xorddos | 42d1a53a951c417d9ecfee401060e7eb6cdc7f1eee2199fc301bc954294a94a2

General

Target

5602159b146889a8d8f73317cd07c88c
Size

544KB
MD5

5602159b146889a8d8f73317cd07c88c
SHA1

7d27cf3a17a76da44da1b17258cd4768c6d6a2ce
SHA256

42d1a53a951c417d9ecfee401060e7eb6cdc7f1eee2199fc301bc954294a94a2
SHA512

63bba00e8d0965e49ac39d6fba2d3b3069299ef786ad805732ac5bd25e02718b94ac6f7f2ed8ab109966a0828ca249cd96aebd59cbd80d28c9469db1e9aae68a
SSDEEP

12288:JbinNy0Y1nvEtXBx6DkkJmAGyPexU279WnjVZ6ySWK:1iNy0evmxvkJmApPexUm9cVE

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:5717

wowapplecar.com:5717

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 4 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_xorddos
behavioral1/files/fstream-25.dat	family_xorddos
behavioral1/files/fstream-27.dat	family_xorddos
behavioral1/files/fstream-55.dat	family_xorddos

Deletes itself 33 IoCs

pid
1604
1613
1619
1622
1626
1628
1641
1644
1647
1650
1652
1662
1665
1668
1671
1673
1677
1679
1683
1686
1688
1691
1697
1698
1701
1703
1706
1709
1713
1716
1718
1723
1728

Executes dropped EXE 34 IoCs

ioc	pid	Process
/bin/vfctqkodqkhr	1607	vfctqkodqkhr
/bin/ldbrmkvcfpx	1612	ldbrmkvcfpx
/bin/ndggewlzpzjgd	1618	ndggewlzpzjgd
/bin/oazcvzbmbgvcz	1621	oazcvzbmbgvcz
/bin/pqvswdzvoykqit	1624	pqvswdzvoykqit
/bin/hjljlgin	1627	hjljlgin
/bin/mojnfcafgyqult	1639	mojnfcafgyqult
/bin/tofxku	1642	tofxku
/bin/zjnqvu	1645	zjnqvu
/bin/dsmtcb	1648	dsmtcb
/bin/gbgpbwjordjh	1651	gbgpbwjordjh
/bin/drduauf	1660	drduauf
/bin/wyfhkgmsvykv	1663	wyfhkgmsvykv
/bin/olfomtmyrmbk	1666	olfomtmyrmbk
/bin/yllfvkfcrq	1669	yllfvkfcrq
/bin/ekfevcwlpcaexm	1672	ekfevcwlpcaexm
/bin/urkhaxyncjjp	1675	urkhaxyncjjp
/bin/phvzvx	1678	phvzvx
/bin/nbgetolmequa	1681	nbgetolmequa
/bin/ghjgixkriawzhs	1684	ghjgixkriawzhs
/bin/crbrthx	1687	crbrthx
/bin/dwiefcfhuga	1690	dwiefcfhuga
/bin/pxbmhephbst	1693	pxbmhephbst
/bin/epuzjqnmox	1695	epuzjqnmox
/bin/taycug	1699	taycug
/bin/jvbmjk	1702	jvbmjk
/bin/ajpzogvuke	1705	ajpzogvuke
/bin/ilyzoytpzksn	1708	ilyzoytpzksn
/bin/gbdfimrkxij	1711	gbdfimrkxij
/bin/pgibkxj	1714	pgibkxj
/bin/xilvdcuqvh	1717	xilvdcuqvh
/bin/tvefsp	1722	tvefsp
/bin/pxpldshvprfsb	1725	pxpldshvprfsb
/bin/cuygyxqm	1727	cuygyxqm

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc
File opened for modification	/etc/cron.hourly/rhkqdokqtcfv.sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/rhkqdokqtcfv

Writes file to system bin folder 1 TTPs 37 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/bin/wyfhkgmsvykv
File opened for modification	/bin/nbgetolmequa
File opened for modification	/bin/crbrthx
File opened for modification	/bin/xilvdcuqvh
File opened for modification	/bin/drduauf
File opened for modification	/bin/cuygyxqm
File opened for modification	/bin/vfctqkodqkhr
File opened for modification	/bin/hjljlgin
File opened for modification	/bin/ajpzogvuke
File opened for modification	/bin/rhhxpamt
File opened for modification	/bin/ndggewlzpzjgd
File opened for modification	/bin/phvzvx
File opened for modification	/bin/dwiefcfhuga
File opened for modification	/bin/pxbmhephbst
File opened for modification	/bin/tvefsp
File opened for modification	/bin/rhkqdokqtcfv
File opened for modification	/bin/pqvswdzvoykqit
File opened for modification	/bin/tofxku
File opened for modification	/bin/ekfevcwlpcaexm
File opened for modification	/bin/pgibkxj
File opened for modification	/bin/gbdfimrkxij
File opened for modification	/bin/rhkqdokqtcfv.sh
File opened for modification	/bin/oazcvzbmbgvcz
File opened for modification	/bin/gbgpbwjordjh
File opened for modification	/bin/olfomtmyrmbk
File opened for modification	/bin/yllfvkfcrq
File opened for modification	/bin/taycug
File opened for modification	/bin/ilyzoytpzksn
File opened for modification	/bin/pxpldshvprfsb
File opened for modification	/bin/ldbrmkvcfpx
File opened for modification	/bin/mojnfcafgyqult
File opened for modification	/bin/dsmtcb
File opened for modification	/bin/urkhaxyncjjp
File opened for modification	/bin/ghjgixkriawzhs
File opened for modification	/bin/jvbmjk
File opened for modification	/bin/zjnqvu
File opened for modification	/bin/epuzjqnmox

Writes file to shm directory 2 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc
File opened for modification	/dev/shm/sem.ghheqt
File opened for modification	/dev/shm/sem.fSga8Y

/tmp/5602159b146889a8d8f73317cd07c88c
/tmp/5602159b146889a8d8f73317cd07c88c
1⤵
PID:1603

/bin/vfctqkodqkhr
/bin/vfctqkodqkhr
1⤵
- Executes dropped EXE
PID:1607

/bin/ldbrmkvcfpx
/bin/ldbrmkvcfpx -d 1608
1⤵
- Executes dropped EXE
PID:1612

/bin/ndggewlzpzjgd
/bin/ndggewlzpzjgd -d 1608
1⤵
- Executes dropped EXE
PID:1618

/bin/oazcvzbmbgvcz
/bin/oazcvzbmbgvcz -d 1608
1⤵
- Executes dropped EXE
PID:1621

/bin/pqvswdzvoykqit
/bin/pqvswdzvoykqit -d 1608
1⤵
- Executes dropped EXE
PID:1624

/bin/hjljlgin
/bin/hjljlgin -d 1608
1⤵
- Executes dropped EXE
PID:1627

/bin/mojnfcafgyqult
/bin/mojnfcafgyqult -d 1608
1⤵
- Executes dropped EXE
PID:1639

/bin/tofxku
/bin/tofxku -d 1608
1⤵
- Executes dropped EXE
PID:1642

/bin/zjnqvu
/bin/zjnqvu -d 1608
1⤵
- Executes dropped EXE
PID:1645

/bin/dsmtcb
/bin/dsmtcb -d 1608
1⤵
- Executes dropped EXE
PID:1648

/bin/gbgpbwjordjh
/bin/gbgpbwjordjh -d 1608
1⤵
- Executes dropped EXE
PID:1651

/bin/drduauf
/bin/drduauf -d 1608
1⤵
- Executes dropped EXE
PID:1660

/bin/wyfhkgmsvykv
/bin/wyfhkgmsvykv -d 1608
1⤵
- Executes dropped EXE
PID:1663

/bin/olfomtmyrmbk
/bin/olfomtmyrmbk -d 1608
1⤵
- Executes dropped EXE
PID:1666

/bin/yllfvkfcrq
/bin/yllfvkfcrq -d 1608
1⤵
- Executes dropped EXE
PID:1669

/bin/ekfevcwlpcaexm
/bin/ekfevcwlpcaexm -d 1608
1⤵
- Executes dropped EXE
PID:1672

/bin/urkhaxyncjjp
/bin/urkhaxyncjjp -d 1608
1⤵
- Executes dropped EXE
PID:1675

/bin/phvzvx
/bin/phvzvx -d 1608
1⤵
- Executes dropped EXE
PID:1678

/bin/nbgetolmequa
/bin/nbgetolmequa -d 1608
1⤵
- Executes dropped EXE
PID:1681

/bin/ghjgixkriawzhs
/bin/ghjgixkriawzhs -d 1608
1⤵
- Executes dropped EXE
PID:1684

/bin/crbrthx
/bin/crbrthx -d 1608
1⤵
- Executes dropped EXE
PID:1687

/bin/dwiefcfhuga
/bin/dwiefcfhuga -d 1608
1⤵
- Executes dropped EXE
PID:1690

/bin/pxbmhephbst
/bin/pxbmhephbst -d 1608
1⤵
- Executes dropped EXE
PID:1693

/bin/epuzjqnmox
/bin/epuzjqnmox -d 1608
1⤵
- Executes dropped EXE
PID:1695

/bin/taycug
/bin/taycug -d 1608
1⤵
- Executes dropped EXE
PID:1699

/bin/jvbmjk
/bin/jvbmjk -d 1608
1⤵
- Executes dropped EXE
PID:1702

/bin/ajpzogvuke
/bin/ajpzogvuke -d 1608
1⤵
- Executes dropped EXE
PID:1705

/bin/ilyzoytpzksn
/bin/ilyzoytpzksn -d 1608
1⤵
- Executes dropped EXE
PID:1708

/bin/gbdfimrkxij
/bin/gbdfimrkxij -d 1608
1⤵
- Executes dropped EXE
PID:1711

/bin/pgibkxj
/bin/pgibkxj -d 1608
1⤵
- Executes dropped EXE
PID:1714

/bin/xilvdcuqvh
/bin/xilvdcuqvh -d 1608
1⤵
- Executes dropped EXE
PID:1717

/bin/tvefsp
/bin/tvefsp -d 1608
1⤵
- Executes dropped EXE
PID:1722

/bin/pxpldshvprfsb
/bin/pxpldshvprfsb -d 1608
1⤵
- Executes dropped EXE
PID:1725

/bin/cuygyxqm
/bin/cuygyxqm -d 1608
1⤵
- Executes dropped EXE
PID:1727

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/pxbmhephbst

Filesize
74KB

MD5
0f65bd8a103936fd446e45f0316a7bd4

SHA1
1bb03dfbdf07e2eede0e687bda9b1ceff5e0c59d

SHA256
7def82bdaff65a133cfa6e0664f4bd9d4fea62bacfc70637763d8370371fe763

SHA512
8c350b6359aabd29f2d6ab4c917164595e24d7fca0fe594564f25b2fa804381f44c79b04b1be102c3122c0444bf8dcd5f1b3d954a837de9566362f46e3a56024

Download Submit
/bin/tofxku

Filesize
472KB

MD5
80384b6905860fb1dd40323cea6f5c84

SHA1
94feb64f5c6eef8bc964fc9e4411527070850f5d

SHA256
a905d747f55cca4f2ceda10c466209e97da3d39c1fe21eb0d837446e8d82777d

SHA512
1aef48b0643b650f8997206b4677cbfb751adcc96eba5a3e0afb1f6cb0e80d77b20fa86383495f2e61878ac51758e69b4f865753effbdaf11a70cb38231ad618

Download Submit
/bin/vfctqkodqkhr

Filesize
544KB

MD5
c034e858e6070095a40649f86ec00d28

SHA1
4623606f813066b5cd0a0e5ce93e9b9e8c506474

SHA256
7c58ab658ef53e1e9d24d6d29d49a6d876f398e27427cae22ccff6a0371513b6

SHA512
476fe15bd608e4ddf1a1dbd637e5be366fa3d868a567420f7ca4ed67eaecbf73b09d3f6247f5bf24028e744b365671780d0089ae9e44b00d499dba4e31deeae4

Download Submit
/bin/zjnqvu

Filesize
58KB

MD5
f0a12a5e0046258f29a538c315310da5

SHA1
fa0a855d343ebca5b054d6992ea79d1477973eb8

SHA256
ec2e73c6d185f568905916dc9e28b2246a5f0227d6a29bf868d9687dd50d16ee

SHA512
cddf11d73a96780780d469c81936d45d17484dd3040eb22318fae2f6083cd5912e42a6f8345339c6bc79dad614bd94abbd320453737466e1d79780d7277fe501

Download Submit
/etc/cron.hourly/rhkqdokqtcfv.sh

Filesize
149B

MD5
e8eed4792d3991013f23ac463b9b3081

SHA1
ecea50b1f29798297e8b9c914d9d073033d5ee7d

SHA256
c3a6972eaba54981302e33c9267c49f11ef77144bd1b2408eafe8869be54b11a

SHA512
80dbe644d6ad5fd21d39b25eb9151715505b4f0863db3d915790cfc0fe5de9ebf4ed3479234ca8c6271855516c126b87bdaf5bdcd283bce1c9308a98d3419a01

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
321cf87b57022ebeff781cfd76ebd5f8

SHA1
41959b04a1ff667adf15adaf0dad6ca9cb5d1c31

SHA256
78b39aa36cb0563a4099a7efc64c716b78cc59b25c80a94dbcae6dfeb7fb38b1

SHA512
14fc84d12632f5db7f8ed99a90024256244c7d5ec06d1ab8347f0313a2508454abda18b6713af18bcbac283fd7c6e4169e3c662335ba4febfe07d4dfa4569de3

Download Submit
/etc/init.d/rhkqdokqtcfv

Filesize
348B

MD5
c36fba278f624fb9036db718afd3a341

SHA1
db7400ca8ffac25943296574b2ab6b91f2d04ac5

SHA256
d3122661b39d5f53c1eb2a85bc8ec9e5ae7d3edbd213a52bcf1ad071af19da04

SHA512
0d81db42c56423c2bd78afd39e85ea5a7aab18c87a91dccfeef4e62376b26b98e7ebf52ae9c4cad3af775fe4812704ce8ad45750bc15f0da82df4cb0abda4475

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads