xorddos | c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc

Analysis

max time kernel
150s
max time network
151s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c49b5160b981f06bd5242662f8d0a54
Size

611KB
MD5

3c49b5160b981f06bd5242662f8d0a54
SHA1

c50933e1f8a194e608049839707d8d698dd5caa5
SHA256

c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc
SHA512

d947f1ecfb10002bc05bb6d1786758dfecb9000b94140128ccc9a68bd3a032ccb7360f27a3f7f522df856b372691bde46792975f6ac82c6fa0218d38b0d8488e
SSDEEP

12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tikx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhkfNiGQl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3306

ns4.hostasa.org:3306

ns1.hostasa.org:3306

ns2.hostasa.org:3306

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 12 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/usvfqghknj	family_xorddos
/usr/bin/usvfqghknj	family_xorddos
/usr/bin/usvfqghknj	family_xorddos
/usr/bin/ghhaitjsdi	family_xorddos
/usr/bin/ghhaitjsdi	family_xorddos
/usr/bin/qpjjarmozc	family_xorddos
/usr/bin/qpjjarmozc	family_xorddos
/usr/bin/dsedhshspr	family_xorddos
/usr/bin/dsedhshspr	family_xorddos
/usr/bin/peaisrnbzq	family_xorddos
/usr/bin/peaisrnbzq	family_xorddos

Deletes itself 4 IoCs

Processes:

pid

1693
1686
1689
1695

pid
1693
1686
1689
1695

Executes dropped EXE 24 IoCs

Processes:

usvfqghknjusvfqghknjusvfqghknjusvfqghknjusvfqghknjghhaitjsdighhaitjsdighhaitjsdighhaitjsdighhaitjsdiqpjjarmozcqpjjarmozcqpjjarmozcqpjjarmozcqpjjarmozcdsedhshsprdsedhshsprdsedhshsprdsedhshsprdsedhshsprpeaisrnbzqpeaisrnbzqpeaisrnbzqpeaisrnbzq

ioc	pid	process
/usr/bin/usvfqghknj	1615	usvfqghknj
/usr/bin/usvfqghknj	1623	usvfqghknj
/usr/bin/usvfqghknj	1626	usvfqghknj
/usr/bin/usvfqghknj	1630	usvfqghknj
/usr/bin/usvfqghknj	1636	usvfqghknj
/usr/bin/ghhaitjsdi	1639	ghhaitjsdi
/usr/bin/ghhaitjsdi	1641	ghhaitjsdi
/usr/bin/ghhaitjsdi	1645	ghhaitjsdi
/usr/bin/ghhaitjsdi	1648	ghhaitjsdi
/usr/bin/ghhaitjsdi	1651	ghhaitjsdi
/usr/bin/qpjjarmozc	1654	qpjjarmozc
/usr/bin/qpjjarmozc	1656	qpjjarmozc
/usr/bin/qpjjarmozc	1660	qpjjarmozc
/usr/bin/qpjjarmozc	1663	qpjjarmozc
/usr/bin/qpjjarmozc	1666	qpjjarmozc
/usr/bin/dsedhshspr	1669	dsedhshspr
/usr/bin/dsedhshspr	1672	dsedhshspr
/usr/bin/dsedhshspr	1675	dsedhshspr
/usr/bin/dsedhshspr	1678	dsedhshspr
/usr/bin/dsedhshspr	1681	dsedhshspr
/usr/bin/peaisrnbzq	1684	peaisrnbzq
/usr/bin/peaisrnbzq	1687	peaisrnbzq
/usr/bin/peaisrnbzq	1690	peaisrnbzq
/usr/bin/peaisrnbzq	1692	peaisrnbzq

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/3c49b5160b981f06bd5242662f8d0a54

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/3c49b5160b981f06bd5242662f8d0a54

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/qpjjarmozc
File opened for modification	/usr/bin/dsedhshspr
File opened for modification	/usr/bin/peaisrnbzq
File opened for modification	/usr/bin/usvfqghknj
File opened for modification	/usr/bin/ghhaitjsdi

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl

/tmp/3c49b5160b981f06bd5242662f8d0a54
/tmp/3c49b5160b981f06bd5242662f8d0a54
1⤵
PID:1586

/bin/chkconfig
chkconfig --add 3c49b5160b981f06bd5242662f8d0a54
1⤵
PID:1589

/sbin/chkconfig
chkconfig --add 3c49b5160b981f06bd5242662f8d0a54
1⤵
PID:1589

/usr/bin/chkconfig
chkconfig --add 3c49b5160b981f06bd5242662f8d0a54
1⤵
PID:1589

/usr/sbin/chkconfig
chkconfig --add 3c49b5160b981f06bd5242662f8d0a54
1⤵
PID:1589

/usr/local/bin/chkconfig
chkconfig --add 3c49b5160b981f06bd5242662f8d0a54
1⤵
PID:1589

/usr/local/sbin/chkconfig
chkconfig --add 3c49b5160b981f06bd5242662f8d0a54
1⤵
PID:1589

/usr/X11R6/bin/chkconfig
chkconfig --add 3c49b5160b981f06bd5242662f8d0a54
1⤵
PID:1589

/bin/update-rc.d
update-rc.d 3c49b5160b981f06bd5242662f8d0a54 defaults
1⤵
PID:1591

/sbin/update-rc.d
update-rc.d 3c49b5160b981f06bd5242662f8d0a54 defaults
1⤵
PID:1591

/usr/bin/update-rc.d
update-rc.d 3c49b5160b981f06bd5242662f8d0a54 defaults
1⤵
PID:1591

/usr/sbin/update-rc.d
update-rc.d 3c49b5160b981f06bd5242662f8d0a54 defaults
1⤵
PID:1591
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1594

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1592
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1593

/usr/bin/usvfqghknj
/usr/bin/usvfqghknj "ps -ef" 1587
1⤵
- Executes dropped EXE
PID:1615

/usr/bin/usvfqghknj
/usr/bin/usvfqghknj "grep \"A\"" 1587
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/usvfqghknj
/usr/bin/usvfqghknj "cd /etc" 1587
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/usvfqghknj
/usr/bin/usvfqghknj "route -n" 1587
1⤵
- Executes dropped EXE
PID:1630

/usr/bin/usvfqghknj
/usr/bin/usvfqghknj gnome-terminal 1587
1⤵
- Executes dropped EXE
PID:1636

/usr/bin/ghhaitjsdi
/usr/bin/ghhaitjsdi "cd /etc" 1587
1⤵
- Executes dropped EXE
PID:1639

/usr/bin/ghhaitjsdi
/usr/bin/ghhaitjsdi su 1587
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/ghhaitjsdi
/usr/bin/ghhaitjsdi ifconfig 1587
1⤵
- Executes dropped EXE
PID:1645

/usr/bin/ghhaitjsdi
/usr/bin/ghhaitjsdi top 1587
1⤵
- Executes dropped EXE
PID:1648

/usr/bin/ghhaitjsdi
/usr/bin/ghhaitjsdi "ls -la" 1587
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/qpjjarmozc
/usr/bin/qpjjarmozc "cd /etc" 1587
1⤵
- Executes dropped EXE
PID:1654

/usr/bin/qpjjarmozc
/usr/bin/qpjjarmozc "netstat -an" 1587
1⤵
- Executes dropped EXE
PID:1656

/usr/bin/qpjjarmozc
/usr/bin/qpjjarmozc "ls -la" 1587
1⤵
- Executes dropped EXE
PID:1660

/usr/bin/qpjjarmozc
/usr/bin/qpjjarmozc "ifconfig eth0" 1587
1⤵
- Executes dropped EXE
PID:1663

/usr/bin/qpjjarmozc
/usr/bin/qpjjarmozc su 1587
1⤵
- Executes dropped EXE
PID:1666

/usr/bin/dsedhshspr
/usr/bin/dsedhshspr "ls -la" 1587
1⤵
- Executes dropped EXE
PID:1669

/usr/bin/dsedhshspr
/usr/bin/dsedhshspr ls 1587
1⤵
- Executes dropped EXE
PID:1672

/usr/bin/dsedhshspr
/usr/bin/dsedhshspr bash 1587
1⤵
- Executes dropped EXE
PID:1675

/usr/bin/dsedhshspr
/usr/bin/dsedhshspr ifconfig 1587
1⤵
- Executes dropped EXE
PID:1678

/usr/bin/dsedhshspr
/usr/bin/dsedhshspr "cat resolv.conf" 1587
1⤵
- Executes dropped EXE
PID:1681

/usr/bin/peaisrnbzq
/usr/bin/peaisrnbzq top 1587
1⤵
- Executes dropped EXE
PID:1684

/usr/bin/peaisrnbzq
/usr/bin/peaisrnbzq "route -n" 1587
1⤵
- Executes dropped EXE
PID:1687

/usr/bin/peaisrnbzq
/usr/bin/peaisrnbzq "netstat -antop" 1587
1⤵
- Executes dropped EXE
PID:1690

/usr/bin/peaisrnbzq
/usr/bin/peaisrnbzq "echo \"find\"" 1587
1⤵
- Executes dropped EXE
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/sedKpXXp5

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
427KB

MD5
2c01e3324da3ca7dae7c8104d4c696a0

SHA1
102b5905afcdb13cb1dff91a44685be6b1e90551

SHA256
8079ab58a682565c036a1207e56a69da151913ce8c4b8a1841d3ce7432ed767b

SHA512
7a2b1b63fb321431deda42b3bfc75e0896100f253dcff48b4517cd2de310d0624aa922aad63ba8225ba0d5bfc5bb670a0d9369b9581bd3b8ffd820839107d17a

Download Submit
/run/gcc.pid

Filesize
32B

MD5
5054c63ce6fe6733238fb5e932f6ea67

SHA1
7afe5ce3e64e3d3efceaebf8964a6eb9c0b39a6e

SHA256
62b7c02bbba59be654e9756c60808311816beb1c3b737b31d38b4dc5189534ce

SHA512
b54d9810097b8188a563bb21b14d7c4082c3db9cc20d090284688028acc928c3f8798a4cb1b9b2d1c1e5fbc38cb1f50ef55de9be53ef993ff60bc341c61024b0

Download Submit
/usr/bin/dsedhshspr

Filesize
611KB

MD5
99dd503a56ba323decc608552fb6c2c2

SHA1
b23ef7b9a4ab0349d495c797263eb070ffc1b664

SHA256
93533b79cd20caca3b37accce39393330e1c45b5c7c1b4cc2ff6789190152858

SHA512
a5c573457b8772c47ef38b4356c717e5009c807d9ad6d328577546406a58d84e80949bb9543f64afbf457520149dd44e9297426892781609f1ef8654a621bc52

Download Submit
/usr/bin/dsedhshspr

Filesize
611KB

MD5
cf0bc2ac28e51b4aff82635a559ffa06

SHA1
ef23276754cd8ba3b0b263d5e4f9dd779c0f9f16

SHA256
16813645d3247816d96cfaf57610d1e9e4e677bc42ad5135d60711534a729643

SHA512
7854e82119924d722f0f6dfd8a3bea788570227be7908e787edf22a785a9019e98a2becd076696e03d1e6e1d2741bfa22ca4d5815ab1617e921b77825b7601ab

Download Submit
/usr/bin/ghhaitjsdi

Filesize
611KB

MD5
636a5a63d9a5249b5e784764bfe06168

SHA1
53b3454af71bf037aa6b8cd4243c82fcade29d88

SHA256
914e8275d74e72772477794b88d4a3cd93075dab1d39e993d4b1b7b48302c9a0

SHA512
a95cf24d77c70967f603015514e98694273ff3eccc7e763e0c1eccb1e5ad28271c89174a253095b89c5d996d4ee3267ad2d8205026dfbb148cfb8a2c510ff00b

Download Submit
/usr/bin/ghhaitjsdi

Filesize
611KB

MD5
0d83d30474bce0e0331da85bf5dc6d3b

SHA1
3fe566ce0c38ff60a69f3f364fe3deb50ce8f920

SHA256
9f1f18592d4cb19cc14bcf44aa1d276497b8bf9339e71d8f2a53858301b2d906

SHA512
b75de160c73343bf0bbc8d88497b2d2cdbaa6b967dd93e920d17c0435d26168e113c13eca1d3a9a3dc18cefdae5980d1fcb062f682e7b8778968f8eeded69080

Download Submit
/usr/bin/peaisrnbzq

Filesize
611KB

MD5
16c93007e48aaf3fabcce593699055fc

SHA1
10cb59a6a1e2a8b17751623579d60e8e84c0d248

SHA256
93392ac7eb3f1631e861f336f0d4b28dadc493dc781d74238e0f03c5d37b9c80

SHA512
26ace0f65a0e209dc473bf9086c480ae56e8554049dc57ee9995fe5437cc0175b777f2c8983ecec801495b31fc1248923ae6fc8e66d060ea11f6b4d515d8eec1

Download Submit
/usr/bin/peaisrnbzq

Filesize
611KB

MD5
6e4523c0213df731aec704a632b0f121

SHA1
4250b7f93f7c19fdf343c6a3286ffb97fd6613a7

SHA256
d6f7ce0dda86116a2860bb158bfe4451a3aba433ab999257e10da4ea7839fd11

SHA512
c7b7ab396d998ba82b118c3c8ccd5806fe274c094647a2d0598881965cd54adc25ae7ab0f11d3bbc98b1adc158f15bceeefa5f1d049646b1998594072e86e54d

Download Submit
/usr/bin/qpjjarmozc

Filesize
611KB

MD5
827bbe4375d0fee75e607829527efb7a

SHA1
850f6c5f11ee3a8056cd5c79ff3d7ed287e902ec

SHA256
e5312032c9173741f1e8ef89d9dde7dcf69fbd97cd158481a521de4bd20d7365

SHA512
3184ae81524ac4effee62bc010d7d9a325336a21205a79d7fab099105a894ca12d1711b1cea26d779cc0ff9e54e33a98070e9b50f2bd248db92946eab2fb77fd

Download Submit
/usr/bin/qpjjarmozc

Filesize
611KB

MD5
15a237b73c7ff839e599080703c79987

SHA1
7d66c3a9088326d0ec2a2ac8ae3727276e81693e

SHA256
72f5383281fbcd0f5cb425bb76cc65d64a7d2f2597937a73ad5a76ec8e93291e

SHA512
3cbc97c033e568f2a202b1db4e86a7ceb4a7a22c0e02ac0c9076a4fc4820ca853a315049c9b3ee856d1149c7a8ae48a238b5de700dbba65d699a612ee25363b0

Download Submit
/usr/bin/usvfqghknj

Filesize
611KB

MD5
3c49b5160b981f06bd5242662f8d0a54

SHA1
c50933e1f8a194e608049839707d8d698dd5caa5

SHA256
c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc

SHA512
d947f1ecfb10002bc05bb6d1786758dfecb9000b94140128ccc9a68bd3a032ccb7360f27a3f7f522df856b372691bde46792975f6ac82c6fa0218d38b0d8488e

Download Submit
/usr/bin/usvfqghknj

Filesize
611KB

MD5
4f62bd8cc37e829fc0e11b13921ec719

SHA1
ebc157659cb733df4a82ebaeda8b4c9af65f8ca5

SHA256
81d515983b45e3bfbe3a5f2ef0139e63c22a06fdbf3c2ea29ee53179914c8fa7

SHA512
4288c8098360370f2ab69cd7ad3bfd4eaa427e7f9743b6e8be8ebf2566ea8014c07cdbf5f2c670b4b887169884484ba0d8e1f4b736b418025fc7d26fc23b1456

Download Submit
/usr/bin/usvfqghknj

Filesize
611KB

MD5
cd06b608a071b850feb1b276314357d0

SHA1
2f3236ccf3d789862a93d55ad7dc7b8bb1ac200f

SHA256
ff4df1d349f79fba660afafe1c11745ebe3206f0d2cc1935b4dddd2626f97e19

SHA512
4d3b6f5b6b766f57acac43af2a079ebf532ebf0c718492450af9f5b58fdc76c32e56b885f8a2246b2c2a008ca33752b47385d8180bd9e9a1a7b6e4245884d6d8

Download Submit