394a2de97679c24b2238

Download Submit
/usr/bin/idisdgqdel

Filesize
611KB

MD5
535d1b5aad40133b3f13eb2bb91ab9d4

SHA1
a76480a682161e05b674c129efa3f3767205ace2

SHA256
86cb80bb72dda5a0488d1aa374c55a8af47d17742059eec5bafec8ed01b4dff5

SHA512
372c973b1546d19df134f08bdb3409d7bb9fe15ae568a0d61c874d433693a2e4ade719b6ca54e4054e6be0b7a61af684b0eee6c0b669533e2d8343dd5b3f671e

Download Submit
/usr/bin/pfdkjednif

Filesize
611KB

MD5
d2c0012238cbc23d70c48f6d8237e2a2

SHA1
d583dfb7d8bf61b9ebe489269f1cffabc00f5f85

SHA256
467f17305aa856c7396adba5e0a8b3c082e792220f2dc113dc0ad0f43887aeaf

SHA512
342ab4e3c50e5f12a5aba4f63b88b092100bea92c1a0e30d4ffd1d043f813cd42d3e748fe3b53778b6c605554f31dfe0761a74e4f82488c3832796c8423d435f

Download Submit
/usr/bin/pfdkjednif

Filesize
611KB

MD5
4c9d72fdddf8ad594802254c9f4aee6f

SHA1
e95d9b6ba2ea4a80adcde583e19a70a1aa89c8a7

SHA256
af3b2ec55c373ed25178f613372c91582d0091809efd8db63237fc689f383ed4

SHA512
0103e9c33acaf3d5894daca2907979e751b2253e60be61899fb125aaa141291535c49e4641e1b051c7c81c0a475a78f58cb553d21abf2958fcd254ad11ba1a8b

Download Submit
/usr/bin/xrngfkrkgh

Filesize
611KB

MD5
22755f44b14e869e8c3978d2993b5646

SHA1
df1cecef6ee7f5a952a1bc6d1004cf726ce17154

SHA256
a5508bbba29b4525b50745051039817d634277d1c31eabbef914d01e7f5b77db

SHA512
f3ca93e5c6b1da2240f2f98fa06dd8c57d592e6d9ce4708076836a5b89460e1e6d77051fa4fd15a7702b151e7c0495c80d7aae4fd5d64c8f4b8de384794b2d7e

Download Submit
/usr/bin/xrngfkrkgh

Filesize
611KB

MD5
529a713ba208bf169859a0eda50839db

SHA1
e71a80fadfeb5100401c24af8ae3e2af283bc3b1

SHA256
6a2d097d10db6ebff90d06b9a87e1d1a92ed918d6b28ee769d927f58ca99f482

SHA512
48bcf0dbce3e5b2a751d7049abf1270ade763736a1a96cd9b7940c0de7d74a6aa482709d7dd264d8cf964de1b35a919a815fdf9af04a8d621659d960ca143e0b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads