xorddos | 61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521

Analysis

max time kernel
153s
max time network
157s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcb6b83a4e6e20ffe0ce3c750360ddf5
Size

611KB
MD5

bcb6b83a4e6e20ffe0ce3c750360ddf5
SHA1

d88755b78834e87418aa3cb3bfee5de5c378bd2f
SHA256

61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521
SHA512

f3be44f45eb0c453192b0ddeb7d37f3335499b41b46cc3190e918ac2909f048b3857d2496ebd33fa79ddce4024a1b47a5e44867ff576c18eb998c7e4f87914ca
SSDEEP

12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiZx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhZfNiGQl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3307

ns4.hostasa.org:3307

ns1.hostasa.org:3307

ns2.hostasa.org:3307

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 9 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-7.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-17.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos

Deletes itself 3 IoCs

pid
1708
1702
1705

Executes dropped EXE 23 IoCs

ioc	pid	Process
/usr/bin/cazttevhte	1610	cazttevhte
/usr/bin/cazttevhte	1640	cazttevhte
/usr/bin/cazttevhte	1645	cazttevhte
/usr/bin/cazttevhte	1649	cazttevhte
/usr/bin/cazttevhte	1652	cazttevhte
/usr/bin/wufvlcffdp	1655	wufvlcffdp
/usr/bin/wufvlcffdp	1657	wufvlcffdp
/usr/bin/wufvlcffdp	1661	wufvlcffdp
/usr/bin/wufvlcffdp	1664	wufvlcffdp
/usr/bin/wufvlcffdp	1667	wufvlcffdp
/usr/bin/hrgmquwhwb	1670	hrgmquwhwb
/usr/bin/hrgmquwhwb	1673	hrgmquwhwb
/usr/bin/hrgmquwhwb	1676	hrgmquwhwb
/usr/bin/hrgmquwhwb	1679	hrgmquwhwb
/usr/bin/hrgmquwhwb	1682	hrgmquwhwb
/usr/bin/unjgetwmbf	1685	unjgetwmbf
/usr/bin/unjgetwmbf	1687	unjgetwmbf
/usr/bin/unjgetwmbf	1690	unjgetwmbf
/usr/bin/unjgetwmbf	1694	unjgetwmbf
/usr/bin/unjgetwmbf	1696	unjgetwmbf
/usr/bin/qysehxzwdj	1700	qysehxzwdj
/usr/bin/qysehxzwdj	1703	qysehxzwdj
/usr/bin/qysehxzwdj	1706	qysehxzwdj

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/bcb6b83a4e6e20ffe0ce3c750360ddf5

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/cazttevhte
File opened for modification	/usr/bin/wufvlcffdp
File opened for modification	/usr/bin/hrgmquwhwb
File opened for modification	/usr/bin/unjgetwmbf
File opened for modification	/usr/bin/qysehxzwdj

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl

/tmp/bcb6b83a4e6e20ffe0ce3c750360ddf5
/tmp/bcb6b83a4e6e20ffe0ce3c750360ddf5
1⤵
PID:1594

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1600
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1601

/bin/chkconfig
chkconfig --add bcb6b83a4e6e20ffe0ce3c750360ddf5
1⤵
PID:1597

/sbin/chkconfig
chkconfig --add bcb6b83a4e6e20ffe0ce3c750360ddf5
1⤵
PID:1597

/usr/bin/chkconfig
chkconfig --add bcb6b83a4e6e20ffe0ce3c750360ddf5
1⤵
PID:1597

/usr/sbin/chkconfig
chkconfig --add bcb6b83a4e6e20ffe0ce3c750360ddf5
1⤵
PID:1597

/usr/local/bin/chkconfig
chkconfig --add bcb6b83a4e6e20ffe0ce3c750360ddf5
1⤵
PID:1597

/usr/local/sbin/chkconfig
chkconfig --add bcb6b83a4e6e20ffe0ce3c750360ddf5
1⤵
PID:1597

/usr/X11R6/bin/chkconfig
chkconfig --add bcb6b83a4e6e20ffe0ce3c750360ddf5
1⤵
PID:1597

/bin/update-rc.d
update-rc.d bcb6b83a4e6e20ffe0ce3c750360ddf5 defaults
1⤵
PID:1599

/sbin/update-rc.d
update-rc.d bcb6b83a4e6e20ffe0ce3c750360ddf5 defaults
1⤵
PID:1599

/usr/bin/update-rc.d
update-rc.d bcb6b83a4e6e20ffe0ce3c750360ddf5 defaults
1⤵
PID:1599

/usr/sbin/update-rc.d
update-rc.d bcb6b83a4e6e20ffe0ce3c750360ddf5 defaults
1⤵
PID:1599
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1609

/usr/bin/cazttevhte
/usr/bin/cazttevhte id 1595
1⤵
- Executes dropped EXE
PID:1610

/usr/bin/cazttevhte
/usr/bin/cazttevhte who 1595
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/cazttevhte
/usr/bin/cazttevhte bash 1595
1⤵
- Executes dropped EXE
PID:1645

/usr/bin/cazttevhte
/usr/bin/cazttevhte "ps -ef" 1595
1⤵
- Executes dropped EXE
PID:1649

/usr/bin/cazttevhte
/usr/bin/cazttevhte "sleep 1" 1595
1⤵
- Executes dropped EXE
PID:1652

/usr/bin/wufvlcffdp
/usr/bin/wufvlcffdp top 1595
1⤵
- Executes dropped EXE
PID:1655

/usr/bin/wufvlcffdp
/usr/bin/wufvlcffdp "ifconfig eth0" 1595
1⤵
- Executes dropped EXE
PID:1657

/usr/bin/wufvlcffdp
/usr/bin/wufvlcffdp gnome-terminal 1595
1⤵
- Executes dropped EXE
PID:1661

/usr/bin/wufvlcffdp
/usr/bin/wufvlcffdp "cd /etc" 1595
1⤵
- Executes dropped EXE
PID:1664

/usr/bin/wufvlcffdp
/usr/bin/wufvlcffdp top 1595
1⤵
- Executes dropped EXE
PID:1667

/usr/bin/hrgmquwhwb
/usr/bin/hrgmquwhwb "ifconfig eth0" 1595
1⤵
- Executes dropped EXE
PID:1670

/usr/bin/hrgmquwhwb
/usr/bin/hrgmquwhwb "netstat -antop" 1595
1⤵
- Executes dropped EXE
PID:1673

/usr/bin/hrgmquwhwb
/usr/bin/hrgmquwhwb id 1595
1⤵
- Executes dropped EXE
PID:1676

/usr/bin/hrgmquwhwb
/usr/bin/hrgmquwhwb top 1595
1⤵
- Executes dropped EXE
PID:1679

/usr/bin/hrgmquwhwb
/usr/bin/hrgmquwhwb bash 1595
1⤵
- Executes dropped EXE
PID:1682

/usr/bin/unjgetwmbf
/usr/bin/unjgetwmbf "ls -la" 1595
1⤵
- Executes dropped EXE
PID:1685

/usr/bin/unjgetwmbf
/usr/bin/unjgetwmbf "ps -ef" 1595
1⤵
- Executes dropped EXE
PID:1687

/usr/bin/unjgetwmbf
/usr/bin/unjgetwmbf sh 1595
1⤵
- Executes dropped EXE
PID:1690

/usr/bin/unjgetwmbf
/usr/bin/unjgetwmbf id 1595
1⤵
- Executes dropped EXE
PID:1694

/usr/bin/unjgetwmbf
/usr/bin/unjgetwmbf gnome-terminal 1595
1⤵
- Executes dropped EXE
PID:1696

/usr/bin/qysehxzwdj
/usr/bin/qysehxzwdj "ls -la" 1595
1⤵
- Executes dropped EXE
PID:1700

/usr/bin/qysehxzwdj
/usr/bin/qysehxzwdj pwd 1595
1⤵
- Executes dropped EXE
PID:1703

/usr/bin/qysehxzwdj
/usr/bin/qysehxzwdj who 1595
1⤵
- Executes dropped EXE
PID:1706

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/bcb6b83a4e6e20ffe0ce3c750360ddf5

Filesize
425B

MD5
e94a34457161f31b5861dd5a2c8469d3

SHA1
8225dedaff9b6f8c71e8d780a360b641fa080527

SHA256
d5e9ed4dab4d890761e83594795fdbf8f190e1bbc1e7a19d425e178ede3a045d

SHA512
86d885f76ee723c251d746dac457e62f66121a9bd7e047895f2499e59c574cc97bdf596e7a84e708163e9f8c9190f7b6f66978c143bb2cf4c2320be47777610c

Download Submit
/etc/sedlyeNJg

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
548KB

MD5
51f6a4cd624a863f21374eace580d0d0

SHA1
04363938c5e00ad09fdd0649610a704febbd6ae1

SHA256
815199abc44ff7f253d956c15f9d0bfd19f38fa9603bd0eb1f51207c8b623c3b

SHA512
1532b02dee9575ff9788b36033485edcc112cc83faaafdb3e0d33306e47fb927b96f3b89bfb47c047fd73f52249e23e4d21deca680262a01e6b78bbd81b953cd

Download Submit
/run/gcc.pid

Filesize
32B

MD5
4557fcd8e225f98fc2d41b47a48ae67d

SHA1
659ed280d76cd096cb17210abfa2f6fffa35ce8f

SHA256
2962b199ed3bafa2815a4b65c26090c95097d230b8a7ba270a73c104ad5675e1

SHA512
a8797370cbd96f7a1a4940beedca8bbc0c48d0939b40a926b8646db2514644c0ff2187890e1701a9f5cce37cb64b42802d38b5c0bd1513371799c5ff58def993

Download Submit
/usr/bin/cazttevhte

Filesize
268KB

MD5
50c94c79e986e6bc0e80cfd6f51dbb2e

SHA1
6c9fd4a0b40c358fba0f9a42d4b4ba81eb0f6a97

SHA256
a3c0c70626e11fbc5300a49dd56ba476802c7a02f1889ed63f5565ea2e0a6d23

SHA512
f43a6b4c0c9015fdcaeca3ca8c19812cf73cb1a7a0032a70320a3004d7af322bf963808f7a28607a32f376462938f765494bd746da56389f966da0601921e6b5

Download Submit
/usr/bin/hrgmquwhwb

Filesize
611KB

MD5
71a273933891c1d5ee2ed79fe4e0c354

SHA1
443088b2f4460350c932556f3c280cbec6c50429

SHA256
9f3d4c9d05b119f089196cad7a1b99e503f978514827a1427f181af0e9704a7a

SHA512
4e644d761e1d1a7a32e2e7748b8e0537fe5d65e891f262fb51929c92bb000a3a1d4c8ec7b1ea1064a04d3c8785e3ae026a1b0a2355d94f885ac121fbc158b784

Download Submit
/usr/bin/hrgmquwhwb

Filesize
611KB

MD5
c858e61a1808306e14eda187eafb6b2d

SHA1
26bbb62e32833ad878e4cafba763622e4e19abaa

SHA256
2e05954ade7ea39a0fc217928c2bdc17f91549d733d2820f92ac5c4cd67b1f61

SHA512
31fa116ebd4736aebb897e63806009ee60b3ebd1316bc2816444b151f1fa73a7075fcd80ea1b1778e807cf96ae29f3bfe4768ad6058fe55135a90885059a4c24

Download Submit
/usr/bin/unjgetwmbf

Filesize
611KB

MD5
edb5541d36a8fea0c50ecf8bfc3a045a

SHA1
0820911284b6cecca83098766bd05b99a1a2b458

SHA256
2186061e45e287e20ce2fc867fc9fad49ebad89775969cf3118fe9c916d291b1

SHA512
1cac2b6b817db839cc274d861135e8cf05b695f49d474173597c3b82dadf9ff29bbd2eb5c7ffcc724786543e66ecd9e0ad60f4936372ac4a5741c2c8247325ab

Download Submit
/usr/bin/unjgetwmbf

Filesize
611KB

MD5
8be295ea0deb2b54ad00e77679a4c351

SHA1
1af115bbf7157e99899ed9324bfee623c3ae703c

SHA256
b257f14f61c4ff13f6e5d72990bb1768d925d0b06ef30d3b245287d78c77cd41

SHA512
a40eb3f769280e6ceb086b61977c3d23c9de105e80f733f2ca81001bf675a3e89c356c49cd37cdbda95e465fb24a42136380ff52f79429a3f8034d705db0361b

Download Submit
/usr/bin/wufvlcffdp

Filesize
611KB

MD5
bcb6b83a4e6e20ffe0ce3c750360ddf5

SHA1
d88755b78834e87418aa3cb3bfee5de5c378bd2f

SHA256
61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521

SHA512
f3be44f45eb0c453192b0ddeb7d37f3335499b41b46cc3190e918ac2909f048b3857d2496ebd33fa79ddce4024a1b47a5e44867ff576c18eb998c7e4f87914ca

Download Submit
/usr/bin/wufvlcffdp

Filesize
611KB

MD5
0843a12740dfbc267cadfbf88d6aa4c5

SHA1
f5e0d7c12385f37228dd5ceba4945f724a52a8cb

SHA256
85a1a52b0f28cf41b495ea1185b09945ffffe848ad3a9135402417b0b90677eb

SHA512
275749fcd4da42adcceb2574b8d79d1a5e06078d01825ab42f4ee22d9f87802c058fdfe9b1a346b138fbd5daaeb462fd9790f9a03c785a44fa8f043901b95eb8

Download Submit
/usr/bin/wufvlcffdp

Filesize
611KB

MD5
75dcd6897ab8777a4c25d4c3f91a5b35

SHA1
2993d5bd26fc056a82c1b1cdaab57a180a5c5982

SHA256
24390d9d51dd0cda93a0632d819be55f59878a3ada0611e0313382f5645df7c2

SHA512
a1da3a5ee7a5e3602b4460388ecd86de65864295f17311cc8f1564054b28b42e441b9857f57c7b839b4c41d55675741209bd824d8ff97240bd72087e148a3696

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads