xorddos | 3cfc749a10fb708aac1b255d0fd2fb0fe3bcff19adb638421aab8fabb6621852

Analysis

max time kernel
116s
max time network
81s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a609138f0791ce100bd2ad8efa1f74b2
Size

611KB
MD5

a609138f0791ce100bd2ad8efa1f74b2
SHA1

c8348ea38b3871218f305a382a9738cf9b3d59c9
SHA256

3cfc749a10fb708aac1b255d0fd2fb0fe3bcff19adb638421aab8fabb6621852
SHA512

6f5dd1f7e9781701e87b858ae138e930a2f32aa2e0c80fea81e3b2919788260173c6eeb486e6b8aa347830721e5fbd77d6753cbac56936a65e56eec5a3d55399
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrgT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNgBVEBl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/config.rar

ns3.hostasa.org:4306

ns4.hostasa.org:4306

ns1.hostasa.org:4306

ns2.hostasa.org:4306

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 11 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/atlsvkohxk	family_xorddos
/usr/bin/atlsvkohxk	family_xorddos
/usr/bin/ejgzhzwvui	family_xorddos
/usr/bin/ejgzhzwvui	family_xorddos
/usr/bin/ttafxwnvsn	family_xorddos
/usr/bin/ttafxwnvsn	family_xorddos
/usr/bin/ghucytvlze	family_xorddos
/usr/bin/ghucytvlze	family_xorddos
/usr/bin/aibqcofvqw	family_xorddos
/usr/bin/aibqcofvqw	family_xorddos

Deletes itself 3 IoCs

Processes:

pid

1700
1697
1703

pid
1700
1697
1703

Executes dropped EXE 24 IoCs

Processes:

atlsvkohxkatlsvkohxkatlsvkohxkatlsvkohxkatlsvkohxkejgzhzwvuiejgzhzwvuiejgzhzwvuiejgzhzwvuiejgzhzwvuittafxwnvsnttafxwnvsnttafxwnvsnttafxwnvsnttafxwnvsnghucytvlzeghucytvlzeghucytvlzeghucytvlzeghucytvlzeaibqcofvqwaibqcofvqwaibqcofvqwaibqcofvqw

ioc	pid	process
/usr/bin/atlsvkohxk	1620	atlsvkohxk
/usr/bin/atlsvkohxk	1626	atlsvkohxk
/usr/bin/atlsvkohxk	1628	atlsvkohxk
/usr/bin/atlsvkohxk	1635	atlsvkohxk
/usr/bin/atlsvkohxk	1631	atlsvkohxk
/usr/bin/ejgzhzwvui	1649	ejgzhzwvui
/usr/bin/ejgzhzwvui	1651	ejgzhzwvui
/usr/bin/ejgzhzwvui	1655	ejgzhzwvui
/usr/bin/ejgzhzwvui	1657	ejgzhzwvui
/usr/bin/ejgzhzwvui	1660	ejgzhzwvui
/usr/bin/ttafxwnvsn	1664	ttafxwnvsn
/usr/bin/ttafxwnvsn	1667	ttafxwnvsn
/usr/bin/ttafxwnvsn	1669	ttafxwnvsn
/usr/bin/ttafxwnvsn	1672	ttafxwnvsn
/usr/bin/ttafxwnvsn	1675	ttafxwnvsn
/usr/bin/ghucytvlze	1679	ghucytvlze
/usr/bin/ghucytvlze	1681	ghucytvlze
/usr/bin/ghucytvlze	1684	ghucytvlze
/usr/bin/ghucytvlze	1688	ghucytvlze
/usr/bin/ghucytvlze	1691	ghucytvlze
/usr/bin/aibqcofvqw	1694	aibqcofvqw
/usr/bin/aibqcofvqw	1696	aibqcofvqw
/usr/bin/aibqcofvqw	1699	aibqcofvqw
/usr/bin/aibqcofvqw	1702	aibqcofvqw

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/a609138f0791ce100bd2ad8efa1f74b2

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/a609138f0791ce100bd2ad8efa1f74b2

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/aibqcofvqw
File opened for modification	/usr/bin/atlsvkohxk
File opened for modification	/usr/bin/ejgzhzwvui
File opened for modification	/usr/bin/ttafxwnvsn
File opened for modification	/usr/bin/ghucytvlze

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

sedsystemctl

description	ioc	process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev
File opened for reading	/proc/stat
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl

/tmp/a609138f0791ce100bd2ad8efa1f74b2
/tmp/a609138f0791ce100bd2ad8efa1f74b2
1⤵
PID:1590

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1596
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1597

/bin/chkconfig
chkconfig --add a609138f0791ce100bd2ad8efa1f74b2
1⤵
PID:1593

/sbin/chkconfig
chkconfig --add a609138f0791ce100bd2ad8efa1f74b2
1⤵
PID:1593

/usr/bin/chkconfig
chkconfig --add a609138f0791ce100bd2ad8efa1f74b2
1⤵
PID:1593

/usr/sbin/chkconfig
chkconfig --add a609138f0791ce100bd2ad8efa1f74b2
1⤵
PID:1593

/usr/local/bin/chkconfig
chkconfig --add a609138f0791ce100bd2ad8efa1f74b2
1⤵
PID:1593

/usr/local/sbin/chkconfig
chkconfig --add a609138f0791ce100bd2ad8efa1f74b2
1⤵
PID:1593

/usr/X11R6/bin/chkconfig
chkconfig --add a609138f0791ce100bd2ad8efa1f74b2
1⤵
PID:1593

/bin/update-rc.d
update-rc.d a609138f0791ce100bd2ad8efa1f74b2 defaults
1⤵
PID:1595

/sbin/update-rc.d
update-rc.d a609138f0791ce100bd2ad8efa1f74b2 defaults
1⤵
PID:1595

/usr/bin/update-rc.d
update-rc.d a609138f0791ce100bd2ad8efa1f74b2 defaults
1⤵
PID:1595

/usr/sbin/update-rc.d
update-rc.d a609138f0791ce100bd2ad8efa1f74b2 defaults
1⤵
PID:1595
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1599

/usr/bin/atlsvkohxk
/usr/bin/atlsvkohxk gnome-terminal 1591
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/atlsvkohxk
/usr/bin/atlsvkohxk "netstat -antop" 1591
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/atlsvkohxk
/usr/bin/atlsvkohxk ls 1591
1⤵
- Executes dropped EXE
PID:1628

/usr/bin/atlsvkohxk
/usr/bin/atlsvkohxk pwd 1591
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/atlsvkohxk
/usr/bin/atlsvkohxk "cat resolv.conf" 1591
1⤵
- Executes dropped EXE
PID:1631

/usr/bin/ejgzhzwvui
/usr/bin/ejgzhzwvui whoami 1591
1⤵
- Executes dropped EXE
PID:1649

/usr/bin/ejgzhzwvui
/usr/bin/ejgzhzwvui who 1591
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/ejgzhzwvui
/usr/bin/ejgzhzwvui ls 1591
1⤵
- Executes dropped EXE
PID:1655

/usr/bin/ejgzhzwvui
/usr/bin/ejgzhzwvui "grep \"A\"" 1591
1⤵
- Executes dropped EXE
PID:1657

/usr/bin/ejgzhzwvui
/usr/bin/ejgzhzwvui "cat resolv.conf" 1591
1⤵
- Executes dropped EXE
PID:1660

/usr/bin/ttafxwnvsn
/usr/bin/ttafxwnvsn bash 1591
1⤵
- Executes dropped EXE
PID:1664

/usr/bin/ttafxwnvsn
/usr/bin/ttafxwnvsn top 1591
1⤵
- Executes dropped EXE
PID:1667

/usr/bin/ttafxwnvsn
/usr/bin/ttafxwnvsn whoami 1591
1⤵
- Executes dropped EXE
PID:1669

/usr/bin/ttafxwnvsn
/usr/bin/ttafxwnvsn gnome-terminal 1591
1⤵
- Executes dropped EXE
PID:1672

/usr/bin/ttafxwnvsn
/usr/bin/ttafxwnvsn gnome-terminal 1591
1⤵
- Executes dropped EXE
PID:1675

/usr/bin/ghucytvlze
/usr/bin/ghucytvlze ifconfig 1591
1⤵
- Executes dropped EXE
PID:1679

/usr/bin/ghucytvlze
/usr/bin/ghucytvlze pwd 1591
1⤵
- Executes dropped EXE
PID:1681

/usr/bin/ghucytvlze
/usr/bin/ghucytvlze "netstat -an" 1591
1⤵
- Executes dropped EXE
PID:1684

/usr/bin/ghucytvlze
/usr/bin/ghucytvlze pwd 1591
1⤵
- Executes dropped EXE
PID:1688

/usr/bin/ghucytvlze
/usr/bin/ghucytvlze who 1591
1⤵
- Executes dropped EXE
PID:1691

/usr/bin/aibqcofvqw
/usr/bin/aibqcofvqw top 1591
1⤵
- Executes dropped EXE
PID:1694

/usr/bin/aibqcofvqw
/usr/bin/aibqcofvqw "grep \"A\"" 1591
1⤵
- Executes dropped EXE
PID:1696

/usr/bin/aibqcofvqw
/usr/bin/aibqcofvqw su 1591
1⤵
- Executes dropped EXE
PID:1699

/usr/bin/aibqcofvqw
/usr/bin/aibqcofvqw "ls -la" 1591
1⤵
- Executes dropped EXE
PID:1702

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/a609138f0791ce100bd2ad8efa1f74b2

Filesize
425B

MD5
61ebaa815bcf93229cf3902308938633

SHA1
f30bb17302a2330e5830e6729a64d8a262cf221f

SHA256
f7c34de62b3753a107421980e573421f28b3b5839793006da270407dda4c7fa6

SHA512
8246505c23a593b8917301f1656b1f20f1965828066f8b7f49797585262839e489aab9d95a8b21b7490467f088b4ca67e1902ea06683919a5eff89348935af67

Download Submit
/etc/sedUwT5s5

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
a609138f0791ce100bd2ad8efa1f74b2

SHA1
c8348ea38b3871218f305a382a9738cf9b3d59c9

SHA256
3cfc749a10fb708aac1b255d0fd2fb0fe3bcff19adb638421aab8fabb6621852

SHA512
6f5dd1f7e9781701e87b858ae138e930a2f32aa2e0c80fea81e3b2919788260173c6eeb486e6b8aa347830721e5fbd77d6753cbac56936a65e56eec5a3d55399

Download Submit
/run/gcc.pid

Filesize
32B

MD5
8872519f59efa05c9042da07d0d26f9c

SHA1
4eaf49943ebb0a61098ccfde23408a67ac906b77

SHA256
f19bc83cf50d78bec37d78b4f0684f73790b1087cdd41345aff300b496edb80a

SHA512
ae058a633af5ee43c046c80051e142a0900eeea1a1506f0e10933ea0c6142ed781442b78c48a99bdd7f762bfc143349a82e81acca80335f9b81f90e240dae8b7

Download Submit
/usr/bin/aibqcofvqw

Filesize
611KB

MD5
4a14ade1a99c7a79518ba5d8d647497c

SHA1
f1786959a79d372d769486788f1cc9c9e963cff9

SHA256
3d1a625a5880da41aba024030af33fe430c23a5a8f6227bb17ba1f041f20cbd2

SHA512
b70af5e415a9bcee1faa63f7ee0f4a68bd70314632b3244f0aa21cadcf9f2c9f8e63d35dbe2fa460d5c04f00b0dd2ea5a219e14fc12431eab2909593c1230875

Download Submit
/usr/bin/aibqcofvqw

Filesize
611KB

MD5
bf46b3a04a2a5e6ccccf4a884314e8af

SHA1
f88fcee6f47edfb475bbef35e428c47d319f4511

SHA256
dc2835be10964a4a07a475c23edd3afbea72cfb6b1b6cab0a5c489303c6cf5c1

SHA512
728b26ef2429d761c15dd43cb42f31ae62a6e886a2cc290cbe7fb5085e345b356b41e144214c2910fcc836f3b2169fd7cb02fcaf0eccd0ae5647675d3304cfa1

Download Submit
/usr/bin/atlsvkohxk

Filesize
611KB

MD5
8a17d27cff55a39023dda3cddbfec095

SHA1
c03da02d4933bff761acc09aa4ab79dcdff39313

SHA256
0b4dbfbc4827b7fd7031822428d15a315ccd9e82d8d9348d61de7e3b5af23220

SHA512
e5b1547825bd3396efa4d758fc805f8956f7190c8d7928844f95a95974574ab67864bae984390d96c4de8560f83ec013f2fb2610d534f6b89e5c1899822cbe72

Download Submit
/usr/bin/atlsvkohxk

Filesize
611KB

MD5
ee8a779a651c0134adf50e3130fbf367

SHA1
33de5c6e6fe703a6c96840df3039885d59d8a1df

SHA256
6ccfeb65b2b16f2c6cd519a762ebe7949afd4f71c1fd5ad4bfe364350e754fd3

SHA512
a63b49ae309db53be5af13ca3548b4cc9edc54747d4efbd28d04a5d2bb958f7e721d6ed49db7a502674d576feaf1efc0a086af2a2f6f7d71fbc692df6cc4e54b

Download Submit
/usr/bin/ejgzhzwvui

Filesize
611KB

MD5
aa9292ef638b5aabbb03dd590b35e4e1

SHA1
416296678917edb089a2ba4cd303a0532c2e43ed

SHA256
c10f25a7a0d992c669f4957c3707c3e45a65c983d5c8adfd124a56597b7ef7a6

SHA512
5b5232a986d73523b3e0156d0ff93536046ded93fd102f6021b31e6b3a8c39bba5d8e27f4bbb8077a7a3c0ff683059678040e479d99ab4d693c0c4fbcf38f8d5

Download Submit
/usr/bin/ejgzhzwvui

Filesize
611KB

MD5
c9dbd45812e0ef0d6d95aaf41f4acae5

SHA1
c2117f43883a7733fdd032931b21f74b3c75db67

SHA256
8c4eefb34599377c19094cc6c7dedb362bdea254aa5a0b3f13dc74d9af4c13db

SHA512
2bb0f3c862e435fc8bf955e674d9918b07c306ad38eaf6ea1ae26dfe1b3bd839b13dd58620bfd8e36fc91a68a798a6e3a7e8e7c9a9785280b597ac4cd2142959

Download Submit
/usr/bin/ghucytvlze

Filesize
611KB

MD5
29b9a20740d8080267cdd5f9a654bc08

SHA1
aa0b7e0b2ac80d4d06266f8b0bee5c1e8377aca6

SHA256
0939b0b76b007d192133d0e6533276a8be3e5bce47ea3dd8abbcc81e30d82249

SHA512
22c209b756d9b05fa4ca0c6e0f9d6a84aa80cbc39d4e9a9f2b52aca89afede16e78d8620f98a63d4e925b95a7c9722c32ce71d9463b786c39886f125762a402f

Download Submit
/usr/bin/ghucytvlze

Filesize
611KB

MD5
3850beb661971337846aa4b6fcbbf21c

SHA1
a47539f768188428627b17ab3e9bb0ef05140847

SHA256
fa2a3eb3a1a207dc7fac34b8b2a57bd31e84018296c312b495455390126b892e

SHA512
a718bdef42dc080758e47a8c14f8492d4eb38c2db85992405b055588dd070e0c15b0d6bbe069c54efda449670215d76795ad94ccf40cb141b6f1c6c6649dcb7f

Download Submit
/usr/bin/ttafxwnvsn

Filesize
611KB

MD5
30c4a85dcba6e133a16a4f5c81520d40

SHA1
06365307abe9e53239d3077f5027bf3053220579

SHA256
98f36de4b115097074a271fc26dfa5dd0e88c968a8a300e844cd436fbade68ba

SHA512
46ad84dd440d3acfe4f63374f7985c74d7e8b06895bc7338f51ae372a7544399ddd8aac744ba5cfa3e8a6d646c6e5c5867a43bd9286c0ce5e438b1929d07bbc3

Download Submit
/usr/bin/ttafxwnvsn

Filesize
611KB

MD5
99ab6233cb710b0f2769a55c468772e4

SHA1
f1678e9e8f25357a99510f7f9fffa29c67c4817b

SHA256
de0da902f387f354b8c3cd8b71fadc2ac6588aaa0d0fecc54ada57edcb8cde53

SHA512
f6c9e67a90cef9b9008c17ebb46a9f03e430827d7613a52d6e02be9c10113bdb1ed667601c3f714a9bdbc38657ddd43b45fe00bf40f77eceb65277544db1219a

Download Submit