xorddos | 66014710297270fcf37060d02b97c187573950416757a85644c7c22ce8469824

Analysis

max time kernel
154s
max time network
69s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95efa79873f314005c30d9a1073ebea9
Size

660KB
MD5

95efa79873f314005c30d9a1073ebea9
SHA1

e06a22bf168f9522c79a2d7fcad4ae8ed961ea4b
SHA256

66014710297270fcf37060d02b97c187573950416757a85644c7c22ce8469824
SHA512

13680daa6ddb3283df0b8d21b4eb232602278b2d218274be0f2c0fbaf7bfd0fc593c50f14927c5a9cb00fd349cff6b4c0cfb4bb6fd771206e63fd36504605a6f
SSDEEP

12288:yB6hZ/D+2wZn/Dj3y3NDghlVx3LxAnbZ4s36yT+VmgiZM+yqGTh5AZ2:yB6PL+2S/Dj0NDAVx3LxAnusjoiLyqGT

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

103.25.9.245:3504

103.240.141.50:3504

66.102.253.30:3504

ndns.dsaj2a1.org:3504

ndns.dsaj2a.org:3504

ndns.hcxiaoao.com:3504

ndns.dsaj2a.com:3504

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 23 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-2.dat	family_xorddos
behavioral1/files/fstream-3.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-22.dat	family_xorddos
behavioral1/files/fstream-24.dat	family_xorddos
behavioral1/files/fstream-26.dat	family_xorddos
behavioral1/files/fstream-28.dat	family_xorddos
behavioral1/files/fstream-30.dat	family_xorddos
behavioral1/files/fstream-32.dat	family_xorddos
behavioral1/files/fstream-34.dat	family_xorddos
behavioral1/files/fstream-36.dat	family_xorddos
behavioral1/files/fstream-48.dat	family_xorddos
behavioral1/files/fstream-50.dat	family_xorddos
behavioral1/files/fstream-52.dat	family_xorddos
behavioral1/files/fstream-54.dat	family_xorddos
behavioral1/files/fstream-56.dat	family_xorddos

Deletes itself 24 IoCs

Processes:

pid
1566
1569
1572
1553
1575
1577
1581
1584
1587
1590
1592
1596
1599
1602
1605
1607
1611
1614
1617
1620
1622
1628
1631
1634

Executes dropped EXE 25 IoCs

Processes:

pniwprivuclgoblbfbgpbhpfoypphvojbczcykgnnufnubgsufqknuxuujivtggzpvegjfrehlbdbhscrzrdwtuugomtkqkhycgqnlvbehkwqnavhxyfpatgtovmqsnxbqsummiwehdfttygmqyvckijhqpbnkefglpnrmdhheszjvngtrvuqbyummejeyaugxghlmfsizmrwxafbwodlwusxnhlqqzvyvaxcjawdthgvrhbtcboxsxnee

ioc	pid	Process
/boot/pniwprivuc	1555	pniwprivuc
/boot/lgoblbfbgp	1562	lgoblbfbgp
/boot/bhpfoypphv	1567	bhpfoypphv
/boot/ojbczcykgn	1570	ojbczcykgn
/boot/nufnubgsuf	1573	nufnubgsuf
/boot/qknuxuujiv	1576	qknuxuujiv
/boot/tggzpvegjf	1579	tggzpvegjf
/boot/rehlbdbhsc	1582	rehlbdbhsc
/boot/rzrdwtuugo	1585	rzrdwtuugo
/boot/mtkqkhycgq	1588	mtkqkhycgq
/boot/nlvbehkwqn	1591	nlvbehkwqn
/boot/avhxyfpatg	1594	avhxyfpatg
/boot/tovmqsnxbq	1597	tovmqsnxbq
/boot/summiwehdf	1600	summiwehdf
/boot/ttygmqyvck	1603	ttygmqyvck
/boot/ijhqpbnkef	1606	ijhqpbnkef
/boot/glpnrmdhhe	1609	glpnrmdhhe
/boot/szjvngtrvu	1612	szjvngtrvu
/boot/qbyummejey	1615	qbyummejey
/boot/augxghlmfs	1618	augxghlmfs
/boot/izmrwxafbw	1621	izmrwxafbw
/boot/odlwusxnhl	1626	odlwusxnhl
/boot/qqzvyvaxcj	1629	qqzvyvaxcj
/boot/awdthgvrhb	1632	awdthgvrhb
/boot/tcboxsxnee	1635	tcboxsxnee

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

description	ioc
File opened for reading	/proc/cpuinfo

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

description	ioc
File opened for modification	/etc/init.d/pniwprivuc

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/rs_dev
File opened for reading	/proc/stat
File opened for reading	/proc/meminfo

/tmp/95efa79873f314005c30d9a1073ebea9
/tmp/95efa79873f314005c30d9a1073ebea9
1⤵
PID:1552

/boot/pniwprivuc
/boot/pniwprivuc
1⤵
- Executes dropped EXE
PID:1555

/boot/lgoblbfbgp
/boot/lgoblbfbgp uptime 1556
1⤵
- Executes dropped EXE
PID:1562

/boot/bhpfoypphv
/boot/bhpfoypphv "sleep 1" 1556
1⤵
- Executes dropped EXE
PID:1567

/boot/ojbczcykgn
/boot/ojbczcykgn "route -n" 1556
1⤵
- Executes dropped EXE
PID:1570

/boot/nufnubgsuf
/boot/nufnubgsuf "route -n" 1556
1⤵
- Executes dropped EXE
PID:1573

/boot/qknuxuujiv
/boot/qknuxuujiv "netstat -an" 1556
1⤵
- Executes dropped EXE
PID:1576

/boot/tggzpvegjf
/boot/tggzpvegjf gnome-terminal 1556
1⤵
- Executes dropped EXE
PID:1579

/boot/rehlbdbhsc
/boot/rehlbdbhsc uptime 1556
1⤵
- Executes dropped EXE
PID:1582

/boot/rzrdwtuugo
/boot/rzrdwtuugo pwd 1556
1⤵
- Executes dropped EXE
PID:1585

/boot/mtkqkhycgq
/boot/mtkqkhycgq "ifconfig eth0" 1556
1⤵
- Executes dropped EXE
PID:1588

/boot/nlvbehkwqn
/boot/nlvbehkwqn "grep \"A\"" 1556
1⤵
- Executes dropped EXE
PID:1591

/boot/avhxyfpatg
/boot/avhxyfpatg pwd 1556
1⤵
- Executes dropped EXE
PID:1594

/boot/tovmqsnxbq
/boot/tovmqsnxbq id 1556
1⤵
- Executes dropped EXE
PID:1597

/boot/summiwehdf
/boot/summiwehdf who 1556
1⤵
- Executes dropped EXE
PID:1600

/boot/ttygmqyvck
/boot/ttygmqyvck "netstat -an" 1556
1⤵
- Executes dropped EXE
PID:1603

/boot/ijhqpbnkef
/boot/ijhqpbnkef "ps -ef" 1556
1⤵
- Executes dropped EXE
PID:1606

/boot/glpnrmdhhe
/boot/glpnrmdhhe "grep \"A\"" 1556
1⤵
- Executes dropped EXE
PID:1609

/boot/szjvngtrvu
/boot/szjvngtrvu sh 1556
1⤵
- Executes dropped EXE
PID:1612

/boot/qbyummejey
/boot/qbyummejey "cat resolv.conf" 1556
1⤵
- Executes dropped EXE
PID:1615

/boot/augxghlmfs
/boot/augxghlmfs "ls -la" 1556
1⤵
- Executes dropped EXE
PID:1618

/boot/izmrwxafbw
/boot/izmrwxafbw "grep \"A\"" 1556
1⤵
- Executes dropped EXE
PID:1621

/boot/odlwusxnhl
/boot/odlwusxnhl "ls -la" 1556
1⤵
- Executes dropped EXE
PID:1626

/boot/qqzvyvaxcj
/boot/qqzvyvaxcj "netstat -an" 1556
1⤵
- Executes dropped EXE
PID:1629

/boot/awdthgvrhb
/boot/awdthgvrhb "grep \"A\"" 1556
1⤵
- Executes dropped EXE
PID:1632

/boot/tcboxsxnee
/boot/tcboxsxnee su 1556
1⤵
- Executes dropped EXE
PID:1635

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/avhxyfpatg

Filesize
660KB

MD5
671c65287eba2a09836f65d385a2df4f

SHA1
469836087c2263f31a6ca443edde6596bc2aaaa5

SHA256
8d2b718029293ec4eb2dbb26b0c570a4222949f017e2d4a23866eb997e177f16

SHA512
1b2b8e3dfc1625e57996e497092669218b269007edc2e4b011ab757d735cc090446112b2ae7c11c8766fec250fa2cb51a5fa5b3ed51f4d7a805e148f9b7d7974

Download Submit
/boot/awdthgvrhb

Filesize
660KB

MD5
c70168d3134224b18279dae2392cbe18

SHA1
e3c9d022b3096c1c827561e2353b3951d40d1447

SHA256
8d0f75034c2183e9f065405cb14158c2961d57ff6887ce1d492f8bafaf4e96c9

SHA512
e1e68cd871c91e887564ae0dc33cc1da5c1578a7616d08eefec7af03883b9d5d33c7f990402e5db3fd42f4f29ca8633115fc218586085d28af5688b038002ce1

Download Submit
/boot/bhpfoypphv

Filesize
660KB

MD5
88215da1851c72c93decea13cf29e932

SHA1
1ac02cfb6a644ee12320dbce0f06283bfa9819ed

SHA256
875148dab67cfdedeeb4fbc8a7d11f34acdd607d190c4d414be799341996bc27

SHA512
50766a6df5639bbe484afcbb7a2e156341b4f65ed234a2506874c0062e7a0dd1bc9b25dd9dbdaac6b8818f486833ee099543fe590a762db3b5c1728067d68f2d

Download Submit
/boot/ijhqpbnkef

Filesize
660KB

MD5
dcba6c47a4dbbb5656be06ee4eefd2a0

SHA1
29400c9947742d2365908c22faec39d9762f94cd

SHA256
25ef3a4df5357d348021dc52e747ae1c42515373c9c5a6e5149db496a0d9d03c

SHA512
ccc165a7d21b637576ed999681a572f652ab2493cd6cec9b859a6958ab3c18082b72d98f750815bc7ba6d11e4fadadcd4286950cb201d905e3efdc77555718bd

Download Submit
/boot/kfevlogfgi

Filesize
660KB

MD5
35ca392e05a1bc801e9a0387f767d4c1

SHA1
b7b4bbabec6b7ad6d6c287394dc68aee116a15ef

SHA256
bcbb38d92209ad877168bf441df39f22f83474934ddcded20f8435843f0fb841

SHA512
75717ddf1ca593435e45f627a4d897f033dd5d324e196d3035206ac01e5c486474e99f70e428b023e7a3672e7a6f904d08f4807dd53ff8cdc30df3482b1e0650

Download Submit
/boot/lgoblbfbgp

Filesize
660KB

MD5
bb4fe087d0c1cbf3307cef5b945e370d

SHA1
f36385cce7727f34b98f4c4dc341bf63211773c1

SHA256
83b8dc1e8b8e6119bf0ce104f857bace058dc21f84fb382dfc79568aa08fda29

SHA512
1d8b288bf7bfdbd45cba7e30b944ea3861b66c6f9464c1dd43ca468cf06ba1a9e605783f381d7dff1c4c387df26f2fe78d14ddc582f197a6a88035d2154c42f2

Download Submit
/boot/mtkqkhycgq

Filesize
660KB

MD5
7a013e13357af63270e6635cc1d6a6fe

SHA1
b4d9feb2af83a449abe1c68aa401060310bf2c75

SHA256
8b8b592dcba6d7755a8f73ea43fdaeb8af29a924d0517566ef052770419cf61d

SHA512
f93db627b417d06769d32ada023db810aea2da7c95af6d0f76d193a8481148f9c84a5d21cd0012889593c2cae6e4e3915b740080d98c09e5a7d26ef18aedf5f4

Download Submit
/boot/nlvbehkwqn

Filesize
660KB

MD5
94b0f299a60f449117fef0b9460466f2

SHA1
f98ed3de08c93fae08e2f5adb91cb9324f1a327c

SHA256
a5011ab28bbea0c7407b2a03715ffcb1459ec49af9edac37f4b2c6ebab7cbafd

SHA512
f8036f6a4b35dc3c6b0c5cf22aa8c41a13f71a04f4f579c9bd6c1c48adf977b3df2261d931c5f6497df47f1198e904cdb648adc1f5f08abfff3717baab029d86

Download Submit
/boot/nufnubgsuf

Filesize
660KB

MD5
9823789d79f32be6b33f7bad353d7bcf

SHA1
d3e928df4907beb3ff398a3d01cd563f9bc8c5c1

SHA256
0dbdad32739a6c4924302572cb9186a3b82d2c3e35f6e85778528d4f36822c46

SHA512
2121e957060e7196f514420ed7b6f153af044d93794482dd4e2de2d1abd17b072cd2c52bc139057427f6a82aa1fc8bd968e20d28308ab313d11a115ceb88165c

Download Submit
/boot/odlwusxnhl

Filesize
660KB

MD5
307391bbf28e29ed26bfc432940211d8

SHA1
2bc3baa0d301c85903d0415206c51b575e41cfbe

SHA256
d094580f61d512b8bc4aaddc7b465462d160828dfd3d7f96baa0eecc8247b80e

SHA512
91250a5b6a421b2c1bb98853f22c6b94542aca04eafcb213a9e4cc0086a84b500cc73dd69055cf4039d12f2034af2092f61361f7d543377bfc80232f8c234781

Download Submit
/boot/ojbczcykgn

Filesize
660KB

MD5
7c42b56f5cd4abde4a0cc1e795ee53ba

SHA1
639b5de644d3baead8f939316a8b8c3dee89bcb1

SHA256
921473e8394c421c97809230d6f2b1a02c2da1022ac15f2095a0ebf26e630658

SHA512
2bf947cc07abf2dd411a3d1058bf103831fb6550e226a602352d2719f7508613d08210f6fbe440918a2023e440bd59257aa9f602932192b5ea5e6d5ae023a638

Download Submit
/boot/pniwprivuc

Filesize
660KB

MD5
95efa79873f314005c30d9a1073ebea9

SHA1
e06a22bf168f9522c79a2d7fcad4ae8ed961ea4b

SHA256
66014710297270fcf37060d02b97c187573950416757a85644c7c22ce8469824

SHA512
13680daa6ddb3283df0b8d21b4eb232602278b2d218274be0f2c0fbaf7bfd0fc593c50f14927c5a9cb00fd349cff6b4c0cfb4bb6fd771206e63fd36504605a6f

Download Submit
/boot/pniwprivuc

Filesize
660KB

MD5
969892b230bc41defe264fb824ef100d

SHA1
418e6a409a3bed92ff80fd7afb65984aca4aa824

SHA256
a0901ce7b17d07f19d9435f26f6c9db9ff9651582a1660d61e781210d4e0095f

SHA512
aef1cf79450adf2f3d029019256e320cbe292c0f8f16d31a5c1ed555f56e2a84ad58edfddc8cfccbbe2d65409b0e94298264796203762e52037133d5ffbc3b4c

Download Submit
/boot/qknuxuujiv

Filesize
660KB

MD5
5c7d08061216e863139fb8cb884d1f05

SHA1
221a28f0067f5628072e8c08ecbcae5e7469ec79

SHA256
7c14a5e0925b82ca6887c1835e912e9360770c8297a30114a68950ce02ca950b

SHA512
613e5f337a0b97abcc5e538bae3c831985dfc4db9e16b57da82020c6d74f4a1b822d7669dafc1adedacc109ed5e7ccddf30f51df89a2bf9db3c66833dd9975ae

Download Submit
/boot/qqzvyvaxcj

Filesize
660KB

MD5
a38c577c1f3eb507048e58ed55f16b89

SHA1
850b85b0db13a8389f73d095657a2e909cf7504f

SHA256
235e3db2c4c07a58869a7437fb59af58bfc94749367c40cc9617dd7187c59060

SHA512
55d21602a262d280dcb58521e6f308e9c89a230655e541a64e9f3653c44ea6f32912bc0ea36a29adbe81104427a372c182b82e6a3b82a90dae8e14a50e0c56e5

Download Submit
/boot/rehlbdbhsc

Filesize
660KB

MD5
042a4e66a82f9a6915bc604e5a11cec1

SHA1
694eb015c9707f88410b9352d3b9c2cbce3c4835

SHA256
7ba2139f0f9c63191377c05531f3ab90790fb411275ec2febbc31031dac08fec

SHA512
8858ac951ce2709fecdffbba25f7273887cc2f7c57cc97179ef3c89712334a389abcdb8690db5ffe5778bcbe8362c13196ef69813242ab4a7881a7d5ab4d9bd8

Download Submit
/boot/rzrdwtuugo

Filesize
660KB

MD5
456ba84b90284737ba85f509da9cbfe4

SHA1
8ce1f2849e436a20caaa1f62b336e496db2a6c0e

SHA256
f1749252e56f4c0cb1382b4995e9550adc20ef5ef623fbfd290b2764fc434e7e

SHA512
2aca9707743e7593b8bff87fca2aabe09efa7e81b0ae0c1e1348f5a09beb70f9728242fc5544189b5f366467183f691883f8cd76de61d93e15f93436d090eef7

Download Submit
/boot/summiwehdf

Filesize
660KB

MD5
0e98c8487a183bcdfa03a1027e75631a

SHA1
c8468a782dcdb841d86c4cc339cea4796359ebb0

SHA256
7e95be700267e0cd2bfcd8e0175858a26701c9412ff3ee6f38db9707c66e15ca

SHA512
f7ce3348280f55aa4170d841044a64c9e8102f3e012c1ea0cb7f72811b8bb4862f22b4be1b721a73480bfe115138de4bbcbec15e5c1f77419663d85128690ff4

Download Submit
/boot/tcboxsxnee

Filesize
660KB

MD5
88c4c2e25cbda2dc9f449614215586ed

SHA1
a7db2ec43669e78220a6b388f9d51ddc50ce62c9

SHA256
b60c7fa3d0080eebd08d086b660a675c53b6becd199765e08ce6c186cd058ad4

SHA512
f05e715118213186e9ca7ad94a56a8ca963c156ce27b623efc56aa77ab93a820a3a4d5b6368e736d17c58262150fe7917e7b09479ee7b81eed0161d9e3bdd498

Download Submit
/boot/tggzpvegjf

Filesize
660KB

MD5
df0cfe8fae00685f8cdbbe093ffb6c2a

SHA1
3b9c1536bca07dfa3155dcec9a4bad8cb852492f

SHA256
56dd114dff6cb680266eed719446d25be52be088a280ed8413e90e65963a4de8

SHA512
0a57f2a0ef5223381fe4f48eaa074840560fe738733fde717c95efc83590049101461b78d60e6c5c38ce4e254816c2b9ac4dfb20f337909b227056f72c45ff37

Download Submit
/boot/tovmqsnxbq

Filesize
660KB

MD5
0efdb8c0522babc858c80c0eaba78b57

SHA1
eeb973bac78eb4ad26bb304fe1ec733e1645166d

SHA256
9dafbdb0e48de0c970205a063cb0616ea827055f94eb582454048ef6f0a6a6d3

SHA512
5e8e2bf1cbec21dbe457927e059e3035b301ebc22a466692044fe677158545bd48b73766b3949ecd4ec005c3bca8d3b48549478e1b6bb4c8c021a3db141e32ef

Download Submit
/boot/ttygmqyvck

Filesize
660KB

MD5
73d25fb9997f5e05945dcf30c8732769

SHA1
1b761f3e6a5ce3fe88e0aed8bd88248f9d5f8b96

SHA256
a8bae29067a2ac7d37d457de76384a4e3888de2943ce215f6d0904d8aa788c97

SHA512
c332f34944ce360ece284b264f740f12a62b99d9937a363256ec36a65923fa90a77c8bf56b4ad6016b354eb4ba564a8da5223dbf5d9ea76eb79b6e7354ee2e63

Download Submit
/etc/init.d/pniwprivuc

Filesize
27B

MD5
fccf6c7ba30900685dcc61e2c6d2f3c0

SHA1
c9630da70c189da341ca7596d7fb14634a785809

SHA256
421572e199a10c94d61ce47f3fc62f1f72275a76eea22fb62ca2ce6a0209539c

SHA512
320c0b982d1edc0fc8b5eca526af64d858604fd3eb8eed8f7552263019c5e418a1d238404df8d5d5b73eeff0ab19baf807345027f7c351c2b99c33dddbd63326

Download Submit
/lib/udev/udev

Filesize
108KB

MD5
9c658f0f15622cb9d1c23c4ee73e2280

SHA1
5bdc5ac4a6294bc750009aff2ee60f9d3c55efa0

SHA256
86a42a4d8f4bc7076d88886c7a03867fc7a32dab7bb6b50c66c922d75c40bfa1

SHA512
80f4fe97876ecc0366e0493bd4dc0199eee30dff76e2dfa31ed0282e141a959874e926811910430f038861f30eff49b99cdd0cfdc629ee301f2fdc4ad4e4bfde

Download Submit
/run/sftp.pid

Filesize
32B

MD5
d1cd45dc01cb1e675397fdf9d29e2a45

SHA1
262b83651717d08d494e2d38d3b0877221d355f4

SHA256
5707a05a52af9c08da4caf44e2cb8cd462734aedfe82616e561f6c2bba5bcc1b

SHA512
6b7223d226c3fddf01a94a042e8f502c679fd34d83a056f446502de6b900f3388e5477bce60c2596c939ba218d34144a0d887d84929dca10c757f472e6613283

Download Submit