xorddos | 077574431ff1b30d6985d75d3b047f7df05c1d4ee471f68f84ad24909764ea33

Analysis

max time kernel
155s
max time network
158s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c7dbfcef9364588a0afd8d1a1eab82f
Size

647KB
MD5

6c7dbfcef9364588a0afd8d1a1eab82f
SHA1

d46952dca5d5eaf1bb177f39611eae7cf0ede1f5
SHA256

077574431ff1b30d6985d75d3b047f7df05c1d4ee471f68f84ad24909764ea33
SHA512

141c02290e27316f5a1932d5121d6e4f08ece2a02d333d63adbd40918f69e699a0ac89992eedc376e4856e1d3e11622915dc467d3d59eb65307082927854ad46
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

pay.wowoinn.com:7709

2.168.1.131:3826

abcd.com:8080

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 5 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-25.dat	family_xorddos
behavioral1/files/fstream-28.dat	family_xorddos
behavioral1/files/fstream-29.dat	family_xorddos

Deletes itself 1 IoCs

pid
1554

Executes dropped EXE 30 IoCs

ioc	pid	Process
/boot/ctibsexsvn	1556	ctibsexsvn
/boot/wxkfwmimdq	1568	wxkfwmimdq
/boot/atiddrczed	1595	atiddrczed
/boot/upoembrvcq	1598	upoembrvcq
/boot/ysdjqpvgke	1601	ysdjqpvgke
/boot/xozdbaslgb	1604	xozdbaslgb
/boot/vnpggqkvzl	1609	vnpggqkvzl
/boot/gojmyyhjja	1612	gojmyyhjja
/boot/eseecharyh	1615	eseecharyh
/boot/gsbmxgfrrz	1618	gsbmxgfrrz
/boot/feqksggdnb	1621	feqksggdnb
/boot/lxxjcvbxel	1624	lxxjcvbxel
/boot/bmsnpcisga	1627	bmsnpcisga
/boot/dyfisrkhle	1630	dyfisrkhle
/boot/dovjmraepk	1633	dovjmraepk
/boot/bmnmnyqtpr	1636	bmnmnyqtpr
/boot/zqjvidiayh	1639	zqjvidiayh
/boot/rekyahgsrd	1642	rekyahgsrd
/boot/vzdqjrpgjf	1645	vzdqjrpgjf
/boot/fwqyiaxwbc	1648	fwqyiaxwbc
/boot/fekuihjupj	1651	fekuihjupj
/boot/whbezxvmbw	1654	whbezxvmbw
/boot/gsjkwlmxnq	1657	gsjkwlmxnq
/boot/mceaagdtem	1661	mceaagdtem
/boot/iaaodhutta	1678	iaaodhutta
/boot/zybddbfsfe	1681	zybddbfsfe
/boot/ngrcltfzzq	1684	ngrcltfzzq
/boot/eektjtguxg	1687	eektjtguxg
/boot/mmumimbybc	1690	mmumimbybc
/boot/cvwtlmrpbr	1693	cvwtlmrpbr

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/crontab	sh
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/ctibsexsvn

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl

/tmp/6c7dbfcef9364588a0afd8d1a1eab82f
/tmp/6c7dbfcef9364588a0afd8d1a1eab82f
1⤵
PID:1553

/boot/ctibsexsvn
/boot/ctibsexsvn
1⤵
- Executes dropped EXE
PID:1556

/bin/chkconfig
chkconfig --add ctibsexsvn
1⤵
PID:1559

/sbin/chkconfig
chkconfig --add ctibsexsvn
1⤵
PID:1559

/usr/bin/chkconfig
chkconfig --add ctibsexsvn
1⤵
PID:1559

/usr/sbin/chkconfig
chkconfig --add ctibsexsvn
1⤵
PID:1559

/usr/local/bin/chkconfig
chkconfig --add ctibsexsvn
1⤵
PID:1559

/usr/local/sbin/chkconfig
chkconfig --add ctibsexsvn
1⤵
PID:1559

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1562
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1563

/usr/X11R6/bin/chkconfig
chkconfig --add ctibsexsvn
1⤵
PID:1559

/bin/update-rc.d
update-rc.d ctibsexsvn defaults
1⤵
PID:1561

/sbin/update-rc.d
update-rc.d ctibsexsvn defaults
1⤵
PID:1561

/usr/bin/update-rc.d
update-rc.d ctibsexsvn defaults
1⤵
PID:1561

/usr/sbin/update-rc.d
update-rc.d ctibsexsvn defaults
1⤵
PID:1561
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1566

/boot/wxkfwmimdq
/boot/wxkfwmimdq pwd 1557
1⤵
- Executes dropped EXE
PID:1568

/boot/atiddrczed
/boot/atiddrczed "route -n" 1557
1⤵
- Executes dropped EXE
PID:1595

/boot/upoembrvcq
/boot/upoembrvcq "netstat -an" 1557
1⤵
- Executes dropped EXE
PID:1598

/boot/ysdjqpvgke
/boot/ysdjqpvgke "netstat -antop" 1557
1⤵
- Executes dropped EXE
PID:1601

/boot/xozdbaslgb
/boot/xozdbaslgb "ls -la" 1557
1⤵
- Executes dropped EXE
PID:1604

/boot/vnpggqkvzl
/boot/vnpggqkvzl "sleep 1" 1557
1⤵
- Executes dropped EXE
PID:1609

/boot/gojmyyhjja
/boot/gojmyyhjja "sleep 1" 1557
1⤵
- Executes dropped EXE
PID:1612

/boot/eseecharyh
/boot/eseecharyh "echo \"find\"" 1557
1⤵
- Executes dropped EXE
PID:1615

/boot/gsbmxgfrrz
/boot/gsbmxgfrrz whoami 1557
1⤵
- Executes dropped EXE
PID:1618

/boot/feqksggdnb
/boot/feqksggdnb "grep \"A\"" 1557
1⤵
- Executes dropped EXE
PID:1621

/boot/lxxjcvbxel
/boot/lxxjcvbxel "sleep 1" 1557
1⤵
- Executes dropped EXE
PID:1624

/boot/bmsnpcisga
/boot/bmsnpcisga "echo \"find\"" 1557
1⤵
- Executes dropped EXE
PID:1627

/boot/dyfisrkhle
/boot/dyfisrkhle uptime 1557
1⤵
- Executes dropped EXE
PID:1630

/boot/dovjmraepk
/boot/dovjmraepk id 1557
1⤵
- Executes dropped EXE
PID:1633

/boot/bmnmnyqtpr
/boot/bmnmnyqtpr "ps -ef" 1557
1⤵
- Executes dropped EXE
PID:1636

/boot/zqjvidiayh
/boot/zqjvidiayh "echo \"find\"" 1557
1⤵
- Executes dropped EXE
PID:1639

/boot/rekyahgsrd
/boot/rekyahgsrd "route -n" 1557
1⤵
- Executes dropped EXE
PID:1642

/boot/vzdqjrpgjf
/boot/vzdqjrpgjf sh 1557
1⤵
- Executes dropped EXE
PID:1645

/boot/fwqyiaxwbc
/boot/fwqyiaxwbc ls 1557
1⤵
- Executes dropped EXE
PID:1648

/boot/fekuihjupj
/boot/fekuihjupj bash 1557
1⤵
- Executes dropped EXE
PID:1651

/boot/whbezxvmbw
/boot/whbezxvmbw whoami 1557
1⤵
- Executes dropped EXE
PID:1654

/boot/gsjkwlmxnq
/boot/gsjkwlmxnq "sleep 1" 1557
1⤵
- Executes dropped EXE
PID:1657

/boot/mceaagdtem
/boot/mceaagdtem "sleep 1" 1557
1⤵
- Executes dropped EXE
PID:1661

/boot/iaaodhutta
/boot/iaaodhutta su 1557
1⤵
- Executes dropped EXE
PID:1678

/boot/zybddbfsfe
/boot/zybddbfsfe "route -n" 1557
1⤵
- Executes dropped EXE
PID:1681

/boot/ngrcltfzzq
/boot/ngrcltfzzq bash 1557
1⤵
- Executes dropped EXE
PID:1684

/boot/eektjtguxg
/boot/eektjtguxg "sleep 1" 1557
1⤵
- Executes dropped EXE
PID:1687

/boot/mmumimbybc
/boot/mmumimbybc sh 1557
1⤵
- Executes dropped EXE
PID:1690

/boot/cvwtlmrpbr
/boot/cvwtlmrpbr "netstat -an" 1557
1⤵
- Executes dropped EXE
PID:1693

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/bmsnpcisga

Filesize
39KB

MD5
679666861043d12ee00532dbd4ed0794

SHA1
de0d024226759b998d1e7315e9591a9398f2d78f

SHA256
b382ed14015c6d937413f275fd47fe12015966364029290f20bee3bb763db76b

SHA512
4556a72b83a07453dce6913720912be66f79899efe561b17cbb739417df26c52fcd2d72391e621c1f26ef40d77fe224b560ec60004527eebbbc3e508224354a7

Download Submit
/boot/fwqyiaxwbc

Filesize
87KB

MD5
a096d5b2995ebc6131b22ab2c92c099e

SHA1
009df16812edcb35fee9c0d39a554326a95e41ab

SHA256
906753d3b08b75eb85c29bd0ab8a67fa81333b5dd6d0c53040068b8e6f02ee0a

SHA512
a77cb4a23a0193604e67f0965f967621d636c4d4641309f6ccd12bc1edee09ef6307b92d5177068b49f4d6c30a59384a5ec3b319f260ecc7547d3e7cc63d5918

Download Submit
/boot/gsjkwlmxnq

Filesize
11KB

MD5
111663596afb7b9fbc98e8115c2c1bfb

SHA1
9f7fdb5a501ed052b41a8012f0e03f8bd0e621be

SHA256
91288ab08e6f4288f3e771a6e8db83ded98acb0283549f40538fcf1480516a27

SHA512
38127a6ea2416546de9643f4992b5b4ad1f107f547e68a4d5f030f036366f0cc4ca44a48d9f95314253408a36dfac227cd64f62fb07febed8717454ee8697b14

Download Submit
/boot/mceaagdtem

Filesize
20KB

MD5
e63ad2392ec7fe298660874f493e357c

SHA1
dda6cd05dac958076efc282521cc8be944d761ad

SHA256
86f976be89c9b6359a4fce5636c3c8511182e3fe2ed8159a1523d2503bac80be

SHA512
ee71245c66e6c18ae7f0b7d476dfebb9fc6b2dd721570835e456bfd328e2715f6146e741dccf1d76ff429e84b1bdce655b6b0363d3bfb10f97dcac7b5b6fd5f7

Download Submit
/etc/cron.hourly/cron.sh

Filesize
223B

MD5
b791b087b1795e3674a9aa765c76fc04

SHA1
b53f478234ae97f3cdbf2e7fe7ec68d687feb7c1

SHA256
1c1e9b69cf8021bf7ce1f60dcaa2d31c1e21ed4b6e474f3571da81ffd5a9b69e

SHA512
2dcc2e478c51cf8118306fd5c744aad7147e368cbc4329db1cc5fac52088a7f3354079ae2b582b270495789e4fb4591538ec88bb5ea40eec646f360bac33bbb2

Download Submit
/etc/init.d/ctibsexsvn

Filesize
317B

MD5
0dfdd206d3334d9dee26d977c9252c45

SHA1
d9e32387974ceec56ecee4dc5a76e21c85332acb

SHA256
ce2086390369abd17fc4f2f3c0c17dd6fe7a29f7af1fa16b5e363531f19e835c

SHA512
8304dbceb0a1417e150bc7eb2a75463cc9e98d26cc74ce2d88d75c541ea336877129cc3d967c50fd0a65094d9d59ce131d198918a0be896b95b971a6a2daade5

Download Submit
/etc/sedEYATpr

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/udev/udev

Filesize
647KB

MD5
6c7dbfcef9364588a0afd8d1a1eab82f

SHA1
d46952dca5d5eaf1bb177f39611eae7cf0ede1f5

SHA256
077574431ff1b30d6985d75d3b047f7df05c1d4ee471f68f84ad24909764ea33

SHA512
141c02290e27316f5a1932d5121d6e4f08ece2a02d333d63adbd40918f69e699a0ac89992eedc376e4856e1d3e11622915dc467d3d59eb65307082927854ad46

Download Submit
/run/sftp.pid

Filesize
32B

MD5
2f2d62da95f9f76ba39e3bf6dc35c14a

SHA1
2b54b5c1e52bbbfc01a8141bca6336d969257414

SHA256
70877733fffc30a232e903a32ddf94f5e7c0a73f74d9d070f6b04018dd38640a

SHA512
ece15ffa7c6e4bd8026fae83e1d79401fbffde9daf7f867eff0c477cde1a26920fb9d7c115b1753ed2f246c69a4eb4324a6f5cb2114ad2f68916b18f8bc14e43

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads