xorddos | b52d5c430f6b2d4061ee5ea4bb73289f9ee2da02e8dde46c08a958913252c4f9

Analysis

max time kernel
95s
max time network
85s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ea3e2aa4751022d24a8053619bbfa9
Size

610KB
MD5

a6ea3e2aa4751022d24a8053619bbfa9
SHA1

26e14b0eb3c2f7cef909c1e50ac326c06892e5ca
SHA256

b52d5c430f6b2d4061ee5ea4bb73289f9ee2da02e8dde46c08a958913252c4f9
SHA512

a22ab0be5c822ee569e6d62289c5cd30b2559777c5e4783cfc647b55bfff336de095114101a1da6e875eb51ebb13dcb7d8aebb534192633853a912454ab38451
SSDEEP

12288:kBvdieCWYsnxRQfx8HH70AlhEaLbljkj8O7Z/Yx6y9lSNU4UlUuTh1AG:kBveWDbQfEHtlh1LbljxPrMNWl/91h

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

ndns.dsaj2a1.org:3504

ndns.dsaj2a.org:3504

ndns.hcxiaoao.com:3504

ndns.dsaj2a.com:3504

103.25.9.245:3504

103.240.141.50:3504

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 10 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 1 IoCs

pid
1709

Executes dropped EXE 24 IoCs

ioc	pid	Process
/usr/bin/swzhozwkqk	1630	swzhozwkqk
/usr/bin/swzhozwkqk	1634	swzhozwkqk
/usr/bin/swzhozwkqk	1636	swzhozwkqk
/usr/bin/swzhozwkqk	1640	swzhozwkqk
/usr/bin/swzhozwkqk	1647	swzhozwkqk
/usr/bin/rtaduvgfuk	1658	rtaduvgfuk
/usr/bin/rtaduvgfuk	1661	rtaduvgfuk
/usr/bin/rtaduvgfuk	1663	rtaduvgfuk
/usr/bin/rtaduvgfuk	1667	rtaduvgfuk
/usr/bin/rtaduvgfuk	1670	rtaduvgfuk
/usr/bin/qkjylupmac	1673	qkjylupmac
/usr/bin/qkjylupmac	1675	qkjylupmac
/usr/bin/qkjylupmac	1679	qkjylupmac
/usr/bin/qkjylupmac	1682	qkjylupmac
/usr/bin/qkjylupmac	1684	qkjylupmac
/usr/bin/xbhjqzklyf	1688	xbhjqzklyf
/usr/bin/xbhjqzklyf	1690	xbhjqzklyf
/usr/bin/xbhjqzklyf	1693	xbhjqzklyf
/usr/bin/xbhjqzklyf	1696	xbhjqzklyf
/usr/bin/xbhjqzklyf	1700	xbhjqzklyf
/usr/bin/opebpqowsm	1703	opebpqowsm
/usr/bin/opebpqowsm	1706	opebpqowsm
/usr/bin/opebpqowsm	1708	opebpqowsm
/usr/bin/opebpqowsm	1711	opebpqowsm

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/a6ea3e2aa4751022d24a8053619bbfa9

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/swzhozwkqk
File opened for modification	/usr/bin/rtaduvgfuk
File opened for modification	/usr/bin/qkjylupmac
File opened for modification	/usr/bin/xbhjqzklyf
File opened for modification	/usr/bin/opebpqowsm

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl

/tmp/a6ea3e2aa4751022d24a8053619bbfa9
/tmp/a6ea3e2aa4751022d24a8053619bbfa9
1⤵
PID:1598

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1604
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1605

/bin/chkconfig
chkconfig --add a6ea3e2aa4751022d24a8053619bbfa9
1⤵
PID:1601

/sbin/chkconfig
chkconfig --add a6ea3e2aa4751022d24a8053619bbfa9
1⤵
PID:1601

/usr/bin/chkconfig
chkconfig --add a6ea3e2aa4751022d24a8053619bbfa9
1⤵
PID:1601

/usr/sbin/chkconfig
chkconfig --add a6ea3e2aa4751022d24a8053619bbfa9
1⤵
PID:1601

/usr/local/bin/chkconfig
chkconfig --add a6ea3e2aa4751022d24a8053619bbfa9
1⤵
PID:1601

/usr/local/sbin/chkconfig
chkconfig --add a6ea3e2aa4751022d24a8053619bbfa9
1⤵
PID:1601

/usr/X11R6/bin/chkconfig
chkconfig --add a6ea3e2aa4751022d24a8053619bbfa9
1⤵
PID:1601

/bin/update-rc.d
update-rc.d a6ea3e2aa4751022d24a8053619bbfa9 defaults
1⤵
PID:1603

/sbin/update-rc.d
update-rc.d a6ea3e2aa4751022d24a8053619bbfa9 defaults
1⤵
PID:1603

/usr/bin/update-rc.d
update-rc.d a6ea3e2aa4751022d24a8053619bbfa9 defaults
1⤵
PID:1603

/usr/sbin/update-rc.d
update-rc.d a6ea3e2aa4751022d24a8053619bbfa9 defaults
1⤵
PID:1603
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1607

/usr/bin/swzhozwkqk
/usr/bin/swzhozwkqk sh 1599
1⤵
- Executes dropped EXE
PID:1630

/usr/bin/swzhozwkqk
/usr/bin/swzhozwkqk uptime 1599
1⤵
- Executes dropped EXE
PID:1634

/usr/bin/swzhozwkqk
/usr/bin/swzhozwkqk ifconfig 1599
1⤵
- Executes dropped EXE
PID:1636

/usr/bin/swzhozwkqk
/usr/bin/swzhozwkqk ls 1599
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/swzhozwkqk
/usr/bin/swzhozwkqk "netstat -an" 1599
1⤵
- Executes dropped EXE
PID:1647

/usr/bin/rtaduvgfuk
/usr/bin/rtaduvgfuk id 1599
1⤵
- Executes dropped EXE
PID:1658

/usr/bin/rtaduvgfuk
/usr/bin/rtaduvgfuk "ps -ef" 1599
1⤵
- Executes dropped EXE
PID:1661

/usr/bin/rtaduvgfuk
/usr/bin/rtaduvgfuk gnome-terminal 1599
1⤵
- Executes dropped EXE
PID:1663

/usr/bin/rtaduvgfuk
/usr/bin/rtaduvgfuk "netstat -antop" 1599
1⤵
- Executes dropped EXE
PID:1667

/usr/bin/rtaduvgfuk
/usr/bin/rtaduvgfuk ifconfig 1599
1⤵
- Executes dropped EXE
PID:1670

/usr/bin/qkjylupmac
/usr/bin/qkjylupmac "route -n" 1599
1⤵
- Executes dropped EXE
PID:1673

/usr/bin/qkjylupmac
/usr/bin/qkjylupmac id 1599
1⤵
- Executes dropped EXE
PID:1675

/usr/bin/qkjylupmac
/usr/bin/qkjylupmac uptime 1599
1⤵
- Executes dropped EXE
PID:1679

/usr/bin/qkjylupmac
/usr/bin/qkjylupmac "grep \"A\"" 1599
1⤵
- Executes dropped EXE
PID:1682

/usr/bin/qkjylupmac
/usr/bin/qkjylupmac sh 1599
1⤵
- Executes dropped EXE
PID:1684

/usr/bin/xbhjqzklyf
/usr/bin/xbhjqzklyf su 1599
1⤵
- Executes dropped EXE
PID:1688

/usr/bin/xbhjqzklyf
/usr/bin/xbhjqzklyf "grep \"A\"" 1599
1⤵
- Executes dropped EXE
PID:1690

/usr/bin/xbhjqzklyf
/usr/bin/xbhjqzklyf "cd /etc" 1599
1⤵
- Executes dropped EXE
PID:1693

/usr/bin/xbhjqzklyf
/usr/bin/xbhjqzklyf "echo \"find\"" 1599
1⤵
- Executes dropped EXE
PID:1696

/usr/bin/xbhjqzklyf
/usr/bin/xbhjqzklyf "sleep 1" 1599
1⤵
- Executes dropped EXE
PID:1700

/usr/bin/opebpqowsm
/usr/bin/opebpqowsm "grep \"A\"" 1599
1⤵
- Executes dropped EXE
PID:1703

/usr/bin/opebpqowsm
/usr/bin/opebpqowsm pwd 1599
1⤵
- Executes dropped EXE
PID:1706

/usr/bin/opebpqowsm
/usr/bin/opebpqowsm "echo \"find\"" 1599
1⤵
- Executes dropped EXE
PID:1708

/usr/bin/opebpqowsm
/usr/bin/opebpqowsm "cat resolv.conf" 1599
1⤵
- Executes dropped EXE
PID:1711

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/sed95ODJ9

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc.so

Filesize
610KB

MD5
a6ea3e2aa4751022d24a8053619bbfa9

SHA1
26e14b0eb3c2f7cef909c1e50ac326c06892e5ca

SHA256
b52d5c430f6b2d4061ee5ea4bb73289f9ee2da02e8dde46c08a958913252c4f9

SHA512
a22ab0be5c822ee569e6d62289c5cd30b2559777c5e4783cfc647b55bfff336de095114101a1da6e875eb51ebb13dcb7d8aebb534192633853a912454ab38451

Download Submit
/run/mount.pid

Filesize
32B

MD5
76890d2bb9e7684f4ec292c9879cd3a8

SHA1
6e0e75a5a6deb4a40fbd09e5f3f85e7488ebd91a

SHA256
55328fa863b08847b7e2f419b14fd9d470b1e38db056d6c4b81ca113a003ec2d

SHA512
d79ae9ec4ea0fb4bed3eddbd23a17e3abcdbf49261236921e9828cd008715360a114c93392ec4f7bbbc54ffa68a1894153ede028b8fdec33f463f3db14772f64

Download Submit
/usr/bin/opebpqowsm

Filesize
610KB

MD5
a6934098f8767297371d8ac48261be03

SHA1
0f5069a1ce9add029b0eef9d4891266ea8c98f4a

SHA256
31dd5bba76436877e01500715c5f3590d6f7c0cf45689f5190ae04283bf9b554

SHA512
e17a9a6fa312fdef478c1b676e330c2e11594a981a969211f5055f51f4efd560947a1462bea48a60bbe6627ca16eeba62d0af9d70eb03b5b8f0b7fe443e0cb3b

Download Submit
/usr/bin/opebpqowsm

Filesize
610KB

MD5
f82b7d72b38f08ad5199abfd4170c6a1

SHA1
d6038a35a3df8101152019eb6ed6975210730612

SHA256
c90712439776861dc8ee84e45a49de60d3541c5580c7a20b0bc27cc5e992454f

SHA512
5b4af4519ee33938b51f727466a25a9852d4e4971f5d586ea690c1950c34ce4ca75f640f8575122fc80d228a4e8972bf084ae36486927a3a016c45d66de76070

Download Submit
/usr/bin/qkjylupmac

Filesize
610KB

MD5
751aa1a27a6ebadc7eddcea8d5701855

SHA1
c27c0dca5730c760c79d4aa3051847a5b4560f2b

SHA256
d5226dbe962a66f9ea38e676c19fb3b02f16dbb51c572ea6106c3b0cc0fa452f

SHA512
278cb3bfc28f2a7b5f68c1aaa77c5240408237756bfca775756878f8ccda6bd69775d772818b2ad0e4d32f12876e64fedac566bbd95ecbe2f626e4d996ddf42b

Download Submit
/usr/bin/qkjylupmac

Filesize
610KB

MD5
99b88d29ac19d275d52284022e79467a

SHA1
b3f01764f182a5609b7fc79f8a4d316b13737486

SHA256
0c47f1a63e706fd1e000b5ca0debbc224adc599e2106802e9f1f56e34bd4e724

SHA512
23983586dc8d50d4243a8845adeab9344340bb1854d86a2664922de0d936c7679f5b645c25e8afd0a70c893ffb006333cfb720424359ed686c1bd505171d1ac7

Download Submit
/usr/bin/rtaduvgfuk

Filesize
352KB

MD5
aa25e5a215457babf0b268fc577521d6

SHA1
3083514e5f9409b3438af512405a7dbf278ce3a1

SHA256
e1ad7f381b115c45e93b1d7e384429ac6dc7f7760a3e844da3fa53f078111425

SHA512
1ab96c160596320047b2219f39fc5376d11c286b85d5038b57404dcc18dd1fcc484c1d53c57afaf478b50b06f00b8e8e0e80c125aa6a3c811552279921b18025

Download Submit
/usr/bin/swzhozwkqk

Filesize
610KB

MD5
e5659c1bb29da48f5bb3bc3e0eb66f12

SHA1
b94ad4f4224cbb69413d6d2712e0e0d840b87d8b

SHA256
d1cab693fabafb4d3b62d0c1ea54ef74702173329a7e987f65342659364dd5ea

SHA512
fa3e32495aa876bfd19d91b1c298f4ff14a2598064afdcf6da8230e7af6c66ca74d945c0efa462766e611b7f2e80f0d25209bbded54ecf8eb51d0997e0d0b643

Download Submit
/usr/bin/swzhozwkqk

Filesize
610KB

MD5
6c72ec2412981dfc5c44bb7d95394831

SHA1
6a9d80f1daa00a2cc32c4889d9d7256a742b219a

SHA256
32b19cdc638c9531fb9075d17c05e5e9655bd6038acce294b8280d845b9c11f2

SHA512
39b3e9523699df9c0bb3d29d54fc0e8ee824dd6331a5144a6055e52deef40d0cc4048dd08a376dfa06cbc8d274863484868d15e17a4f889d7b234b7b91a35970

Download Submit
/usr/bin/xbhjqzklyf

Filesize
610KB

MD5
a813a64f2d7266dd8f4b206d7bf8bbe9

SHA1
79a5b375b201fb400814121291bd6fbf064299fa

SHA256
805bf22a1d185498cba10781228fd85ccbb8b88dfe919fa0e103efe8b47673ba

SHA512
da47a38fd3cc39f03b6df666d56604ef11f0a592945e4ccd0744bd9337f203a9117a49e514f8f791abf8400a76b25ab64c74a732d9c3248619dd688bd5a8cbd4

Download Submit
/usr/bin/xbhjqzklyf

Filesize
610KB

MD5
41d37be63ceb1ff0d6c18cf9cc641bec

SHA1
ca371be339eea81fd975f9f4004a9c98eb058788

SHA256
68a2e0ab2025d93bf19c82eb3d660fbb0163dde838116bce106e11a908dd5fa2

SHA512
44961ec48621158bd7755154598b39dc50571ed7c99db2e044f1b6b8269d7888f18d6e131d102e6a7f068fbcb8e9f2b478f8673105e9478b9b3660c7e2e0d929

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads