xorddos | 2154547c69bf8bee7f296bd8ce56ffa4115da65c2308e9fc6d5079b2eb9dec93

Analysis

max time kernel
134s
max time network
103s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

atrdadsrcc
Size

659KB
MD5

1d79488a09ef56ae2e60e1985b18e7a2
SHA1

0b25e8f36a9738bb4d2dd2cd711f1aa7213db517
SHA256

4aaa0b0d1ccb91b090df97a47b15536157f6f141cdce67867d339d0f01b3981d
SHA512

b77fda07473e8f3e7ff2a1e25bb556164e3fddb40fe791a0b96538dfcc766f96c6e15082dccc77e79fff73f34497d0c43643134a633ff8740bbc4a287ec0c91b
SSDEEP

12288:aBo9ETRNT9Wn1J0OhS18tDm8PCExfLZ9JCCpyvOH36ybCQ7YLVN1/lFkThVArw:aBo9ANo70OE8A8PCExfLZ/CTvQrKLd/Q

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

103.25.9.245:8002

103.240.141.50:8002

66.102.253.30:8002

ndns.dsaj2a1.org:8002

ndns.dsaj2a.org:8002

ndns.hcxiaoao.com:8002

ndns.dsaj2a.com:8002

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 12 IoCs

Processes:

resource	yara_rule
/lib/udev/udev	family_xorddos
/boot/lvbfqmhjzv	family_xorddos
/boot/jzhabjfbpy	family_xorddos
/boot/jzhabjfbpy	family_xorddos
/boot/tjortgxfvv	family_xorddos
/boot/tjortgxfvv	family_xorddos
/boot/mfuiynluzp	family_xorddos
/boot/mfuiynluzp	family_xorddos
/boot/zxanyzbncm	family_xorddos
/boot/zxanyzbncm	family_xorddos
/boot/tawgklzegr	family_xorddos
/boot/tawgklzegr	family_xorddos

Deletes itself 2 IoCs

Processes:

pid

1530
1644

pid
1530
1644

Executes dropped EXE 23 IoCs

Processes:

lvbfqmhjzvjzhabjfbpyjzhabjfbpyjzhabjfbpyjzhabjfbpyjzhabjfbpytjortgxfvvtjortgxfvvtjortgxfvvtjortgxfvvtjortgxfvvmfuiynluzpmfuiynluzpmfuiynluzpmfuiynluzpmfuiynluzpzxanyzbncmzxanyzbncmzxanyzbncmzxanyzbncmzxanyzbncmtawgklzegrtawgklzegr

ioc	pid	process
/boot/lvbfqmhjzv	1532	lvbfqmhjzv
/boot/jzhabjfbpy	1546	jzhabjfbpy
/boot/jzhabjfbpy	1549	jzhabjfbpy
/boot/jzhabjfbpy	1570	jzhabjfbpy
/boot/jzhabjfbpy	1575	jzhabjfbpy
/boot/jzhabjfbpy	1577	jzhabjfbpy
/boot/tjortgxfvv	1581	tjortgxfvv
/boot/tjortgxfvv	1583	tjortgxfvv
/boot/tjortgxfvv	1587	tjortgxfvv
/boot/tjortgxfvv	1590	tjortgxfvv
/boot/tjortgxfvv	1593	tjortgxfvv
/boot/mfuiynluzp	1599	mfuiynluzp
/boot/mfuiynluzp	1601	mfuiynluzp
/boot/mfuiynluzp	1605	mfuiynluzp
/boot/mfuiynluzp	1608	mfuiynluzp
/boot/mfuiynluzp	1611	mfuiynluzp
/boot/zxanyzbncm	1616	zxanyzbncm
/boot/zxanyzbncm	1618	zxanyzbncm
/boot/zxanyzbncm	1624	zxanyzbncm
/boot/zxanyzbncm	1627	zxanyzbncm
/boot/zxanyzbncm	1632	zxanyzbncm
/boot/tawgklzegr	1642	tawgklzegr
/boot/tawgklzegr	1645	tawgklzegr

Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 103.25.9.228
Destination IP 103.25.9.228
Destination IP 103.25.9.228
Destination IP 103.25.9.228
Destination IP 103.25.9.228
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

description ioc

File opened for reading /proc/cpuinfo
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

description ioc

File opened for modification /etc/cron.hourly/cron.sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/lvbfqmhjzv

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

description	ioc
File opened for reading	/proc/cpuinfo

description	ioc
File opened for modification	/etc/cron.hourly/cron.sh

description	ioc
File opened for modification	/etc/init.d/lvbfqmhjzv

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctl

description	ioc	process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/rs_dev
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/meminfo
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	systemctl

/tmp/atrdadsrcc
/tmp/atrdadsrcc
1⤵
PID:1529

/boot/lvbfqmhjzv
/boot/lvbfqmhjzv
1⤵
- Executes dropped EXE
PID:1532

/bin/update-rc.d
update-rc.d lvbfqmhjzv defaults
1⤵
PID:1537

/sbin/update-rc.d
update-rc.d lvbfqmhjzv defaults
1⤵
PID:1537

/usr/bin/update-rc.d
update-rc.d lvbfqmhjzv defaults
1⤵
PID:1537

/usr/sbin/update-rc.d
update-rc.d lvbfqmhjzv defaults
1⤵
PID:1537
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1545

/bin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/sbin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/bin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/sbin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/local/bin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/local/sbin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/X11R6/bin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/boot/jzhabjfbpy
/boot/jzhabjfbpy uptime 1533
1⤵
- Executes dropped EXE
PID:1546

/boot/jzhabjfbpy
/boot/jzhabjfbpy "route -n" 1533
1⤵
- Executes dropped EXE
PID:1549

/boot/jzhabjfbpy
/boot/jzhabjfbpy "ls -la" 1533
1⤵
- Executes dropped EXE
PID:1570

/boot/jzhabjfbpy
/boot/jzhabjfbpy "ifconfig eth0" 1533
1⤵
- Executes dropped EXE
PID:1575

/boot/jzhabjfbpy
/boot/jzhabjfbpy whoami 1533
1⤵
- Executes dropped EXE
PID:1577

/boot/tjortgxfvv
/boot/tjortgxfvv "ifconfig eth0" 1533
1⤵
- Executes dropped EXE
PID:1581

/boot/tjortgxfvv
/boot/tjortgxfvv whoami 1533
1⤵
- Executes dropped EXE
PID:1583

/boot/tjortgxfvv
/boot/tjortgxfvv "cd /etc" 1533
1⤵
- Executes dropped EXE
PID:1587

/boot/tjortgxfvv
/boot/tjortgxfvv "echo \"find\"" 1533
1⤵
- Executes dropped EXE
PID:1590

/boot/tjortgxfvv
/boot/tjortgxfvv "cat resolv.conf" 1533
1⤵
- Executes dropped EXE
PID:1593

/boot/mfuiynluzp
/boot/mfuiynluzp "ls -la" 1533
1⤵
- Executes dropped EXE
PID:1599

/boot/mfuiynluzp
/boot/mfuiynluzp uptime 1533
1⤵
- Executes dropped EXE
PID:1601

/boot/mfuiynluzp
/boot/mfuiynluzp top 1533
1⤵
- Executes dropped EXE
PID:1605

/boot/mfuiynluzp
/boot/mfuiynluzp "cd /etc" 1533
1⤵
- Executes dropped EXE
PID:1608

/boot/mfuiynluzp
/boot/mfuiynluzp "sleep 1" 1533
1⤵
- Executes dropped EXE
PID:1611

/boot/zxanyzbncm
/boot/zxanyzbncm "netstat -antop" 1533
1⤵
- Executes dropped EXE
PID:1616

/boot/zxanyzbncm
/boot/zxanyzbncm "echo \"find\"" 1533
1⤵
- Executes dropped EXE
PID:1618

/boot/zxanyzbncm
/boot/zxanyzbncm top 1533
1⤵
- Executes dropped EXE
PID:1624

/boot/zxanyzbncm
/boot/zxanyzbncm whoami 1533
1⤵
- Executes dropped EXE
PID:1627

/boot/zxanyzbncm
/boot/zxanyzbncm "ifconfig eth0" 1533
1⤵
- Executes dropped EXE
PID:1632

/boot/tawgklzegr
/boot/tawgklzegr "route -n" 1533
1⤵
- Executes dropped EXE
PID:1642

/boot/tawgklzegr
/boot/tawgklzegr bash 1533
1⤵
- Executes dropped EXE
PID:1645

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/jzhabjfbpy

Filesize
659KB

MD5
28a1dbd6678d82d683bbc2bf3e119215

SHA1
27d7103563fe08e2320ac9765d025398c197462b

SHA256
82cc7bc87450355af4c59dd9782e538591bfbb1f51a1ea3dff89171f1bd79cce

SHA512
a4bc66f7023646b8d1871a6db5cc09c78a37cbd61bf5a88734958847a909ee05ab57751c823d50d7f16f62bc1c3ccde2e31a8317ac21bf6ab8970a111bc42536

Download Submit
/boot/jzhabjfbpy

Filesize
659KB

MD5
020881196899585c29c6afa337a42887

SHA1
57431c7a3f370fc5c227278c994c674cf8dfcf6a

SHA256
d865ce22a5e531c37ce4bd2ce1ae442e47c3ac0729bdd86f2260900e3515b241

SHA512
b5cef01544419d65e2e5f6073a372a4cdf470fd898954160817cc2f21f66e9679a043b9dfbf6670198c358656081e82963bf7a946c8bf315f365bc1b4095f2f1

Download Submit
/boot/lvbfqmhjzv

Filesize
659KB

MD5
423684aa52c59d83f7fdb88d460386ab

SHA1
2ab5855d962d55d8d3bd9803f96dfc8b58252624

SHA256
2133633316cd0bd53f3798ca0e5eac84f3ac71f600aa1a9914cbff939d92c569

SHA512
2c5bf8a9aa3812fa50754b2443e7e838261f0fea71a8eed5e4d256599ed170104f973dbc2a78d6ab08f79f00e48172c36f76f0c8ec044bafe46e2177f5235079

Download Submit
/boot/mfuiynluzp

Filesize
659KB

MD5
3ef242aafee5c53da517f245c996bb56

SHA1
e9e5629ce931f9d03c0af1e53d28466a56f60e2d

SHA256
add4e186a060211d0f892d9e242c89418d21a91d3bdb39cb24ef982bfd5a4ad4

SHA512
04604e20e47815ea04b19755c25f15e0090cb4a769387ee545adcf918e30234e60b6feff4ec9adb9b2c1a7e07f841670b165e8bdd1fb9eada16e8c23b754e27c

Download Submit
/boot/mfuiynluzp

Filesize
659KB

MD5
c476ee545300626f1e7449444d6b7dd5

SHA1
b72861d6938429a5cb4e89b3765d1f9f5131b71f

SHA256
1ac28c4b37978e17ef49dc846cb0797d5311e9e6ee1b0823397c0a61b51bd874

SHA512
f4407e1b89442d5bcab13b5804aff4d119379763fc64efe71efefba9cd0c4fbc3a41dc3d7c805f3a0563c2950e414dc81a847adbb22a3b61bc870bd918881d3c

Download Submit
/boot/tawgklzegr

Filesize
659KB

MD5
6bf1074d7c039738ef52c6afc148df67

SHA1
784cf8ab6339a005f73aa01d290142df1e99f391

SHA256
b0bc0f84a5040cede5736a7756831b96aefa60ad3fde6c76bf39d623fdc22ded

SHA512
43b565d731e1557fcd34e2a122a380a918a3e65d1b1536f42b33bd3f55b247192041ef1b75f660ecbbaff763091a7bac8161cc3c7cf4d1facacaf00fcee7293a

Download Submit
/boot/tawgklzegr

Filesize
659KB

MD5
22c6ec6e90e345d4f2a81e8d088b8192

SHA1
25097719ef31c1ea3f4d00c984c5004172f55cc4

SHA256
ca7739b4fccfba316e4be114d546ac8170a685e9dbcb515746ecc38c98022671

SHA512
6bb8554df4c766cc966ac01056f48b2daaef37f9608e1b67c9ee66670b929861883d431427ebc4f8136c9136075237611dd3fbfadc60c4fd2d574154129d2c6e

Download Submit
/boot/tjortgxfvv

Filesize
659KB

MD5
325ac234659e0c26234304a4c7691ead

SHA1
96901b09422daa31e0a1032bdebf85121db2f042

SHA256
ffd8db03e908b34c952f4e62a61fce26fd391950043cb8abdd94f92545d1bf14

SHA512
766105996b10047558b93bb4aaabcfcf2b263156975413c43f8a360d97213742569bfd18c62c14bad1f13393930ab628651eca88a881ba628b600b0d065587ca

Download Submit
/boot/tjortgxfvv

Filesize
659KB

MD5
f88a6d135d7b962e1f96c634d4f6826c

SHA1
edd8675a0fe0c5f469a5a79144ebc9a3bb865c15

SHA256
86aac989b1655fcc349f97e8b13e6e239576e7ae80c922301204b5fd076d4981

SHA512
4cc6edcc2d7cf360825b761f69a72c16dfc78c706d48b82cea9273f02db49ee7a46d22e5f588613d582703316f4cb5902c7a9b580db162ed78a77942b30c9846

Download Submit
/boot/zxanyzbncm

Filesize
659KB

MD5
78676b4f9315f12c50fea59a5aded998

SHA1
252586e65585d606597ff070d4a08a3a5d83f38d

SHA256
e81609c4b9841f0da41da17b919eddc6d740a70f40beddfea9b17ed59f3dee88

SHA512
b31b7c4fa3cc29de6ffa9bc7cdc97ddc76018f79a6e297d9caf39517d51c06700f5726fa855302375a02a565c10f0f846eacc8d4e74e5398717ba48d158cef1d

Download Submit
/boot/zxanyzbncm

Filesize
659KB

MD5
d112f0aa7783a676ca2c3120ed02bd50

SHA1
bc62d8220e66d88659284193796ceac85b255c44

SHA256
8607ed57f718383b1e25b90c5d0d1cd45603fa514bdf9a80bbf79515615c7686

SHA512
36625b475c38d645975dea02cf597e03d54bc12a91e39c45e108bb0baabcfdfd33d38a1f8e67232b79b5315b9267cceeede1b7041bce4e3843708253d01efaaf

Download Submit
/etc/cron.hourly/cron.sh

Filesize
60B

MD5
9747e4860b55cce370064443889a58cb

SHA1
bd2d786fbad80461ce01586a1b2b2bbd2b0e542c

SHA256
2776ff99dc0553a471d397fdef20e5e9982a487a49431671eb8dc1e105a4e34f

SHA512
95295374240c29e41a0be2be5b051a3a0805d123f9b4d2bd3c15bf29498c40d991d38ee006657e8c0ebf27703fdb04c40de59a77d8a297733f02159f2896f25c

Download Submit
/etc/init.d/lvbfqmhjzv

Filesize
317B

MD5
6012fd805dac2f33c3234b80ba701dea

SHA1
9f4412cf10d3bb40068c7fc203e4f0eef2d11e5a

SHA256
b6987fc65ef5314ea608c2f287d3b69205782bbb13c78cd8e17aaaa5f0751db5

SHA512
96854f80e131975602d9b10b93856565b1bc095337e72deda65e734c6d43a5568222e4d6b9ca9eed34056c37caf1b4879430db8cba2b6afd4dc911be02204170

Download Submit
/lib/udev/udev

Filesize
659KB

MD5
1d79488a09ef56ae2e60e1985b18e7a2

SHA1
0b25e8f36a9738bb4d2dd2cd711f1aa7213db517

SHA256
4aaa0b0d1ccb91b090df97a47b15536157f6f141cdce67867d339d0f01b3981d

SHA512
b77fda07473e8f3e7ff2a1e25bb556164e3fddb40fe791a0b96538dfcc766f96c6e15082dccc77e79fff73f34497d0c43643134a633ff8740bbc4a287ec0c91b

Download Submit
/run/sftp.pid

Filesize
32B

MD5
22d45aa20ff45b46b5787c6abf608781

SHA1
3f244179c61de4e5940a5ba044e4248134db99a1

SHA256
9ee736022720e1cef1d7912b36eb4a0259076b3632cbe9641c13d4e1df4c0397

SHA512
1cdd6bc87a745e9bbd91ea50154a8fa9f7a3ea3ac5e12fb22a3d1bb3c9808383227e3c53cec8234040f8af4560178cef6424342349408ba57b170c9ee8d92e7d

Download Submit