xorddos | c0981ccf0cb2cefef67e5e52abd9bf4020ccacea1fb2f65a6ffc0f93922d22bb

Analysis

max time kernel
152s
max time network
66s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b52205215441c3926b7eec083d4d3555
Size

611KB
MD5

b52205215441c3926b7eec083d4d3555
SHA1

f267c0c2d82b6642abcff6bb4ca5e38ef9fe1a23
SHA256

c0981ccf0cb2cefef67e5e52abd9bf4020ccacea1fb2f65a6ffc0f93922d22bb
SHA512

1bc0d0e3d43fd4b5b5c74a970a47f49090709d719f8e21b4c78b664f254ba4bd3f51771e723383f3677b02aa525e7960b5227e67e49fb46add25a907eafe25d7
SSDEEP

12288:FBXOv9wV1/n/dQFhWlH/c1dHo4h9L+zNZrr3T6yF8EEP4UlUuTh1AG:FBXGkN/+Fhu/Qo4h9L+zNN3BVEBl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.finance1num.org/config.rar

cdn.netflix2cdn.com:21

cdn.finance1num.com:21

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 14 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/koffhpalkb	family_xorddos
/usr/bin/koffhpalkb	family_xorddos
/usr/bin/koffhpalkb	family_xorddos
/usr/bin/zkowgtiaiu	family_xorddos
/usr/bin/zkowgtiaiu	family_xorddos
/usr/bin/zkowgtiaiu	family_xorddos
/usr/bin/eofyvvrzra	family_xorddos
/usr/bin/eofyvvrzra	family_xorddos
/usr/bin/xbajaaagdq	family_xorddos
/usr/bin/xbajaaagdq	family_xorddos
/usr/bin/xbajaaagdq	family_xorddos
/usr/bin/qylpbdtaxw	family_xorddos
/usr/bin/qylpbdtaxw	family_xorddos

Deletes itself 3 IoCs

Processes:

pid

1648
1656
1653

pid
1648
1656
1653

Executes dropped EXE 24 IoCs

Processes:

koffhpalkbkoffhpalkbkoffhpalkbkoffhpalkbkoffhpalkbzkowgtiaiuzkowgtiaiuzkowgtiaiuzkowgtiaiuzkowgtiaiueofyvvrzraeofyvvrzraeofyvvrzraeofyvvrzraeofyvvrzraxbajaaagdqxbajaaagdqxbajaaagdqxbajaaagdqxbajaaagdqqylpbdtaxwqylpbdtaxwqylpbdtaxwqylpbdtaxw

ioc	pid	process
/usr/bin/koffhpalkb	1550	koffhpalkb
/usr/bin/koffhpalkb	1553	koffhpalkb
/usr/bin/koffhpalkb	1575	koffhpalkb
/usr/bin/koffhpalkb	1579	koffhpalkb
/usr/bin/koffhpalkb	1582	koffhpalkb
/usr/bin/zkowgtiaiu	1600	zkowgtiaiu
/usr/bin/zkowgtiaiu	1602	zkowgtiaiu
/usr/bin/zkowgtiaiu	1606	zkowgtiaiu
/usr/bin/zkowgtiaiu	1609	zkowgtiaiu
/usr/bin/zkowgtiaiu	1612	zkowgtiaiu
/usr/bin/eofyvvrzra	1615	eofyvvrzra
/usr/bin/eofyvvrzra	1618	eofyvvrzra
/usr/bin/eofyvvrzra	1621	eofyvvrzra
/usr/bin/eofyvvrzra	1624	eofyvvrzra
/usr/bin/eofyvvrzra	1627	eofyvvrzra
/usr/bin/xbajaaagdq	1630	xbajaaagdq
/usr/bin/xbajaaagdq	1633	xbajaaagdq
/usr/bin/xbajaaagdq	1636	xbajaaagdq
/usr/bin/xbajaaagdq	1639	xbajaaagdq
/usr/bin/xbajaaagdq	1641	xbajaaagdq
/usr/bin/qylpbdtaxw	1645	qylpbdtaxw
/usr/bin/qylpbdtaxw	1647	qylpbdtaxw
/usr/bin/qylpbdtaxw	1650	qylpbdtaxw
/usr/bin/qylpbdtaxw	1654	qylpbdtaxw

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/b52205215441c3926b7eec083d4d3555

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/b52205215441c3926b7eec083d4d3555

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/zkowgtiaiu
File opened for modification	/usr/bin/eofyvvrzra
File opened for modification	/usr/bin/xbajaaagdq
File opened for modification	/usr/bin/qylpbdtaxw
File opened for modification	/usr/bin/koffhpalkb

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev

/tmp/b52205215441c3926b7eec083d4d3555
/tmp/b52205215441c3926b7eec083d4d3555
1⤵
PID:1534

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1540
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1541

/bin/chkconfig
chkconfig --add b52205215441c3926b7eec083d4d3555
1⤵
PID:1537

/sbin/chkconfig
chkconfig --add b52205215441c3926b7eec083d4d3555
1⤵
PID:1537

/usr/bin/chkconfig
chkconfig --add b52205215441c3926b7eec083d4d3555
1⤵
PID:1537

/usr/sbin/chkconfig
chkconfig --add b52205215441c3926b7eec083d4d3555
1⤵
PID:1537

/usr/local/bin/chkconfig
chkconfig --add b52205215441c3926b7eec083d4d3555
1⤵
PID:1537

/usr/local/sbin/chkconfig
chkconfig --add b52205215441c3926b7eec083d4d3555
1⤵
PID:1537

/usr/X11R6/bin/chkconfig
chkconfig --add b52205215441c3926b7eec083d4d3555
1⤵
PID:1537

/bin/update-rc.d
update-rc.d b52205215441c3926b7eec083d4d3555 defaults
1⤵
PID:1539

/sbin/update-rc.d
update-rc.d b52205215441c3926b7eec083d4d3555 defaults
1⤵
PID:1539

/usr/bin/update-rc.d
update-rc.d b52205215441c3926b7eec083d4d3555 defaults
1⤵
PID:1539

/usr/sbin/update-rc.d
update-rc.d b52205215441c3926b7eec083d4d3555 defaults
1⤵
PID:1539
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1546

/usr/bin/koffhpalkb
/usr/bin/koffhpalkb whoami 1535
1⤵
- Executes dropped EXE
PID:1550

/usr/bin/koffhpalkb
/usr/bin/koffhpalkb "ifconfig eth0" 1535
1⤵
- Executes dropped EXE
PID:1553

/usr/bin/koffhpalkb
/usr/bin/koffhpalkb gnome-terminal 1535
1⤵
- Executes dropped EXE
PID:1575

/usr/bin/koffhpalkb
/usr/bin/koffhpalkb sh 1535
1⤵
- Executes dropped EXE
PID:1579

/usr/bin/koffhpalkb
/usr/bin/koffhpalkb "cd /etc" 1535
1⤵
- Executes dropped EXE
PID:1582

/usr/bin/zkowgtiaiu
/usr/bin/zkowgtiaiu pwd 1535
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/zkowgtiaiu
/usr/bin/zkowgtiaiu "cat resolv.conf" 1535
1⤵
- Executes dropped EXE
PID:1602

/usr/bin/zkowgtiaiu
/usr/bin/zkowgtiaiu top 1535
1⤵
- Executes dropped EXE
PID:1606

/usr/bin/zkowgtiaiu
/usr/bin/zkowgtiaiu "grep \"A\"" 1535
1⤵
- Executes dropped EXE
PID:1609

/usr/bin/zkowgtiaiu
/usr/bin/zkowgtiaiu "cat resolv.conf" 1535
1⤵
- Executes dropped EXE
PID:1612

/usr/bin/eofyvvrzra
/usr/bin/eofyvvrzra uptime 1535
1⤵
- Executes dropped EXE
PID:1615

/usr/bin/eofyvvrzra
/usr/bin/eofyvvrzra "route -n" 1535
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/eofyvvrzra
/usr/bin/eofyvvrzra "sleep 1" 1535
1⤵
- Executes dropped EXE
PID:1621

/usr/bin/eofyvvrzra
/usr/bin/eofyvvrzra who 1535
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/eofyvvrzra
/usr/bin/eofyvvrzra "route -n" 1535
1⤵
- Executes dropped EXE
PID:1627

/usr/bin/xbajaaagdq
/usr/bin/xbajaaagdq "route -n" 1535
1⤵
- Executes dropped EXE
PID:1630

/usr/bin/xbajaaagdq
/usr/bin/xbajaaagdq ls 1535
1⤵
- Executes dropped EXE
PID:1633

/usr/bin/xbajaaagdq
/usr/bin/xbajaaagdq "cat resolv.conf" 1535
1⤵
- Executes dropped EXE
PID:1636

/usr/bin/xbajaaagdq
/usr/bin/xbajaaagdq "cd /etc" 1535
1⤵
- Executes dropped EXE
PID:1639

/usr/bin/xbajaaagdq
/usr/bin/xbajaaagdq "cd /etc" 1535
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/qylpbdtaxw
/usr/bin/qylpbdtaxw "sleep 1" 1535
1⤵
- Executes dropped EXE
PID:1645

/usr/bin/qylpbdtaxw
/usr/bin/qylpbdtaxw "ps -ef" 1535
1⤵
- Executes dropped EXE
PID:1647

/usr/bin/qylpbdtaxw
/usr/bin/qylpbdtaxw uptime 1535
1⤵
- Executes dropped EXE
PID:1650

/usr/bin/qylpbdtaxw
/usr/bin/qylpbdtaxw "ifconfig eth0" 1535
1⤵
- Executes dropped EXE
PID:1654

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/b52205215441c3926b7eec083d4d3555

Filesize
425B

MD5
33c2aa78ce2c61a35d0b2cc572cfc0a3

SHA1
02bf9f119a95b387100516563e22fd97f1ac24ef

SHA256
fb345ff2ebecb34970f07d6ac31e66b9613970b36644648bcc829feff884371d

SHA512
29027302c8575f0be758752707d97e5d083a3153144810aac34a54e16f9da9920b30621cc0e1ced307e3d115850d189bc0548b571e74f42c828f6f3bedfd2c92

Download Submit
/etc/sedcgagcC

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
543KB

MD5
7cc4078014e39fdc6dd17f2c953bc81d

SHA1
dff55a89893b91bf322418ba4d958f19bb0cd657

SHA256
9a27e2e878d3a5d3178c61802ae167e2b3244322644117bff426cbfe3f9534b1

SHA512
04b576258cc1ab148b5e6696bb2877d42bc550f9dfa703a529e4141fd74fbd738440c12cec98489d0d84172598473753e40c9dba91fc38f5eb54d6414f03c80e

Download Submit
/run/gcc.pid

Filesize
32B

MD5
100c4f13bb023eb513d5e7b5f71bb634

SHA1
ae1914a66270ccd3cc91e249fdeaa207a10283b7

SHA256
a94ca9c026f512aa984cb9a93de968da762dceca66c7227fb915bedba7d6e8fe

SHA512
9e79a628fd01b069323987b134a2052bdac885226db839ee2650e98040f50219d21d3c57b92c1f49ee3157ad18dcb55f0730439dc44dad090673812bb38021ff

Download Submit
/usr/bin/eofyvvrzra

Filesize
611KB

MD5
8544f07df133122cc897cb50f62a2fde

SHA1
c3996d372988db649276c4c19872ac9cfdc5f3b1

SHA256
c59a31d783387c05e33723d493966b03015c180972140acbd31477b76faddf8d

SHA512
b070538daad9c836ed77e7f7ec9a20c3323d37eab49896755ffbf9842b4cbb87097ed73fe73494f5707c949ee692356a39e661d1e23f741a1ae9bdcdad81953d

Download Submit
/usr/bin/eofyvvrzra

Filesize
611KB

MD5
f2cc5e46ee0585c6185b2595ea507066

SHA1
c9809d0f6d663959d2e7b3bec17c0493b3580f1b

SHA256
d872dc7696e186d8c5c974e7fd3cbef41932e735cfafee6fa2d161c6eab49b10

SHA512
8362a66a0dca34bc8e84ff2627143c5085612284bc7a6129956cad89353fcfca3d90de8b3cb666fb0fd55ea4e608aad0f8878a8b6219f6b77f88c6c9a8d87898

Download Submit
/usr/bin/koffhpalkb

Filesize
276KB

MD5
67e4e0849486d99b2d96b486acacc3d1

SHA1
bab76bb343846816b03548ee597d1def06899475

SHA256
9d94cfb68ece224ab3ea9b777ca33671c824b084b23b21c5b749e12262dee511

SHA512
7e3c328ffeffb82bb89f62a8e9d8010f0a048563b4af122a5567aaaec2d751031fc5a66a8aaa8d11151afc8fc3ee01955362e888c01c4441263c9006d69c9308

Download Submit
/usr/bin/koffhpalkb

Filesize
611KB

MD5
ca5e5683aa3940a9217e90c03010af83

SHA1
8f494c24ae3520345cf9858b9d55c8ff77b90b26

SHA256
1f0f57c0253f81141cef42c04a03dba9a9d330f76a355bfceeadc8237bdc9d2c

SHA512
6c3b3b8798915b3ba5229590cf4788c89e2449281983333c8f80c7b97b1418d6c93f5b2cd3c0a5a65119d9d21b6a511ea32b42d400a659cca34214f9d2a7c8dc

Download Submit
/usr/bin/koffhpalkb

Filesize
611KB

MD5
6fedd0fb17065c0348db90f2dbb3fff2

SHA1
f472efd011289ef865311b6e2034fc2efe01ae7d

SHA256
242835260df58ce7208e827e7cd148fad82b2c9e01753ae9318123d6555db348

SHA512
8f5f978efecc43eadce3cde7260e18f21674a705ac527298c6c3d532c289215df3ab3181ee38f1a4b1565c899137780687faea8a6684f38f60eaf3629da5daba

Download Submit
/usr/bin/qylpbdtaxw

Filesize
611KB

MD5
fdfc2cc694dbdcf785ded68a161dfda9

SHA1
e6c54708cc05b1f10e3261b37f35ea7aae2db442

SHA256
200e63e7fc9f955cc5d9b48bd12dc76bc4ece46f72d2cb0cda61deea7cc78a1b

SHA512
fe717d8f60982fc567c4119f8e63bd1ce178e0467d166a613a2e97063fd8aac246b7f22e2a9bac497fdb372d665fb78c0dcaf4ffb2905bef9d4cd55157ded2b4

Download Submit
/usr/bin/qylpbdtaxw

Filesize
611KB

MD5
1020967691a783dcdb7638e70080ca07

SHA1
1b9f97435bf94f0effdaa104b67972b6d6e3e2a6

SHA256
f82bf28308269a725e54785c1b3a18b3e5d16739d6d98c57c9ae80d2767f10cf

SHA512
968dbeeb334911976ad362854bb79a2b8db9f7eed842ceddc68b314585dc407f84a12bb49ac7c66ff428e0c06b62889833d0e7312a42577afe910726c60fef62

Download Submit
/usr/bin/xbajaaagdq

Filesize
544KB

MD5
64eff1a03c857f06815a634587c28e95

SHA1
79d2b9e8ec9c9482f3435e3c60772499d144340e

SHA256
4c024ebb2bd2a6d9693b78ca8e019daf9910c74e1e3972daeebfaa910bd09a18

SHA512
b75fadf2037f915878fcac523dbae731cfe558d773ae3e122d4031e2f4a1a2fa830f30e6303e3bfd764682ed24ebe5e9364ca608102b14e558b1d6dd3324bdbe

Download Submit
/usr/bin/xbajaaagdq

Filesize
611KB

MD5
68cb18cedbf62bc6d44e445ef7af6f8c

SHA1
d8d0071f2c61be686bb47735a0bb8fccc2d7a489

SHA256
e7425648b6acfe5b144ec906ee8f810da4ae165ed054129c79a6637df135587e

SHA512
c21d288f3d6c392abf51405532a35b80b8916a3979e1723ee1140c7458fb242a5ad7c003ca7acf3e364a31560eb94428279628f61a4348b556d8682818d8e26f

Download Submit
/usr/bin/xbajaaagdq

Filesize
611KB

MD5
40f25f4cf5bbb37ea2b6332f2334ba9d

SHA1
2fe73f663213611c9b3d4db1a8b90076ad7877a4

SHA256
8b54d257d6941618d747663bfaafcd314ab8428b5d39ea13d3162e2042843c78

SHA512
962f6c49d4019f8028a5f9a9173e2e4ae83f1f8726430bc2ea40ad6dde01ef6d5de739cdbc7e8cbc035ed2189eef7336899ce3bd465b3b8103fcd7198a6ec8c3

Download Submit
/usr/bin/zkowgtiaiu

Filesize
611KB

MD5
0e0441d8fb3047e6a01318bab27c245f

SHA1
653ce667755f660680ecb140c6cd373dd7d2f991

SHA256
cbef87e6b06dbf8c1d8d0b5b05f48463d79d2d433e97dc6900df83c79ef3cbe8

SHA512
848f8d4fb88a961f8a825b103962cb0f739d73e369e2b7c6bc17fd53acd3c622ba62e9fe469ae41a60a4b397520b22a8516510e6376aaaa2d81654a16c1dbcdc

Download Submit
/usr/bin/zkowgtiaiu

Filesize
611KB

MD5
48fe5094beaf005d20fa6e21906e32a5

SHA1
25ac95bf561a533e6fb86b568643d6fe0563c9c5

SHA256
753ba32b4aeb435ebe755546af529d231250022e38f1c09abb697d44d9f043ce

SHA512
fbcbf7cff02de0f24220deec9889a55f0115c318cc53554996e2e14fd90d06fd0efd31ef16b8b018c088d7f2a18541c4d70c107411efcc776986dbfe331c7b78

Download Submit
/usr/bin/zkowgtiaiu

Filesize
611KB

MD5
b52205215441c3926b7eec083d4d3555

SHA1
f267c0c2d82b6642abcff6bb4ca5e38ef9fe1a23

SHA256
c0981ccf0cb2cefef67e5e52abd9bf4020ccacea1fb2f65a6ffc0f93922d22bb

SHA512
1bc0d0e3d43fd4b5b5c74a970a47f49090709d719f8e21b4c78b664f254ba4bd3f51771e723383f3677b02aa525e7960b5227e67e49fb46add25a907eafe25d7

Download Submit