xorddos | e8b6b5fd2f6cdd43baad3210652ab93a3f79aaefa7e1d7febe03669778c60c65

Analysis

max time kernel
155s
max time network
159s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3337a3e278ce7b8b2916f6b493b9b6e
Size

647KB
MD5

c3337a3e278ce7b8b2916f6b493b9b6e
SHA1

7e8f8dc6f89411a2a6f409687ba3c43f5b2eac4e
SHA256

e8b6b5fd2f6cdd43baad3210652ab93a3f79aaefa7e1d7febe03669778c60c65
SHA512

d8fcf9771d9865c131b6f8eb5bd6f3aa07598970e62ce46f73d36983ea1ed537e688321a6505dd5eae508085c448b82e22b74233547e00d9c9874656bde5967b
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Ton3p6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1m36wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

aaaaaaaaaa.re67das.com:5859

www.hack365.win:10010

www.vy84.com:10010

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 4 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-22.dat	family_xorddos

Deletes itself 1 IoCs

pid
1577

Executes dropped EXE 31 IoCs

ioc	pid	Process
/boot/jflezxouhv	1579	jflezxouhv
/boot/yqbgqfrvge	1594	yqbgqfrvge
/boot/wvegnagpxn	1617	wvegnagpxn
/boot/wphxtfvgyg	1620	wphxtfvgyg
/boot/fgyprdoxdh	1623	fgyprdoxdh
/boot/facjtstudt	1626	facjtstudt
/boot/crwnrjrtwo	1631	crwnrjrtwo
/boot/tauxkptnhi	1634	tauxkptnhi
/boot/cevlszyepc	1637	cevlszyepc
/boot/lvcmyebjqn	1640	lvcmyebjqn
/boot/jkjsnzwbkn	1643	jkjsnzwbkn
/boot/hzbmudhmbt	1646	hzbmudhmbt
/boot/pyulmxsjdi	1649	pyulmxsjdi
/boot/bptkwbuiqn	1652	bptkwbuiqn
/boot/psidonelyg	1655	psidonelyg
/boot/uchtldbifj	1673	uchtldbifj
/boot/srtbuixcxh	1676	srtbuixcxh
/boot/dvmxinaaee	1679	dvmxinaaee
/boot/tycheulsrp	1682	tycheulsrp
/boot/lytpcvdjbc	1685	lytpcvdjbc
/boot/wfaiekfkqs	1688	wfaiekfkqs
/boot/tnfchfqmvo	1691	tnfchfqmvo
/boot/uovwmoyopc	1694	uovwmoyopc
/boot/wfxgpoqkcf	1697	wfxgpoqkcf
/boot/ttizeasbfv	1700	ttizeasbfv
/boot/zmbbftutiv	1703	zmbbftutiv
/boot/kbrdnfafgs	1706	kbrdnfafgs
/boot/eeezmfcrkn	1709	eeezmfcrkn
/boot/omlsjufhrx	1712	omlsjufhrx
/boot/ypwvjiusoj	1715	ypwvjiusoj
/boot/jzzeaxyizx	1718	jzzeaxyizx

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/jflezxouhv

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl

/tmp/c3337a3e278ce7b8b2916f6b493b9b6e
/tmp/c3337a3e278ce7b8b2916f6b493b9b6e
1⤵
PID:1576

/boot/jflezxouhv
/boot/jflezxouhv
1⤵
- Executes dropped EXE
PID:1579

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1585
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1586

/bin/chkconfig
chkconfig --add jflezxouhv
1⤵
PID:1582

/sbin/chkconfig
chkconfig --add jflezxouhv
1⤵
PID:1582

/usr/bin/chkconfig
chkconfig --add jflezxouhv
1⤵
PID:1582

/usr/sbin/chkconfig
chkconfig --add jflezxouhv
1⤵
PID:1582

/usr/local/bin/chkconfig
chkconfig --add jflezxouhv
1⤵
PID:1582

/usr/local/sbin/chkconfig
chkconfig --add jflezxouhv
1⤵
PID:1582

/usr/X11R6/bin/chkconfig
chkconfig --add jflezxouhv
1⤵
PID:1582

/bin/update-rc.d
update-rc.d jflezxouhv defaults
1⤵
PID:1584

/sbin/update-rc.d
update-rc.d jflezxouhv defaults
1⤵
PID:1584

/usr/bin/update-rc.d
update-rc.d jflezxouhv defaults
1⤵
PID:1584

/usr/sbin/update-rc.d
update-rc.d jflezxouhv defaults
1⤵
PID:1584
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1593

/boot/yqbgqfrvge
/boot/yqbgqfrvge "ifconfig eth0" 1580
1⤵
- Executes dropped EXE
PID:1594

/boot/wvegnagpxn
/boot/wvegnagpxn "echo \"find\"" 1580
1⤵
- Executes dropped EXE
PID:1617

/boot/wphxtfvgyg
/boot/wphxtfvgyg uptime 1580
1⤵
- Executes dropped EXE
PID:1620

/boot/fgyprdoxdh
/boot/fgyprdoxdh su 1580
1⤵
- Executes dropped EXE
PID:1623

/boot/facjtstudt
/boot/facjtstudt ls 1580
1⤵
- Executes dropped EXE
PID:1626

/boot/crwnrjrtwo
/boot/crwnrjrtwo uptime 1580
1⤵
- Executes dropped EXE
PID:1631

/boot/tauxkptnhi
/boot/tauxkptnhi whoami 1580
1⤵
- Executes dropped EXE
PID:1634

/boot/cevlszyepc
/boot/cevlszyepc pwd 1580
1⤵
- Executes dropped EXE
PID:1637

/boot/lvcmyebjqn
/boot/lvcmyebjqn "route -n" 1580
1⤵
- Executes dropped EXE
PID:1640

/boot/jkjsnzwbkn
/boot/jkjsnzwbkn bash 1580
1⤵
- Executes dropped EXE
PID:1643

/boot/hzbmudhmbt
/boot/hzbmudhmbt id 1580
1⤵
- Executes dropped EXE
PID:1646

/boot/pyulmxsjdi
/boot/pyulmxsjdi who 1580
1⤵
- Executes dropped EXE
PID:1649

/boot/bptkwbuiqn
/boot/bptkwbuiqn uptime 1580
1⤵
- Executes dropped EXE
PID:1652

/boot/psidonelyg
/boot/psidonelyg "cat resolv.conf" 1580
1⤵
- Executes dropped EXE
PID:1655

/boot/uchtldbifj
/boot/uchtldbifj "ifconfig eth0" 1580
1⤵
- Executes dropped EXE
PID:1673

/boot/srtbuixcxh
/boot/srtbuixcxh bash 1580
1⤵
- Executes dropped EXE
PID:1676

/boot/dvmxinaaee
/boot/dvmxinaaee "ps -ef" 1580
1⤵
- Executes dropped EXE
PID:1679

/boot/tycheulsrp
/boot/tycheulsrp top 1580
1⤵
- Executes dropped EXE
PID:1682

/boot/lytpcvdjbc
/boot/lytpcvdjbc "netstat -an" 1580
1⤵
- Executes dropped EXE
PID:1685

/boot/wfaiekfkqs
/boot/wfaiekfkqs "cd /etc" 1580
1⤵
- Executes dropped EXE
PID:1688

/boot/tnfchfqmvo
/boot/tnfchfqmvo "ls -la" 1580
1⤵
- Executes dropped EXE
PID:1691

/boot/uovwmoyopc
/boot/uovwmoyopc pwd 1580
1⤵
- Executes dropped EXE
PID:1694

/boot/wfxgpoqkcf
/boot/wfxgpoqkcf ifconfig 1580
1⤵
- Executes dropped EXE
PID:1697

/boot/ttizeasbfv
/boot/ttizeasbfv id 1580
1⤵
- Executes dropped EXE
PID:1700

/boot/zmbbftutiv
/boot/zmbbftutiv who 1580
1⤵
- Executes dropped EXE
PID:1703

/boot/kbrdnfafgs
/boot/kbrdnfafgs "ls -la" 1580
1⤵
- Executes dropped EXE
PID:1706

/boot/eeezmfcrkn
/boot/eeezmfcrkn sh 1580
1⤵
- Executes dropped EXE
PID:1709

/boot/omlsjufhrx
/boot/omlsjufhrx sh 1580
1⤵
- Executes dropped EXE
PID:1712

/boot/ypwvjiusoj
/boot/ypwvjiusoj ifconfig 1580
1⤵
- Executes dropped EXE
PID:1715

/boot/jzzeaxyizx
/boot/jzzeaxyizx "grep \"A\"" 1580
1⤵
- Executes dropped EXE
PID:1718

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/wphxtfvgyg

Filesize
647KB

MD5
c3337a3e278ce7b8b2916f6b493b9b6e

SHA1
7e8f8dc6f89411a2a6f409687ba3c43f5b2eac4e

SHA256
e8b6b5fd2f6cdd43baad3210652ab93a3f79aaefa7e1d7febe03669778c60c65

SHA512
d8fcf9771d9865c131b6f8eb5bd6f3aa07598970e62ce46f73d36983ea1ed537e688321a6505dd5eae508085c448b82e22b74233547e00d9c9874656bde5967b

Download Submit
/boot/wvegnagpxn

Filesize
7KB

MD5
a58dcd7b3e1b592e0b414635576fc979

SHA1
e6c9f53b9fdca5ef87489c681322f9a127fe971d

SHA256
95f7bede38933d6b005be7bac32c0fd97569a9510539ce931b75e0ab39e91b1e

SHA512
36517439519bf8d4dc2b4cb910421743d1e40db123557f671b7cbabf3fc16972c9ee39211d7c556f4d916b71109626e78e6a17c56ea3b0e9588f62793f8e97f9

Download Submit
/lib/udev/udev

Filesize
580KB

MD5
231d94274a36bef665cf576dc00961a9

SHA1
e30668b75a0b4aac07401298561a04539319ba64

SHA256
b48b5d7adc61c022d9fe5f9b093fb21d3ddc48fc5fa8c9d3947c3892355cde1f

SHA512
917d65599c08b0930082a1a2070048e3344f24fc2638ebfecb8e650a52115fb2eb5f1065edca1c4e9e5503ebc42181fc589b94feea9baefde47f81ef041a8f1a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads