xorddos | 2154547c69bf8bee7f296bd8ce56ffa4115da65c2308e9fc6d5079b2eb9dec93

Analysis

max time kernel
134s
max time network
103s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

atrdadsrcc
Size

659KB
MD5

1d79488a09ef56ae2e60e1985b18e7a2
SHA1

0b25e8f36a9738bb4d2dd2cd711f1aa7213db517
SHA256

4aaa0b0d1ccb91b090df97a47b15536157f6f141cdce67867d339d0f01b3981d
SHA512

b77fda07473e8f3e7ff2a1e25bb556164e3fddb40fe791a0b96538dfcc766f96c6e15082dccc77e79fff73f34497d0c43643134a633ff8740bbc4a287ec0c91b
SSDEEP

12288:aBo9ETRNT9Wn1J0OhS18tDm8PCExfLZ9JCCpyvOH36ybCQ7YLVN1/lFkThVArw:aBo9ANo70OE8A8PCExfLZ/CTvQrKLd/Q

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

103.25.9.245:8002

103.240.141.50:8002

66.102.253.30:8002

ndns.dsaj2a1.org:8002

ndns.dsaj2a.org:8002

ndns.hcxiaoao.com:8002

ndns.dsaj2a.com:8002

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 12 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_xorddos
behavioral1/files/fstream-3.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-13.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-16.dat	family_xorddos
behavioral1/files/fstream-18.dat	family_xorddos
behavioral1/files/fstream-19.dat	family_xorddos
behavioral1/files/fstream-21.dat	family_xorddos
behavioral1/files/fstream-22.dat	family_xorddos

Deletes itself 2 IoCs

pid
1530
1644

Executes dropped EXE 23 IoCs

ioc	pid	Process
/boot/lvbfqmhjzv	1532	lvbfqmhjzv
/boot/jzhabjfbpy	1546	jzhabjfbpy
/boot/jzhabjfbpy	1549	jzhabjfbpy
/boot/jzhabjfbpy	1570	jzhabjfbpy
/boot/jzhabjfbpy	1575	jzhabjfbpy
/boot/jzhabjfbpy	1577	jzhabjfbpy
/boot/tjortgxfvv	1581	tjortgxfvv
/boot/tjortgxfvv	1583	tjortgxfvv
/boot/tjortgxfvv	1587	tjortgxfvv
/boot/tjortgxfvv	1590	tjortgxfvv
/boot/tjortgxfvv	1593	tjortgxfvv
/boot/mfuiynluzp	1599	mfuiynluzp
/boot/mfuiynluzp	1601	mfuiynluzp
/boot/mfuiynluzp	1605	mfuiynluzp
/boot/mfuiynluzp	1608	mfuiynluzp
/boot/mfuiynluzp	1611	mfuiynluzp
/boot/zxanyzbncm	1616	zxanyzbncm
/boot/zxanyzbncm	1618	zxanyzbncm
/boot/zxanyzbncm	1624	zxanyzbncm
/boot/zxanyzbncm	1627	zxanyzbncm
/boot/zxanyzbncm	1632	zxanyzbncm
/boot/tawgklzegr	1642	tawgklzegr
/boot/tawgklzegr	1645	tawgklzegr

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc
File opened for modification	/etc/cron.hourly/cron.sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/lvbfqmhjzv

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	systemctl

/tmp/atrdadsrcc
/tmp/atrdadsrcc
1⤵
PID:1529

/boot/lvbfqmhjzv
/boot/lvbfqmhjzv
1⤵
- Executes dropped EXE
PID:1532

/bin/update-rc.d
update-rc.d lvbfqmhjzv defaults
1⤵
PID:1537

/sbin/update-rc.d
update-rc.d lvbfqmhjzv defaults
1⤵
PID:1537

/usr/bin/update-rc.d
update-rc.d lvbfqmhjzv defaults
1⤵
PID:1537

/usr/sbin/update-rc.d
update-rc.d lvbfqmhjzv defaults
1⤵
PID:1537
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1545

/bin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/sbin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/bin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/sbin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/local/bin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/local/sbin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/usr/X11R6/bin/chkconfig
chkconfig --add lvbfqmhjzv
1⤵
PID:1535

/boot/jzhabjfbpy
/boot/jzhabjfbpy uptime 1533
1⤵
- Executes dropped EXE
PID:1546

/boot/jzhabjfbpy
/boot/jzhabjfbpy "route -n" 1533
1⤵
- Executes dropped EXE
PID:1549

/boot/jzhabjfbpy
/boot/jzhabjfbpy "ls -la" 1533
1⤵
- Executes dropped EXE
PID:1570

/boot/jzhabjfbpy
/boot/jzhabjfbpy "ifconfig eth0" 1533
1⤵
- Executes dropped EXE
PID:1575

/boot/jzhabjfbpy
/boot/jzhabjfbpy whoami 1533
1⤵
- Executes dropped EXE
PID:1577

/boot/tjortgxfvv
/boot/tjortgxfvv "ifconfig eth0" 1533
1⤵
- Executes dropped EXE
PID:1581

/boot/tjortgxfvv
/boot/tjortgxfvv whoami 1533
1⤵
- Executes dropped EXE
PID:1583

/boot/tjortgxfvv
/boot/tjortgxfvv "cd /etc" 1533
1⤵
- Executes dropped EXE
PID:1587

/boot/tjortgxfvv
/boot/tjortgxfvv "echo \"find\"" 1533
1⤵
- Executes dropped EXE
PID:1590

/boot/tjortgxfvv
/boot/tjortgxfvv "cat resolv.conf" 1533
1⤵
- Executes dropped EXE
PID:1593

/boot/mfuiynluzp
/boot/mfuiynluzp "ls -la" 1533
1⤵
- Executes dropped EXE
PID:1599

/boot/mfuiynluzp
/boot/mfuiynluzp uptime 1533
1⤵
- Executes dropped EXE
PID:1601

/boot/mfuiynluzp
/boot/mfuiynluzp top 1533
1⤵
- Executes dropped EXE
PID:1605

/boot/mfuiynluzp
/boot/mfuiynluzp "cd /etc" 1533
1⤵
- Executes dropped EXE
PID:1608

/boot/mfuiynluzp
/boot/mfuiynluzp "sleep 1" 1533
1⤵
- Executes dropped EXE
PID:1611

/boot/zxanyzbncm
/boot/zxanyzbncm "netstat -antop" 1533
1⤵
- Executes dropped EXE
PID:1616

/boot/zxanyzbncm
/boot/zxanyzbncm "echo \"find\"" 1533
1⤵
- Executes dropped EXE
PID:1618

/boot/zxanyzbncm
/boot/zxanyzbncm top 1533
1⤵
- Executes dropped EXE
PID:1624

/boot/zxanyzbncm
/boot/zxanyzbncm whoami 1533
1⤵
- Executes dropped EXE
PID:1627

/boot/zxanyzbncm
/boot/zxanyzbncm "ifconfig eth0" 1533
1⤵
- Executes dropped EXE
PID:1632

/boot/tawgklzegr
/boot/tawgklzegr "route -n" 1533
1⤵
- Executes dropped EXE
PID:1642

/boot/tawgklzegr
/boot/tawgklzegr bash 1533
1⤵
- Executes dropped EXE
PID:1645

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/jzhabjfbpy

Filesize
659KB

MD5
28a1dbd6678d82d683bbc2bf3e119215

SHA1
27d7103563fe08e2320ac9765d025398c197462b

SHA256
82cc7bc87450355af4c59dd9782e538591bfbb1f51a1ea3dff89171f1bd79cce

SHA512
a4bc66f7023646b8d1871a6db5cc09c78a37cbd61bf5a88734958847a909ee05ab57751c823d50d7f16f62bc1c3ccde2e31a8317ac21bf6ab8970a111bc42536

Download Submit
/boot/jzhabjfbpy

Filesize
659KB

MD5
020881196899585c29c6afa337a42887

SHA1
57431c7a3f370fc5c227278c994c674cf8dfcf6a

SHA256
d865ce22a5e531c37ce4bd2ce1ae442e47c3ac0729bdd86f2260900e3515b241

SHA512
b5cef01544419d65e2e5f6073a372a4cdf470fd898954160817cc2f21f66e9679a043b9dfbf6670198c358656081e82963bf7a946c8bf315f365bc1b4095f2f1

Download Submit
/boot/lvbfqmhjzv

Filesize
659KB

MD5
423684aa52c59d83f7fdb88d460386ab

SHA1
2ab5855d962d55d8d3bd9803f96dfc8b58252624

SHA256
2133633316cd0bd53f3798ca0e5eac84f3ac71f600aa1a9914cbff939d92c569

SHA512
2c5bf8a9aa3812fa50754b2443e7e838261f0fea71a8eed5e4d256599ed170104f973dbc2a78d6ab08f79f00e48172c36f76f0c8ec044bafe46e2177f5235079

Download Submit
/boot/mfuiynluzp

Filesize
659KB

MD5
3ef242aafee5c53da517f245c996bb56

SHA1
e9e5629ce931f9d03c0af1e53d28466a56f60e2d

SHA256
add4e186a060211d0f892d9e242c89418d21a91d3bdb39cb24ef982bfd5a4ad4

SHA512
04604e20e47815ea04b19755c25f15e0090cb4a769387ee545adcf918e30234e60b6feff4ec9adb9b2c1a7e07f841670b165e8bdd1fb9eada16e8c23b754e27c

Download Submit
/boot/mfuiynluzp

Filesize
659KB

MD5
c476ee545300626f1e7449444d6b7dd5

SHA1
b72861d6938429a5cb4e89b3765d1f9f5131b71f

SHA256
1ac28c4b37978e17ef49dc846cb0797d5311e9e6ee1b0823397c0a61b51bd874

SHA512
f4407e1b89442d5bcab13b5804aff4d119379763fc64efe71efefba9cd0c4fbc3a41dc3d7c805f3a0563c2950e414dc81a847adbb22a3b61bc870bd918881d3c

Download Submit
/boot/tawgklzegr

Filesize
659KB

MD5
6bf1074d7c039738ef52c6afc148df67

SHA1
784cf8ab6339a005f73aa01d290142df1e99f391

SHA256
b0bc0f84a5040cede5736a7756831b96aefa60ad3fde6c76bf39d623fdc22ded

SHA512
43b565d731e1557fcd34e2a122a380a918a3e65d1b1536f42b33bd3f55b247192041ef1b75f660ecbbaff763091a7bac8161cc3c7cf4d1facacaf00fcee7293a

Download Submit
/boot/tawgklzegr

Filesize
659KB

MD5
22c6ec6e90e345d4f2a81e8d088b8192

SHA1
25097719ef31c1ea3f4d00c984c5004172f55cc4

SHA256
ca7739b4fccfba316e4be114d546ac8170a685e9dbcb515746ecc38c98022671

SHA512
6bb8554df4c766cc966ac01056f48b2daaef37f9608e1b67c9ee66670b929861883d431427ebc4f8136c9136075237611dd3fbfadc60c4fd2d574154129d2c6e

Download Submit
/boot/tjortgxfvv

Filesize
659KB

MD5
325ac234659e0c26234304a4c7691ead

SHA1
96901b09422daa31e0a1032bdebf85121db2f042

SHA256
ffd8db03e908b34c952f4e62a61fce26fd391950043cb8abdd94f92545d1bf14

SHA512
766105996b10047558b93bb4aaabcfcf2b263156975413c43f8a360d97213742569bfd18c62c14bad1f13393930ab628651eca88a881ba628b600b0d065587ca

Download Submit
/boot/tjortgxfvv

Filesize
659KB

MD5
f88a6d135d7b962e1f96c634d4f6826c

SHA1
edd8675a0fe0c5f469a5a79144ebc9a3bb865c15

SHA256
86aac989b1655fcc349f97e8b13e6e239576e7ae80c922301204b5fd076d4981

SHA512
4cc6edcc2d7cf360825b761f69a72c16dfc78c706d48b82cea9273f02db49ee7a46d22e5f588613d582703316f4cb5902c7a9b580db162ed78a77942b30c9846

Download Submit
/boot/zxanyzbncm

Filesize
659KB

MD5
78676b4f9315f12c50fea59a5aded998

SHA1
252586e65585d606597ff070d4a08a3a5d83f38d

SHA256
e81609c4b9841f0da41da17b919eddc6d740a70f40beddfea9b17ed59f3dee88

SHA512
b31b7c4fa3cc29de6ffa9bc7cdc97ddc76018f79a6e297d9caf39517d51c06700f5726fa855302375a02a565c10f0f846eacc8d4e74e5398717ba48d158cef1d

Download Submit
/boot/zxanyzbncm

Filesize
659KB

MD5
d112f0aa7783a676ca2c3120ed02bd50

SHA1
bc62d8220e66d88659284193796ceac85b255c44

SHA256
8607ed57f718383b1e25b90c5d0d1cd45603fa514bdf9a80bbf79515615c7686

SHA512
36625b475c38d645975dea02cf597e03d54bc12a91e39c45e108bb0baabcfdfd33d38a1f8e67232b79b5315b9267cceeede1b7041bce4e3843708253d01efaaf

Download Submit
/etc/cron.hourly/cron.sh

Filesize
60B

MD5
9747e4860b55cce370064443889a58cb

SHA1
bd2d786fbad80461ce01586a1b2b2bbd2b0e542c

SHA256
2776ff99dc0553a471d397fdef20e5e9982a487a49431671eb8dc1e105a4e34f

SHA512
95295374240c29e41a0be2be5b051a3a0805d123f9b4d2bd3c15bf29498c40d991d38ee006657e8c0ebf27703fdb04c40de59a77d8a297733f02159f2896f25c

Download Submit
/etc/init.d/lvbfqmhjzv

Filesize
317B

MD5
6012fd805dac2f33c3234b80ba701dea

SHA1
9f4412cf10d3bb40068c7fc203e4f0eef2d11e5a

SHA256
b6987fc65ef5314ea608c2f287d3b69205782bbb13c78cd8e17aaaa5f0751db5

SHA512
96854f80e131975602d9b10b93856565b1bc095337e72deda65e734c6d43a5568222e4d6b9ca9eed34056c37caf1b4879430db8cba2b6afd4dc911be02204170

Download Submit
/lib/udev/udev

Filesize
659KB

MD5
1d79488a09ef56ae2e60e1985b18e7a2

SHA1
0b25e8f36a9738bb4d2dd2cd711f1aa7213db517

SHA256
4aaa0b0d1ccb91b090df97a47b15536157f6f141cdce67867d339d0f01b3981d

SHA512
b77fda07473e8f3e7ff2a1e25bb556164e3fddb40fe791a0b96538dfcc766f96c6e15082dccc77e79fff73f34497d0c43643134a633ff8740bbc4a287ec0c91b

Download Submit
/run/sftp.pid

Filesize
32B

MD5
22d45aa20ff45b46b5787c6abf608781

SHA1
3f244179c61de4e5940a5ba044e4248134db99a1

SHA256
9ee736022720e1cef1d7912b36eb4a0259076b3632cbe9641c13d4e1df4c0397

SHA512
1cdd6bc87a745e9bbd91ea50154a8fa9f7a3ea3ac5e12fb22a3d1bb3c9808383227e3c53cec8234040f8af4560178cef6424342349408ba57b170c9ee8d92e7d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads