xorddos | c6a4177e8bf1cba88b1a8d6c62f681031449b08ee805b5bf320439e771d84862

Analysis

max time kernel
153s
max time network
157s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83b8d304f6e712cf24817dc50723dfe
Size

647KB
MD5

e83b8d304f6e712cf24817dc50723dfe
SHA1

1a2abe9d5fab204d10127e50f3877777bb8d3e87
SHA256

c6a4177e8bf1cba88b1a8d6c62f681031449b08ee805b5bf320439e771d84862
SHA512

d58742c54f001ff4950961190ce89ffb9025a482fc76ee59a50cdd88ece21cd1ee6a94c92683089c98cd041b430fd1d7b4805532df59903be297fa08164acf12
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1TonXp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mX6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

www.linux8000.com:6666

168.1.131:3826

abcd.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 9 IoCs

Processes:

resource	yara_rule
/lib/udev/udev	family_xorddos
/boot/lzszlnisll	family_xorddos
/boot/skvuducogk	family_xorddos
/boot/erdxwbmpgq	family_xorddos
/boot/jlsjptfssq	family_xorddos
/boot/yqxfbcfbkr	family_xorddos
/boot/txpzkbvkva	family_xorddos
/boot/qmcgsrokwj	family_xorddos
/boot/nfctqvyate	family_xorddos

Deletes itself 1 IoCs

Processes:

pid

1557

pid
1557

Executes dropped EXE 31 IoCs

Processes:

lzszlnislltullzawwxwskvuducogkyhihshfmoyyjurzatqjudvmfgkceogerdxwbmpgqgypnxmscydbllwfykyigyllssxzemzczxlonxaitjlsjptfssqyqxfbcfbkraooysngyojvyruygaoqyjatlhpivsbtxpzkbvkvaqmcgsrokwjjjqyqljycucrgmlbbuixgldywzizzfshmfhgayligkbruhqcluicxzvsqrxqqqhmhyadflyigxzayyvhxaenyyikcjklmqckprligodlrzlhqefycyulzhahnfctqvyate

ioc	pid	process
/boot/lzszlnisll	1559	lzszlnisll
/boot/tullzawwxw	1577	tullzawwxw
/boot/skvuducogk	1611	skvuducogk
/boot/yhihshfmoy	1614	yhihshfmoy
/boot/yjurzatqju	1617	yjurzatqju
/boot/dvmfgkceog	1620	dvmfgkceog
/boot/erdxwbmpgq	1625	erdxwbmpgq
/boot/gypnxmscyd	1628	gypnxmscyd
/boot/bllwfykyig	1631	bllwfykyig
/boot/yllssxzemz	1634	yllssxzemz
/boot/czxlonxait	1637	czxlonxait
/boot/jlsjptfssq	1640	jlsjptfssq
/boot/yqxfbcfbkr	1643	yqxfbcfbkr
/boot/aooysngyoj	1661	aooysngyoj
/boot/vyruygaoqy	1664	vyruygaoqy
/boot/jatlhpivsb	1667	jatlhpivsb
/boot/txpzkbvkva	1670	txpzkbvkva
/boot/qmcgsrokwj	1673	qmcgsrokwj
/boot/jjqyqljycu	1676	jjqyqljycu
/boot/crgmlbbuix	1679	crgmlbbuix
/boot/gldywzizzf	1682	gldywzizzf
/boot/shmfhgayli	1685	shmfhgayli
/boot/gkbruhqclu	1688	gkbruhqclu
/boot/icxzvsqrxq	1691	icxzvsqrxq
/boot/qqhmhyadfl	1694	qqhmhyadfl
/boot/yigxzayyvh	1697	yigxzayyvh
/boot/xaenyyikcj	1700	xaenyyikcj
/boot/klmqckprli	1703	klmqckprli
/boot/godlrzlhqe	1706	godlrzlhqe
/boot/fycyulzhah	1709	fycyulzhah
/boot/nfctqvyate	1712	nfctqvyate

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/cron.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/lzszlnisll

description	ioc
File opened for modification	/etc/cron.hourly/cron.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/lzszlnisll

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc
File opened for reading	/proc/rs_dev
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl

/tmp/e83b8d304f6e712cf24817dc50723dfe
/tmp/e83b8d304f6e712cf24817dc50723dfe
1⤵
PID:1556

/boot/lzszlnisll
/boot/lzszlnisll
1⤵
- Executes dropped EXE
PID:1559

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1565
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1572

/bin/update-rc.d
update-rc.d lzszlnisll defaults
1⤵
PID:1564

/sbin/update-rc.d
update-rc.d lzszlnisll defaults
1⤵
PID:1564

/usr/bin/update-rc.d
update-rc.d lzszlnisll defaults
1⤵
PID:1564

/usr/sbin/update-rc.d
update-rc.d lzszlnisll defaults
1⤵
PID:1564
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1578

/bin/chkconfig
chkconfig --add lzszlnisll
1⤵
PID:1562

/sbin/chkconfig
chkconfig --add lzszlnisll
1⤵
PID:1562

/usr/bin/chkconfig
chkconfig --add lzszlnisll
1⤵
PID:1562

/usr/sbin/chkconfig
chkconfig --add lzszlnisll
1⤵
PID:1562

/usr/local/bin/chkconfig
chkconfig --add lzszlnisll
1⤵
PID:1562

/usr/local/sbin/chkconfig
chkconfig --add lzszlnisll
1⤵
PID:1562

/usr/X11R6/bin/chkconfig
chkconfig --add lzszlnisll
1⤵
PID:1562

/boot/tullzawwxw
/boot/tullzawwxw whoami 1560
1⤵
- Executes dropped EXE
PID:1577

/boot/skvuducogk
/boot/skvuducogk "cd /etc" 1560
1⤵
- Executes dropped EXE
PID:1611

/boot/yhihshfmoy
/boot/yhihshfmoy top 1560
1⤵
- Executes dropped EXE
PID:1614

/boot/yjurzatqju
/boot/yjurzatqju sh 1560
1⤵
- Executes dropped EXE
PID:1617

/boot/dvmfgkceog
/boot/dvmfgkceog pwd 1560
1⤵
- Executes dropped EXE
PID:1620

/boot/erdxwbmpgq
/boot/erdxwbmpgq "netstat -antop" 1560
1⤵
- Executes dropped EXE
PID:1625

/boot/gypnxmscyd
/boot/gypnxmscyd "echo \"find\"" 1560
1⤵
- Executes dropped EXE
PID:1628

/boot/bllwfykyig
/boot/bllwfykyig id 1560
1⤵
- Executes dropped EXE
PID:1631

/boot/yllssxzemz
/boot/yllssxzemz top 1560
1⤵
- Executes dropped EXE
PID:1634

/boot/czxlonxait
/boot/czxlonxait ls 1560
1⤵
- Executes dropped EXE
PID:1637

/boot/jlsjptfssq
/boot/jlsjptfssq ifconfig 1560
1⤵
- Executes dropped EXE
PID:1640

/boot/yqxfbcfbkr
/boot/yqxfbcfbkr whoami 1560
1⤵
- Executes dropped EXE
PID:1643

/boot/aooysngyoj
/boot/aooysngyoj "netstat -antop" 1560
1⤵
- Executes dropped EXE
PID:1661

/boot/vyruygaoqy
/boot/vyruygaoqy "sleep 1" 1560
1⤵
- Executes dropped EXE
PID:1664

/boot/jatlhpivsb
/boot/jatlhpivsb "route -n" 1560
1⤵
- Executes dropped EXE
PID:1667

/boot/txpzkbvkva
/boot/txpzkbvkva "sleep 1" 1560
1⤵
- Executes dropped EXE
PID:1670

/boot/qmcgsrokwj
/boot/qmcgsrokwj who 1560
1⤵
- Executes dropped EXE
PID:1673

/boot/jjqyqljycu
/boot/jjqyqljycu pwd 1560
1⤵
- Executes dropped EXE
PID:1676

/boot/crgmlbbuix
/boot/crgmlbbuix "echo \"find\"" 1560
1⤵
- Executes dropped EXE
PID:1679

/boot/gldywzizzf
/boot/gldywzizzf pwd 1560
1⤵
- Executes dropped EXE
PID:1682

/boot/shmfhgayli
/boot/shmfhgayli "route -n" 1560
1⤵
- Executes dropped EXE
PID:1685

/boot/gkbruhqclu
/boot/gkbruhqclu "route -n" 1560
1⤵
- Executes dropped EXE
PID:1688

/boot/icxzvsqrxq
/boot/icxzvsqrxq "cat resolv.conf" 1560
1⤵
- Executes dropped EXE
PID:1691

/boot/qqhmhyadfl
/boot/qqhmhyadfl "grep \"A\"" 1560
1⤵
- Executes dropped EXE
PID:1694

/boot/yigxzayyvh
/boot/yigxzayyvh gnome-terminal 1560
1⤵
- Executes dropped EXE
PID:1697

/boot/xaenyyikcj
/boot/xaenyyikcj ifconfig 1560
1⤵
- Executes dropped EXE
PID:1700

/boot/klmqckprli
/boot/klmqckprli "cat resolv.conf" 1560
1⤵
- Executes dropped EXE
PID:1703

/boot/godlrzlhqe
/boot/godlrzlhqe su 1560
1⤵
- Executes dropped EXE
PID:1706

/boot/fycyulzhah
/boot/fycyulzhah uptime 1560
1⤵
- Executes dropped EXE
PID:1709

/boot/nfctqvyate
/boot/nfctqvyate pwd 1560
1⤵
- Executes dropped EXE
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/erdxwbmpgq

Filesize
404KB

MD5
7a999c6a19572a95d355d705fc501541

SHA1
29dec94b2eb9b762bf09169435d13995098ec0e1

SHA256
0eb8a7c9a1096a0b768b1b5bf879023f35b1cfa115615edc48c1db9bd88810a7

SHA512
57b621928c99e9acf59545087ff506b81098b85f842bccb65a96e70ee5d12ee62fd8327457dd78bd90183878a23c281658bbefb88f06583119285e7470defb98

Download Submit
/boot/jlsjptfssq

Filesize
3KB

MD5
3f80718478c0c735ddae7ed68eb5ed65

SHA1
841daeea30d1808e7e0712ff3692b71edd42ed52

SHA256
5e18424810037e1f2b6e705535a7fca831c472fc8f5bcd4e101b45807eee2b6d

SHA512
95f95755ce6dc2f52f657caa44d0aa2002f72d65cf4445ae9a143b55e6375e9d8da59c63c5ea1b22e7aadb9475cd50b12a5c1c6ac995c7cfff069346d2350e61

Download Submit
/boot/lzszlnisll

Filesize
413KB

MD5
8a4d873f6cd037ecd3cd0b2ef8e0bab0

SHA1
45e0d4b27a057131a0bcc4939fa6b97900fc9d3c

SHA256
e75116c035ef6c00cc19b33cd7a12f47e68c1a7e8994dad3f5b78a96236e8d1b

SHA512
faa683a59ec9deaab1e558b883ea9cb489e0a7c7cc146234e2de9c585bd78a4e6d8858990fcab910b33a84f956c998017a873afd32871e5e78eaae1daa469e63

Download Submit
/boot/nfctqvyate

Filesize
88KB

MD5
d020cbeb6f0075528daf648ba3c1a785

SHA1
3484978b732eaf5e3298488a8e993fe2b9580809

SHA256
f5227ba82ffa8d983aacb4751cc4e2a56da1e2dc4567271f0fb934fd09787e0e

SHA512
009935837c0a6e55fe522fce2f6b101e309d7f4a1936b64ef16268c5cdc01b4f746fcd233e834679f6380bcfe120a197cc57e88305f05106fcb60f2f17e75bb4

Download Submit
/boot/qmcgsrokwj

Filesize
7KB

MD5
a58dcd7b3e1b592e0b414635576fc979

SHA1
e6c9f53b9fdca5ef87489c681322f9a127fe971d

SHA256
95f7bede38933d6b005be7bac32c0fd97569a9510539ce931b75e0ab39e91b1e

SHA512
36517439519bf8d4dc2b4cb910421743d1e40db123557f671b7cbabf3fc16972c9ee39211d7c556f4d916b71109626e78e6a17c56ea3b0e9588f62793f8e97f9

Download Submit
/boot/skvuducogk

Filesize
312KB

MD5
5b50116970ca33c0e9b7f2ce45c7d2f1

SHA1
1c8af183a14dab1d176ceb76d0870214dd538f58

SHA256
2b67fefe97d691de43237c390cb508549ff41d948a564b9c706c696423ea7e19

SHA512
f5e93d304e3d7e200538013c677f8ada40d25c6c4d9a7c2fdc66bfe35a314cca8c065cc95b3ba6d86865408fdbebebce60cf9fcd639f7584c680ceb70192e877

Download Submit
/boot/txpzkbvkva

Filesize
12KB

MD5
a16c35242962323b0b0385781311f978

SHA1
0bbfedc7f7e93d64d408bc2d467745a566de9a1e

SHA256
94bd242b7a0b7017a6f85fd6eeec6f09cfcb556cf622507b7654d1ec4bd9345d

SHA512
d242ed01bb4593cf19b3f37db43acf0eb7778b9080b86aba0a5798ea86d8abaea86f1b9447a788c860dc03412b7e1ee511b9d64dad70a9a07eef0d80598b9415

Download Submit
/boot/yqxfbcfbkr

Filesize
51KB

MD5
c31f06e64922ed6e9ca646b2d77b847f

SHA1
8269019a07c8d1c63ad7e78b4137049236a1434b

SHA256
b91b2c8b3925492a06f39d1d28c8a36ab3239dff60f9e588da68a95684415587

SHA512
1ddac57db52615b7e64dc24fdb3a7ed69a66af0469e9812e0dab3b7fd75fdac3e3ea33ae41d850ea6461c8e6d33a0c8f93313a031e5059291ebf5466d84f66ee

Download Submit
/etc/sedbaQFgn

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/udev/udev

Filesize
647KB

MD5
e83b8d304f6e712cf24817dc50723dfe

SHA1
1a2abe9d5fab204d10127e50f3877777bb8d3e87

SHA256
c6a4177e8bf1cba88b1a8d6c62f681031449b08ee805b5bf320439e771d84862

SHA512
d58742c54f001ff4950961190ce89ffb9025a482fc76ee59a50cdd88ece21cd1ee6a94c92683089c98cd041b430fd1d7b4805532df59903be297fa08164acf12

Download Submit
/run/sftp.pid

Filesize
32B

MD5
135b5d09daa0b12bb9c246552b6fb29d

SHA1
cb63f13e6054d6ed7a1decca12b412529ef26393

SHA256
0e532ed1501d78d9736d0ebe1089dad61b3211454f07598e709081e1b8f395e0

SHA512
76731a673ff49aa9efb720b7364e4cbf3320ac3f735f36c303f2d02223941431753e2144ec9052b310ba72f06d9584733f557bf57514b4b489fa8010d0056864

Download Submit