xorddos | af8039032cc60ca4205c1bd471009977e331ca4926bf9d5203fca3ec30a5ba45

Analysis

max time kernel
153s
max time network
157s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-12-2023 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12580ef9ea8263664f1347834c162e98
Size

596KB
MD5

12580ef9ea8263664f1347834c162e98
SHA1

d44055754ad40c523f1a16e616813e43c3fb5808
SHA256

af8039032cc60ca4205c1bd471009977e331ca4926bf9d5203fca3ec30a5ba45
SHA512

eba7c3de269317baf6d5e6ee73607b110563e620ada6c3924bd82fef7599637fc6db92629b55a9e1273d77a2f006c56267488b50c33e0953bb4ac0c38ef161fc
SSDEEP

12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWd1F6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGod1LTD4XcP

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2854

103.24.3.11:2854

102.fwq.me:2854

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 12 IoCs

Processes:

resource	yara_rule
/lib/libgcc4.so	family_xorddos
/usr/bin/rlcvmnmyjr	family_xorddos
/usr/bin/rlcvmnmyjr	family_xorddos
/usr/bin/rlcvmnmyjr	family_xorddos
/usr/bin/tuulojpldk	family_xorddos
/usr/bin/tuulojpldk	family_xorddos
/usr/bin/jbjcresuyi	family_xorddos
/usr/bin/jbjcresuyi	family_xorddos
/usr/bin/nkhrttfkjz	family_xorddos
/usr/bin/nkhrttfkjz	family_xorddos
/usr/bin/melqjeigjt	family_xorddos
/usr/bin/melqjeigjt	family_xorddos

Deletes itself 1 IoCs

Processes:

pid

1644

pid
1644

Executes dropped EXE 23 IoCs

Processes:

rlcvmnmyjrrlcvmnmyjrrlcvmnmyjrrlcvmnmyjrrlcvmnmyjrtuulojpldktuulojpldktuulojpldktuulojpldktuulojpldkjbjcresuyijbjcresuyijbjcresuyijbjcresuyijbjcresuyinkhrttfkjznkhrttfkjznkhrttfkjznkhrttfkjznkhrttfkjzmelqjeigjtmelqjeigjtmelqjeigjt

ioc	pid	process
/usr/bin/rlcvmnmyjr	1555	rlcvmnmyjr
/usr/bin/rlcvmnmyjr	1580	rlcvmnmyjr
/usr/bin/rlcvmnmyjr	1584	rlcvmnmyjr
/usr/bin/rlcvmnmyjr	1587	rlcvmnmyjr
/usr/bin/rlcvmnmyjr	1590	rlcvmnmyjr
/usr/bin/tuulojpldk	1593	tuulojpldk
/usr/bin/tuulojpldk	1596	tuulojpldk
/usr/bin/tuulojpldk	1598	tuulojpldk
/usr/bin/tuulojpldk	1601	tuulojpldk
/usr/bin/tuulojpldk	1605	tuulojpldk
/usr/bin/jbjcresuyi	1608	jbjcresuyi
/usr/bin/jbjcresuyi	1610	jbjcresuyi
/usr/bin/jbjcresuyi	1614	jbjcresuyi
/usr/bin/jbjcresuyi	1617	jbjcresuyi
/usr/bin/jbjcresuyi	1620	jbjcresuyi
/usr/bin/nkhrttfkjz	1623	nkhrttfkjz
/usr/bin/nkhrttfkjz	1626	nkhrttfkjz
/usr/bin/nkhrttfkjz	1629	nkhrttfkjz
/usr/bin/nkhrttfkjz	1632	nkhrttfkjz
/usr/bin/nkhrttfkjz	1635	nkhrttfkjz
/usr/bin/melqjeigjt	1638	melqjeigjt
/usr/bin/melqjeigjt	1641	melqjeigjt
/usr/bin/melqjeigjt	1643	melqjeigjt

Unexpected DNS network traffic destination 20 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/udev.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/12580ef9ea8263664f1347834c162e98

description	ioc
File opened for modification	/etc/cron.hourly/udev.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/12580ef9ea8263664f1347834c162e98

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/tuulojpldk
File opened for modification	/usr/bin/jbjcresuyi
File opened for modification	/usr/bin/nkhrttfkjz
File opened for modification	/usr/bin/melqjeigjt
File opened for modification	/usr/bin/rlcvmnmyjr

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl

/tmp/12580ef9ea8263664f1347834c162e98
/tmp/12580ef9ea8263664f1347834c162e98
1⤵
PID:1542

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/udev.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/udev.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1548
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/udev.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1549

/bin/chkconfig
chkconfig --add 12580ef9ea8263664f1347834c162e98
1⤵
PID:1545

/bin/update-rc.d
update-rc.d 12580ef9ea8263664f1347834c162e98 defaults
1⤵
PID:1547

/sbin/chkconfig
chkconfig --add 12580ef9ea8263664f1347834c162e98
1⤵
PID:1545

/usr/bin/chkconfig
chkconfig --add 12580ef9ea8263664f1347834c162e98
1⤵
PID:1545

/usr/sbin/chkconfig
chkconfig --add 12580ef9ea8263664f1347834c162e98
1⤵
PID:1545

/usr/local/bin/chkconfig
chkconfig --add 12580ef9ea8263664f1347834c162e98
1⤵
PID:1545

/sbin/update-rc.d
update-rc.d 12580ef9ea8263664f1347834c162e98 defaults
1⤵
PID:1547

/usr/local/sbin/chkconfig
chkconfig --add 12580ef9ea8263664f1347834c162e98
1⤵
PID:1545

/usr/bin/update-rc.d
update-rc.d 12580ef9ea8263664f1347834c162e98 defaults
1⤵
PID:1547

/usr/X11R6/bin/chkconfig
chkconfig --add 12580ef9ea8263664f1347834c162e98
1⤵
PID:1545

/usr/sbin/update-rc.d
update-rc.d 12580ef9ea8263664f1347834c162e98 defaults
1⤵
PID:1547
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1553

/usr/bin/rlcvmnmyjr
/usr/bin/rlcvmnmyjr "route -n" 1543
1⤵
- Executes dropped EXE
PID:1555

/usr/bin/rlcvmnmyjr
/usr/bin/rlcvmnmyjr whoami 1543
1⤵
- Executes dropped EXE
PID:1580

/usr/bin/rlcvmnmyjr
/usr/bin/rlcvmnmyjr "netstat -antop" 1543
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/rlcvmnmyjr
/usr/bin/rlcvmnmyjr "sleep 1" 1543
1⤵
- Executes dropped EXE
PID:1587

/usr/bin/rlcvmnmyjr
/usr/bin/rlcvmnmyjr whoami 1543
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/tuulojpldk
/usr/bin/tuulojpldk id 1543
1⤵
- Executes dropped EXE
PID:1593

/usr/bin/tuulojpldk
/usr/bin/tuulojpldk "route -n" 1543
1⤵
- Executes dropped EXE
PID:1596

/usr/bin/tuulojpldk
/usr/bin/tuulojpldk bash 1543
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/tuulojpldk
/usr/bin/tuulojpldk gnome-terminal 1543
1⤵
- Executes dropped EXE
PID:1601

/usr/bin/tuulojpldk
/usr/bin/tuulojpldk "ls -la" 1543
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/jbjcresuyi
/usr/bin/jbjcresuyi "echo \"find\"" 1543
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/jbjcresuyi
/usr/bin/jbjcresuyi sh 1543
1⤵
- Executes dropped EXE
PID:1610

/usr/bin/jbjcresuyi
/usr/bin/jbjcresuyi "echo \"find\"" 1543
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/jbjcresuyi
/usr/bin/jbjcresuyi "ifconfig eth0" 1543
1⤵
- Executes dropped EXE
PID:1617

/usr/bin/jbjcresuyi
/usr/bin/jbjcresuyi pwd 1543
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/nkhrttfkjz
/usr/bin/nkhrttfkjz ifconfig 1543
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/nkhrttfkjz
/usr/bin/nkhrttfkjz ls 1543
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/nkhrttfkjz
/usr/bin/nkhrttfkjz uptime 1543
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/nkhrttfkjz
/usr/bin/nkhrttfkjz whoami 1543
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/nkhrttfkjz
/usr/bin/nkhrttfkjz ifconfig 1543
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/melqjeigjt
/usr/bin/melqjeigjt "route -n" 1543
1⤵
- Executes dropped EXE
PID:1638

/usr/bin/melqjeigjt
/usr/bin/melqjeigjt "ls -la" 1543
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/melqjeigjt
/usr/bin/melqjeigjt bash 1543
1⤵
- Executes dropped EXE
PID:1643

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/12580ef9ea8263664f1347834c162e98

Filesize
425B

MD5
18c8c47e1f6af72dc005e111a9bae219

SHA1
1f63abf97edd3de267364189c192bc02c00f5695

SHA256
c05b3011a0438d5c09997fafed6f0e87a60f1d90877942689ed619996dace6ec

SHA512
1d922f70b44614a8717451a8559f89ac8eedfa18766c513a54383d4d3a80eb7e0f03975f34cb779a854ff7d5c324f83ca905d6a6338640e4bd1984219f6a2691

Download Submit
/etc/sedroSUNJ

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc4.so

Filesize
189KB

MD5
b804f7032ebc1ba49d22bba7a269edb9

SHA1
14af86dfee922a539f4af03dccc32ab4ff475130

SHA256
005eb70077f76e726ccab3d7b0d251b98c8036da656bb6cc7abbd7d32f4e2679

SHA512
bc9b46b26bc281e7c165b533acb68c189cdb7e0be63923fe88636597adadb7e78d8af29e1f5805f34b2cb782891f43684b201919929eff684a4662d684bd3cdc

Download Submit
/run/udev.pid

Filesize
32B

MD5
d0f49f249815f3e62fd1006ab933e84b

SHA1
46b2eadf323d318ffc2fb883b4e043a2c89fe5e4

SHA256
2a81a7e5d09cf43ba968b1436ccb3b8b7d331fd5f600153aa509dd1a0edcfb09

SHA512
bd385ce716e0ba6900abd0392819ce155d88ce64c20ddabd106ef2ca9f17182a9f58fcd5910b7dd31a20dc7c155d2cbf4ddfbe5733f0d7ea9a8950c102d1ec7a

Download Submit
/usr/bin/jbjcresuyi

Filesize
596KB

MD5
900380974a09c6b8ba06c4e37402a7b3

SHA1
b6a7538ab3c833ca6948196cfb655da3ab26209e

SHA256
332bc0c80cf428d8220047a7764ce3b4dadba10a7f8a4ea10e04c9fbb85feae6

SHA512
93d4ccdf994f77f1688e29010fcac5d82d557fb8b869fe4474dad4207aae89a54fd393a70fdccda7e93da05d29283287f45fdc4060e71eaa6e5a618a627a3df8

Download Submit
/usr/bin/jbjcresuyi

Filesize
596KB

MD5
05c4f082320db0857056ddcc280b6904

SHA1
eae95dc30a6874653a092964dd119bdce4776db1

SHA256
ca908c828e8e752399dd161acff01e4af87699b06a59c72b42c5b92295c647dc

SHA512
f59ec6f083414b327dd795420d186c02442cb61935d3e1a85ab7e7e21728711b3a4d13fc1a3442d79382cffef2ea022d4ecf354756a929abdffb77700208c46e

Download Submit
/usr/bin/melqjeigjt

Filesize
596KB

MD5
1279943797f5638fdbe182e2ece4418f

SHA1
d8157fde72b4e7945fab011cf3e5a32a12f4eb49

SHA256
6efe474239e1fb4cbe35685e333e6aa2858a5157fcd5ede5d58d261410b272e0

SHA512
b925b2893296d6738dcbaa00e307d0d5635ece1ef86859ee771175cb9b167b3bccf2e88028b0726a14ddc3ae47c67334b5912e1f088a9a070a134fc72d803c3a

Download Submit
/usr/bin/melqjeigjt

Filesize
596KB

MD5
37f102d96dc68085d18f06305a67a3b6

SHA1
785a51f3d515dfe28ba516e046073c229042a97f

SHA256
443d02ecffdbc9c017462dc13ca56a9847cc35ec08259b4a222c8d1726a6e7c8

SHA512
372691b33106a747cb938cb57df835718d1241717bee2f815f147a1ca2e863ee23ca0a0ab834bdfc239468136d4ac3e6507bbcf118883de6a0e04901626ca01d

Download Submit
/usr/bin/nkhrttfkjz

Filesize
596KB

MD5
5bc439dab7f5053b8736603634a0eae9

SHA1
6be2366d545ad79ef3f1622a6ec8109a8e38490f

SHA256
c52a7b870857eb268803c5e58f4e727284824610a046e70710367c5ed7dacd9e

SHA512
730578f8ca88d9e98962f5d8dc82eed705f2b0415e7b80c1aa2823f3951859b997009d2d9167c90ee9b556ef22cc621715d3639568d3163b9649c2d071c0a6f6

Download Submit
/usr/bin/nkhrttfkjz

Filesize
596KB

MD5
3b720fd9768081810207819f336be5ad

SHA1
93724288dca75fb3c88a63068355cb7c6b320fed

SHA256
23fc1d01650a78f9bbb149b5f3acde93dea27ef7fe3f05f1b1ebdafbf3f6f9dc

SHA512
afd8ae97698a8d599c108ef314f5ca44c665bfa28b84e29eabe68059aa329e380f19b17f04f9706dafcb2a354d17756942c6a40a6dca495baddb1ecdbf5a8424

Download Submit
/usr/bin/rlcvmnmyjr

Filesize
596KB

MD5
12580ef9ea8263664f1347834c162e98

SHA1
d44055754ad40c523f1a16e616813e43c3fb5808

SHA256
af8039032cc60ca4205c1bd471009977e331ca4926bf9d5203fca3ec30a5ba45

SHA512
eba7c3de269317baf6d5e6ee73607b110563e620ada6c3924bd82fef7599637fc6db92629b55a9e1273d77a2f006c56267488b50c33e0953bb4ac0c38ef161fc

Download Submit
/usr/bin/rlcvmnmyjr

Filesize
596KB

MD5
f00931ec64d933a3fd1ea3a97d19f0b6

SHA1
3931353cb5165aa2d9ce6d46ceced86e406a7db1

SHA256
f25958aeae5a1651dd3dfe5e2ee40b5356eb8a7757b97e93d2b2ee6f9e5303ec

SHA512
e2f38cbc3aa76b784db0efd57e71e91f0f62e799ce6d4c2288fa9fff4d52527ef172d0e71f28893c3607b4872771619c09338d27cbd88fd02c1556218ea1ae9c

Download Submit
/usr/bin/rlcvmnmyjr

Filesize
596KB

MD5
14d1d32f43bbcf783f6b68ba307daa4c

SHA1
d48ec160a1afbfa82e85811f50afc8daf202aee8

SHA256
aaa0276fc55194d525577d9d0dad8c759b23cf66b14eb480c8f51a58ff720247

SHA512
61f08d8c49a5ed090dadb53ef41205c908afa5f29c73e0dcffeeb993f154ad41bbf13c64371a6cacefbfda836194e53a7c097b51f45c8d49730bb1f78c9f6670

Download Submit
/usr/bin/tuulojpldk

Filesize
596KB

MD5
741a5ee981eabee15b2b173c665ac6be

SHA1
c6a33fa0f41336ba5b4232afa179835e42d625f1

SHA256
15c9c23687a860f1af2ba9ad7117c1b6e892aa97e7d0753602fd4ca6a48e9216

SHA512
88554923279310cf7eb5e192feddb99a419ec8a6e58e21dc784981a2d7d85b3261bed8395cfcb5a81d06720794560bec589956c513b827821d03eaae3901b311

Download Submit
/usr/bin/tuulojpldk

Filesize
596KB

MD5
68308dcb3e37f0366a9672e58708c5f4

SHA1
774c95a0c3d7481d191044f6a1d2613c46dd8692

SHA256
7e20a38bcb78a454ab94b10af2840abc6e2473b8fbb4409b52fd895a33392fcf

SHA512
61ed8f8a86716c904b57976bbdae1ea50796bdf836127085ea725a2a365251414e36b236bd9e92d12a2c22fc233052189712475c38a947f720d2ebb0c36a6d01

Download Submit