xorddos | 69f25865872f994878482e280078d7e7fe15e810ff9f10910e6f0ec23e71095d

Analysis

max time kernel
147s
max time network
123s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c3eb0472652b5462616b11c07844f77
Size

596KB
MD5

8c3eb0472652b5462616b11c07844f77
SHA1

e579c03b3cc8cba626873786aa4a5dd84e6e3a8a
SHA256

69f25865872f994878482e280078d7e7fe15e810ff9f10910e6f0ec23e71095d
SHA512

66039f1fe4242e0aac47a88a83dafeb8e12a5a912bde18e7d38c9aaed712b285472ebd87e04d2ab2916a7f5700dddc73cf085dd3a064916f247c4136f39f5986
SSDEEP

12288:rPTJS+naeW9kclFEcMWbHdxZ7GkR2fV/6y9P/YAh7Dxu9hc7L:DTJfrW99q4bHdxZ7G1fVFND4XcP

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://full.dsaj2a.org/b/u.php

gh.dsaj2a1.org:2885

8uc.q77y.com:2885

23.234.24.20:2885

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 10 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 1 IoCs

pid
1660

Executes dropped EXE 23 IoCs

ioc	pid	Process
/usr/bin/xvejmdyomo	1553	xvejmdyomo
/usr/bin/xvejmdyomo	1558	xvejmdyomo
/usr/bin/xvejmdyomo	1561	xvejmdyomo
/usr/bin/xvejmdyomo	1581	xvejmdyomo
/usr/bin/xvejmdyomo	1585	xvejmdyomo
/usr/bin/aviskrypex	1591	aviskrypex
/usr/bin/aviskrypex	1594	aviskrypex
/usr/bin/aviskrypex	1597	aviskrypex
/usr/bin/aviskrypex	1600	aviskrypex
/usr/bin/aviskrypex	1603	aviskrypex
/usr/bin/llyrammubj	1616	llyrammubj
/usr/bin/llyrammubj	1618	llyrammubj
/usr/bin/llyrammubj	1622	llyrammubj
/usr/bin/llyrammubj	1625	llyrammubj
/usr/bin/llyrammubj	1628	llyrammubj
/usr/bin/vloixnmlxg	1642	vloixnmlxg
/usr/bin/vloixnmlxg	1644	vloixnmlxg
/usr/bin/vloixnmlxg	1647	vloixnmlxg
/usr/bin/vloixnmlxg	1651	vloixnmlxg
/usr/bin/vloixnmlxg	1654	vloixnmlxg
/usr/bin/zvnbcfmfja	1657	zvnbcfmfja
/usr/bin/zvnbcfmfja	1659	zvnbcfmfja
/usr/bin/zvnbcfmfja	1662	zvnbcfmfja

Unexpected DNS network traffic destination 15 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc4.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/8c3eb0472652b5462616b11c07844f77

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/llyrammubj
File opened for modification	/usr/bin/vloixnmlxg
File opened for modification	/usr/bin/zvnbcfmfja
File opened for modification	/usr/bin/xvejmdyomo
File opened for modification	/usr/bin/aviskrypex

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl

/tmp/8c3eb0472652b5462616b11c07844f77
/tmp/8c3eb0472652b5462616b11c07844f77
1⤵
PID:1536

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc4.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc4.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1542
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc4.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1543

/bin/update-rc.d
update-rc.d 8c3eb0472652b5462616b11c07844f77 defaults
1⤵
PID:1541

/sbin/update-rc.d
update-rc.d 8c3eb0472652b5462616b11c07844f77 defaults
1⤵
PID:1541

/usr/bin/update-rc.d
update-rc.d 8c3eb0472652b5462616b11c07844f77 defaults
1⤵
PID:1541

/usr/sbin/update-rc.d
update-rc.d 8c3eb0472652b5462616b11c07844f77 defaults
1⤵
PID:1541
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1551

/bin/chkconfig
chkconfig --add 8c3eb0472652b5462616b11c07844f77
1⤵
PID:1539

/sbin/chkconfig
chkconfig --add 8c3eb0472652b5462616b11c07844f77
1⤵
PID:1539

/usr/bin/chkconfig
chkconfig --add 8c3eb0472652b5462616b11c07844f77
1⤵
PID:1539

/usr/sbin/chkconfig
chkconfig --add 8c3eb0472652b5462616b11c07844f77
1⤵
PID:1539

/usr/local/bin/chkconfig
chkconfig --add 8c3eb0472652b5462616b11c07844f77
1⤵
PID:1539

/usr/local/sbin/chkconfig
chkconfig --add 8c3eb0472652b5462616b11c07844f77
1⤵
PID:1539

/usr/X11R6/bin/chkconfig
chkconfig --add 8c3eb0472652b5462616b11c07844f77
1⤵
PID:1539

/usr/bin/xvejmdyomo
/usr/bin/xvejmdyomo "sleep 1" 1537
1⤵
- Executes dropped EXE
PID:1553

/usr/bin/xvejmdyomo
/usr/bin/xvejmdyomo "ifconfig eth0" 1537
1⤵
- Executes dropped EXE
PID:1558

/usr/bin/xvejmdyomo
/usr/bin/xvejmdyomo uptime 1537
1⤵
- Executes dropped EXE
PID:1561

/usr/bin/xvejmdyomo
/usr/bin/xvejmdyomo "cat resolv.conf" 1537
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/xvejmdyomo
/usr/bin/xvejmdyomo top 1537
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/aviskrypex
/usr/bin/aviskrypex sh 1537
1⤵
- Executes dropped EXE
PID:1591

/usr/bin/aviskrypex
/usr/bin/aviskrypex "netstat -antop" 1537
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/aviskrypex
/usr/bin/aviskrypex ifconfig 1537
1⤵
- Executes dropped EXE
PID:1597

/usr/bin/aviskrypex
/usr/bin/aviskrypex "ps -ef" 1537
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/aviskrypex
/usr/bin/aviskrypex "ls -la" 1537
1⤵
- Executes dropped EXE
PID:1603

/usr/bin/llyrammubj
/usr/bin/llyrammubj ifconfig 1537
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/llyrammubj
/usr/bin/llyrammubj sh 1537
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/llyrammubj
/usr/bin/llyrammubj gnome-terminal 1537
1⤵
- Executes dropped EXE
PID:1622

/usr/bin/llyrammubj
/usr/bin/llyrammubj whoami 1537
1⤵
- Executes dropped EXE
PID:1625

/usr/bin/llyrammubj
/usr/bin/llyrammubj "sleep 1" 1537
1⤵
- Executes dropped EXE
PID:1628

/usr/bin/vloixnmlxg
/usr/bin/vloixnmlxg bash 1537
1⤵
- Executes dropped EXE
PID:1642

/usr/bin/vloixnmlxg
/usr/bin/vloixnmlxg sh 1537
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/vloixnmlxg
/usr/bin/vloixnmlxg top 1537
1⤵
- Executes dropped EXE
PID:1647

/usr/bin/vloixnmlxg
/usr/bin/vloixnmlxg who 1537
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/vloixnmlxg
/usr/bin/vloixnmlxg "ps -ef" 1537
1⤵
- Executes dropped EXE
PID:1654

/usr/bin/zvnbcfmfja
/usr/bin/zvnbcfmfja ifconfig 1537
1⤵
- Executes dropped EXE
PID:1657

/usr/bin/zvnbcfmfja
/usr/bin/zvnbcfmfja sh 1537
1⤵
- Executes dropped EXE
PID:1659

/usr/bin/zvnbcfmfja
/usr/bin/zvnbcfmfja pwd 1537
1⤵
- Executes dropped EXE
PID:1662

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc4.sh

Filesize
149B

MD5
4bc702c21d7b2bbb32638e37ec6c3943

SHA1
6b097d447b57c10f10f67ccd5efac4e4d39ddd38

SHA256
f702b3fd1837f30a23c74d5605e0c9cf79a480b942ef7d3bb9f79d448101a8b3

SHA512
19523b3e006eaa41a22a6af5ad1d0b23adf7eb5c653e367229b2d6bf69066a7630d637ae4131e5ae98e63434b00f6af5bef4ece54d7ad66d5c92b8f549f5b3f8

Download Submit
/etc/init.d/8c3eb0472652b5462616b11c07844f77

Filesize
425B

MD5
fe89b26b3f66e4d56482f068da37cc5c

SHA1
7c45d5d956bf12fdfd17b1e3e84fa63c73b10e53

SHA256
1feb925393a0f664b82e7a2ac723c14a2726f66bc5e3216db4ad9fb303bf573a

SHA512
aedc02450f2af42ad0d784cbac38b0c08315cd3f5a22d1a49a0e3eeb32289727a2af18d9af9980437cef36581212c5b4643881914e1ff8c3302a8ad1cd0806d5

Download Submit
/etc/sedoDxFdg

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev4.so

Filesize
596KB

MD5
8c3eb0472652b5462616b11c07844f77

SHA1
e579c03b3cc8cba626873786aa4a5dd84e6e3a8a

SHA256
69f25865872f994878482e280078d7e7fe15e810ff9f10910e6f0ec23e71095d

SHA512
66039f1fe4242e0aac47a88a83dafeb8e12a5a912bde18e7d38c9aaed712b285472ebd87e04d2ab2916a7f5700dddc73cf085dd3a064916f247c4136f39f5986

Download Submit
/run/gcc4.pid

Filesize
32B

MD5
2f7c7f125a800e55c206658e162a2c81

SHA1
c75aea27147f0a9a0d36bf5665b5bc4df31433b7

SHA256
cafffd30de0c3194d24c1760264de2282b56acd6ae555dc874e3b0e852e0c351

SHA512
7041bb39822860bd688094d9b8daf007084f58ca3e2e560d4ceaf9f4421f47e6d4c901ed73ba83afce3de10f5d7f1bc6d91b70c5ad33866c7bf8200d5fedb665

Download Submit
/usr/bin/aviskrypex

Filesize
87KB

MD5
38710cdd5a36105881e361e214c4fe6d

SHA1
91cbe6d256fb4af75adebb496d96fb9d07634dc3

SHA256
f8af35fa4251de6900e401cf7224e9942fee49a95fd0bce9ca9511a140a41602

SHA512
78412c6a8c76977183a5673211689fa90957678ba36abb42ad513772a681584eb943c4ad2b7a1f1bcb65f12b10d4064af9a5758afafadf0a7e84f56d76bfd69e

Download Submit
/usr/bin/llyrammubj

Filesize
596KB

MD5
c43cdd80c9de0e1340a3e57873f1780d

SHA1
d9d9ca9d10352544cd11501b63fbeee0c1ee1e77

SHA256
1abddc24375ec1be28416e8158c819116e678ab751955aa33912dac56d5fe036

SHA512
eb06460b74e4c773e2ea5c4cb0b1dbf3b8d9e940c56d2c64e52414ebbd1463d2c00d8f19c116a4153f521a47e262c3cf77596fb97cf776700cd0dc27fccc8c5f

Download Submit
/usr/bin/llyrammubj

Filesize
596KB

MD5
cd360e809476dad31f56b457cb2d7b1d

SHA1
26f479cefbc6906b8ed9e65d12e26dae70a73417

SHA256
1ea0b45c46b2caf38e932056dede6e0e7e50aef14a8e8b7c38259b76c912d71b

SHA512
ee25bb071d129ddd16cedfdf5da1c5bf651f7a3a948725b9a07990563ad89d2925dd5732c7d34872711f0ece641bb6d2bbc989f68660bcf86d318ea7f85f5dfb

Download Submit
/usr/bin/vloixnmlxg

Filesize
596KB

MD5
e1a0f74bdb5292c0057792aff7883d36

SHA1
ef7faf39f0c0cba87df2afaf778676fd45076c8f

SHA256
46e0120986ac570023cccf6d32430342252dcea6293038b14b6324c01f1922e4

SHA512
11d014e19d8225320d3cf0f49f9b8373636c5984e3ada6c81f2c3dd6280ce85c4099a27be054db6dac87e285b01ec16de4578b8b35591678eeb371c6e88c9b84

Download Submit
/usr/bin/vloixnmlxg

Filesize
596KB

MD5
60adbde47ada7f39d703192e0a8db65d

SHA1
028d947d8085420a236b1ce11951ceaca59fb9be

SHA256
0a766ff0c9a8060e3bbe2aa2cd8326c1fc859f111d198fbd6973a62d0cbdcd47

SHA512
1b1e8cb5286311dd7381421e30612f3a106f64efb57b6b345f0f0ac3c69311c0bf61117cbe3c5ef3f5a4d16ed5c7b0f41aafdfc3ce8ef68f1958ad1e1908ee06

Download Submit
/usr/bin/xvejmdyomo

Filesize
596KB

MD5
b08882c071f05b336c7b3bf26e97cd5e

SHA1
b19acf537bcc93cc2aba4869145818421b43938f

SHA256
243e0adfcddfa9e68a41bdb93fcb194804c8dc61b3066171256c5c05293e11f1

SHA512
f096a9518ac5bcb86d560faf4bdd927784cff5664bfc374d3a9e166caf5c38786976dcfa0de9c80c54d86ba6c9949d5819ebeaca66c7541f0947266c61651c88

Download Submit
/usr/bin/xvejmdyomo

Filesize
596KB

MD5
26154d58c6bbb160b0f8903f815cd707

SHA1
b54c071fe8c2e2c586d9e30a440ff77a2b9faf65

SHA256
9c17cce1d13c49d6b7d81e1cd3441ea5a77fb92d891ad15e58cfd0f799679f99

SHA512
4823f09b55b1be52d479284fc567d6726a33d1ed65ca4990577455a668cc9f972085ad32e8440788ed5f775ca75d1c5396b32a282b69b11e6b5ac77ad2485542

Download Submit
/usr/bin/zvnbcfmfja

Filesize
596KB

MD5
8117f4b5c184c53179858f6c0cb4a99f

SHA1
1f955bc2b907625d53e98a88fded42e29cd640aa

SHA256
b360d4d44a7c5aa7f992b8fed625fb4e20beec12bb975220929091984ecf10cc

SHA512
e42a446a23ca538d95a6c182b1bb5ad5709e429d56d1650237fd32eb1ea7afd38b973689486908d0bd95dcde95188f9c313f68f3e4fd877bca836a18ec444120

Download Submit
/usr/bin/zvnbcfmfja

Filesize
596KB

MD5
94c59900dbe72bf936e1e1d1bd875e7f

SHA1
9d25d55012cd75eed0369fa6890cb5d1de187835

SHA256
0db21f6ae246c614b61cc08ef170ab2c2dc23c16ec6bc85bcfd4215e3d33da1c

SHA512
230e174e7dc6f3652f35de3acc6b04f4aa3b47a8bf870a9829561b8cce8c96533384ab8d4c7264d50accac1d020236734d993c5197e3f24d8f2dc5b8b1a64eee

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads