xorddos | f5b098419bdcd2aee198c074b895e113fb7cac9132ad1b592005d31f1394ad3f

Resubmissions

09-09-2024 19:21

240909-x2vfvsxdmc 10

22-12-2023 13:24

231222-qnwcnsgfhj 10

Analysis

max time kernel
103s
max time network
69s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1da9b563db9056c96523a8727a279e3
Size

603KB
MD5

a1da9b563db9056c96523a8727a279e3
SHA1

264124d50c9c25cea15459acb662b750bd7987c5
SHA256

f5b098419bdcd2aee198c074b895e113fb7cac9132ad1b592005d31f1394ad3f
SHA512

1418a5fc3fd23a0b10533a60ab76cfd71cd0894c0bf8fdc859fdc27a3673a4f5fc63320ab4e0aab81eefeaba933266933a74e60021a3985bb5dbe8ca90a93aaf
SSDEEP

12288:R40XBrnlTCbI5ZBP5IePtqLn4yFeC+oT6ygF9b4elMuThmVF:e01tCbqNNPtqLn4yFmoEbdlH9mn

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2857

navert0p.com:2857

wangzongfacai.com:2857

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 5 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos

Deletes itself 3 IoCs

pid
1667
1661
1664

Executes dropped EXE 18 IoCs

ioc	pid	Process
/usr/bin/ttsqcldftt	1594	ttsqcldftt
/usr/bin/ttsqcldftt	1617	ttsqcldftt
/usr/bin/ttsqcldftt	1620	ttsqcldftt
/usr/bin/ttsqcldftt	1623	ttsqcldftt
/usr/bin/ttsqcldftt	1626	ttsqcldftt
/usr/bin/mjtotbalol	1629	mjtotbalol
/usr/bin/mjtotbalol	1632	mjtotbalol
/usr/bin/mjtotbalol	1635	mjtotbalol
/usr/bin/mjtotbalol	1638	mjtotbalol
/usr/bin/mjtotbalol	1641	mjtotbalol
/usr/bin/fbsfisbdml	1644	fbsfisbdml
/usr/bin/fbsfisbdml	1647	fbsfisbdml
/usr/bin/fbsfisbdml	1650	fbsfisbdml
/usr/bin/fbsfisbdml	1653	fbsfisbdml
/usr/bin/fbsfisbdml	1656	fbsfisbdml
/usr/bin/qemigvxpvs	1659	qemigvxpvs
/usr/bin/qemigvxpvs	1662	qemigvxpvs
/usr/bin/qemigvxpvs	1665	qemigvxpvs

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/crontab	sh
File opened for modification	/etc/cron.hourly/udev.sh	Process not Found

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/a1da9b563db9056c96523a8727a279e3

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/mjtotbalol
File opened for modification	/usr/bin/fbsfisbdml
File opened for modification	/usr/bin/qemigvxpvs
File opened for modification	/usr/bin/ttsqcldftt

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found

/tmp/a1da9b563db9056c96523a8727a279e3
/tmp/a1da9b563db9056c96523a8727a279e3
1⤵
PID:1577

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/udev.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/udev.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1583
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/udev.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1584

/bin/chkconfig
chkconfig --add a1da9b563db9056c96523a8727a279e3
1⤵
PID:1580

/sbin/chkconfig
chkconfig --add a1da9b563db9056c96523a8727a279e3
1⤵
PID:1580

/usr/bin/chkconfig
chkconfig --add a1da9b563db9056c96523a8727a279e3
1⤵
PID:1580

/usr/sbin/chkconfig
chkconfig --add a1da9b563db9056c96523a8727a279e3
1⤵
PID:1580

/usr/local/bin/chkconfig
chkconfig --add a1da9b563db9056c96523a8727a279e3
1⤵
PID:1580

/usr/local/sbin/chkconfig
chkconfig --add a1da9b563db9056c96523a8727a279e3
1⤵
PID:1580

/usr/X11R6/bin/chkconfig
chkconfig --add a1da9b563db9056c96523a8727a279e3
1⤵
PID:1580

/bin/update-rc.d
update-rc.d a1da9b563db9056c96523a8727a279e3 defaults
1⤵
PID:1582

/sbin/update-rc.d
update-rc.d a1da9b563db9056c96523a8727a279e3 defaults
1⤵
PID:1582

/usr/bin/update-rc.d
update-rc.d a1da9b563db9056c96523a8727a279e3 defaults
1⤵
PID:1582

/usr/sbin/update-rc.d
update-rc.d a1da9b563db9056c96523a8727a279e3 defaults
1⤵
PID:1582
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1592

/usr/bin/ttsqcldftt
/usr/bin/ttsqcldftt "ifconfig eth0" 1578
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/ttsqcldftt
/usr/bin/ttsqcldftt top 1578
1⤵
- Executes dropped EXE
PID:1617

/usr/bin/ttsqcldftt
/usr/bin/ttsqcldftt gnome-terminal 1578
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/ttsqcldftt
/usr/bin/ttsqcldftt ls 1578
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/ttsqcldftt
/usr/bin/ttsqcldftt "ps -ef" 1578
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/mjtotbalol
/usr/bin/mjtotbalol "route -n" 1578
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/mjtotbalol
/usr/bin/mjtotbalol "ls -la" 1578
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/mjtotbalol
/usr/bin/mjtotbalol sh 1578
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/mjtotbalol
/usr/bin/mjtotbalol id 1578
1⤵
- Executes dropped EXE
PID:1638

/usr/bin/mjtotbalol
/usr/bin/mjtotbalol "cat resolv.conf" 1578
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/fbsfisbdml
/usr/bin/fbsfisbdml top 1578
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/fbsfisbdml
/usr/bin/fbsfisbdml ls 1578
1⤵
- Executes dropped EXE
PID:1647

/usr/bin/fbsfisbdml
/usr/bin/fbsfisbdml top 1578
1⤵
- Executes dropped EXE
PID:1650

/usr/bin/fbsfisbdml
/usr/bin/fbsfisbdml "cat resolv.conf" 1578
1⤵
- Executes dropped EXE
PID:1653

/usr/bin/fbsfisbdml
/usr/bin/fbsfisbdml "cd /etc" 1578
1⤵
- Executes dropped EXE
PID:1656

/usr/bin/qemigvxpvs
/usr/bin/qemigvxpvs "ifconfig eth0" 1578
1⤵
- Executes dropped EXE
PID:1659

/usr/bin/qemigvxpvs
/usr/bin/qemigvxpvs "ifconfig eth0" 1578
1⤵
- Executes dropped EXE
PID:1662

/usr/bin/qemigvxpvs
/usr/bin/qemigvxpvs su 1578
1⤵
- Executes dropped EXE
PID:1665

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/a1da9b563db9056c96523a8727a279e3

Filesize
425B

MD5
6c83e8fe0dc6e1bd2a698cdaec472a7d

SHA1
8d3e06a0889b168014a30beee67b97af459cd508

SHA256
6e7692f8a3f4c6b1df36181092220e242f524a7dfd2c4ec0890145698ab7f0b1

SHA512
b1d775099fc08c9dd258df41c42327688026ab1a8e477a05af5aca88ab2c501bff01d511b71411e3dfd5177e3150c24fb11515a42adc71e39fea44be71f1d578

Download Submit
/etc/sed3YNqCh

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc4.so

Filesize
603KB

MD5
a1da9b563db9056c96523a8727a279e3

SHA1
264124d50c9c25cea15459acb662b750bd7987c5

SHA256
f5b098419bdcd2aee198c074b895e113fb7cac9132ad1b592005d31f1394ad3f

SHA512
1418a5fc3fd23a0b10533a60ab76cfd71cd0894c0bf8fdc859fdc27a3673a4f5fc63320ab4e0aab81eefeaba933266933a74e60021a3985bb5dbe8ca90a93aaf

Download Submit
/run/udev.pid

Filesize
32B

MD5
3af92fd8316d68986f1c4a70337ca26d

SHA1
835df31eb095190b1ed55c073036e346fac03218

SHA256
26df316918f19e12ea8459be545acba4e4711567f1985649602e0a2c5fe7d03e

SHA512
69958def164eb3ab8b9af639e4f9237d879d70689c1b329fd083314235243b7524cddfa8788143a280665775819da5b2f4d04bb513677572e4e30d2425e93cc2

Download Submit
/usr/bin/mjtotbalol

Filesize
603KB

MD5
7090c8ee736ef636b57ab3f131aac36f

SHA1
7fe93359fe3e32545471427eeb9741bf385c45ff

SHA256
f7190273d944dd46c3ade0b0ce0a7abcc84399549a072a7a9327e6b62c1dc53e

SHA512
5c552e8335ca7c1032e3437b9117cd7b5b5f0d46ef2df12887d58bbb7f52cf57c1daa49f1abda0b0aa55aace1f3b165835f3383696e6c0af63375668ebc501bf

Download Submit
/usr/bin/mjtotbalol

Filesize
603KB

MD5
28721d1cc7484f75e151eb9ee2d9c1c9

SHA1
ec778b0b1791d8105d4d26c99e8ce77491c2145f

SHA256
57e75fdce076748dd7a5fc0559797aae7d771a815d81290f665577daf9f08699

SHA512
9000923c58652ed387d3d3160b7ce04eed35380fa925822ef3521b73da73274699f1a2fd555a284b949245a60c1afb1ab3b8b675a4f60adc6a5d87687653873e

Download Submit
/usr/bin/ttsqcldftt

Filesize
603KB

MD5
d372f83b731f86226f208ad0e212848a

SHA1
74669a20b9ce3550ca6b9c9ab1aaacfeca0b4500

SHA256
f710ee4a5fa1160f88853f05606bbccd82863ec3c448c4e56a5573d869f99bc6

SHA512
5f5347bc01a1e08a60f5e20506e5eef27b1f721e44b785a9c6f591d71951791f1e07a0897a73f36260bc1b3a717029a7ee755e85bc1380e65db7a9f0d0f5be4c

Download Submit
/usr/bin/ttsqcldftt

Filesize
603KB

MD5
66e87f93f32fe7f2d28e0df05d61e2af

SHA1
7d790848299d6cc35e4bb5f83e329f74a9fe1806

SHA256
0da72ede3ac2d268f87f9f57029cd70977805bef93254d5c80bd8449b1e1e3db

SHA512
e2389dece6ce976fdb6d15907eadb389a5c0ace6360fc2fcab57a266fd36308e4b71f6ab60e9f018cc6ef01f0bafff90892e55657048e77fa6c2032516e1a111

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads