xorddos | 5a7d7f1d53f039e7b69cf8d040cc043d1264b14107a8a73034e6b90d8e81f87a

Analysis

max time kernel
152s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96671eab0913c0003c63f4d2c50318db
Size

535KB
MD5

96671eab0913c0003c63f4d2c50318db
SHA1

0ef56578885236f87ae7f1c7580b8ed50c9ade77
SHA256

5a7d7f1d53f039e7b69cf8d040cc043d1264b14107a8a73034e6b90d8e81f87a
SHA512

198d02b0312a271e88a4c3749cb7b828fcffd0ffb3327dc3e54c68953c99b03a0354192314e43691e0c02354a34d5ca074b0165568195d8ed0f6018b24857d82
SSDEEP

12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbzZ66ySjQn36Eoj:/fUywKQ7Fb1pNL/p5ZfjQn36Eu

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/config.rar

ppp.gggatat456.com:1523

ppp.xxxatat456.com:1523

www1.gggatat456.com:1523

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 11 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 3 IoCs

pid
1637
1631
1634

Executes dropped EXE 24 IoCs

ioc	pid	Process
/usr/bin/drlnqjmzsy	1546	drlnqjmzsy
/usr/bin/drlnqjmzsy	1552	drlnqjmzsy
/usr/bin/drlnqjmzsy	1572	drlnqjmzsy
/usr/bin/drlnqjmzsy	1578	drlnqjmzsy
/usr/bin/drlnqjmzsy	1581	drlnqjmzsy
/usr/bin/vmqrkqozzm	1584	vmqrkqozzm
/usr/bin/vmqrkqozzm	1587	vmqrkqozzm
/usr/bin/vmqrkqozzm	1590	vmqrkqozzm
/usr/bin/vmqrkqozzm	1593	vmqrkqozzm
/usr/bin/vmqrkqozzm	1596	vmqrkqozzm
/usr/bin/kkwubphxdg	1599	kkwubphxdg
/usr/bin/kkwubphxdg	1602	kkwubphxdg
/usr/bin/kkwubphxdg	1605	kkwubphxdg
/usr/bin/kkwubphxdg	1608	kkwubphxdg
/usr/bin/kkwubphxdg	1611	kkwubphxdg
/usr/bin/jjyrvzdvzm	1614	jjyrvzdvzm
/usr/bin/jjyrvzdvzm	1617	jjyrvzdvzm
/usr/bin/jjyrvzdvzm	1620	jjyrvzdvzm
/usr/bin/jjyrvzdvzm	1623	jjyrvzdvzm
/usr/bin/jjyrvzdvzm	1626	jjyrvzdvzm
/usr/bin/nvxmwqslcr	1629	nvxmwqslcr
/usr/bin/nvxmwqslcr	1632	nvxmwqslcr
/usr/bin/nvxmwqslcr	1635	nvxmwqslcr
/usr/bin/nvxmwqslcr	1638	nvxmwqslcr

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/96671eab0913c0003c63f4d2c50318db

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/drlnqjmzsy
File opened for modification	/usr/bin/vmqrkqozzm
File opened for modification	/usr/bin/kkwubphxdg
File opened for modification	/usr/bin/jjyrvzdvzm
File opened for modification	/usr/bin/nvxmwqslcr

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/meminfo	Process not Found

/tmp/96671eab0913c0003c63f4d2c50318db
/tmp/96671eab0913c0003c63f4d2c50318db
1⤵
PID:1533

/bin/chkconfig
chkconfig --add 96671eab0913c0003c63f4d2c50318db
1⤵
PID:1536

/sbin/chkconfig
chkconfig --add 96671eab0913c0003c63f4d2c50318db
1⤵
PID:1536

/usr/bin/chkconfig
chkconfig --add 96671eab0913c0003c63f4d2c50318db
1⤵
PID:1536

/usr/sbin/chkconfig
chkconfig --add 96671eab0913c0003c63f4d2c50318db
1⤵
PID:1536

/usr/local/bin/chkconfig
chkconfig --add 96671eab0913c0003c63f4d2c50318db
1⤵
PID:1536

/usr/local/sbin/chkconfig
chkconfig --add 96671eab0913c0003c63f4d2c50318db
1⤵
PID:1536

/usr/X11R6/bin/chkconfig
chkconfig --add 96671eab0913c0003c63f4d2c50318db
1⤵
PID:1536

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1539
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1540

/bin/update-rc.d
update-rc.d 96671eab0913c0003c63f4d2c50318db defaults
1⤵
PID:1538

/sbin/update-rc.d
update-rc.d 96671eab0913c0003c63f4d2c50318db defaults
1⤵
PID:1538

/usr/bin/update-rc.d
update-rc.d 96671eab0913c0003c63f4d2c50318db defaults
1⤵
PID:1538

/usr/sbin/update-rc.d
update-rc.d 96671eab0913c0003c63f4d2c50318db defaults
1⤵
PID:1538
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1544

/usr/bin/drlnqjmzsy
/usr/bin/drlnqjmzsy "sleep 1" 1534
1⤵
- Executes dropped EXE
PID:1546

/usr/bin/drlnqjmzsy
/usr/bin/drlnqjmzsy "ls -la" 1534
1⤵
- Executes dropped EXE
PID:1552

/usr/bin/drlnqjmzsy
/usr/bin/drlnqjmzsy uptime 1534
1⤵
- Executes dropped EXE
PID:1572

/usr/bin/drlnqjmzsy
/usr/bin/drlnqjmzsy top 1534
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/drlnqjmzsy
/usr/bin/drlnqjmzsy su 1534
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/vmqrkqozzm
/usr/bin/vmqrkqozzm su 1534
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/vmqrkqozzm
/usr/bin/vmqrkqozzm "sleep 1" 1534
1⤵
- Executes dropped EXE
PID:1587

/usr/bin/vmqrkqozzm
/usr/bin/vmqrkqozzm su 1534
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/vmqrkqozzm
/usr/bin/vmqrkqozzm ifconfig 1534
1⤵
- Executes dropped EXE
PID:1593

/usr/bin/vmqrkqozzm
/usr/bin/vmqrkqozzm top 1534
1⤵
- Executes dropped EXE
PID:1596

/usr/bin/kkwubphxdg
/usr/bin/kkwubphxdg uptime 1534
1⤵
- Executes dropped EXE
PID:1599

/usr/bin/kkwubphxdg
/usr/bin/kkwubphxdg "ps -ef" 1534
1⤵
- Executes dropped EXE
PID:1602

/usr/bin/kkwubphxdg
/usr/bin/kkwubphxdg gnome-terminal 1534
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/kkwubphxdg
/usr/bin/kkwubphxdg whoami 1534
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/kkwubphxdg
/usr/bin/kkwubphxdg sh 1534
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/jjyrvzdvzm
/usr/bin/jjyrvzdvzm "ifconfig eth0" 1534
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/jjyrvzdvzm
/usr/bin/jjyrvzdvzm "route -n" 1534
1⤵
- Executes dropped EXE
PID:1617

/usr/bin/jjyrvzdvzm
/usr/bin/jjyrvzdvzm "sleep 1" 1534
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/jjyrvzdvzm
/usr/bin/jjyrvzdvzm "netstat -an" 1534
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/jjyrvzdvzm
/usr/bin/jjyrvzdvzm uptime 1534
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/nvxmwqslcr
/usr/bin/nvxmwqslcr uptime 1534
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/nvxmwqslcr
/usr/bin/nvxmwqslcr su 1534
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/nvxmwqslcr
/usr/bin/nvxmwqslcr top 1534
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/nvxmwqslcr
/usr/bin/nvxmwqslcr "ifconfig eth0" 1534
1⤵
- Executes dropped EXE
PID:1638

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/96671eab0913c0003c63f4d2c50318db

Filesize
425B

MD5
4027ba6ea61adde5e904cd3c953a46c2

SHA1
85007fd3d950798e92354495f2078a50adfc1d68

SHA256
2da0ae862e5da40fcf6426b23914fd923d4359f1415a342d2ac2d6d12cd8de12

SHA512
797abdb48bd963979df806c6edc064efb577d368d2a10e266f0bce4999d71d464e4060e5649bf19ca77701c4cdd0a0d6f7f3099eac7867dcd33124ea594ff738

Download Submit
/etc/sedaZ3yZE

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
535KB

MD5
96671eab0913c0003c63f4d2c50318db

SHA1
0ef56578885236f87ae7f1c7580b8ed50c9ade77

SHA256
5a7d7f1d53f039e7b69cf8d040cc043d1264b14107a8a73034e6b90d8e81f87a

SHA512
198d02b0312a271e88a4c3749cb7b828fcffd0ffb3327dc3e54c68953c99b03a0354192314e43691e0c02354a34d5ca074b0165568195d8ed0f6018b24857d82

Download Submit
/run/gcc.pid

Filesize
32B

MD5
46264de885b285922491b7154546c5f0

SHA1
ef9c09ea854790bf0c187b701fc8cfb44209d823

SHA256
22e2c02a970b0f853faae1c8316798f59e71b268e799a8d83c763beff1777fc3

SHA512
739b7adf6cd5b38432b354ef89531cc3068fe61051ef8dd00c3d0efcbf281cca2c532c494189ff54bed076d949e0307e5bf16ca58d3de253c3287ec373433f73

Download Submit
/usr/bin/drlnqjmzsy

Filesize
535KB

MD5
b193840e55e15cf7caa07bc6e8306ec5

SHA1
b3f11cf0400ad563443b78ae3cdcfb4992324c0f

SHA256
4853f345de5d217c99433b791a8be9a36a977a128505ee2cfaf860e2dbedf07e

SHA512
09662c398e48ccea66711d70326b89f686b0ca2f78149a637496afb33e0ac1530457d0bb5632febeaa841329cdd3fd71ee9684c2a0406e951ce3d360675b57fb

Download Submit
/usr/bin/drlnqjmzsy

Filesize
535KB

MD5
28609fd4937cccd4648fe7d3592ac2d8

SHA1
9f9a039f312163b9ab866104090d1f3f9ea581c0

SHA256
f37d90126ced8290d2f2bb83e153604ae305e025d89ef53a58e5287f56f46f7c

SHA512
5e317021721534a502d47f236cc0c470be3c9f8e7e35abd86c475fa51f73f3d520bbed2d63bb37c2282c184c8d843cf93b68e9aa872aabd300d2b9e26974a361

Download Submit
/usr/bin/jjyrvzdvzm

Filesize
535KB

MD5
7d7498f69593b3baf1a1f255fd13ee83

SHA1
e35ec0291950d8fb5b45ae6a5be4bbce083a5f03

SHA256
7f7b46e41dfbbec915981d507019db72dabfafd8f90b06141e6259c97c6b47d0

SHA512
96830b44c58b42fe8a576598575865289da070495920d2942b4bb5917928a7ddde9c553bbc8ae74f9084e0362f9ce19e5ab28f9e3b9c00bb522dd1bb6f92a78e

Download Submit
/usr/bin/jjyrvzdvzm

Filesize
535KB

MD5
569b23d8c79106d46eed1c5d963c9879

SHA1
e18383aea9e1fbd3afbd71a05b1781edcef0353f

SHA256
e09ad137552e0bd870d14c244def25c59aee6af9fbec2b2e3b8b1f91b1851249

SHA512
fa5ecb1b78960da553dea84d188381bb9ebbfc01fbcc8ae2249b29016b76844f270370b068f1bb65e22d2131989910aac53dc913c1ef87594a71dc2ab56bf171

Download Submit
/usr/bin/kkwubphxdg

Filesize
535KB

MD5
107b327bf07bf11358bcba9a30ee32c1

SHA1
ce8a998743867fce02aa6eb11e3c7db762250d50

SHA256
8d15ed652d993f43113e2e9a27c9cb1cfb186d604c9710b56c45ab7f938866ac

SHA512
ae354a66e35533883810ecee1e845e1d4269c0adab7bf89f3941611def2012fc5f32d52f1f26f5cae2e2197c744a58f65504035ab9300620b1f34325c604d919

Download Submit
/usr/bin/kkwubphxdg

Filesize
535KB

MD5
de086d603b7d32014bf30305f03bf130

SHA1
d8afcc62210f0644c30495e3cf96e35725ce2608

SHA256
c20294bd5b6f4950131d03c6b2e5cfac79d9ca425ea8050643e7273239960821

SHA512
d456359988bc4c095f30400c6ee67120d05f0cdcbc425c9b63fb722df3aa3a3ead4dfb6c0d093d8ec559671ca67676a9f0a0309bef143f9100c0438be35a9396

Download Submit
/usr/bin/nvxmwqslcr

Filesize
535KB

MD5
f4daeea3f08abc0d29205c5b9b8e5caf

SHA1
82e2d38c5711f961e9b037e750c55081ea9153df

SHA256
1240814cde5bce0f18aeb6df25f3ad4fcddbfae0d9a4d8dbcbca412265a7f4cc

SHA512
513988ab711676f6af9f10d1a1e339338fdd5d055849ef23ede9d36a6d925506cfdec3c9c621ef5e3b85787971ca7026e38af51b11619d63beed92290ffa61cd

Download Submit
/usr/bin/nvxmwqslcr

Filesize
535KB

MD5
4606526db52b3ce492320cd30e628f0b

SHA1
95b37f718e688a21922a4d8483c1b24785d43163

SHA256
8af52056db3b6580a0902d77e28dbaca43caf6dc6e4563ca1b4d35cee7772c0e

SHA512
09c9a663c841e02f6ebf80eca9de4c7907f1d56669206c04620e70030fe8c602506ba68170fc83c78c41382a69178944b489a4fc94d1b61967bfb23d2f3ea5be

Download Submit
/usr/bin/vmqrkqozzm

Filesize
535KB

MD5
7e72bc713e5f6f365c9472728c55295f

SHA1
cc96e04ea456710a669cc7888fb8b69b4a85a388

SHA256
c9dc987a67f9b19235dc246320abfce669300c2386cfde8345f394aab6d8c33a

SHA512
f04210deffb3dd2703e4e231b6e33869bba2ebf55f5e8abaf43f837daa5c6fc1d6c1327b81bde343eeb681d20e3387f645e1e7789ce7aa29c5d67e8bcd220175

Download Submit
/usr/bin/vmqrkqozzm

Filesize
535KB

MD5
c7b1eaca986adbcb238aec1e6bb377ae

SHA1
97c7aa5081a0b854ce1cd9d54e03c96b30da00ec

SHA256
3c048a8d1e7e61dfffa2520a89a56363e51307b34fa87b324252b4338b741002

SHA512
a38a1740917ece6a2a8cc7721091d2fbb236c5cc10a7711b0c94fb5e3c30e7ff9b2f4920aa0a9a1f3467665db644a5c311c9222363f14f946fa87b1e8bc06eb6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads