xorddos | 5837609d4cfa0c9db43136ea748ff39ca90591966611b2ad1ae48938844f775b

Analysis

max time kernel
152s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9bd7aaca9749816ef700d9dccdfe8e
Size

647KB
MD5

af9bd7aaca9749816ef700d9dccdfe8e
SHA1

d636b30b14b80378808735a8b5002824ba94d005
SHA256

5837609d4cfa0c9db43136ea748ff39ca90591966611b2ad1ae48938844f775b
SHA512

830eba48452b8d6b3d5aa5aaac6d9e3f5c2c6440c4bf636795906e903eaa3dbc0f8d88f81760716f2a1bb3f19074e23b2a70a4f1948d396d110899ca384c9a2e
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonDp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mD6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

43.230.144.12:5521

192.168.1.131:3826

abcd.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-2.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-29.dat	family_xorddos
behavioral1/files/fstream-35.dat	family_xorddos

Deletes itself 1 IoCs

Processes:

pid
1524

Executes dropped EXE 31 IoCs

Processes:

nexvvsezwoosiqjeupxuilycvrfpjonisplmvhruceqjycnwyshmqgtmfqyfebpbqmdcszmhfznsgxmkfypnjxovivhveybcfokaqvybybdflnalpvvrikveuypxkhrdbvlnilljwkmekfmshybfafgfridiozobfkyakpwgzzvceqichjuaefssxyiiftzgwfriiukjpgpmcvzdwebjhajrijdrwdvpbsnkzwlfpwrwxiajrtbdmhpfpsfngeolngyvfmwjymyzacplsegkxejdkailzukjtfdueboowasnfpaisdpkif

ioc	pid	Process
/boot/nexvvsezwo	1526	nexvvsezwo
/boot/osiqjeupxu	1538	osiqjeupxu
/boot/ilycvrfpjo	1564	ilycvrfpjo
/boot/nisplmvhru	1567	nisplmvhru
/boot/ceqjycnwys	1570	ceqjycnwys
/boot/hmqgtmfqyf	1573	hmqgtmfqyf
/boot/ebpbqmdcsz	1576	ebpbqmdcsz
/boot/mhfznsgxmk	1581	mhfznsgxmk
/boot/fypnjxoviv	1584	fypnjxoviv
/boot/hveybcfoka	1587	hveybcfoka
/boot/qvybybdfln	1590	qvybybdfln
/boot/alpvvrikve	1593	alpvvrikve
/boot/uypxkhrdbv	1596	uypxkhrdbv
/boot/lnilljwkme	1599	lnilljwkme
/boot/kfmshybfaf	1602	kfmshybfaf
/boot/gfridiozob	1605	gfridiozob
/boot/fkyakpwgzz	1608	fkyakpwgzz
/boot/vceqichjua	1611	vceqichjua
/boot/efssxyiift	1614	efssxyiift
/boot/zgwfriiukj	1617	zgwfriiukj
/boot/pgpmcvzdwe	1620	pgpmcvzdwe
/boot/bjhajrijdr	1623	bjhajrijdr
/boot/wdvpbsnkzw	1626	wdvpbsnkzw
/boot/lfpwrwxiaj	1644	lfpwrwxiaj
/boot/rtbdmhpfps	1647	rtbdmhpfps
/boot/fngeolngyv	1650	fngeolngyv
/boot/fmwjymyzac	1653	fmwjymyzac
/boot/plsegkxejd	1656	plsegkxejd
/boot/kailzukjtf	1659	kailzukjtf
/boot/dueboowasn	1662	dueboowasn
/boot/fpaisdpkif	1665	fpaisdpkif

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh