xorddos | fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34

Analysis

max time kernel
151s
max time network
154s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83eea5625ca2affd3e841d3b374e88eb
Size

611KB
MD5

83eea5625ca2affd3e841d3b374e88eb
SHA1

dca946f677a1be95fb3ef6adc950730b4736a405
SHA256

fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34
SHA512

a856a78004812a5aa75f52ecaa3690d5edfc98179b4c34f23434cd9d60e0a0ea7dc6e3ab30e311f7da088267de026552155c9a46cc3c3dda99544e67969e3a1c
SSDEEP

12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tipx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhpfNiGQl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3310

ns4.hostasa.org:3310

ns1.hostasa.org:3310

ns2.hostasa.org:3310

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 11 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 6 IoCs

pid
1633
1637
1639
1642
1644
1648

Executes dropped EXE 22 IoCs

ioc	pid	Process
/usr/bin/iypfdlcleo	1532	iypfdlcleo
/usr/bin/iypfdlcleo	1537	iypfdlcleo
/usr/bin/iypfdlcleo	1541	iypfdlcleo
/usr/bin/iypfdlcleo	1544	iypfdlcleo
/usr/bin/iypfdlcleo	1547	iypfdlcleo
/usr/bin/ycmojhtwqa	1571	ycmojhtwqa
/usr/bin/ycmojhtwqa	1574	ycmojhtwqa
/usr/bin/ycmojhtwqa	1577	ycmojhtwqa
/usr/bin/ycmojhtwqa	1580	ycmojhtwqa
/usr/bin/ycmojhtwqa	1583	ycmojhtwqa
/usr/bin/fibmwhycko	1589	fibmwhycko
/usr/bin/fibmwhycko	1592	fibmwhycko
/usr/bin/fibmwhycko	1595	fibmwhycko
/usr/bin/fibmwhycko	1598	fibmwhycko
/usr/bin/fibmwhycko	1601	fibmwhycko
/usr/bin/thyyakdgqb	1625	thyyakdgqb
/usr/bin/thyyakdgqb	1634	thyyakdgqb
/usr/bin/thyyakdgqb	1636	thyyakdgqb
/usr/bin/thyyakdgqb	1640	thyyakdgqb
/usr/bin/thyyakdgqb	1643	thyyakdgqb
/usr/bin/vfjtvvzkxm	1646	vfjtvvzkxm
/usr/bin/vfjtvvzkxm	1649	vfjtvvzkxm

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/crontab	sh
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/83eea5625ca2affd3e841d3b374e88eb

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/iypfdlcleo
File opened for modification	/usr/bin/ycmojhtwqa
File opened for modification	/usr/bin/fibmwhycko
File opened for modification	/usr/bin/thyyakdgqb
File opened for modification	/usr/bin/vfjtvvzkxm

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl

/tmp/83eea5625ca2affd3e841d3b374e88eb
/tmp/83eea5625ca2affd3e841d3b374e88eb
1⤵
PID:1520

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1526
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1527

/bin/chkconfig
chkconfig --add 83eea5625ca2affd3e841d3b374e88eb
1⤵
PID:1523

/sbin/chkconfig
chkconfig --add 83eea5625ca2affd3e841d3b374e88eb
1⤵
PID:1523

/usr/bin/chkconfig
chkconfig --add 83eea5625ca2affd3e841d3b374e88eb
1⤵
PID:1523

/usr/sbin/chkconfig
chkconfig --add 83eea5625ca2affd3e841d3b374e88eb
1⤵
PID:1523

/usr/local/bin/chkconfig
chkconfig --add 83eea5625ca2affd3e841d3b374e88eb
1⤵
PID:1523

/usr/local/sbin/chkconfig
chkconfig --add 83eea5625ca2affd3e841d3b374e88eb
1⤵
PID:1523

/usr/X11R6/bin/chkconfig
chkconfig --add 83eea5625ca2affd3e841d3b374e88eb
1⤵
PID:1523

/bin/update-rc.d
update-rc.d 83eea5625ca2affd3e841d3b374e88eb defaults
1⤵
PID:1525

/sbin/update-rc.d
update-rc.d 83eea5625ca2affd3e841d3b374e88eb defaults
1⤵
PID:1525

/usr/bin/update-rc.d
update-rc.d 83eea5625ca2affd3e841d3b374e88eb defaults
1⤵
PID:1525

/usr/sbin/update-rc.d
update-rc.d 83eea5625ca2affd3e841d3b374e88eb defaults
1⤵
PID:1525
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1549

/usr/bin/iypfdlcleo
/usr/bin/iypfdlcleo bash 1521
1⤵
- Executes dropped EXE
PID:1532

/usr/bin/iypfdlcleo
/usr/bin/iypfdlcleo "ls -la" 1521
1⤵
- Executes dropped EXE
PID:1537

/usr/bin/iypfdlcleo
/usr/bin/iypfdlcleo "ls -la" 1521
1⤵
- Executes dropped EXE
PID:1541

/usr/bin/iypfdlcleo
/usr/bin/iypfdlcleo "echo \"find\"" 1521
1⤵
- Executes dropped EXE
PID:1544

/usr/bin/iypfdlcleo
/usr/bin/iypfdlcleo bash 1521
1⤵
- Executes dropped EXE
PID:1547

/usr/bin/ycmojhtwqa
/usr/bin/ycmojhtwqa "echo \"find\"" 1521
1⤵
- Executes dropped EXE
PID:1571

/usr/bin/ycmojhtwqa
/usr/bin/ycmojhtwqa "route -n" 1521
1⤵
- Executes dropped EXE
PID:1574

/usr/bin/ycmojhtwqa
/usr/bin/ycmojhtwqa top 1521
1⤵
- Executes dropped EXE
PID:1577

/usr/bin/ycmojhtwqa
/usr/bin/ycmojhtwqa "ls -la" 1521
1⤵
- Executes dropped EXE
PID:1580

/usr/bin/ycmojhtwqa
/usr/bin/ycmojhtwqa ifconfig 1521
1⤵
- Executes dropped EXE
PID:1583

/usr/bin/fibmwhycko
/usr/bin/fibmwhycko ls 1521
1⤵
- Executes dropped EXE
PID:1589

/usr/bin/fibmwhycko
/usr/bin/fibmwhycko "sleep 1" 1521
1⤵
- Executes dropped EXE
PID:1592

/usr/bin/fibmwhycko
/usr/bin/fibmwhycko ls 1521
1⤵
- Executes dropped EXE
PID:1595

/usr/bin/fibmwhycko
/usr/bin/fibmwhycko su 1521
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/fibmwhycko
/usr/bin/fibmwhycko id 1521
1⤵
- Executes dropped EXE
PID:1601

/usr/bin/thyyakdgqb
/usr/bin/thyyakdgqb pwd 1521
1⤵
- Executes dropped EXE
PID:1625

/usr/bin/thyyakdgqb
/usr/bin/thyyakdgqb pwd 1521
1⤵
- Executes dropped EXE
PID:1634

/usr/bin/thyyakdgqb
/usr/bin/thyyakdgqb who 1521
1⤵
- Executes dropped EXE
PID:1636

/usr/bin/thyyakdgqb
/usr/bin/thyyakdgqb bash 1521
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/thyyakdgqb
/usr/bin/thyyakdgqb su 1521
1⤵
- Executes dropped EXE
PID:1643

/usr/bin/vfjtvvzkxm
/usr/bin/vfjtvvzkxm bash 1521
1⤵
- Executes dropped EXE
PID:1646

/usr/bin/vfjtvvzkxm
/usr/bin/vfjtvvzkxm "ps -ef" 1521
1⤵
- Executes dropped EXE
PID:1649

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/83eea5625ca2affd3e841d3b374e88eb

Filesize
425B

MD5
9a0cfae1607e019dcda6d34984188199

SHA1
76bdb0e8ca42b2423558eac59ab76e676c486a37

SHA256
7ca2790ceac39720a92f893005ca59f3ba661acf51c243cfb4c960abc6448155

SHA512
f0b75f57663ee921b340eaa181fabe3e77b13594c531a573215fd3ef4ef6e1d254b0974d2b8aa0969c8048030f766fc5a9905f07d46e2c49dde1645df535615b

Download Submit
/etc/sedR0tDd0

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
83eea5625ca2affd3e841d3b374e88eb

SHA1
dca946f677a1be95fb3ef6adc950730b4736a405

SHA256
fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34

SHA512
a856a78004812a5aa75f52ecaa3690d5edfc98179b4c34f23434cd9d60e0a0ea7dc6e3ab30e311f7da088267de026552155c9a46cc3c3dda99544e67969e3a1c

Download Submit
/run/gcc.pid

Filesize
32B

MD5
797350e1cda5b87fe103c9ff366fec5d

SHA1
f374307aa1743765593a04c28aa29ef64c7373f3

SHA256
6f3683a104d7c924d55cb952384db8a16384e49f031e4b4b4d053413cb3ea19c

SHA512
01d52d08f0b2893bc91b0d41931dc893947c3f464c8ed74eb3f35070d8a01b36d2e04edfef0512c9991f1400a7f7828118da69b97ee123fbf368ccb0d808eea3

Download Submit
/usr/bin/fibmwhycko

Filesize
611KB

MD5
c55f9892956ae5d3e4b289ca2fd07046

SHA1
8d313c7facc41a3d4991b1b216c309993c3ab92b

SHA256
17f12bfacafcfdc7c68346ed7a5448315edbe086d7fadaf62faaf9a7093f35a0

SHA512
6c4f1423a6791b5953107961dc535f6dba21cb34de1603c05b328f2b1b68b2a621a2f7d81724d82ff7e081e7b19e12d619aae22873467689ba176af19b5dbc21

Download Submit
/usr/bin/fibmwhycko

Filesize
611KB

MD5
be34fe2cb7c48e7d362eb16db71de4f5

SHA1
2ad1d24c25082a7f4486258731e42c6cb36ed084

SHA256
9f596ca8cff6db1a50388cccc29d4b16242c695e221d12699425d70492f080a3

SHA512
032e92b2d25448ac9a71d18fa592185370ede150068f93c8d4e874f7bfd4164b2f311e2a0005aef7ed8754588556fb42a23c74f921daae13e45d5fdc86c765f4

Download Submit
/usr/bin/iypfdlcleo

Filesize
611KB

MD5
e90dabd864d6e771bdba2fac59c938d1

SHA1
bc2c50057b1661fc9fa5441d924909932850e01f

SHA256
94da6100a8eb6a62ed1db8dd877781d2c0a6636d8dd37447f8ee74cfffc29a66

SHA512
fc6516f3526e1c1c5cfc816190f47cab292a8a19f2053f54fab1ff70ece7f7acfcb29e9c4dc306940ae40b95e52a2d50b2bb6373d01917258d08650fce5cdc56

Download Submit
/usr/bin/iypfdlcleo

Filesize
611KB

MD5
4fd14159f59a1d3cc061c45e06d856ad

SHA1
1afe84a1a07f07e4e26bba31c1fe52149bcc646a

SHA256
68b18cb86afc5efb0fe1bcb28e56805ee90e3871b56690466a5c90f1436d5a49

SHA512
c36237dd30cee215a87c664c5c7cb2f40ee79591d34298f805af1f2c47baf6e2d3c314b9a03dfc08a363d2a956313a63bd8afb629b7938828f33a3be367ee854

Download Submit
/usr/bin/thyyakdgqb

Filesize
611KB

MD5
45b12396d8df488b7f3bec01966f5560

SHA1
6233054c321f4602f1197c497fd65b96919b66a7

SHA256
586603f6cfdf30322d7e8b4a9365d359aa7d68fa9f4e36787ea5cf00329e0342

SHA512
fe04e514ccd0e203f261f3952ae8ec9debe3c230b82f6f4627156a99cc7dfcdb6688747929207af72e5ba9108e982b6cf14ee17de1da6b2dabdf6bbb02ef90f0

Download Submit
/usr/bin/thyyakdgqb

Filesize
611KB

MD5
bf9c9beaa1bc5e1e34fe42f6e25eded8

SHA1
3ec929d6ddd0f8f1bc3b68dabed46be1f99573f4

SHA256
0ef5cd348e8337b53deb484f166121d1e23f5bac0696bd871f30bb989bce3e68

SHA512
7af5e3656200003b5d2815e24cffa407a53e77a880c0ee79da5cabd5a7b67a10cff0dd3e88fc76dcd9206ed2dc4a692b66fe1883686c5fb22d38824a9de2f309

Download Submit
/usr/bin/vfjtvvzkxm

Filesize
611KB

MD5
88f670ed83a40fc2fce78c99e7a501c0

SHA1
9bd3514ff679ceb48e2fb472a982b046b0c1d58c

SHA256
2382fff7ed5f3c0a364f81fef5ff47b365ac506ef15f3cfb4f6ae07755213579

SHA512
d4dbae1e0965fd5879c354f3f91d316b2cdfda240e7388ee8fe7e586a451fb112503c43e13599dcb18d2b1b4aa41a89bc9c3beb5797497c8a4be5a2fd58e3e1d

Download Submit
/usr/bin/vfjtvvzkxm

Filesize
611KB

MD5
e5d4a8dfc77ea40847a2a1c6845ad8ce

SHA1
9f0a92bf592c457fcc7b0bd028b84091365cccbe

SHA256
120663c6c8b5fb10d07db96143ae50c5422073f825909c4eef31a468be67a2cb

SHA512
891b30c601d991290f6228aab372aefe8ef71baee7838c8fa842e9c2e854f87c9e46bf06d25140b4c90309675b31f17f37969a8b88bcd024ce5dc08c004f2f5c

Download Submit
/usr/bin/ycmojhtwqa

Filesize
611KB

MD5
ce6e8d3b2027856a43e7465c8dd0de6e

SHA1
bbc3183141a3812d9db5123bf546710a88ce6638

SHA256
2c9db81de9eeeee3c8d073b8ce780760f181c9914d7758253e1f1255b5acf023

SHA512
c1c2d98e65cb24c8f8f93e7abb57c06375a3a51b41d8f19433f201de7fe5343ee1ebef0818a73838dea201a23245e8e3ea434cc3c26600151a7744f6d37d3b57

Download Submit
/usr/bin/ycmojhtwqa

Filesize
611KB

MD5
8b2a6ff24e99b2f2105f489354df8b75

SHA1
2d8ec0681372df428165b83083c774b9f1cf2e7c

SHA256
b772cd91513820a246ac75f41db709eff5b10a9ce2bd99314822894a260d7570

SHA512
81dadf4aadb3c3575da13c307effb33b2a30fcbb1ba03998b235b48d95dec2c9cd419ff597baf265e9a3d2e121face52a9d46608b27e2ece1fc3a1c49ecc1ee4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads