xorddos | eb8a811dce3dfe9227be55d995d82d362296e5858f4f0ff9d7a9d54e8fe2cc0d

Analysis

max time kernel
150s
max time network
152s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40b099e6bc67aead2daa62163d1e3ba8
Size

596KB
MD5

40b099e6bc67aead2daa62163d1e3ba8
SHA1

ef203a2d1cac02f877a9fb3c37e598333db95da2
SHA256

eb8a811dce3dfe9227be55d995d82d362296e5858f4f0ff9d7a9d54e8fe2cc0d
SHA512

34e626e1af66a49cd6cfa0fddda396aa873fbb7d6fe75c3e91dc528e776c31a95576c03778a902e316f5a93bf48bc6ad3f772c16e75baa5ea26b5b1c525b3d50
SSDEEP

12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWdeF6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGodeLTD4XcP

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2818

103.24.0.162:2818

101.fwq.me:2818

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 12 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 6 IoCs

pid
1603
1592
1595
1598
1602
1627

Executes dropped EXE 24 IoCs

ioc	pid	Process
/usr/bin/nnrbjwwyzp	1537	nnrbjwwyzp
/usr/bin/nnrbjwwyzp	1543	nnrbjwwyzp
/usr/bin/nnrbjwwyzp	1564	nnrbjwwyzp
/usr/bin/nnrbjwwyzp	1569	nnrbjwwyzp
/usr/bin/nnrbjwwyzp	1572	nnrbjwwyzp
/usr/bin/qyhteuldqi	1575	qyhteuldqi
/usr/bin/qyhteuldqi	1577	qyhteuldqi
/usr/bin/qyhteuldqi	1581	qyhteuldqi
/usr/bin/qyhteuldqi	1584	qyhteuldqi
/usr/bin/qyhteuldqi	1587	qyhteuldqi
/usr/bin/sgdsxtjrqg	1590	sgdsxtjrqg
/usr/bin/sgdsxtjrqg	1593	sgdsxtjrqg
/usr/bin/sgdsxtjrqg	1596	sgdsxtjrqg
/usr/bin/sgdsxtjrqg	1599	sgdsxtjrqg
/usr/bin/sgdsxtjrqg	1601	sgdsxtjrqg
/usr/bin/tqjlghtvck	1605	tqjlghtvck
/usr/bin/tqjlghtvck	1608	tqjlghtvck
/usr/bin/tqjlghtvck	1610	tqjlghtvck
/usr/bin/tqjlghtvck	1614	tqjlghtvck
/usr/bin/tqjlghtvck	1617	tqjlghtvck
/usr/bin/slkudzczms	1622	slkudzczms
/usr/bin/slkudzczms	1624	slkudzczms
/usr/bin/slkudzczms	1628	slkudzczms
/usr/bin/slkudzczms	1631	slkudzczms

Unexpected DNS network traffic destination 19 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/udev.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/40b099e6bc67aead2daa62163d1e3ba8

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/nnrbjwwyzp
File opened for modification	/usr/bin/qyhteuldqi
File opened for modification	/usr/bin/sgdsxtjrqg
File opened for modification	/usr/bin/tqjlghtvck
File opened for modification	/usr/bin/slkudzczms

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl

/tmp/40b099e6bc67aead2daa62163d1e3ba8
/tmp/40b099e6bc67aead2daa62163d1e3ba8
1⤵
PID:1524

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/udev.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/udev.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1530
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/udev.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1531

/bin/chkconfig
chkconfig --add 40b099e6bc67aead2daa62163d1e3ba8
1⤵
PID:1527

/sbin/chkconfig
chkconfig --add 40b099e6bc67aead2daa62163d1e3ba8
1⤵
PID:1527

/usr/bin/chkconfig
chkconfig --add 40b099e6bc67aead2daa62163d1e3ba8
1⤵
PID:1527

/usr/sbin/chkconfig
chkconfig --add 40b099e6bc67aead2daa62163d1e3ba8
1⤵
PID:1527

/usr/local/bin/chkconfig
chkconfig --add 40b099e6bc67aead2daa62163d1e3ba8
1⤵
PID:1527

/usr/local/sbin/chkconfig
chkconfig --add 40b099e6bc67aead2daa62163d1e3ba8
1⤵
PID:1527

/usr/X11R6/bin/chkconfig
chkconfig --add 40b099e6bc67aead2daa62163d1e3ba8
1⤵
PID:1527

/bin/update-rc.d
update-rc.d 40b099e6bc67aead2daa62163d1e3ba8 defaults
1⤵
PID:1529

/sbin/update-rc.d
update-rc.d 40b099e6bc67aead2daa62163d1e3ba8 defaults
1⤵
PID:1529

/usr/bin/update-rc.d
update-rc.d 40b099e6bc67aead2daa62163d1e3ba8 defaults
1⤵
PID:1529

/usr/sbin/update-rc.d
update-rc.d 40b099e6bc67aead2daa62163d1e3ba8 defaults
1⤵
PID:1529
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1536

/usr/bin/nnrbjwwyzp
/usr/bin/nnrbjwwyzp who 1525
1⤵
- Executes dropped EXE
PID:1537

/usr/bin/nnrbjwwyzp
/usr/bin/nnrbjwwyzp bash 1525
1⤵
- Executes dropped EXE
PID:1543

/usr/bin/nnrbjwwyzp
/usr/bin/nnrbjwwyzp "grep \"A\"" 1525
1⤵
- Executes dropped EXE
PID:1564

/usr/bin/nnrbjwwyzp
/usr/bin/nnrbjwwyzp whoami 1525
1⤵
- Executes dropped EXE
PID:1569

/usr/bin/nnrbjwwyzp
/usr/bin/nnrbjwwyzp "grep \"A\"" 1525
1⤵
- Executes dropped EXE
PID:1572

/usr/bin/qyhteuldqi
/usr/bin/qyhteuldqi "ifconfig eth0" 1525
1⤵
- Executes dropped EXE
PID:1575

/usr/bin/qyhteuldqi
/usr/bin/qyhteuldqi id 1525
1⤵
- Executes dropped EXE
PID:1577

/usr/bin/qyhteuldqi
/usr/bin/qyhteuldqi "echo \"find\"" 1525
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/qyhteuldqi
/usr/bin/qyhteuldqi "cat resolv.conf" 1525
1⤵
- Executes dropped EXE
PID:1584

/usr/bin/qyhteuldqi
/usr/bin/qyhteuldqi "netstat -antop" 1525
1⤵
- Executes dropped EXE
PID:1587

/usr/bin/sgdsxtjrqg
/usr/bin/sgdsxtjrqg "ifconfig eth0" 1525
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/sgdsxtjrqg
/usr/bin/sgdsxtjrqg "grep \"A\"" 1525
1⤵
- Executes dropped EXE
PID:1593

/usr/bin/sgdsxtjrqg
/usr/bin/sgdsxtjrqg ls 1525
1⤵
- Executes dropped EXE
PID:1596

/usr/bin/sgdsxtjrqg
/usr/bin/sgdsxtjrqg top 1525
1⤵
- Executes dropped EXE
PID:1599

/usr/bin/sgdsxtjrqg
/usr/bin/sgdsxtjrqg ifconfig 1525
1⤵
- Executes dropped EXE
PID:1601

/usr/bin/tqjlghtvck
/usr/bin/tqjlghtvck "netstat -an" 1525
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/tqjlghtvck
/usr/bin/tqjlghtvck su 1525
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/tqjlghtvck
/usr/bin/tqjlghtvck whoami 1525
1⤵
- Executes dropped EXE
PID:1610

/usr/bin/tqjlghtvck
/usr/bin/tqjlghtvck id 1525
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/tqjlghtvck
/usr/bin/tqjlghtvck "sleep 1" 1525
1⤵
- Executes dropped EXE
PID:1617

/usr/bin/slkudzczms
/usr/bin/slkudzczms "route -n" 1525
1⤵
- Executes dropped EXE
PID:1622

/usr/bin/slkudzczms
/usr/bin/slkudzczms pwd 1525
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/slkudzczms
/usr/bin/slkudzczms ifconfig 1525
1⤵
- Executes dropped EXE
PID:1628

/usr/bin/slkudzczms
/usr/bin/slkudzczms "ifconfig eth0" 1525
1⤵
- Executes dropped EXE
PID:1631

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/40b099e6bc67aead2daa62163d1e3ba8

Filesize
425B

MD5
c9f311db4e445cbc07d84025cb913db9

SHA1
1a5a82bdb9a30138f7665ef43a795575d990a6d8

SHA256
ef118e32696a6854713efeeb89b2769b7334c8bd46ed95f3fa57fdf3231ce2f5

SHA512
3e57e24a39419bdbe5d4faf3fbe958e9831b58848777cd6c03d2af0f3890a5296c9d20a63d708c3e0135268ad99340c31ed3eeed7fa6b5d6bf22b2a29be97b9e

Download Submit
/etc/sedSfdYyK

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc4.so

Filesize
596KB

MD5
40b099e6bc67aead2daa62163d1e3ba8

SHA1
ef203a2d1cac02f877a9fb3c37e598333db95da2

SHA256
eb8a811dce3dfe9227be55d995d82d362296e5858f4f0ff9d7a9d54e8fe2cc0d

SHA512
34e626e1af66a49cd6cfa0fddda396aa873fbb7d6fe75c3e91dc528e776c31a95576c03778a902e316f5a93bf48bc6ad3f772c16e75baa5ea26b5b1c525b3d50

Download Submit
/run/udev.pid

Filesize
32B

MD5
193c3f99c1a83b95f6febdef0765fd8e

SHA1
f0d701b25702ad25640ac2d5b54536d327deb79a

SHA256
9714dc720090f768f2b8c42c00322fa59e898d7722b49bdc75e3bcd4acf83c89

SHA512
8f0bf96bca2db3dab6cbb54dcf13735fc6a89913c72f264fbea3564e1561d106f9f589a2e13ef829f227080352b6199416005c59a58e67ca1082609e3f82be47

Download Submit
/usr/bin/nnrbjwwyzp

Filesize
596KB

MD5
f5d390e71b7c8291cf16ad02f37f1dd7

SHA1
17f3f7fd7086c9fecee5d3c1487289084c6466ad

SHA256
569935406f31c4c1558564f0057a931fe2d14791ecb44ba959c46df7a9496bb9

SHA512
f261deab27c9d74ea63219f7c07d42666fd31b9afc179eba5a3c48bca9ae9fa98471fa013159cd93be075eaf57a47e366520b39b8c527343ae2af03ab4229769

Download Submit
/usr/bin/nnrbjwwyzp

Filesize
596KB

MD5
16e591f4aa76bb87dd8f05d5e3dcc190

SHA1
b15b388a85c18fa711e2d80f36510360305987ef

SHA256
ccaa177c77b71e8df1d4be7af914c3fc1efe76c7516389987c2b3b255c69ac0a

SHA512
efcc557765a6592d35dccd3af8c65d26051a0dfc2c94019c736e79cd84b43fe82595c2c0c4c7a3e3cd1396af0532f909688e14f0bcde594ee08903cd321272c1

Download Submit
/usr/bin/qyhteuldqi

Filesize
596KB

MD5
fc623911644b3960a467163f90429411

SHA1
32552806cdc12df49673757f621a461c825bf02e

SHA256
84162dcb8bd0ca57072085dad7e1ec817068b4c905c865297e5f3885797ef762

SHA512
9d17097907027b250a5d8321c9d204954283749a91a10bb7eb25b127d3198246e0cf8dd78d03f623218b5003c94758f556c3154073aa3e868bc5a9e7da69cdee

Download Submit
/usr/bin/qyhteuldqi

Filesize
596KB

MD5
bf7dfe7434cc57f644fa9fe047fd665a

SHA1
b45d1d27959a084609940bff9bc0ce5088215641

SHA256
f1b552a191e2452a6313976d007e0aa03ca91db801d7e43b3d65cd461ed8f5f1

SHA512
c21f5f8de46c75c84a0d4c97601e741920b1db27d9d64ef2423e45241729d420100701267aa51e7b74cbd9061618fff6635d75ddbf98c4fbf542e6c09f46b9da

Download Submit
/usr/bin/sgdsxtjrqg

Filesize
596KB

MD5
e1e61dbfe65e65fff0a86bf4e23b254e

SHA1
90975923b2c352eb827ae5a099b413ca85b27c74

SHA256
e8a92c6734672ffdb2a9398244976da2376e626d3b5c944ca8d7157a58c22a53

SHA512
428ce84766080506a5ef8ac8c74c1b1243d5eb98475cb444fb4c706a53e7cdfe82ca38cc007814f9dd80c4bbbe5cc72320c516a4ba415c2483721ed888bc837a

Download Submit
/usr/bin/sgdsxtjrqg

Filesize
596KB

MD5
d90160ab135ade50df38fb7947ba254d

SHA1
4a9ac0ea82b0216f4f080fc6d396262545486609

SHA256
6eb5cf0e8169d9c93ef99b589749db2e049f4f17ca568d658a575a23c413d3ee

SHA512
18d18e22544506ffcb3600f64dd267e63cbaf6ad22e0cf309fd6932d034a8f8d2a898a1e7ec9c31fe50b9c6ed74e9e5dca4b6cff3b3a3d4b85636d40abe2e305

Download Submit
/usr/bin/slkudzczms

Filesize
596KB

MD5
8b2696759cad5cf43cec2e631d25722b

SHA1
89fd066870c603df5486746d4eea9fe7ec3d581b

SHA256
7080a812a2c9f544770d53a2b631d8f88671bc453e4d7bf12ed3755ca55214a8

SHA512
f8b1fb36f8df1d7ac4ed822a8c98de54460cb72bdc353aecef171460ed764e3b843a72da775ace40ae04952a14b6f5dfc68584641612521edc345bfaa9117b0a

Download Submit
/usr/bin/slkudzczms

Filesize
596KB

MD5
a5d924759c41ccd941d66907db05ef7f

SHA1
2e196f1eb88f2c57e70b55b42998dbbe99263a65

SHA256
385c02e96d70990fab3009ea5ab465435cd452e660951c82859d4592ff4bb8bd

SHA512
700253f80436674b4c690d1334d75e590e15daaac2a6f78d245fcb62194420e81ea643eecca249b557b1b79382b81621ca0373399a7cf9f4ab3b4540e78253d2

Download Submit
/usr/bin/tqjlghtvck

Filesize
502KB

MD5
a93f0edbb8dddcbac3d560a5b82f5d28

SHA1
27faa9eaf0c39631212138867b22f55d9147b74c

SHA256
a8d5b87891e737e219c136c6e14aa096d58f5c3127c342694310516cd4c768bf

SHA512
aeb5c7c1762b9520a5f591c7e9e9ef16c1ec81c275bbbaa01339783be3ac6425ef271a9797aa1055777f8db9d9def9c5857fce56526cffd2192190c9edec8a50

Download Submit
/usr/bin/tqjlghtvck

Filesize
596KB

MD5
b8519b9e9035cddb1a9c75723f2c7486

SHA1
0a91f2f4c004ca24a9011fdba9406b8baf77ea2f

SHA256
816d6ef354ab5a33f23f90aadc45171ec54dcdb5a0708dd18b77c2a9d1e8b0f1

SHA512
f78262991f303b403dbb7714aacc6bcbac8f2c2a3b06c513704b58c2a2d60b104a64e6ce67a093f9468f21716d0e362e65602862b157b5e3da89240a3c3f3ee2

Download Submit
/usr/bin/tqjlghtvck

Filesize
596KB

MD5
f00dadb6142bf9d2b15ef967ba4a2457

SHA1
79575d2d8fd000b008dbabc4f05dad368968798d

SHA256
fb45ccaa0f9e71ced0398cda79637a9af0b1e264a961f3a70171753a1831049f

SHA512
f087c53c2c78784dd36ad81b49308b82e33ca7d6056f33323c361b55fa107edd86c043198cf2b29ebef3c9691de029692d6cba798c81ec7686e5255e3f28ad22

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads