xorddos | 7aa8eab2f01783bfe9bb7d8e051baebf563629645d73b2af42022d28a8143179

Analysis

max time kernel
155s
max time network
92s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a15e9d2d69c1407ac5b42ba46d71fc58
Size

603KB
MD5

a15e9d2d69c1407ac5b42ba46d71fc58
SHA1

5a124a3a2f363bd3740ab792044d9a06dc4256d5
SHA256

7aa8eab2f01783bfe9bb7d8e051baebf563629645d73b2af42022d28a8143179
SHA512

f38eeae08e03f19339d03b01a271df14284bd22194887b492c24f6e4c89ef7b416507350cab6a5de8d90084519703b78cd844f35a54a4fa13b8643f0c6a395c5
SSDEEP

12288:R40XBrnlTCbI5ZBP5IePtqLn4yFeC+oT6ygF9b4elMuThmVF:e01tCbqNNPtqLn4yFmoEbdlH9mn

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2822

www.wangzongfacai.com:2822

174.139.217.145:2822

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 9 IoCs

Processes:

resource	yara_rule
/lib/libgcc4.so	family_xorddos
/usr/bin/tsfogvmerh	family_xorddos
/usr/bin/tsfogvmerh	family_xorddos
/usr/bin/rbgbvanarv	family_xorddos
/usr/bin/rbgbvanarv	family_xorddos
/usr/bin/pbeanmyhib	family_xorddos
/usr/bin/pbeanmyhib	family_xorddos
/usr/bin/yekgmplzhy	family_xorddos
/usr/bin/yekgmplzhy	family_xorddos

Deletes itself 1 IoCs

Processes:

pid

1635

pid
1635

Executes dropped EXE 18 IoCs

Processes:

tsfogvmerhtsfogvmerhtsfogvmerhtsfogvmerhtsfogvmerhrbgbvanarvrbgbvanarvrbgbvanarvrbgbvanarvrbgbvanarvpbeanmyhibpbeanmyhibpbeanmyhibpbeanmyhibpbeanmyhibyekgmplzhyyekgmplzhyyekgmplzhy

ioc	pid	process
/usr/bin/tsfogvmerh	1559	tsfogvmerh
/usr/bin/tsfogvmerh	1581	tsfogvmerh
/usr/bin/tsfogvmerh	1585	tsfogvmerh
/usr/bin/tsfogvmerh	1588	tsfogvmerh
/usr/bin/tsfogvmerh	1591	tsfogvmerh
/usr/bin/rbgbvanarv	1594	rbgbvanarv
/usr/bin/rbgbvanarv	1597	rbgbvanarv
/usr/bin/rbgbvanarv	1600	rbgbvanarv
/usr/bin/rbgbvanarv	1603	rbgbvanarv
/usr/bin/rbgbvanarv	1608	rbgbvanarv
/usr/bin/pbeanmyhib	1618	pbeanmyhib
/usr/bin/pbeanmyhib	1621	pbeanmyhib
/usr/bin/pbeanmyhib	1624	pbeanmyhib
/usr/bin/pbeanmyhib	1626	pbeanmyhib
/usr/bin/pbeanmyhib	1630	pbeanmyhib
/usr/bin/yekgmplzhy	1633	yekgmplzhy
/usr/bin/yekgmplzhy	1636	yekgmplzhy
/usr/bin/yekgmplzhy	1639	yekgmplzhy

Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 103.25.9.228
Destination IP 103.25.9.228
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc process

File opened for modification /etc/crontab sh
File opened for modification /etc/cron.hourly/udev.sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/a15e9d2d69c1407ac5b42ba46d71fc58

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228

description	ioc	process
File opened for modification	/etc/crontab	sh
File opened for modification	/etc/cron.hourly/udev.sh

description	ioc
File opened for modification	/etc/init.d/a15e9d2d69c1407ac5b42ba46d71fc58

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/tsfogvmerh
File opened for modification	/usr/bin/rbgbvanarv
File opened for modification	/usr/bin/pbeanmyhib
File opened for modification	/usr/bin/yekgmplzhy

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed

/tmp/a15e9d2d69c1407ac5b42ba46d71fc58
/tmp/a15e9d2d69c1407ac5b42ba46d71fc58
1⤵
PID:1542

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/udev.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/udev.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1548
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/udev.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1549

/bin/chkconfig
chkconfig --add a15e9d2d69c1407ac5b42ba46d71fc58
1⤵
PID:1545

/sbin/chkconfig
chkconfig --add a15e9d2d69c1407ac5b42ba46d71fc58
1⤵
PID:1545

/usr/bin/chkconfig
chkconfig --add a15e9d2d69c1407ac5b42ba46d71fc58
1⤵
PID:1545

/usr/sbin/chkconfig
chkconfig --add a15e9d2d69c1407ac5b42ba46d71fc58
1⤵
PID:1545

/usr/local/bin/chkconfig
chkconfig --add a15e9d2d69c1407ac5b42ba46d71fc58
1⤵
PID:1545

/usr/local/sbin/chkconfig
chkconfig --add a15e9d2d69c1407ac5b42ba46d71fc58
1⤵
PID:1545

/usr/X11R6/bin/chkconfig
chkconfig --add a15e9d2d69c1407ac5b42ba46d71fc58
1⤵
PID:1545

/bin/update-rc.d
update-rc.d a15e9d2d69c1407ac5b42ba46d71fc58 defaults
1⤵
PID:1547

/sbin/update-rc.d
update-rc.d a15e9d2d69c1407ac5b42ba46d71fc58 defaults
1⤵
PID:1547

/usr/bin/update-rc.d
update-rc.d a15e9d2d69c1407ac5b42ba46d71fc58 defaults
1⤵
PID:1547

/usr/sbin/update-rc.d
update-rc.d a15e9d2d69c1407ac5b42ba46d71fc58 defaults
1⤵
PID:1547
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1554

/usr/bin/tsfogvmerh
/usr/bin/tsfogvmerh "netstat -an" 1543
1⤵
- Executes dropped EXE
PID:1559

/usr/bin/tsfogvmerh
/usr/bin/tsfogvmerh pwd 1543
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/tsfogvmerh
/usr/bin/tsfogvmerh pwd 1543
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/tsfogvmerh
/usr/bin/tsfogvmerh top 1543
1⤵
- Executes dropped EXE
PID:1588

/usr/bin/tsfogvmerh
/usr/bin/tsfogvmerh bash 1543
1⤵
- Executes dropped EXE
PID:1591

/usr/bin/rbgbvanarv
/usr/bin/rbgbvanarv uptime 1543
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/rbgbvanarv
/usr/bin/rbgbvanarv gnome-terminal 1543
1⤵
- Executes dropped EXE
PID:1597

/usr/bin/rbgbvanarv
/usr/bin/rbgbvanarv uptime 1543
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/rbgbvanarv
/usr/bin/rbgbvanarv gnome-terminal 1543
1⤵
- Executes dropped EXE
PID:1603

/usr/bin/rbgbvanarv
/usr/bin/rbgbvanarv sh 1543
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/pbeanmyhib
/usr/bin/pbeanmyhib pwd 1543
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/pbeanmyhib
/usr/bin/pbeanmyhib pwd 1543
1⤵
- Executes dropped EXE
PID:1621

/usr/bin/pbeanmyhib
/usr/bin/pbeanmyhib "route -n" 1543
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/pbeanmyhib
/usr/bin/pbeanmyhib id 1543
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/pbeanmyhib
/usr/bin/pbeanmyhib "ps -ef" 1543
1⤵
- Executes dropped EXE
PID:1630

/usr/bin/yekgmplzhy
/usr/bin/yekgmplzhy "route -n" 1543
1⤵
- Executes dropped EXE
PID:1633

/usr/bin/yekgmplzhy
/usr/bin/yekgmplzhy uptime 1543
1⤵
- Executes dropped EXE
PID:1636

/usr/bin/yekgmplzhy
/usr/bin/yekgmplzhy bash 1543
1⤵
- Executes dropped EXE
PID:1639

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/a15e9d2d69c1407ac5b42ba46d71fc58

Filesize
425B

MD5
c1ce6278adaff6902d74c1fbac2c4cb1

SHA1
cd0d85731be37913eaef71739db5eb39647d84ff

SHA256
6b8512ffc3a7450771c86da3e3fd986d5f7ce9358a59f8e61842490ab21d44b9

SHA512
42c0ca5883c11207a44c1ce9fcb9980bf774dc59d4c4d4dbc678c41c00f1ce5b973f1b496e091fa201319261f7ba1548b4436fd75bba3ca2ce5c3e45ef3ae291

Download Submit
/etc/sedfvv9XH

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc4.so

Filesize
603KB

MD5
a15e9d2d69c1407ac5b42ba46d71fc58

SHA1
5a124a3a2f363bd3740ab792044d9a06dc4256d5

SHA256
7aa8eab2f01783bfe9bb7d8e051baebf563629645d73b2af42022d28a8143179

SHA512
f38eeae08e03f19339d03b01a271df14284bd22194887b492c24f6e4c89ef7b416507350cab6a5de8d90084519703b78cd844f35a54a4fa13b8643f0c6a395c5

Download Submit
/run/udev.pid

Filesize
32B

MD5
046487b3afbd1ce51d3e4ab0ecc2acfe

SHA1
01b2031cb3798786c12cbec7d48c6bdb48c806ab

SHA256
7b4ba250dc3840194ee0e6733d21244cf1b913f56cf847f4d917cd67a6e1d786

SHA512
4e91a27332a0bc4607f5ef7e10f64a27183019d5ebc9ab844faf6e148964fd039c155f8150458d6a9126987b7aa56a58cb0e4fc53c34eed69202a00c8ed53f09

Download Submit
/usr/bin/pbeanmyhib

Filesize
603KB

MD5
1acc489dbc1260033163044e5fbc27d8

SHA1
2cb6b4a95e69a53c720ec788697fa2f5d127da80

SHA256
c7dd04886b2cec8ed2abcaa1e25312b9fccabc09c393b63664fdafc7d6d21ad5

SHA512
63d6ee62287b8d522c2f838e8e6f01bf0ea0092f5817f893483fcdeeb5ab09e64f8bff3e6c0b23019ca676d750d28ba3feb4ece1a8cc98da9fe29a66a1f7dc40

Download Submit
/usr/bin/pbeanmyhib

Filesize
603KB

MD5
d578f35e264a65a33c6e876fee383f8b

SHA1
b298f1002862113e8d0a19aa78546ecc45767cea

SHA256
c026c3cb180803a06ca3eef7884921a09add1ae5f51df47e984bb2058ef6d596

SHA512
0e4cff2f8470bb76384085d89b34c067744b4a3efd79b4949c3131ab1196b03afa987a2d0232e32db4057f685d3e68e2e3eaee1030f0eb58ca303579b2e96f9e

Download Submit
/usr/bin/rbgbvanarv

Filesize
603KB

MD5
bd37c24315f9b74273ec3c54f5be903b

SHA1
2e0d1d2dd014f315f4483198d9a5f6fe88850c22

SHA256
ab0b9eb6d399174002a2275aaa46236299271d3abf490ceac6377b572d6dd1a1

SHA512
0383a869f8d219b9bf297c74b6a4f0a96073fbeb1a8965a34556a2e8fa5a98fdac1d95b083a55bde3a4e890147a41b96695f316acd6eeb96f4f78919c3ce3df7

Download Submit
/usr/bin/rbgbvanarv

Filesize
603KB

MD5
e0a7a1432b82989bd5e96f36ee0d6921

SHA1
9ac1728e6b9f615a51d6250c78dbf77cba93f8b0

SHA256
b7aa14dc4046cb823b566bbb73e54285bb6c7b85027ae71353c092887baa8378

SHA512
47ab2d8150b9d67bb296f2fe14fc3f3c53b911b8ca1c5a4e7f3a21c83eb97ea8c71a724a8e353bf7e2c17359ab7bc44c79372668f63bbd1955b392adcb0a5595

Download Submit
/usr/bin/tsfogvmerh

Filesize
603KB

MD5
30e2484a3c0b060a5ba98517e7b26a33

SHA1
8af45a6144d0de0349fed828ff8398c6a78f54a3

SHA256
b03fdae789b8e951cbcce25ef66f17d054385b2551610152db96f7370cf70e44

SHA512
f62abc4c498c2a981d742b8bd1cd2083f488681144d74ce1405ea290582843a0ab30aa188f05cdc293dfacb381a47ccf1ccbb6552b0acf943a6a3dffae0af941

Download Submit
/usr/bin/tsfogvmerh

Filesize
603KB

MD5
0d8caadce02a48d583f56e5c3a2c78b9

SHA1
211ba81af8f67b4e54339b2a941746ed578c7913

SHA256
6b085dbef0a6e949d6346e34222a158154e88d1f1edc8da4389ee0d38b1017ac

SHA512
ce83d3703eecdc886ebc070e945c4a92f82072df071cb79ffa7fbe3b2123efe1a2fbd01636ad9a247962b59af730ebb739d4d30bd65cb5ad59185d6d46fefba7

Download Submit
/usr/bin/yekgmplzhy

Filesize
603KB

MD5
0c0a8445596b0dce8464517394b77762

SHA1
2ce1d8d17460dc1a3e1fe22d4991c1574f9cc5c6

SHA256
c893a628936a5d8e5d75bd4256e75bb03760366a9048eaee64806bdb72b69af8

SHA512
7b4722b866cea7578c1d4e5be8ee3af60963705a584df52b2e2f85460fb92b956bcf91315521c9507f0407a47ffe51e0c13a1aa848378f7ddd12c1706d5ff43e

Download Submit
/usr/bin/yekgmplzhy

Filesize
603KB

MD5
f4c58d3f652996104c21f512215d277e

SHA1
7e030f349668386a70b04271a6148626ea195278

SHA256
9ce7dd45791271ee80ff30f5a06430c40329723716a053db49b9abb1f67b5498

SHA512
7d9ade9ff3cea291f3c6466d86f8f0cb570e271087c941e99b2f5d778a1bc3ce74f34d5df38dafb2d8ae61694460295bf7b9eb83c2421b58b4c4a03e08145e63

Download Submit