xorddos | 591895fe233e81599250a02d2418493ce9c249ad03be31dd38ba6b880a30c2dc

Analysis

max time kernel
153s
max time network
154s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8f82cf76d78be5823b27bf92c794b80
Size

647KB
MD5

f8f82cf76d78be5823b27bf92c794b80
SHA1

5b3391ea0dfd9f6b4b3c58bbb2a5065d5e5beaef
SHA256

591895fe233e81599250a02d2418493ce9c249ad03be31dd38ba6b880a30c2dc
SHA512

3941f3cb3eb45812b2d466264ad7c6db2f2035a005e37698182135c54af6207e06a36bbe7ed6935f4c523b646c04d21f751a0988f1d9e48b9ea59dd8576747e8
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonvp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mv6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

43.230.144.12:5520

192.168.1.131:3826

abcd.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 6 IoCs

Processes:

resource	yara_rule
/lib/udev/udev	family_xorddos
/boot/tdkgersvre	family_xorddos
/boot/inbcljfyfd	family_xorddos
/boot/kbbbgckvse	family_xorddos
/boot/stfgkncioz	family_xorddos
/boot/bxroxkjhfc	family_xorddos

Deletes itself 1 IoCs

Processes:

pid

1545

pid
1545

Executes dropped EXE 31 IoCs

Processes:

tdkgersvreyiiupzwuifinwhryeyjwinbcljfyfdikwcbfaycavcubtdysuxfvfmxazuvouhfbgdojyyzidyandjoijlheqztlbbfufsxmzfasgaqnvluabrnujjwhwuwqmvslhotlhtxnvoycbngashlbmjjomgtoayqvcfafakkhgkkkrikbbbgckvseynwllqiaqgcejtrenlpwkwqdxrjlhtlemfqlhifbiaqsamhwhofjyfxhmqdiuqaixbblaffvyocquysrstfgknciozooysqwneilbxroxkjhfcyrmzabglpq

ioc	pid	process
/boot/tdkgersvre	1547	tdkgersvre
/boot/yiiupzwuif	1559	yiiupzwuif
/boot/inwhryeyjw	1585	inwhryeyjw
/boot/inbcljfyfd	1588	inbcljfyfd
/boot/ikwcbfayca	1591	ikwcbfayca
/boot/vcubtdysux	1594	vcubtdysux
/boot/fvfmxazuvo	1599	fvfmxazuvo
/boot/uhfbgdojyy	1602	uhfbgdojyy
/boot/zidyandjoi	1605	zidyandjoi
/boot/jlheqztlbb	1608	jlheqztlbb
/boot/fufsxmzfas	1611	fufsxmzfas
/boot/gaqnvluabr	1614	gaqnvluabr
/boot/nujjwhwuwq	1617	nujjwhwuwq
/boot/mvslhotlht	1635	mvslhotlht
/boot/xnvoycbnga	1638	xnvoycbnga
/boot/shlbmjjomg	1641	shlbmjjomg
/boot/toayqvcfaf	1644	toayqvcfaf
/boot/akkhgkkkri	1647	akkhgkkkri
/boot/kbbbgckvse	1650	kbbbgckvse
/boot/ynwllqiaqg	1653	ynwllqiaqg
/boot/cejtrenlpw	1656	cejtrenlpw
/boot/kwqdxrjlht	1659	kwqdxrjlht
/boot/lemfqlhifb	1662	lemfqlhifb
/boot/iaqsamhwho	1665	iaqsamhwho
/boot/fjyfxhmqdi	1668	fjyfxhmqdi
/boot/uqaixbblaf	1671	uqaixbblaf
/boot/fvyocquysr	1674	fvyocquysr
/boot/stfgkncioz	1677	stfgkncioz
/boot/ooysqwneil	1680	ooysqwneil
/boot/bxroxkjhfc	1683	bxroxkjhfc
/boot/yrmzabglpq	1686	yrmzabglpq

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/cron.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/tdkgersvre

description	ioc
File opened for modification	/etc/cron.hourly/cron.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/tdkgersvre

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev

/tmp/f8f82cf76d78be5823b27bf92c794b80
/tmp/f8f82cf76d78be5823b27bf92c794b80
1⤵
PID:1544

/boot/tdkgersvre
/boot/tdkgersvre
1⤵
- Executes dropped EXE
PID:1547

/bin/chkconfig
chkconfig --add tdkgersvre
1⤵
PID:1550

/sbin/chkconfig
chkconfig --add tdkgersvre
1⤵
PID:1550

/usr/bin/chkconfig
chkconfig --add tdkgersvre
1⤵
PID:1550

/usr/sbin/chkconfig
chkconfig --add tdkgersvre
1⤵
PID:1550

/usr/local/bin/chkconfig
chkconfig --add tdkgersvre
1⤵
PID:1550

/usr/local/sbin/chkconfig
chkconfig --add tdkgersvre
1⤵
PID:1550

/usr/X11R6/bin/chkconfig
chkconfig --add tdkgersvre
1⤵
PID:1550

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1553
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1554

/bin/update-rc.d
update-rc.d tdkgersvre defaults
1⤵
PID:1552

/sbin/update-rc.d
update-rc.d tdkgersvre defaults
1⤵
PID:1552

/usr/bin/update-rc.d
update-rc.d tdkgersvre defaults
1⤵
PID:1552

/usr/sbin/update-rc.d
update-rc.d tdkgersvre defaults
1⤵
PID:1552
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1557

/boot/yiiupzwuif
/boot/yiiupzwuif id 1548
1⤵
- Executes dropped EXE
PID:1559

/boot/inwhryeyjw
/boot/inwhryeyjw pwd 1548
1⤵
- Executes dropped EXE
PID:1585

/boot/inbcljfyfd
/boot/inbcljfyfd ls 1548
1⤵
- Executes dropped EXE
PID:1588

/boot/ikwcbfayca
/boot/ikwcbfayca "netstat -an" 1548
1⤵
- Executes dropped EXE
PID:1591

/boot/vcubtdysux
/boot/vcubtdysux "route -n" 1548
1⤵
- Executes dropped EXE
PID:1594

/boot/fvfmxazuvo
/boot/fvfmxazuvo "sleep 1" 1548
1⤵
- Executes dropped EXE
PID:1599

/boot/uhfbgdojyy
/boot/uhfbgdojyy "netstat -an" 1548
1⤵
- Executes dropped EXE
PID:1602

/boot/zidyandjoi
/boot/zidyandjoi ifconfig 1548
1⤵
- Executes dropped EXE
PID:1605

/boot/jlheqztlbb
/boot/jlheqztlbb gnome-terminal 1548
1⤵
- Executes dropped EXE
PID:1608

/boot/fufsxmzfas
/boot/fufsxmzfas gnome-terminal 1548
1⤵
- Executes dropped EXE
PID:1611

/boot/gaqnvluabr
/boot/gaqnvluabr pwd 1548
1⤵
- Executes dropped EXE
PID:1614

/boot/nujjwhwuwq
/boot/nujjwhwuwq ifconfig 1548
1⤵
- Executes dropped EXE
PID:1617

/boot/mvslhotlht
/boot/mvslhotlht su 1548
1⤵
- Executes dropped EXE
PID:1635

/boot/xnvoycbnga
/boot/xnvoycbnga "cat resolv.conf" 1548
1⤵
- Executes dropped EXE
PID:1638

/boot/shlbmjjomg
/boot/shlbmjjomg pwd 1548
1⤵
- Executes dropped EXE
PID:1641

/boot/toayqvcfaf
/boot/toayqvcfaf "ifconfig eth0" 1548
1⤵
- Executes dropped EXE
PID:1644

/boot/akkhgkkkri
/boot/akkhgkkkri ls 1548
1⤵
- Executes dropped EXE
PID:1647

/boot/kbbbgckvse
/boot/kbbbgckvse "ifconfig eth0" 1548
1⤵
- Executes dropped EXE
PID:1650

/boot/ynwllqiaqg
/boot/ynwllqiaqg "cat resolv.conf" 1548
1⤵
- Executes dropped EXE
PID:1653

/boot/cejtrenlpw
/boot/cejtrenlpw sh 1548
1⤵
- Executes dropped EXE
PID:1656

/boot/kwqdxrjlht
/boot/kwqdxrjlht ifconfig 1548
1⤵
- Executes dropped EXE
PID:1659

/boot/lemfqlhifb
/boot/lemfqlhifb "route -n" 1548
1⤵
- Executes dropped EXE
PID:1662

/boot/iaqsamhwho
/boot/iaqsamhwho "netstat -antop" 1548
1⤵
- Executes dropped EXE
PID:1665

/boot/fjyfxhmqdi
/boot/fjyfxhmqdi ifconfig 1548
1⤵
- Executes dropped EXE
PID:1668

/boot/uqaixbblaf
/boot/uqaixbblaf ifconfig 1548
1⤵
- Executes dropped EXE
PID:1671

/boot/fvyocquysr
/boot/fvyocquysr ls 1548
1⤵
- Executes dropped EXE
PID:1674

/boot/stfgkncioz
/boot/stfgkncioz "netstat -an" 1548
1⤵
- Executes dropped EXE
PID:1677

/boot/ooysqwneil
/boot/ooysqwneil "ls -la" 1548
1⤵
- Executes dropped EXE
PID:1680

/boot/bxroxkjhfc
/boot/bxroxkjhfc whoami 1548
1⤵
- Executes dropped EXE
PID:1683

/boot/yrmzabglpq
/boot/yrmzabglpq who 1548
1⤵
- Executes dropped EXE
PID:1686

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/bxroxkjhfc

Filesize
100KB

MD5
49397650618456fac8b4f2446a1c7237

SHA1
d66368b52e18b6eeef21a49294a9b24f1fe2397a

SHA256
e4b54044b41384cc3dbad03d1579583c09ac7d9beba0c12332c2b525d7b5f6fe

SHA512
5385cdece65eeb096e623f42ce70ce871a401b03723022c4adbc4318e42f011abed651b7c5ff25864af3270e1b77a2daf758ec4dd5e9ff57dcf84a74522566ea

Download Submit
/boot/inbcljfyfd

Filesize
316KB

MD5
40501e0fa1d3c44a15ab758eb54b88ec

SHA1
5ca39d827e1b4cb3bdbf059a49b23664e51a2571

SHA256
7301b2188fcfb54a99abc96288dc2d74408b76449ff20125a743785cb340beb9

SHA512
11b90712830b30d2c378610589728e6f843db603d3e32fd0da1ca652b631c1209fa0ce9a35ed6cd64c700d1918db7c0a90701cacbf4f8c308de97a51073ad427

Download Submit
/boot/kbbbgckvse

Filesize
165KB

MD5
80b38714880ff7968f7571c7a8248330

SHA1
30c9ab714321199bcf75d5526f2823bd66a10496

SHA256
cd68af98e9a702bde8006ecc24c3c64ba2e7a58875de5a52e69523146a19fbc8

SHA512
c1b4a90e2ab4028d2743532620e00453d44359ac4ad1f9d145643c0131a9d70cdb4f0ec2bb789ec8c14e98b1ec5ae55214aa7f3d0748fcee8945fa9a48a005cf

Download Submit
/boot/stfgkncioz

Filesize
475KB

MD5
24cd5ab2d6c5fe92f1ddbad7021064c0

SHA1
124a39e98f6485729f084546ab465a567fca69d7

SHA256
52c33c0ba460a967dec14d07717c50bbcaea0515c98e79c42548a05aa2facd1f

SHA512
3692c2466334a2aa981cd6df8f13f5c554242cb3a234e5ed15b5d1fc10afa195aff5f905d8d2d3b99733ec5ed3fb0938b316f8bb35d27b79ce5dd30dcc1d8211

Download Submit
/boot/tdkgersvre

Filesize
647KB

MD5
f8f82cf76d78be5823b27bf92c794b80

SHA1
5b3391ea0dfd9f6b4b3c58bbb2a5065d5e5beaef

SHA256
591895fe233e81599250a02d2418493ce9c249ad03be31dd38ba6b880a30c2dc

SHA512
3941f3cb3eb45812b2d466264ad7c6db2f2035a005e37698182135c54af6207e06a36bbe7ed6935f4c523b646c04d21f751a0988f1d9e48b9ea59dd8576747e8

Download Submit
/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/init.d/tdkgersvre

Filesize
317B

MD5
f8434593ff72f4ce3a304e41e724c6ea

SHA1
2b10eb0380c0c52a5641de2d13ffe76af085d7cd

SHA256
312d508843fb0f5b497b4d30489a697309fd803692cc3e34aef68ce0daee6dc2

SHA512
a2cae97f689a6e823fdb9834e3754e51b35fd7edde9c5c338633423057e2036ac414a16804dc58e8712ae277ccdef9bb1678b946bce069fdf68789577c62b777

Download Submit
/etc/sedBR03ie

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/udev/udev

Filesize
568KB

MD5
3ce4faff21e39f7cd90b450818207864

SHA1
79dbde958d523ba53c0c5b13fa63831ce683a81f

SHA256
bfc93ae59d975b25b18384914eb4609c0f171b70e16001f02b2f56d594a16dad

SHA512
79b528813e694a9de185ad79b88559e6acaae3be0f5a5aa7e6ebf54b65a3fadf3cfe524de8140e44439391e6b30345869d629c2bde0457944dc15e98b4d2cbf9

Download Submit
/run/sftp.pid

Filesize
32B

MD5
98610ea752146ea6ce149918bb3713f3

SHA1
fc617d3dbd19c66e0a87c6dec36e340e1aa5cd7b

SHA256
eff5930c2dc22a5ae3615829eb515039a80f266bb9a05d3414d3d31e2ec6443c

SHA512
92a956598498f22ad1ad656f0e3ee37937acec9f0243882421e24ca08b0dcbb2428f03c42d041a9099bf970ea77103a67ef25bad292bf26ec595d88c728c9e35

Download Submit