xorddos | 92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86

Analysis

max time kernel
152s
max time network
158s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a99c10cb9713770b9e7dda376cddee3a
Size

611KB
MD5

a99c10cb9713770b9e7dda376cddee3a
SHA1

1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98
SHA256

92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86
SHA512

1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79
SSDEEP

12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiOx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhOfNiGQl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3308

ns4.hostasa.org:3308

ns1.hostasa.org:3308

ns2.hostasa.org:3308

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 9 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-20.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos

Deletes itself 2 IoCs

pid
1652
1655

Executes dropped EXE 23 IoCs

ioc	pid	Process
/usr/bin/ezytqikswp	1557	ezytqikswp
/usr/bin/ezytqikswp	1560	ezytqikswp
/usr/bin/ezytqikswp	1582	ezytqikswp
/usr/bin/ezytqikswp	1585	ezytqikswp
/usr/bin/ezytqikswp	1589	ezytqikswp
/usr/bin/uyfghmtazq	1602	uyfghmtazq
/usr/bin/uyfghmtazq	1605	uyfghmtazq
/usr/bin/uyfghmtazq	1608	uyfghmtazq
/usr/bin/uyfghmtazq	1611	uyfghmtazq
/usr/bin/uyfghmtazq	1614	uyfghmtazq
/usr/bin/kveehliiku	1617	kveehliiku
/usr/bin/kveehliiku	1620	kveehliiku
/usr/bin/kveehliiku	1623	kveehliiku
/usr/bin/kveehliiku	1625	kveehliiku
/usr/bin/kveehliiku	1628	kveehliiku
/usr/bin/usfptmwhbc	1632	usfptmwhbc
/usr/bin/usfptmwhbc	1635	usfptmwhbc
/usr/bin/usfptmwhbc	1637	usfptmwhbc
/usr/bin/usfptmwhbc	1641	usfptmwhbc
/usr/bin/usfptmwhbc	1644	usfptmwhbc
/usr/bin/jfhfvpppmc	1649	jfhfvpppmc
/usr/bin/jfhfvpppmc	1651	jfhfvpppmc
/usr/bin/jfhfvpppmc	1654	jfhfvpppmc

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/a99c10cb9713770b9e7dda376cddee3a

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/kveehliiku
File opened for modification	/usr/bin/usfptmwhbc
File opened for modification	/usr/bin/jfhfvpppmc
File opened for modification	/usr/bin/ezytqikswp
File opened for modification	/usr/bin/uyfghmtazq

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/1/environ	systemctl

/tmp/a99c10cb9713770b9e7dda376cddee3a
/tmp/a99c10cb9713770b9e7dda376cddee3a
1⤵
PID:1538

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1547
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1548

/bin/chkconfig
chkconfig --add a99c10cb9713770b9e7dda376cddee3a
1⤵
PID:1544

/sbin/chkconfig
chkconfig --add a99c10cb9713770b9e7dda376cddee3a
1⤵
PID:1544

/usr/bin/chkconfig
chkconfig --add a99c10cb9713770b9e7dda376cddee3a
1⤵
PID:1544

/usr/sbin/chkconfig
chkconfig --add a99c10cb9713770b9e7dda376cddee3a
1⤵
PID:1544

/usr/local/bin/chkconfig
chkconfig --add a99c10cb9713770b9e7dda376cddee3a
1⤵
PID:1544

/usr/local/sbin/chkconfig
chkconfig --add a99c10cb9713770b9e7dda376cddee3a
1⤵
PID:1544

/usr/X11R6/bin/chkconfig
chkconfig --add a99c10cb9713770b9e7dda376cddee3a
1⤵
PID:1544

/bin/update-rc.d
update-rc.d a99c10cb9713770b9e7dda376cddee3a defaults
1⤵
PID:1546

/sbin/update-rc.d
update-rc.d a99c10cb9713770b9e7dda376cddee3a defaults
1⤵
PID:1546

/usr/bin/update-rc.d
update-rc.d a99c10cb9713770b9e7dda376cddee3a defaults
1⤵
PID:1546

/usr/sbin/update-rc.d
update-rc.d a99c10cb9713770b9e7dda376cddee3a defaults
1⤵
PID:1546
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1552

/usr/bin/ezytqikswp
/usr/bin/ezytqikswp "route -n" 1542
1⤵
- Executes dropped EXE
PID:1557

/usr/bin/ezytqikswp
/usr/bin/ezytqikswp su 1542
1⤵
- Executes dropped EXE
PID:1560

/usr/bin/ezytqikswp
/usr/bin/ezytqikswp "netstat -antop" 1542
1⤵
- Executes dropped EXE
PID:1582

/usr/bin/ezytqikswp
/usr/bin/ezytqikswp "ls -la" 1542
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/ezytqikswp
/usr/bin/ezytqikswp "echo \"find\"" 1542
1⤵
- Executes dropped EXE
PID:1589

/usr/bin/uyfghmtazq
/usr/bin/uyfghmtazq ifconfig 1542
1⤵
- Executes dropped EXE
PID:1602

/usr/bin/uyfghmtazq
/usr/bin/uyfghmtazq "ps -ef" 1542
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/uyfghmtazq
/usr/bin/uyfghmtazq whoami 1542
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/uyfghmtazq
/usr/bin/uyfghmtazq uptime 1542
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/uyfghmtazq
/usr/bin/uyfghmtazq sh 1542
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/kveehliiku
/usr/bin/kveehliiku su 1542
1⤵
- Executes dropped EXE
PID:1617

/usr/bin/kveehliiku
/usr/bin/kveehliiku id 1542
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/kveehliiku
/usr/bin/kveehliiku "ifconfig eth0" 1542
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/kveehliiku
/usr/bin/kveehliiku "ls -la" 1542
1⤵
- Executes dropped EXE
PID:1625

/usr/bin/kveehliiku
/usr/bin/kveehliiku "netstat -an" 1542
1⤵
- Executes dropped EXE
PID:1628

/usr/bin/usfptmwhbc
/usr/bin/usfptmwhbc "netstat -an" 1542
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/usfptmwhbc
/usr/bin/usfptmwhbc su 1542
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/usfptmwhbc
/usr/bin/usfptmwhbc sh 1542
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/usfptmwhbc
/usr/bin/usfptmwhbc "cd /etc" 1542
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/usfptmwhbc
/usr/bin/usfptmwhbc "grep \"A\"" 1542
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/jfhfvpppmc
/usr/bin/jfhfvpppmc top 1542
1⤵
- Executes dropped EXE
PID:1649

/usr/bin/jfhfvpppmc
/usr/bin/jfhfvpppmc "ifconfig eth0" 1542
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/jfhfvpppmc
/usr/bin/jfhfvpppmc id 1542
1⤵
- Executes dropped EXE
PID:1654

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/a99c10cb9713770b9e7dda376cddee3a

Filesize
425B

MD5
543b968b534e735c660d4e2c4a2f2a99

SHA1
67af3a3caf9d3b5b582dfc7185c2ac1081a22d3a

SHA256
dc32db4d75a97ebda5d65e5a31aa749e8515185717f85c927cbfe8c472dd245a

SHA512
e2600afc20398f4893f0379d1f5fe1fe8130d79b26a8d43d85087124f4dc3ae37ed5484b9a353d419671db11b0978bcfc94dee13c1e9d0605a7994183dd75584

Download Submit
/etc/sedh75AXz

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
a99c10cb9713770b9e7dda376cddee3a

SHA1
1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98

SHA256
92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86

SHA512
1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79

Download Submit
/run/gcc.pid

Filesize
32B

MD5
46a3f05c42d0fd1a7e4c3273a1c6a819

SHA1
449d2939287a0516efcd89ac1c2ee7ac55deba09

SHA256
81f25f94f178d21cbb68480ad29636c58f9cc984eacd2e6f46898649c8fecfea

SHA512
ec799130b78f7935b2537922cc66256270388c73928c7f31edafb36b667cf6744902e2b2ce7bf196682301bab1e8d723659727c8c15dcbb5a43178f2106047d5

Download Submit
/usr/bin/ezytqikswp

Filesize
611KB

MD5
47a42148b0df0ec6e735ece4f6ab5701

SHA1
f390d944b3f0df8ef5b24c368216c6ddff084a8f

SHA256
98fbcdfc9b39e55b957e19cbd6faff6950e44044dee770e3571ac819247b43d6

SHA512
422e23dc43f3fee59d4c2e4e42cfce155a0e3654519175c31c7647a8c6102c65b667a40b850201de932c23970c81553b90d3b3270677ad64a13cf052ebcec619

Download Submit
/usr/bin/ezytqikswp

Filesize
611KB

MD5
5dbc70f3c6a1e2a195e6c8c6e17f139e

SHA1
105b648b85526f8783aeb1275d608e56f525304f

SHA256
179ba5214e5c836e83ab826ca243cbb6978eb4ff241009490d6a41e222f0fb3b

SHA512
4951909cb989e1a5aec7a22e1f0073cc3da636be984c73e229a4c1cb04d4d770f24cd0fc33750bf81a6f2298b2989bb1109e3c7017058a2031df3a140120d208

Download Submit
/usr/bin/jfhfvpppmc

Filesize
611KB

MD5
b8f73bff1d128e34da275d2b9e4c327f

SHA1
800601f32cd2e8f5aeb673eea2356b61fb88ed5c

SHA256
2e34de6acebca67418d0d22ce2c514e4e4829102edf5483b29c684bdfefe997e

SHA512
5a67a38fb53f1ccafa23c7f0b8863f88fec01c00e73d50023cada613891f9c470a58e2fe1e17e530178c93d0e5c66851b544d03b6337f596104364467f31dc3e

Download Submit
/usr/bin/jfhfvpppmc

Filesize
611KB

MD5
86abdd69dfc3e689720799958c469896

SHA1
80b6d0b4fcff78ac152ef15ee0c31a97d4d81568

SHA256
8c75989e50784f158ff263058049b678e06743d579dbe275446c339e72c1a116

SHA512
db2f8d539ccfbcbafdc5cc284a1ba00cf8ad1b241fdce999d91f47effab291e96478a6c7b85035abd413c82ab23ec6f0f63f4323ac904d6cbb817b0321711b8f

Download Submit
/usr/bin/kveehliiku

Filesize
611KB

MD5
d8fbd4700c8d5da60cba3672aaf6348a

SHA1
dd6ed0c9da754a59560080a8716b22f8a661a664

SHA256
c930cfa5963bad44090fd5d977ee77086bd948598764c4c1300c276d9725262d

SHA512
0a12f5bd5c6246e86b8269532e40f59965d8c4de3a98fc661ace8c5abe63035c9d5d0b914adb03c7f2cd3dc668970c7583f992f6e6696a87d7da38f8f7af8299

Download Submit
/usr/bin/kveehliiku

Filesize
611KB

MD5
70b6f04c33527bb8fa307e916bf25463

SHA1
86af439312a7dc3ba537b97985e355f69e997def

SHA256
d40e14cbf87713567516751fd862df43a41a71d51723d1f55ad94ea805e12223

SHA512
d41e653015251f81d18f3c5e90960c045de286731441c976db41288d7cfe2f140dfa09c971220b4f8234c1cc92001db1b841663be5a201ac8b0737d7c869aae3

Download Submit
/usr/bin/usfptmwhbc

Filesize
611KB

MD5
3188f68bbb0a4eecd6a544ff7b79fca6

SHA1
ce6c87935a0ecc61a2b79358f3d45f3036d1878a

SHA256
2c906af5582c24a24f5458fdaf47f269e58a1f8672e6b1dba1e3b669f29b5edc

SHA512
c63db525d403bd448a1e3a518cc296e89bb347b603676d17a7c85f9f82627d7a52a3103841cffc6300d5c188f115dd35c9ed24c1a37cf60d6c78ed398f3f00b7

Download Submit
/usr/bin/usfptmwhbc

Filesize
611KB

MD5
165132324a090bf24fa05f89a4000c3c

SHA1
cddff1e32ceb37dfa117d4ca14fca7eed859c5d0

SHA256
a557d2b90aa8517af57cd1a884e4fe78c556fc9f00f808057c99ddc85c2e1c2e

SHA512
d8a1c64f3ee0a301fbc5c88c722a8fab4279fbc10d5e75c525fc50575bf181e68f4d2c1261790bee188daed5ec5c249f9a5f908cc3da970924dbe18841bef34c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads