xorddos | 42629d9d813e59c3d2b7aac0da644ddb1824a8b286b39393ad50a945d51ab363

Analysis

max time kernel
147s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854f9f0fd26d823d0b678b7228154138
Size

596KB
MD5

854f9f0fd26d823d0b678b7228154138
SHA1

ebaed77107d5ba6ff3d45155232d3c3e9fe34373
SHA256

42629d9d813e59c3d2b7aac0da644ddb1824a8b286b39393ad50a945d51ab363
SHA512

217d5d6d7436c98ea7b89d008fb1fd671ca327ba8b61edd48a5507a15717f105ab4d4ace798a90afffcb8ae0062041005777fd6bfd1f31dc014a7ccf9e9d6497
SSDEEP

12288:bfTGy+n69+5rTlFEcMWbHvx5SGEuWdMF6yxm9Ah7Dxu9hc7L:rTG/0+5dq4bHvx5SGodMLTD4XcP

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2849

173.247.233.58:2849

iosapp.servegame.com:2849

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 12 IoCs

Processes:

resource	yara_rule
/lib/libgcc4.so	family_xorddos
/usr/bin/runpisbztk	family_xorddos
/usr/bin/runpisbztk	family_xorddos
/usr/bin/zmlbjpfxno	family_xorddos
/usr/bin/zmlbjpfxno	family_xorddos
/usr/bin/rgepgnpkni	family_xorddos
/usr/bin/rgepgnpkni	family_xorddos
/usr/bin/xeufyrnfwa	family_xorddos
/usr/bin/xeufyrnfwa	family_xorddos
/usr/bin/ahnfpgqmaw	family_xorddos
/usr/bin/ahnfpgqmaw	family_xorddos
/usr/bin/ahnfpgqmaw	family_xorddos

Deletes itself 3 IoCs

Processes:

pid

1722
1725
1728

pid
1722
1725
1728

Executes dropped EXE 23 IoCs

Processes:

runpisbztkrunpisbztkrunpisbztkrunpisbztkrunpisbztkzmlbjpfxnozmlbjpfxnozmlbjpfxnozmlbjpfxnozmlbjpfxnorgepgnpknirgepgnpknirgepgnpknirgepgnpknirgepgnpknixeufyrnfwaxeufyrnfwaxeufyrnfwaxeufyrnfwaxeufyrnfwaahnfpgqmawahnfpgqmawahnfpgqmaw

ioc	pid	process
/usr/bin/runpisbztk	1620	runpisbztk
/usr/bin/runpisbztk	1623	runpisbztk
/usr/bin/runpisbztk	1644	runpisbztk
/usr/bin/runpisbztk	1649	runpisbztk
/usr/bin/runpisbztk	1651	runpisbztk
/usr/bin/zmlbjpfxno	1665	zmlbjpfxno
/usr/bin/zmlbjpfxno	1667	zmlbjpfxno
/usr/bin/zmlbjpfxno	1670	zmlbjpfxno
/usr/bin/zmlbjpfxno	1673	zmlbjpfxno
/usr/bin/zmlbjpfxno	1676	zmlbjpfxno
/usr/bin/rgepgnpkni	1680	rgepgnpkni
/usr/bin/rgepgnpkni	1682	rgepgnpkni
/usr/bin/rgepgnpkni	1685	rgepgnpkni
/usr/bin/rgepgnpkni	1688	rgepgnpkni
/usr/bin/rgepgnpkni	1691	rgepgnpkni
/usr/bin/xeufyrnfwa	1704	xeufyrnfwa
/usr/bin/xeufyrnfwa	1706	xeufyrnfwa
/usr/bin/xeufyrnfwa	1709	xeufyrnfwa
/usr/bin/xeufyrnfwa	1712	xeufyrnfwa
/usr/bin/xeufyrnfwa	1716	xeufyrnfwa
/usr/bin/ahnfpgqmaw	1719	ahnfpgqmaw
/usr/bin/ahnfpgqmaw	1721	ahnfpgqmaw
/usr/bin/ahnfpgqmaw	1724	ahnfpgqmaw

Unexpected DNS network traffic destination 19 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/udev.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/854f9f0fd26d823d0b678b7228154138

description	ioc
File opened for modification	/etc/cron.hourly/udev.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/854f9f0fd26d823d0b678b7228154138

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/xeufyrnfwa
File opened for modification	/usr/bin/ahnfpgqmaw
File opened for modification	/usr/bin/runpisbztk
File opened for modification	/usr/bin/zmlbjpfxno
File opened for modification	/usr/bin/rgepgnpkni

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

Processes:

sedsystemctl

description	ioc	process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl

/tmp/854f9f0fd26d823d0b678b7228154138
/tmp/854f9f0fd26d823d0b678b7228154138
1⤵
PID:1607

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/udev.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/udev.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1613
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/udev.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1614

/bin/chkconfig
chkconfig --add 854f9f0fd26d823d0b678b7228154138
1⤵
PID:1610

/sbin/chkconfig
chkconfig --add 854f9f0fd26d823d0b678b7228154138
1⤵
PID:1610

/usr/bin/chkconfig
chkconfig --add 854f9f0fd26d823d0b678b7228154138
1⤵
PID:1610

/usr/sbin/chkconfig
chkconfig --add 854f9f0fd26d823d0b678b7228154138
1⤵
PID:1610

/usr/local/bin/chkconfig
chkconfig --add 854f9f0fd26d823d0b678b7228154138
1⤵
PID:1610

/usr/local/sbin/chkconfig
chkconfig --add 854f9f0fd26d823d0b678b7228154138
1⤵
PID:1610

/usr/X11R6/bin/chkconfig
chkconfig --add 854f9f0fd26d823d0b678b7228154138
1⤵
PID:1610

/bin/update-rc.d
update-rc.d 854f9f0fd26d823d0b678b7228154138 defaults
1⤵
PID:1612

/sbin/update-rc.d
update-rc.d 854f9f0fd26d823d0b678b7228154138 defaults
1⤵
PID:1612

/usr/bin/update-rc.d
update-rc.d 854f9f0fd26d823d0b678b7228154138 defaults
1⤵
PID:1612

/usr/sbin/update-rc.d
update-rc.d 854f9f0fd26d823d0b678b7228154138 defaults
1⤵
PID:1612
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1617

/usr/bin/runpisbztk
/usr/bin/runpisbztk ls 1608
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/runpisbztk
/usr/bin/runpisbztk "netstat -antop" 1608
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/runpisbztk
/usr/bin/runpisbztk "grep \"A\"" 1608
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/runpisbztk
/usr/bin/runpisbztk "ls -la" 1608
1⤵
- Executes dropped EXE
PID:1649

/usr/bin/runpisbztk
/usr/bin/runpisbztk "grep \"A\"" 1608
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/zmlbjpfxno
/usr/bin/zmlbjpfxno bash 1608
1⤵
- Executes dropped EXE
PID:1665

/usr/bin/zmlbjpfxno
/usr/bin/zmlbjpfxno bash 1608
1⤵
- Executes dropped EXE
PID:1667

/usr/bin/zmlbjpfxno
/usr/bin/zmlbjpfxno "cd /etc" 1608
1⤵
- Executes dropped EXE
PID:1670

/usr/bin/zmlbjpfxno
/usr/bin/zmlbjpfxno ls 1608
1⤵
- Executes dropped EXE
PID:1673

/usr/bin/zmlbjpfxno
/usr/bin/zmlbjpfxno uptime 1608
1⤵
- Executes dropped EXE
PID:1676

/usr/bin/rgepgnpkni
/usr/bin/rgepgnpkni "netstat -antop" 1608
1⤵
- Executes dropped EXE
PID:1680

/usr/bin/rgepgnpkni
/usr/bin/rgepgnpkni uptime 1608
1⤵
- Executes dropped EXE
PID:1682

/usr/bin/rgepgnpkni
/usr/bin/rgepgnpkni "ps -ef" 1608
1⤵
- Executes dropped EXE
PID:1685

/usr/bin/rgepgnpkni
/usr/bin/rgepgnpkni whoami 1608
1⤵
- Executes dropped EXE
PID:1688

/usr/bin/rgepgnpkni
/usr/bin/rgepgnpkni "netstat -antop" 1608
1⤵
- Executes dropped EXE
PID:1691

/usr/bin/xeufyrnfwa
/usr/bin/xeufyrnfwa su 1608
1⤵
- Executes dropped EXE
PID:1704

/usr/bin/xeufyrnfwa
/usr/bin/xeufyrnfwa sh 1608
1⤵
- Executes dropped EXE
PID:1706

/usr/bin/xeufyrnfwa
/usr/bin/xeufyrnfwa "ifconfig eth0" 1608
1⤵
- Executes dropped EXE
PID:1709

/usr/bin/xeufyrnfwa
/usr/bin/xeufyrnfwa ls 1608
1⤵
- Executes dropped EXE
PID:1712

/usr/bin/xeufyrnfwa
/usr/bin/xeufyrnfwa "sleep 1" 1608
1⤵
- Executes dropped EXE
PID:1716

/usr/bin/ahnfpgqmaw
/usr/bin/ahnfpgqmaw uptime 1608
1⤵
- Executes dropped EXE
PID:1719

/usr/bin/ahnfpgqmaw
/usr/bin/ahnfpgqmaw top 1608
1⤵
- Executes dropped EXE
PID:1721

/usr/bin/ahnfpgqmaw
/usr/bin/ahnfpgqmaw "netstat -antop" 1608
1⤵
- Executes dropped EXE
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/854f9f0fd26d823d0b678b7228154138

Filesize
425B

MD5
6aec5d783b236964c3d72980876ccb0e

SHA1
103f9ac0ea62fa6471b8d4b5e4df568bf8fde021

SHA256
5a5467dafd5f7ad7c717ff20dd485b14edc4dc25e133060f10873a0675b28617

SHA512
e51fa2a825dca3171cff36461e57e444b0397373f7701f637e8eb485089a41ad2f3e008e13e9e14acabf039ec850071a2e6a71a5b1b3a6a35d5d959d31798766

Download Submit
/etc/sedtKmkC0

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc4.so

Filesize
596KB

MD5
854f9f0fd26d823d0b678b7228154138

SHA1
ebaed77107d5ba6ff3d45155232d3c3e9fe34373

SHA256
42629d9d813e59c3d2b7aac0da644ddb1824a8b286b39393ad50a945d51ab363

SHA512
217d5d6d7436c98ea7b89d008fb1fd671ca327ba8b61edd48a5507a15717f105ab4d4ace798a90afffcb8ae0062041005777fd6bfd1f31dc014a7ccf9e9d6497

Download Submit
/run/udev.pid

Filesize
32B

MD5
2b822e92ecbaef4b6844fec6850b2a76

SHA1
22a1e8b1f5d4cf66578f4e8f3ec4852cc3fa61fb

SHA256
1ff758c491b8d4d0eab45617df62e33e5fc6c46a47a06b3727a395c0023614c9

SHA512
eb8e87658a80dd383ec363522989157dd65ef5d66a6b4fc7809540fecdcee107c470d8e5de3a291ab0bc9ad7f3d5be23f1f81d4275baacb1866d721a85fad9be

Download Submit
/usr/bin/ahnfpgqmaw

Filesize
19KB

MD5
76308504960c9a9f85d92da8b1894eec

SHA1
f470460255d6903a1c5f4f19973333224033af61

SHA256
3f9c4c00e4a4be1559bb3643a173a95ad7999555c271ca7a606ea0ce9b383532

SHA512
75c7912b55292ba7b262223b621fefd287cbdaadbe627a71d0845bda55287d0612307312d66ad33a0b613cc59a3b6c9df114313c1b72200ef3c2ebf0ade0b0af

Download Submit
/usr/bin/ahnfpgqmaw

Filesize
596KB

MD5
8bfd132dee69dfa39a69544fc516cfe8

SHA1
525924dfdff197c2e65f31e106477344a8b357a0

SHA256
92d50e13fda185b24585d5de9a1fea8605a70fd735a352de64cdceae711c272a

SHA512
750252aa44f35dca34a8a66dd7e3d23d49bc84fadf1bf7a1859ffca4958523c747c914adb1cb6a03d8a80a1567f2b6ba4565d3bdb02e3eba4605954705e54c79

Download Submit
/usr/bin/ahnfpgqmaw

Filesize
596KB

MD5
4ba9d0c01381fa1d17e610c4963ae9bf

SHA1
2426ec1b14014e2c90d89ff4477ae16bc23b2af1

SHA256
bada41db153b652663293f9ef093bc599417476addc3755643eef3bfa12755be

SHA512
aa51fcb65fbe60ea5950f66f6f79f3c661d0e4594341387246c0441c8ecfedd7bedd46845e111ce6cb9f08415f87ae73e86ebd6559461c03353dfff0b261f3b8

Download Submit
/usr/bin/rgepgnpkni

Filesize
596KB

MD5
d51d25fea281410c1ab99e3e834f819b

SHA1
bd0d64dcc088fdd24579f3ecf684cbc44a540610

SHA256
70853929c1132278133111525463c071ed6f06127b12cee7f360978e1e1a2bea

SHA512
feb63735dd0374ca12743f08d8785cd3514a3ad8295434a0abf2a4fa45a87f8effa5cf6ac1894ea7a041425168073dc81354eb5272211bff1f9c9ef9de30dad5

Download Submit
/usr/bin/rgepgnpkni

Filesize
596KB

MD5
68dd4cb39de4db5bddf1d7521cd7d7e7

SHA1
fdf6490d864b4e84372cfbafa6941518021dc9e3

SHA256
0a6f288a518feab32bf7313b503b8427b1e6f02fa88b115b57194e96f824ce2a

SHA512
89e0609c44dce3ac7ca6e2737b1d14082865665425d2d6d83dcbb0d82bdc7d045f14f0ba334e63c8c3b5bc887367481497b04e2a3706a8aba76611feda2b0978

Download Submit
/usr/bin/runpisbztk

Filesize
596KB

MD5
029cb4c4148d52527d9bf08e6b811955

SHA1
4dc5ff8911c0fdd0d4a29ff5abcc550b99ee5564

SHA256
cadc5611d47dd71f5d57bc466273b952299a9ec5b1b0aa6e93a8f1d17441b06d

SHA512
d8a1a31565bff982f47a12c942654d159e9e774bc07231e886adbca8e1caf001511c9886601f710f27af98c0b4a157d7997b2e95551736624bcf4ffdd4a2f47a

Download Submit
/usr/bin/runpisbztk

Filesize
596KB

MD5
ae986c90555c38287a6512099e760ae4

SHA1
d855ff4577491389e46e5a6f1fb169519b8dd938

SHA256
c2092b817c7690cc8014ece176b25f2bdefd750fed750dc76b2a5e08b5d00fd1

SHA512
6d09da396dc083312527e5ddc51e3e31e601471dea238e19684adc2ed03ef1df7423e69083259a0961ffe083fd483edcbfd0b36ecf9d7bbb548243ed2edf8ef3

Download Submit
/usr/bin/xeufyrnfwa

Filesize
596KB

MD5
bf5e7901062e15ac418a94082c5f963a

SHA1
edac5fd64da79d0524e64a333f0c744b132f3f6d

SHA256
b37a59a23290e764dfefed27d0bbfa9d6c0cb6517e91897ebfb3f0a5853dc83c

SHA512
36b15c7a5ffb25975f0b8a1138ec18403d5343d9860010d88e0fd7127e1a24c95f8b87074aabc12f40dc3e1f9cdb814e23c8b3be973d56108894fa31438d8bd9

Download Submit
/usr/bin/xeufyrnfwa

Filesize
596KB

MD5
607b102451e2b4e332920b6870597957

SHA1
5ab1545dba81775f43ce617d008c999eb7ae7b60

SHA256
1247c14dd91c0f4f2c6e70b52e78dcf0bc88e2a0c68a286013cf64e099879771

SHA512
5396bcf3bada33fad09c332d860bfdb7c9c70ab33f4f5d3af832d69a7525e2ee231e59bcbaeac0e55b95a9e8fc5b936bb949cb95aa7860531ddfd79db98f5a76

Download Submit
/usr/bin/zmlbjpfxno

Filesize
596KB

MD5
d0f413719b20cbbc3d3dc2d15e95f422

SHA1
88eb90e76ac50843684e9ad19f31f7a34ce2a1ae

SHA256
44454fab1a9794dc16d8c1b5ff63ac8c62890903e8bffcf7e752fa070adb3b6e

SHA512
5b7b1850d4bda15e2c1981265fc37129e053e9371b0e1d1f4c5b781faf17922843e9aab3855cdf77f79761934e2feaf228b034f7ae0f7cb2d5ffc9763cd751c7

Download Submit
/usr/bin/zmlbjpfxno

Filesize
596KB

MD5
770f4ec16b17966050ee4db2e04e2f3d

SHA1
59f3c97c4a3426ff7e6e43c67c6f57ec9beba344

SHA256
1de4978ba90be224ee5437011079a2b7f7e2c6bb5e2fa9a2be24b1fb869137b1

SHA512
1b1f079167652b4c3de29676266d7a30ef2c47456756f5a627ca255aa5b3033888d3d7364567ef0fed58ebadfa99c5ac7d2dc8c67d8992818579969dff4110e7

Download Submit