xorddos | 5837609d4cfa0c9db43136ea748ff39ca90591966611b2ad1ae48938844f775b

Analysis

max time kernel
152s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/12/2023, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9bd7aaca9749816ef700d9dccdfe8e
Size

647KB
MD5

af9bd7aaca9749816ef700d9dccdfe8e
SHA1

d636b30b14b80378808735a8b5002824ba94d005
SHA256

5837609d4cfa0c9db43136ea748ff39ca90591966611b2ad1ae48938844f775b
SHA512

830eba48452b8d6b3d5aa5aaac6d9e3f5c2c6440c4bf636795906e903eaa3dbc0f8d88f81760716f2a1bb3f19074e23b2a70a4f1948d396d110899ca384c9a2e
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonDp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mD6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

43.230.144.12:5521

192.168.1.131:3826

abcd.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 5 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-2.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-29.dat	family_xorddos
behavioral1/files/fstream-35.dat	family_xorddos

Deletes itself 1 IoCs

pid
1524

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/nexvvsezwo	1526	nexvvsezwo
/boot/osiqjeupxu	1538	osiqjeupxu
/boot/ilycvrfpjo	1564	ilycvrfpjo
/boot/nisplmvhru	1567	nisplmvhru
/boot/ceqjycnwys	1570	ceqjycnwys
/boot/hmqgtmfqyf	1573	hmqgtmfqyf
/boot/ebpbqmdcsz	1576	ebpbqmdcsz
/boot/mhfznsgxmk	1581	mhfznsgxmk
/boot/fypnjxoviv	1584	fypnjxoviv
/boot/hveybcfoka	1587	hveybcfoka
/boot/qvybybdfln	1590	qvybybdfln
/boot/alpvvrikve	1593	alpvvrikve
/boot/uypxkhrdbv	1596	uypxkhrdbv
/boot/lnilljwkme	1599	lnilljwkme
/boot/kfmshybfaf	1602	kfmshybfaf
/boot/gfridiozob	1605	gfridiozob
/boot/fkyakpwgzz	1608	fkyakpwgzz
/boot/vceqichjua	1611	vceqichjua
/boot/efssxyiift	1614	efssxyiift
/boot/zgwfriiukj	1617	zgwfriiukj
/boot/pgpmcvzdwe	1620	pgpmcvzdwe
/boot/bjhajrijdr	1623	bjhajrijdr
/boot/wdvpbsnkzw	1626	wdvpbsnkzw
/boot/lfpwrwxiaj	1644	lfpwrwxiaj
/boot/rtbdmhpfps	1647	rtbdmhpfps
/boot/fngeolngyv	1650	fngeolngyv
/boot/fmwjymyzac	1653	fmwjymyzac
/boot/plsegkxejd	1656	plsegkxejd
/boot/kailzukjtf	1659	kailzukjtf
/boot/dueboowasn	1662	dueboowasn
/boot/fpaisdpkif	1665	fpaisdpkif

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/nexvvsezwo

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/environ	systemctl

/tmp/af9bd7aaca9749816ef700d9dccdfe8e
/tmp/af9bd7aaca9749816ef700d9dccdfe8e
1⤵
PID:1523

/boot/nexvvsezwo
/boot/nexvvsezwo
1⤵
- Executes dropped EXE
PID:1526

/bin/chkconfig
chkconfig --add nexvvsezwo
1⤵
PID:1529

/sbin/chkconfig
chkconfig --add nexvvsezwo
1⤵
PID:1529

/usr/bin/chkconfig
chkconfig --add nexvvsezwo
1⤵
PID:1529

/usr/sbin/chkconfig
chkconfig --add nexvvsezwo
1⤵
PID:1529

/usr/local/bin/chkconfig
chkconfig --add nexvvsezwo
1⤵
PID:1529

/usr/local/sbin/chkconfig
chkconfig --add nexvvsezwo
1⤵
PID:1529

/usr/X11R6/bin/chkconfig
chkconfig --add nexvvsezwo
1⤵
PID:1529

/bin/update-rc.d
update-rc.d nexvvsezwo defaults
1⤵
PID:1531

/sbin/update-rc.d
update-rc.d nexvvsezwo defaults
1⤵
PID:1531

/usr/bin/update-rc.d
update-rc.d nexvvsezwo defaults
1⤵
PID:1531

/usr/sbin/update-rc.d
update-rc.d nexvvsezwo defaults
1⤵
PID:1531
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1536

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1532
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1533

/boot/osiqjeupxu
/boot/osiqjeupxu "route -n" 1527
1⤵
- Executes dropped EXE
PID:1538

/boot/ilycvrfpjo
/boot/ilycvrfpjo id 1527
1⤵
- Executes dropped EXE
PID:1564

/boot/nisplmvhru
/boot/nisplmvhru whoami 1527
1⤵
- Executes dropped EXE
PID:1567

/boot/ceqjycnwys
/boot/ceqjycnwys "cd /etc" 1527
1⤵
- Executes dropped EXE
PID:1570

/boot/hmqgtmfqyf
/boot/hmqgtmfqyf pwd 1527
1⤵
- Executes dropped EXE
PID:1573

/boot/ebpbqmdcsz
/boot/ebpbqmdcsz "ps -ef" 1527
1⤵
- Executes dropped EXE
PID:1576

/boot/mhfznsgxmk
/boot/mhfznsgxmk "ps -ef" 1527
1⤵
- Executes dropped EXE
PID:1581

/boot/fypnjxoviv
/boot/fypnjxoviv "netstat -an" 1527
1⤵
- Executes dropped EXE
PID:1584

/boot/hveybcfoka
/boot/hveybcfoka "sleep 1" 1527
1⤵
- Executes dropped EXE
PID:1587

/boot/qvybybdfln
/boot/qvybybdfln top 1527
1⤵
- Executes dropped EXE
PID:1590

/boot/alpvvrikve
/boot/alpvvrikve ifconfig 1527
1⤵
- Executes dropped EXE
PID:1593

/boot/uypxkhrdbv
/boot/uypxkhrdbv "ps -ef" 1527
1⤵
- Executes dropped EXE
PID:1596

/boot/lnilljwkme
/boot/lnilljwkme "ls -la" 1527
1⤵
- Executes dropped EXE
PID:1599

/boot/kfmshybfaf
/boot/kfmshybfaf whoami 1527
1⤵
- Executes dropped EXE
PID:1602

/boot/gfridiozob
/boot/gfridiozob whoami 1527
1⤵
- Executes dropped EXE
PID:1605

/boot/fkyakpwgzz
/boot/fkyakpwgzz "echo \"find\"" 1527
1⤵
- Executes dropped EXE
PID:1608

/boot/vceqichjua
/boot/vceqichjua top 1527
1⤵
- Executes dropped EXE
PID:1611

/boot/efssxyiift
/boot/efssxyiift "route -n" 1527
1⤵
- Executes dropped EXE
PID:1614

/boot/zgwfriiukj
/boot/zgwfriiukj "echo \"find\"" 1527
1⤵
- Executes dropped EXE
PID:1617

/boot/pgpmcvzdwe
/boot/pgpmcvzdwe gnome-terminal 1527
1⤵
- Executes dropped EXE
PID:1620

/boot/bjhajrijdr
/boot/bjhajrijdr whoami 1527
1⤵
- Executes dropped EXE
PID:1623

/boot/wdvpbsnkzw
/boot/wdvpbsnkzw whoami 1527
1⤵
- Executes dropped EXE
PID:1626

/boot/lfpwrwxiaj
/boot/lfpwrwxiaj "netstat -an" 1527
1⤵
- Executes dropped EXE
PID:1644

/boot/rtbdmhpfps
/boot/rtbdmhpfps "cd /etc" 1527
1⤵
- Executes dropped EXE
PID:1647

/boot/fngeolngyv
/boot/fngeolngyv "cd /etc" 1527
1⤵
- Executes dropped EXE
PID:1650

/boot/fmwjymyzac
/boot/fmwjymyzac "netstat -an" 1527
1⤵
- Executes dropped EXE
PID:1653

/boot/plsegkxejd
/boot/plsegkxejd ls 1527
1⤵
- Executes dropped EXE
PID:1656

/boot/kailzukjtf
/boot/kailzukjtf su 1527
1⤵
- Executes dropped EXE
PID:1659

/boot/dueboowasn
/boot/dueboowasn "echo \"find\"" 1527
1⤵
- Executes dropped EXE
PID:1662

/boot/fpaisdpkif
/boot/fpaisdpkif bash 1527
1⤵
- Executes dropped EXE
PID:1665

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/dueboowasn

Filesize
140KB

MD5
b9dade3c10a9fa4f92757e8078b620fc

SHA1
96a84d356384e4435cdfe2594a608936f787f9d2

SHA256
02d948fd6d07e0b29aeaeb9fa98c0ec129f80becf8555ff4f9b7797360813b8c

SHA512
7e3b7941121b4db0e09b285e454d977a0e6a6a1e1b0c84dc8aef5d3c6657521ba0314dc6c571cc0254e35708d2c21a5f3a025ec478ebede7a48b717f434701e2

Download Submit
/boot/lfpwrwxiaj

Filesize
8KB

MD5
95c8a2dbf57c1a1251087b9d48af858b

SHA1
4a6a3cf788bdb8e2edf654e519e19a0f21169a89

SHA256
795fe264bf36290c0b0b0c8dfce7beb34285f5fa4ed8ee7b7d8dff01a5af2495

SHA512
1e3fa729e886e96dc3fa5f917579902fed3ef296774cf36d2bf9fce6be1d8921de98263b998511177e01d41d148af9673a49899ce88e0172dcfe6f92ad9079c7

Download Submit
/boot/nexvvsezwo

Filesize
538KB

MD5
9a58d60169d5d10eeb81053cf5db2463

SHA1
0751019f81b1fabfee0b47a38301d595a38c001b

SHA256
c2a89f63cb54240c689294c6e190d0821003dda4d7597844960b001591ae9924

SHA512
91010f93e6a18db112371fffd787f063b89656dc8948ffe26497995d3e8d2cf1640305c1f271c61d8ec0e50be56109f2b910ccdcf3aff402af0eb8501b0bc15b

Download Submit
/boot/osiqjeupxu

Filesize
647KB

MD5
af9bd7aaca9749816ef700d9dccdfe8e

SHA1
d636b30b14b80378808735a8b5002824ba94d005

SHA256
5837609d4cfa0c9db43136ea748ff39ca90591966611b2ad1ae48938844f775b

SHA512
830eba48452b8d6b3d5aa5aaac6d9e3f5c2c6440c4bf636795906e903eaa3dbc0f8d88f81760716f2a1bb3f19074e23b2a70a4f1948d396d110899ca384c9a2e

Download Submit
/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/init.d/nexvvsezwo

Filesize
317B

MD5
761edf5a3398ebb41414917620a841af

SHA1
e11ec677d9667466de22f2b39a7252e0433c0f7a

SHA256
d97950cb99af9b44e5e8629e6edf17cb1a8a301e9ea13bb25e4cb803f3ef9c64

SHA512
fc2cb3bdf8fe4c74d1efc80a4135f66310accbbc5469acc2f588557f353b4dc6f800224050bfcda96cebb843f5119c044d81fa84caff13c71a363142c4583d66

Download Submit
/etc/sedmlv2ta

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/udev/udev

Filesize
119KB

MD5
dc27779cf8e8b086a98979068d750177

SHA1
918ffac0c9013c0c5b2e9350c7c5da1736549827

SHA256
17d6e19c1851a621ec5a3e75a88f320b76381989808577f9658347058715900d

SHA512
a575437499017b2906a24d697d744446709838d7014e59270f0142d4a563e1ce4f861db0d4d82aa6371daaae0448dcfc754dd6ce39bba98307ba5ae1a7f834f5

Download Submit
/run/sftp.pid

Filesize
32B

MD5
e68d0d28392ed1cf94ac5fcc481f56bb

SHA1
ab817b42ee8b13f58cf672bc0a00e11f10c6c1b9

SHA256
22fa36d8d4174fa769a89beab25a20e32c05983de10162c602d7d2e392b8b2f3

SHA512
c0dbcb3a00c43b1852d82f9fb7917f38d0b5d559e8a0ecaa99a54a907d2b35f4e6900e23222f9e439adf96757c6d8810ee4696f9542845779aa5a2ffcf0d17b6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads