Analysis
max time kernel: 151s
max time network: 154s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231215-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 22-12-2023 10:10

Behavioral task: behavioral1
Sample: 83eea5625ca2affd3e841d3b374e88eb
Resource: ubuntu1804-amd64-20231215-en
General
Target: 83eea5625ca2affd3e841d3b374e88eb
Size: 611KB
MD5: 83eea5625ca2affd3e841d3b374e88eb
SHA1: dca946f677a1be95fb3ef6adc950730b4736a405
SHA256: fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34
SHA512: a856a78004812a5aa75f52ecaa3690d5edfc98179b4c34f23434cd9d60e0a0ea7dc6e3ab30e311f7da088267de026552155c9a46cc3c3dda99544e67969e3a1c
SSDEEP: 12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tipx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhpfNiGQl/91h
Malware Config
Extracted
family: xorddos
url: http://aa.hostasa.org/game.rar
c2:
  ns3.hostasa.org:3310
  ns4.hostasa.org:3310
  ns1.hostasa.org:3310
  ns2.hostasa.org:3310
crc_polynomial: EDB88320
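The crc_polynomial value in the extracted config, 0xEDB88320, is the bit-reflected form of the IEEE 802.3 CRC-32 polynomial 0x04C11DB7, i.e. the same checksum zlib, PNG and gzip use. The report does not say what the sample checksums with it, so the block below only demonstrates the polynomial itself: a table-driven reflected CRC-32 built from the reported value, a bit-reflection helper that maps it to the normal-form polynomial, and a comparison against zlib.crc32. This is an added example, not code from the report or from the malware; the CRC-32C polynomial 0x82F63B78 appears only to show that a different polynomial gives a different checksum for the same input.

```python
import zlib

# Polynomial reported in the extracted config above (reflected CRC-32 form).
CRC_POLY_REPORTED = 0xEDB88320
# IEEE 802.3 CRC-32 polynomial in its normal (non-reflected) form, for comparison.
CRC_POLY_IEEE_NORMAL = 0x04C11DB7

_TABLES = {}  # per-polynomial lookup-table cache


def reflect32(value: int) -> int:
    """Reverse the bit order of a 32-bit value (normal <-> reflected polynomial form)."""
    out = 0
    for i in range(32):
        if value & (1 << i):
            out |= 1 << (31 - i)
    return out


def make_crc_table(poly: int) -> list:
    """Build the 256-entry table for a reflected (LSB-first) CRC-32 with the given polynomial."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def crc32_reflected(data: bytes, poly: int = CRC_POLY_REPORTED) -> int:
    """Table-driven reflected CRC-32: init 0xFFFFFFFF, final XOR 0xFFFFFFFF (zlib/IEEE conventions)."""
    table = _TABLES.get(poly)
    if table is None:
        table = _TABLES[poly] = make_crc_table(poly)
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """True when the reported polynomial reproduces zlib's CRC-32 for `data`."""
    return crc32_reflected(data, CRC_POLY_REPORTED) == zlib.crc32(data)


if __name__ == "__main__":
    check = b"123456789"  # the conventional CRC check string
    print(hex(crc32_reflected(check)))        # reported polynomial -> 0xcbf43926
    print(hex(reflect32(CRC_POLY_REPORTED)))  # 0x4c11db7, the IEEE polynomial in normal form
    print(matches_zlib(check))                # True
```

If a config extractor ever reports a polynomial other than EDB88320 for a sample, the same code with that value substituted tells you whether the family has moved to a custom CRC or simply a different standard one (crc32_reflected(b"123456789", 0x82F63B78) yields the CRC-32C check value, for instance).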
Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

XorDDoS payload (11 IoCs)
Processes:
resource                          yara_rule
behavioral1/files/fstream-5.dat   family_xorddos
behavioral1/files/fstream-8.dat   family_xorddos
behavioral1/files/fstream-9.dat   family_xorddos
behavioral1/files/fstream-11.dat  family_xorddos
behavioral1/files/fstream-12.dat  family_xorddos
behavioral1/files/fstream-14.dat  family_xorddos
behavioral1/files/fstream-15.dat  family_xorddos
behavioral1/files/fstream-17.dat  family_xorddos
behavioral1/files/fstream-18.dat  family_xorddos
behavioral1/files/fstream-20.dat  family_xorddos
behavioral1/files/fstream-21.dat  family_xorddos
Deletes itself (6 IoCs)
Processes:
pid: 1633, 1637, 1639, 1642, 1644, 1648
Executes dropped EXE (22 IoCs)
Processes:
ioc                  pid   Process
/usr/bin/iypfdlcleo  1532  iypfdlcleo
/usr/bin/iypfdlcleo  1537  iypfdlcleo
/usr/bin/iypfdlcleo  1541  iypfdlcleo
/usr/bin/iypfdlcleo  1544  iypfdlcleo
/usr/bin/iypfdlcleo  1547  iypfdlcleo
/usr/bin/ycmojhtwqa  1571  ycmojhtwqa
/usr/bin/ycmojhtwqa  1574  ycmojhtwqa
/usr/bin/ycmojhtwqa  1577  ycmojhtwqa
/usr/bin/ycmojhtwqa  1580  ycmojhtwqa
/usr/bin/ycmojhtwqa  1583  ycmojhtwqa
/usr/bin/fibmwhycko  1589  fibmwhycko
/usr/bin/fibmwhycko  1592  fibmwhycko
/usr/bin/fibmwhycko  1595  fibmwhycko
/usr/bin/fibmwhycko  1598  fibmwhycko
/usr/bin/fibmwhycko  1601  fibmwhycko
/usr/bin/thyyakdgqb  1625  thyyakdgqb
/usr/bin/thyyakdgqb  1634  thyyakdgqb
/usr/bin/thyyakdgqb  1636  thyyakdgqb
/usr/bin/thyyakdgqb  1640  thyyakdgqb
/usr/bin/thyyakdgqb  1643  thyyakdgqb
/usr/bin/vfjtvvzkxm  1646  vfjtvvzkxm
/usr/bin/vfjtvvzkxm  1649  vfjtvvzkxm
Creates/modifies Cron job (1 TTPs, 2 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description                   ioc                      Process
File opened for modification  /etc/crontab             sh
File opened for modification  /etc/cron.hourly/gcc.sh
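Taken together, the dropped-EXE and cron signatures above give a host triage checklist: ten-letter lowercase binaries under /usr/bin that appear in sets of repeated executions, a modified /etc/crontab, a script named /etc/cron.hourly/gcc.sh, and connections to the hostasa.org hosts on port 3310 (or the download host). The block below runs those checks over constructed sample data (a fake /usr/bin listing, a fake /etc/crontab, and a fake connection table) so it executes offline. It is an added example, not part of the sandbox report or of any tooling the report used; the KNOWN_GOOD allowlist is an assumption used only to show how a legitimate ten-letter binary such as journalctl is kept out of the results, and on a real host package ownership (for example dpkg -S on the path) is the better check.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from this report.
C2_HOSTS = {"ns1.hostasa.org", "ns2.hostasa.org", "ns3.hostasa.org", "ns4.hostasa.org"}
C2_PORT = 3310
DOWNLOAD_HOST = "aa.hostasa.org"          # host of http://aa.hostasa.org/game.rar
CRON_SCRIPT = "/etc/cron.hourly/gcc.sh"

# Every dropped binary in this report is a ten-letter lowercase name under /usr/bin.
RANDOM_NAME_RE = re.compile(r"^[a-z]{10}$")

# Assumption for the example: names the heuristic would flag but which are legitimate here.
# On a real host, confirm with package ownership (dpkg -S /usr/bin/<name>) rather than a static list.
KNOWN_GOOD = {"journalctl"}


def suspicious_usr_bin(entries: List[str], known_good=KNOWN_GOOD) -> List[str]:
    """Return basenames from a /usr/bin listing that look like the dropped binaries in this report."""
    return [name for name in entries if RANDOM_NAME_RE.match(name) and name not in known_good]


def crontab_hits(crontab_text: str, suspect_bins: List[str]) -> List[str]:
    """Return non-comment crontab lines that run the reported cron script or a suspect binary."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if CRON_SCRIPT in s or any(f"/usr/bin/{b}" in s for b in suspect_bins):
            hits.append(s)
    return hits


def c2_hits(connections: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Flag (process, dst_host, dst_port) tuples that match the report's C2 list or download host."""
    return [c for c in connections
            if (c[1] in C2_HOSTS and c[2] == C2_PORT) or c[1] == DOWNLOAD_HOST]


# Constructed sample data (not captured from the sandbox run).
SAMPLE_USR_BIN = ["ls", "gcc", "journalctl", "iypfdlcleo", "ycmojhtwqa", "python3", "run-parts"]
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root /etc/cron.hourly/gcc.sh
* * * * * root /usr/bin/iypfdlcleo
"""
SAMPLE_CONNS = [
    ("iypfdlcleo", "ns3.hostasa.org", 3310),
    ("apt", "deb.debian.org", 80),
    ("wget", "aa.hostasa.org", 80),
    ("sshd", "ns1.hostasa.org", 22),   # same host, wrong port: not a C2 match
]


def triage() -> Dict[str, list]:
    """Run all three checks over the sample data and collect the findings."""
    bins = suspicious_usr_bin(SAMPLE_USR_BIN)
    return {
        "dropped_bins": bins,
        "cron": crontab_hits(SAMPLE_CRONTAB, bins),
        "c2": c2_hits(SAMPLE_CONNS),
    }


if __name__ == "__main__":
    for category, findings in triage().items():
        print(category)
        for f in findings:
            print("  ", f)
```

The name heuristic is deliberately loose; it exists to surface candidates for the ownership check, not to convict on its own. The cron check pairs the exact script path from the report with the candidate binaries so that a variant using a different script name but the same random-binary pattern still shows up.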