xorddos | 74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520

Analysis

max time kernel
66s
max time network
65s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6387622dc599a220749b77411a56d13f
Size

604KB
MD5

6387622dc599a220749b77411a56d13f
SHA1

112dd3302d0293399948fdeb8931a6159c62e390
SHA256

74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520
SHA512

03b8dd65a0574fda6a3eb7274439ccbea05b7bcf9d4a2ffbe0b46bdf58a13e8b25d784aa6f4338c3366bb207e9e973faf131127ef2ab9ae8f87953b34f27b094
SSDEEP

12288:IiqKgqkonFOSC3pZWKqAKSj6LJXDv429v6yrDKb4olUuThTcF:S1qPkSCvnvKSj6LJXDr9zDsl/9TE

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

103.25.9.245:8008

103.240.141.50:8008

66.102.253.30:8008

ndns.dsaj2a1.org:8008

ndns.dsaj2a.org:8008

ndns.hcxiaoao.com:8008

ndns.dsaj2a.com:8008

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 5 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos

Executes dropped EXE 24 IoCs

ioc	pid	Process
/usr/bin/uahrwyjhta	1585	uahrwyjhta
/usr/bin/uahrwyjhta	1588	uahrwyjhta
/usr/bin/uahrwyjhta	1591	uahrwyjhta
/usr/bin/uahrwyjhta	1594	uahrwyjhta
/usr/bin/uahrwyjhta	1597	uahrwyjhta
/usr/bin/zsttqbunbf	1600	zsttqbunbf
/usr/bin/zsttqbunbf	1603	zsttqbunbf
/usr/bin/zsttqbunbf	1606	zsttqbunbf
/usr/bin/zsttqbunbf	1609	zsttqbunbf
/usr/bin/zsttqbunbf	1612	zsttqbunbf
/usr/bin/hnosvwaptk	1615	hnosvwaptk
/usr/bin/hnosvwaptk	1618	hnosvwaptk
/usr/bin/hnosvwaptk	1621	hnosvwaptk
/usr/bin/hnosvwaptk	1624	hnosvwaptk
/usr/bin/hnosvwaptk	1627	hnosvwaptk
/usr/bin/ymlxsacwrp	1632	ymlxsacwrp
/usr/bin/ymlxsacwrp	1635	ymlxsacwrp
/usr/bin/ymlxsacwrp	1638	ymlxsacwrp
/usr/bin/ymlxsacwrp	1641	ymlxsacwrp
/usr/bin/ymlxsacwrp	1644	ymlxsacwrp
/usr/bin/adahaxdilx	1662	adahaxdilx
/usr/bin/adahaxdilx	1665	adahaxdilx
/usr/bin/adahaxdilx	1668	adahaxdilx
/usr/bin/adahaxdilx	1671	adahaxdilx

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/6387622dc599a220749b77411a56d13f

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/uahrwyjhta
File opened for modification	/usr/bin/zsttqbunbf
File opened for modification	/usr/bin/hnosvwaptk
File opened for modification	/usr/bin/ymlxsacwrp
File opened for modification	/usr/bin/adahaxdilx

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/meminfo	Process not Found

/tmp/6387622dc599a220749b77411a56d13f
/tmp/6387622dc599a220749b77411a56d13f
1⤵
PID:1539

/bin/chkconfig
chkconfig --add 6387622dc599a220749b77411a56d13f
1⤵
PID:1552

/sbin/chkconfig
chkconfig --add 6387622dc599a220749b77411a56d13f
1⤵
PID:1552

/usr/bin/chkconfig
chkconfig --add 6387622dc599a220749b77411a56d13f
1⤵
PID:1552

/usr/sbin/chkconfig
chkconfig --add 6387622dc599a220749b77411a56d13f
1⤵
PID:1552

/usr/local/bin/chkconfig
chkconfig --add 6387622dc599a220749b77411a56d13f
1⤵
PID:1552

/usr/local/sbin/chkconfig
chkconfig --add 6387622dc599a220749b77411a56d13f
1⤵
PID:1552

/usr/X11R6/bin/chkconfig
chkconfig --add 6387622dc599a220749b77411a56d13f
1⤵
PID:1552

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1555
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1556

/bin/update-rc.d
update-rc.d 6387622dc599a220749b77411a56d13f defaults
1⤵
PID:1554

/sbin/update-rc.d
update-rc.d 6387622dc599a220749b77411a56d13f defaults
1⤵
PID:1554

/usr/bin/update-rc.d
update-rc.d 6387622dc599a220749b77411a56d13f defaults
1⤵
PID:1554

/usr/sbin/update-rc.d
update-rc.d 6387622dc599a220749b77411a56d13f defaults
1⤵
PID:1554
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1563

/usr/bin/uahrwyjhta
/usr/bin/uahrwyjhta bash 1550
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/uahrwyjhta
/usr/bin/uahrwyjhta "ifconfig eth0" 1550
1⤵
- Executes dropped EXE
PID:1588

/usr/bin/uahrwyjhta
/usr/bin/uahrwyjhta su 1550
1⤵
- Executes dropped EXE
PID:1591

/usr/bin/uahrwyjhta
/usr/bin/uahrwyjhta uptime 1550
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/uahrwyjhta
/usr/bin/uahrwyjhta "echo \"find\"" 1550
1⤵
- Executes dropped EXE
PID:1597

/usr/bin/zsttqbunbf
/usr/bin/zsttqbunbf "netstat -antop" 1550
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/zsttqbunbf
/usr/bin/zsttqbunbf ls 1550
1⤵
- Executes dropped EXE
PID:1603

/usr/bin/zsttqbunbf
/usr/bin/zsttqbunbf "cat resolv.conf" 1550
1⤵
- Executes dropped EXE
PID:1606

/usr/bin/zsttqbunbf
/usr/bin/zsttqbunbf "ifconfig eth0" 1550
1⤵
- Executes dropped EXE
PID:1609

/usr/bin/zsttqbunbf
/usr/bin/zsttqbunbf who 1550
1⤵
- Executes dropped EXE
PID:1612

/usr/bin/hnosvwaptk
/usr/bin/hnosvwaptk "cat resolv.conf" 1550
1⤵
- Executes dropped EXE
PID:1615

/usr/bin/hnosvwaptk
/usr/bin/hnosvwaptk "ifconfig eth0" 1550
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/hnosvwaptk
/usr/bin/hnosvwaptk who 1550
1⤵
- Executes dropped EXE
PID:1621

/usr/bin/hnosvwaptk
/usr/bin/hnosvwaptk "echo \"find\"" 1550
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/hnosvwaptk
/usr/bin/hnosvwaptk "ps -ef" 1550
1⤵
- Executes dropped EXE
PID:1627

/usr/bin/ymlxsacwrp
/usr/bin/ymlxsacwrp pwd 1550
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/ymlxsacwrp
/usr/bin/ymlxsacwrp "netstat -antop" 1550
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/ymlxsacwrp
/usr/bin/ymlxsacwrp gnome-terminal 1550
1⤵
- Executes dropped EXE
PID:1638

/usr/bin/ymlxsacwrp
/usr/bin/ymlxsacwrp su 1550
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/ymlxsacwrp
/usr/bin/ymlxsacwrp gnome-terminal 1550
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/adahaxdilx
/usr/bin/adahaxdilx "route -n" 1550
1⤵
- Executes dropped EXE
PID:1662

/usr/bin/adahaxdilx
/usr/bin/adahaxdilx id 1550
1⤵
- Executes dropped EXE
PID:1665

/usr/bin/adahaxdilx
/usr/bin/adahaxdilx "cd /etc" 1550
1⤵
- Executes dropped EXE
PID:1668

/usr/bin/adahaxdilx
/usr/bin/adahaxdilx "ls -la" 1550
1⤵
- Executes dropped EXE
PID:1671

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
229B

MD5
eb3aa38df5d98249f05687bd58ec5aa9

SHA1
fc35c059d8594e57f095d50ce7fe3e4ce467a7a1

SHA256
6d65d0f293c413396954a07244e036fc80a64d8e33f123375530e73e0557b60c

SHA512
6b409a48424cbe5b3f9a3e05c5784122e286d65152dfe62ef78c4202840cbf6c5dfee19d0b9ac9d58a3fba8ea69518368430ed2f6c959c261dc1a9a19322923f

Download Submit
/etc/init.d/6387622dc599a220749b77411a56d13f

Filesize
425B

MD5
e51d08fcbdf5d79728e7131776461a12

SHA1
9ef59035487be9e7322aeac5d88fb3994c263463

SHA256
12c2529ef335a2c244a56fd58330c5b91d5c0012e3992eba32ced3ea72657bfe

SHA512
e2ce5f799555f7a18f1319ca9f07f8c4dedae0003d92fdc1c6d39e2992e97167fc34342cf3ca9ff67d672f6ef55582dfd4f01366144fb52ccd1c5151591fc1b4

Download Submit
/etc/sedvgDtnB

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc.so

Filesize
604KB

MD5
6387622dc599a220749b77411a56d13f

SHA1
112dd3302d0293399948fdeb8931a6159c62e390

SHA256
74ea918b27f1952f47ab52e75de09f623e29928301da16ac5c27bd5ef8475520

SHA512
03b8dd65a0574fda6a3eb7274439ccbea05b7bcf9d4a2ffbe0b46bdf58a13e8b25d784aa6f4338c3366bb207e9e973faf131127ef2ab9ae8f87953b34f27b094

Download Submit
/run/mount.pid

Filesize
32B

MD5
d7d332a9b58e58763aca9249a906f3a1

SHA1
68e6ff2f05865510ebe9c274dcea9e91f5f15103

SHA256
0543792ac060d7407dd7b70e9c75609e2aa9c153735a6046ceda04f85590f3da

SHA512
4a8c0e00a8be6a67e8ecf74d36b54e5c395c56c87122914dd55cc5415b7e4ee1d6adba708c5a99a048a1f359a532cabe54f189cbd38f3f9be77b49ac3c402129

Download Submit
/usr/bin/hnosvwaptk

Filesize
604KB

MD5
bfb32b233a6e26ff4c83f43b80525e22

SHA1
f2a4bf6f29cc0f977114cf9d392f25ba48c53256

SHA256
38dc4f0728070cf41b2e5251b676dafc4ba95672c73df38456dee80fe87837c3

SHA512
09a27a7421eeae50287b6018882a80d3c2d523ba676e64bd5c96810c1a35f77eb1b2755e683c1a8bad8e4c1bfa3950818abb75a4d915855b7adef5b10f8ea480

Download Submit
/usr/bin/hnosvwaptk

Filesize
604KB

MD5
4ec22b4ae87b105f31b62d2745662213

SHA1
0c91194ad4857ac960de27cd09db8bb1289c0984

SHA256
ed89721eaa61bfd384d6a2f131bc51645826c97c2bfa48602fa3ac15616a3067

SHA512
0e0339c55f3db15f1d6b05d253355a3e3134c61e6a02544ddc3fd2bac6ad837fb8e131a8a166ee8d1d9e547fc3dbb048e4f55b61d5d6c9f6c067f4a25635635c

Download Submit
/usr/bin/zsttqbunbf

Filesize
604KB

MD5
95967e7471752af71a0af9c30fd36d2e

SHA1
6fe4a023727971c92341ba29ca65e2dfb2659050

SHA256
b20345cd35b39724292fd2fa009e17e95e77a99325235f50694e7d3bef6b5362

SHA512
f79834b7cf69ea526164e0fdff9db893cd11b9381c99bf1081974f2e394372f919f374799b62fe7efe07815aa16f26783293c8cac2bf5bc67de9e4865e03c47c

Download Submit
/usr/bin/zsttqbunbf

Filesize
604KB

MD5
4c8b18ac00413646eaf805de36442d72

SHA1
d9545f2e5f5f0be53167193e83b7d2362ae0a9cb

SHA256
35415ae65fe7a65f4271857dfb6bc65298ef93109c99ae8dc78b271eaf546d7a

SHA512
baa8100ad1dcec5481a4154ff5f98e315001746379718d389b5851642a3768365f535b8b5d1d03669d9068f21c6ddeb4898ad749a327894b8311f26c793c77a5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads