xorddos | 292adb2a5917259e10fbfce5e936f993dad8bf1d813e3b9d5d9c9bf4ea4b8037

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c10ffeaf668f69c1124f6cd5fe0dff3b
Size

595KB
MD5

c10ffeaf668f69c1124f6cd5fe0dff3b
SHA1

99b10f29a401f8846b1b94b0906ff9bad8128117
SHA256

292adb2a5917259e10fbfce5e936f993dad8bf1d813e3b9d5d9c9bf4ea4b8037
SHA512

1040df753d9a4c27cbcba709a5ac3120a001cac78803103c639c0506bfefa13836910baa391c17dd6123c494dc2fcea0a23202488306b8455eedae3072673f74
SSDEEP

12288:9bf8IKMnQXbeyFlGF/5oYAx//tqdx286yNrMu9h7Dxu9hc7L:tf8INobe0kxoYAx//tQ26TzD4XcP

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2822

www.wangzongfacai.com:2822

174.139.217.145:2822

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 11 IoCs

Processes:

resource	yara_rule
/lib/libgcc4.so	family_xorddos
/usr/bin/rwethbootl	family_xorddos
/usr/bin/rwethbootl	family_xorddos
/usr/bin/iyhfwtaqff	family_xorddos
/usr/bin/iyhfwtaqff	family_xorddos
/usr/bin/nclpupahvv	family_xorddos
/usr/bin/uazkmtceqh	family_xorddos
/usr/bin/uazkmtceqh	family_xorddos
/usr/bin/ccpflxgcwn	family_xorddos
/usr/bin/ccpflxgcwn	family_xorddos
/usr/bin/ccpflxgcwn	family_xorddos

Deletes itself 3 IoCs

Processes:

pid

1684
1687
1689

pid
1684
1687
1689

Executes dropped EXE 23 IoCs

Processes:

rwethbootlrwethbootlrwethbootlrwethbootlrwethbootliyhfwtaqffiyhfwtaqffiyhfwtaqffiyhfwtaqffiyhfwtaqffnclpupahvvnclpupahvvnclpupahvvnclpupahvvnclpupahvvuazkmtceqhuazkmtceqhuazkmtceqhuazkmtceqhuazkmtceqhccpflxgcwnccpflxgcwnccpflxgcwn

ioc	pid	process
/usr/bin/rwethbootl	1586	rwethbootl
/usr/bin/rwethbootl	1595	rwethbootl
/usr/bin/rwethbootl	1598	rwethbootl
/usr/bin/rwethbootl	1605	rwethbootl
/usr/bin/rwethbootl	1608	rwethbootl
/usr/bin/iyhfwtaqff	1627	iyhfwtaqff
/usr/bin/iyhfwtaqff	1629	iyhfwtaqff
/usr/bin/iyhfwtaqff	1632	iyhfwtaqff
/usr/bin/iyhfwtaqff	1635	iyhfwtaqff
/usr/bin/iyhfwtaqff	1639	iyhfwtaqff
/usr/bin/nclpupahvv	1642	nclpupahvv
/usr/bin/nclpupahvv	1644	nclpupahvv
/usr/bin/nclpupahvv	1648	nclpupahvv
/usr/bin/nclpupahvv	1651	nclpupahvv
/usr/bin/nclpupahvv	1653	nclpupahvv
/usr/bin/uazkmtceqh	1657	uazkmtceqh
/usr/bin/uazkmtceqh	1659	uazkmtceqh
/usr/bin/uazkmtceqh	1662	uazkmtceqh
/usr/bin/uazkmtceqh	1665	uazkmtceqh
/usr/bin/uazkmtceqh	1669	uazkmtceqh
/usr/bin/ccpflxgcwn	1681	ccpflxgcwn
/usr/bin/ccpflxgcwn	1683	ccpflxgcwn
/usr/bin/ccpflxgcwn	1686	ccpflxgcwn

Unexpected DNS network traffic destination 20 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/udev.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/c10ffeaf668f69c1124f6cd5fe0dff3b

description	ioc
File opened for modification	/etc/cron.hourly/udev.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/c10ffeaf668f69c1124f6cd5fe0dff3b

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/rwethbootl
File opened for modification	/usr/bin/iyhfwtaqff
File opened for modification	/usr/bin/nclpupahvv
File opened for modification	/usr/bin/uazkmtceqh
File opened for modification	/usr/bin/ccpflxgcwn

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	systemctl

/tmp/c10ffeaf668f69c1124f6cd5fe0dff3b
/tmp/c10ffeaf668f69c1124f6cd5fe0dff3b
1⤵
PID:1559

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/udev.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/udev.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1565
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/udev.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1566

/bin/chkconfig
chkconfig --add c10ffeaf668f69c1124f6cd5fe0dff3b
1⤵
PID:1562

/sbin/chkconfig
chkconfig --add c10ffeaf668f69c1124f6cd5fe0dff3b
1⤵
PID:1562

/usr/bin/chkconfig
chkconfig --add c10ffeaf668f69c1124f6cd5fe0dff3b
1⤵
PID:1562

/usr/sbin/chkconfig
chkconfig --add c10ffeaf668f69c1124f6cd5fe0dff3b
1⤵
PID:1562

/usr/local/bin/chkconfig
chkconfig --add c10ffeaf668f69c1124f6cd5fe0dff3b
1⤵
PID:1562

/usr/local/sbin/chkconfig
chkconfig --add c10ffeaf668f69c1124f6cd5fe0dff3b
1⤵
PID:1562

/usr/X11R6/bin/chkconfig
chkconfig --add c10ffeaf668f69c1124f6cd5fe0dff3b
1⤵
PID:1562

/bin/update-rc.d
update-rc.d c10ffeaf668f69c1124f6cd5fe0dff3b defaults
1⤵
PID:1564

/sbin/update-rc.d
update-rc.d c10ffeaf668f69c1124f6cd5fe0dff3b defaults
1⤵
PID:1564

/usr/bin/update-rc.d
update-rc.d c10ffeaf668f69c1124f6cd5fe0dff3b defaults
1⤵
PID:1564

/usr/sbin/update-rc.d
update-rc.d c10ffeaf668f69c1124f6cd5fe0dff3b defaults
1⤵
PID:1564
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1568

/usr/bin/rwethbootl
/usr/bin/rwethbootl "grep \"A\"" 1560
1⤵
- Executes dropped EXE
PID:1586

/usr/bin/rwethbootl
/usr/bin/rwethbootl uptime 1560
1⤵
- Executes dropped EXE
PID:1595

/usr/bin/rwethbootl
/usr/bin/rwethbootl "grep \"A\"" 1560
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/rwethbootl
/usr/bin/rwethbootl uptime 1560
1⤵
- Executes dropped EXE
PID:1605

/usr/bin/rwethbootl
/usr/bin/rwethbootl uptime 1560
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/iyhfwtaqff
/usr/bin/iyhfwtaqff gnome-terminal 1560
1⤵
- Executes dropped EXE
PID:1627

/usr/bin/iyhfwtaqff
/usr/bin/iyhfwtaqff "netstat -antop" 1560
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/iyhfwtaqff
/usr/bin/iyhfwtaqff "cd /etc" 1560
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/iyhfwtaqff
/usr/bin/iyhfwtaqff "ifconfig eth0" 1560
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/iyhfwtaqff
/usr/bin/iyhfwtaqff "echo \"find\"" 1560
1⤵
- Executes dropped EXE
PID:1639

/usr/bin/nclpupahvv
/usr/bin/nclpupahvv ls 1560
1⤵
- Executes dropped EXE
PID:1642

/usr/bin/nclpupahvv
/usr/bin/nclpupahvv "ps -ef" 1560
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/nclpupahvv
/usr/bin/nclpupahvv "cat resolv.conf" 1560
1⤵
- Executes dropped EXE
PID:1648

/usr/bin/nclpupahvv
/usr/bin/nclpupahvv bash 1560
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/nclpupahvv
/usr/bin/nclpupahvv "cd /etc" 1560
1⤵
- Executes dropped EXE
PID:1653

/usr/bin/uazkmtceqh
/usr/bin/uazkmtceqh ls 1560
1⤵
- Executes dropped EXE
PID:1657

/usr/bin/uazkmtceqh
/usr/bin/uazkmtceqh sh 1560
1⤵
- Executes dropped EXE
PID:1659

/usr/bin/uazkmtceqh
/usr/bin/uazkmtceqh "ps -ef" 1560
1⤵
- Executes dropped EXE
PID:1662

/usr/bin/uazkmtceqh
/usr/bin/uazkmtceqh ifconfig 1560
1⤵
- Executes dropped EXE
PID:1665

/usr/bin/uazkmtceqh
/usr/bin/uazkmtceqh gnome-terminal 1560
1⤵
- Executes dropped EXE
PID:1669

/usr/bin/ccpflxgcwn
/usr/bin/ccpflxgcwn "ls -la" 1560
1⤵
- Executes dropped EXE
PID:1681

/usr/bin/ccpflxgcwn
/usr/bin/ccpflxgcwn whoami 1560
1⤵
- Executes dropped EXE
PID:1683

/usr/bin/ccpflxgcwn
/usr/bin/ccpflxgcwn "ps -ef" 1560
1⤵
- Executes dropped EXE
PID:1686

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/udev.sh

Filesize
146B

MD5
ddb9a901eadce597284d68ebd9fe9311

SHA1
1d26318bbe55f2f936ae1015df656535427083c2

SHA256
3bb8ebd394bcaea3f083d93daa3c3bcf918a4618f84ab45a1942759d16b070fc

SHA512
e94bd51f02c323d2376e666a9c56a87c2f55d1805b44762d4bc6d5d60ca52e85ce996ba51142213ba783ac858660a3ba254988215b0f4d398b1e99bf132a5d1c

Download Submit
/etc/init.d/c10ffeaf668f69c1124f6cd5fe0dff3b

Filesize
425B

MD5
2ef1cdf9d8f8d62a55275dd63fcd8ecd

SHA1
8f56142f91b1e13c889fad983bf8223e7e28ff8c

SHA256
9ae2e95210943dabcdaadb61d0411cd2ad365b433189b7ad38dee640bcfc4c7d

SHA512
5f66c72e107be87b9ea563d87b8970ba4bf246e5a5fc786551b84b239c59a79e7bc5bb5e77426d3fd3ed472509596817edeca4e9181f03b1ad1a853f38aa6f06

Download Submit
/etc/sed9aQogj

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc4.so

Filesize
595KB

MD5
c10ffeaf668f69c1124f6cd5fe0dff3b

SHA1
99b10f29a401f8846b1b94b0906ff9bad8128117

SHA256
292adb2a5917259e10fbfce5e936f993dad8bf1d813e3b9d5d9c9bf4ea4b8037

SHA512
1040df753d9a4c27cbcba709a5ac3120a001cac78803103c639c0506bfefa13836910baa391c17dd6123c494dc2fcea0a23202488306b8455eedae3072673f74

Download Submit
/run/udev.pid

Filesize
32B

MD5
6d7ec8fb97f438f12e10217876208771

SHA1
91c4e7ee62b36003ac4788fef294aa9f0d184d8a

SHA256
5ae7b90deecc02091bf1a1352b1fde177136289a83aac030cee948881340c609

SHA512
b0fce3a99557ba143bb9b1960699b674b28166cc34b12762f846c4026754a96f3c01036a81d6649d9a4afeafef93281c1f5b8251a5b8cad6eaf573169bda1f34

Download Submit
/usr/bin/ccpflxgcwn

Filesize
320KB

MD5
64a58c4364dce42a71992e5efa17c6a2

SHA1
2313a97b79dd5de4e5a490ea916675a7ebb86f1b

SHA256
ff0fce6b21d4ea9e09622f440897e5d9a3470b0c69dbe59e86394bf28f16e953

SHA512
365884827f7b5ce34934aecb2498dd2e39ae742186fba4ac225a82282f6922bb2ff049e3cdc818e43a1d16502f11afeb7fda09ef671128635e962740463e5fd3

Download Submit
/usr/bin/ccpflxgcwn

Filesize
595KB

MD5
6af5bb7053f1f98db9618531e3395128

SHA1
5eaea96006042eaae4283e0cfd9dd21a072f2213

SHA256
296c51943e35bcf7da9189744f99fbc7dd8097ee63936285e9b5ef897c260629

SHA512
f9fd1ad54336fa673777777cc029864c42f41ae2037befaaeca8a66080d25cdc53b7e3a7d4dff74e171a4b591c541573b8ea4660a428da0ad318597a4ae7748f

Download Submit
/usr/bin/ccpflxgcwn

Filesize
595KB

MD5
b60d1c659008e238c9d417fc3c3acb25

SHA1
8199e09c4a8877663cbf61e72b1cf5e93222bb62

SHA256
bb696c3c53494a6743bb766ad072252fb709e00020df1bf39c1f4758d6716d11

SHA512
38c4ee4e22c29bc4ebbeb93b2fc40d9cf784a3c068a90ec3ffd7d35defc86dcd173e48c1fe5c850825b4a96a169ccd692aee5d52740ce41e50bb43ffa529f904

Download Submit
/usr/bin/iyhfwtaqff

Filesize
595KB

MD5
fd1f58674cff393505d724620ed1b9c3

SHA1
cf22a7c70e0776e2002c1b144b8de2cc4041d26f

SHA256
380b207fe256e6a12dd0bc5457eab2778798d63aad9c74b999699125bf17367c

SHA512
ff343bda2e29b99f4e076c5fcd92b732803c8aa64662a333a3eef0962d2a51bb0cdd23c47da61085d072ae0c52e55efba2cf570a3537b290e00f5aeb651c0e54

Download Submit
/usr/bin/iyhfwtaqff

Filesize
595KB

MD5
b4717bcb1b7a00d5306144a65ad9664a

SHA1
3889cc34c5aeb969d75f05453cf01fb2bc56d725

SHA256
516256dcf88c5f6ac30b6b4dc0273e2b1bc32c7208f4be159a4ccee0184982e7

SHA512
dd25899fcde7dbbc1e821a476d25fd825dfe9beedbcb0b438321979cdf6d1bc5df08dc9acdcc0905fff6e6a8ee45f19f01b7095320fa650aeb9665263f309f28

Download Submit
/usr/bin/nclpupahvv

Filesize
320KB

MD5
33cd7db82ab758242ce7d9ed424989be

SHA1
6e15835b97b8a4c1e8fce98d70a0ad56ea66a34e

SHA256
590dd522c242dc458761aee6ffdd81990d192e7eac0e0b33694f64ad7c5c49bb

SHA512
ad70eee88c56ffbce756b6e4cfd55521f505d87162a9daee3c6e0de868e454e0d19169208e85750b36b10945b5537531af964c39f835cd18ac5e049f8fb13386

Download Submit
/usr/bin/rwethbootl

Filesize
595KB

MD5
a14f074228a5f7080e5cd10e6ff2f684

SHA1
616249f26147f879be1c4f3047ec978fd0ad0658

SHA256
ed29bd33bd0a540ee503ddff3e5ce2f786598d9af166cf21ea0cca6cf6f8eedc

SHA512
5e7b9ebfe068cf7fcaaa0e445763a66a226f8c6e7e2d1d994a285db97034f4007f14aaedc0a7a12217f6a5915f01add102468edf45230062c93cb3f8ff5f8061

Download Submit
/usr/bin/rwethbootl

Filesize
595KB

MD5
b84068dbb63a63ca418d46096e103ab0

SHA1
3d78e9c0418976b71712f8a852b6a68fc37a2c78

SHA256
67cca062ea94927bf066680d82a76c89433d23c033f2a8a035afad2d4b061920

SHA512
c5698d5070970ad76a99261845733876c02f1a2f2eb80239dd885efe99d383e8e3015617fc86df9faa9e528591893065dc581c441dcdd5aea897f383d1778acc

Download Submit
/usr/bin/uazkmtceqh

Filesize
595KB

MD5
3a92795a798711ccc88a5d27abbb4c83

SHA1
3b948f0b5ca4fee9d2f38e2b4b20531cc4fcd765

SHA256
7965316d77ac9914aad69043af51e6615c6028d7ff285dd2253b0a5afdf18f8d

SHA512
a0ae79eff7af0f72daae6fee01fb48f7b30932d8a9a4fec496977ef8010597846468be6cb936480605ec51d4ff7ea4c0b3281c0064a966bdd805944da4940b7d

Download Submit
/usr/bin/uazkmtceqh

Filesize
595KB

MD5
3e305048fd795814fdec0390206516ae

SHA1
ef2a3d096a802f095a4cbb0232554ec70a11a0d4

SHA256
503e8f8064cdcb175049b16c00a4b51e3dca2ef373d679e95a1d02a96edab3a2

SHA512
0c757960b4cdbb505e78bc3ebbe67ecbfbef165ebcf4140b0140216071e2517081aa9da7ee73a300f888945c0865723545fc1bcb8b4bd3ce275a9343d0aac3a1

Download Submit