xorddos | 0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b

Analysis

max time kernel
148s
max time network
158s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1b5b4b4b5a118e384c7ff487e14ac3f
Size

611KB
MD5

d1b5b4b4b5a118e384c7ff487e14ac3f
SHA1

038b7e9406fe5cb0a0be8f95ac935923c6d83c28
SHA256

0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b
SHA512

20885f782beeca1712924d6dec7fa474fb2fa7f926d7cbdbdd5f7fa18f6a3ac2bcd5dbd771a80c13c3403cbad05f2cda86ffefdc8170d6cc0f0b4b01a5baec74
SSDEEP

12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiLx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhLfNiGQl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3309

ns4.hostasa.org:3309

ns1.hostasa.org:3309

ns2.hostasa.org:3309

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 8 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/skztyowcly	family_xorddos
/usr/bin/skztyowcly	family_xorddos
/usr/bin/vighiyqxse	family_xorddos
/usr/bin/npychpatac	family_xorddos
/usr/bin/npychpatac	family_xorddos
/usr/bin/rkicicvxcz	family_xorddos
/usr/bin/rkicicvxcz	family_xorddos

Deletes itself 3 IoCs

Processes:

pid

1623
1629
1627

pid
1623
1629
1627

Executes dropped EXE 24 IoCs

Processes:

skztyowclyskztyowclyskztyowclyskztyowclyskztyowclyvighiyqxsevighiyqxsevighiyqxsevighiyqxsevighiyqxsebomrmccjzgbomrmccjzgbomrmccjzgbomrmccjzgbomrmccjzgnpychpatacnpychpatacnpychpatacnpychpatacnpychpatacrkicicvxczrkicicvxczrkicicvxczrkicicvxcz

ioc	pid	process
/usr/bin/skztyowcly	1532	skztyowcly
/usr/bin/skztyowcly	1557	skztyowcly
/usr/bin/skztyowcly	1560	skztyowcly
/usr/bin/skztyowcly	1564	skztyowcly
/usr/bin/skztyowcly	1566	skztyowcly
/usr/bin/vighiyqxse	1570	vighiyqxse
/usr/bin/vighiyqxse	1572	vighiyqxse
/usr/bin/vighiyqxse	1575	vighiyqxse
/usr/bin/vighiyqxse	1578	vighiyqxse
/usr/bin/vighiyqxse	1581	vighiyqxse
/usr/bin/bomrmccjzg	1588	bomrmccjzg
/usr/bin/bomrmccjzg	1591	bomrmccjzg
/usr/bin/bomrmccjzg	1593	bomrmccjzg
/usr/bin/bomrmccjzg	1598	bomrmccjzg
/usr/bin/bomrmccjzg	1601	bomrmccjzg
/usr/bin/npychpatac	1604	npychpatac
/usr/bin/npychpatac	1606	npychpatac
/usr/bin/npychpatac	1609	npychpatac
/usr/bin/npychpatac	1613	npychpatac
/usr/bin/npychpatac	1616	npychpatac
/usr/bin/rkicicvxcz	1621	rkicicvxcz
/usr/bin/rkicicvxcz	1624	rkicicvxcz
/usr/bin/rkicicvxcz	1626	rkicicvxcz
/usr/bin/rkicicvxcz	1630	rkicicvxcz

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/d1b5b4b4b5a118e384c7ff487e14ac3f

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/d1b5b4b4b5a118e384c7ff487e14ac3f

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/skztyowcly
File opened for modification	/usr/bin/vighiyqxse
File opened for modification	/usr/bin/bomrmccjzg
File opened for modification	/usr/bin/npychpatac
File opened for modification	/usr/bin/rkicicvxcz

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

sedsystemctl

description	ioc	process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev
File opened for reading	/proc/stat
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl

/tmp/d1b5b4b4b5a118e384c7ff487e14ac3f
/tmp/d1b5b4b4b5a118e384c7ff487e14ac3f
1⤵
PID:1519

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1525
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1526

/bin/chkconfig
chkconfig --add d1b5b4b4b5a118e384c7ff487e14ac3f
1⤵
PID:1522

/sbin/chkconfig
chkconfig --add d1b5b4b4b5a118e384c7ff487e14ac3f
1⤵
PID:1522

/usr/bin/chkconfig
chkconfig --add d1b5b4b4b5a118e384c7ff487e14ac3f
1⤵
PID:1522

/usr/sbin/chkconfig
chkconfig --add d1b5b4b4b5a118e384c7ff487e14ac3f
1⤵
PID:1522

/usr/local/bin/chkconfig
chkconfig --add d1b5b4b4b5a118e384c7ff487e14ac3f
1⤵
PID:1522

/usr/local/sbin/chkconfig
chkconfig --add d1b5b4b4b5a118e384c7ff487e14ac3f
1⤵
PID:1522

/usr/X11R6/bin/chkconfig
chkconfig --add d1b5b4b4b5a118e384c7ff487e14ac3f
1⤵
PID:1522

/bin/update-rc.d
update-rc.d d1b5b4b4b5a118e384c7ff487e14ac3f defaults
1⤵
PID:1524

/sbin/update-rc.d
update-rc.d d1b5b4b4b5a118e384c7ff487e14ac3f defaults
1⤵
PID:1524

/usr/bin/update-rc.d
update-rc.d d1b5b4b4b5a118e384c7ff487e14ac3f defaults
1⤵
PID:1524

/usr/sbin/update-rc.d
update-rc.d d1b5b4b4b5a118e384c7ff487e14ac3f defaults
1⤵
PID:1524
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1531

/usr/bin/skztyowcly
/usr/bin/skztyowcly sh 1520
1⤵
- Executes dropped EXE
PID:1532

/usr/bin/skztyowcly
/usr/bin/skztyowcly who 1520
1⤵
- Executes dropped EXE
PID:1557

/usr/bin/skztyowcly
/usr/bin/skztyowcly "ifconfig eth0" 1520
1⤵
- Executes dropped EXE
PID:1560

/usr/bin/skztyowcly
/usr/bin/skztyowcly id 1520
1⤵
- Executes dropped EXE
PID:1564

/usr/bin/skztyowcly
/usr/bin/skztyowcly uptime 1520
1⤵
- Executes dropped EXE
PID:1566

/usr/bin/vighiyqxse
/usr/bin/vighiyqxse "grep \"A\"" 1520
1⤵
- Executes dropped EXE
PID:1570

/usr/bin/vighiyqxse
/usr/bin/vighiyqxse "netstat -an" 1520
1⤵
- Executes dropped EXE
PID:1572

/usr/bin/vighiyqxse
/usr/bin/vighiyqxse "netstat -an" 1520
1⤵
- Executes dropped EXE
PID:1575

/usr/bin/vighiyqxse
/usr/bin/vighiyqxse id 1520
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/vighiyqxse
/usr/bin/vighiyqxse "ps -ef" 1520
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/bomrmccjzg
/usr/bin/bomrmccjzg "ps -ef" 1520
1⤵
- Executes dropped EXE
PID:1588

/usr/bin/bomrmccjzg
/usr/bin/bomrmccjzg ifconfig 1520
1⤵
- Executes dropped EXE
PID:1591

/usr/bin/bomrmccjzg
/usr/bin/bomrmccjzg sh 1520
1⤵
- Executes dropped EXE
PID:1593

/usr/bin/bomrmccjzg
/usr/bin/bomrmccjzg uptime 1520
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/bomrmccjzg
/usr/bin/bomrmccjzg "ps -ef" 1520
1⤵
- Executes dropped EXE
PID:1601

/usr/bin/npychpatac
/usr/bin/npychpatac bash 1520
1⤵
- Executes dropped EXE
PID:1604

/usr/bin/npychpatac
/usr/bin/npychpatac uptime 1520
1⤵
- Executes dropped EXE
PID:1606

/usr/bin/npychpatac
/usr/bin/npychpatac id 1520
1⤵
- Executes dropped EXE
PID:1609

/usr/bin/npychpatac
/usr/bin/npychpatac "netstat -antop" 1520
1⤵
- Executes dropped EXE
PID:1613

/usr/bin/npychpatac
/usr/bin/npychpatac top 1520
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/rkicicvxcz
/usr/bin/rkicicvxcz "ps -ef" 1520
1⤵
- Executes dropped EXE
PID:1621

/usr/bin/rkicicvxcz
/usr/bin/rkicicvxcz ls 1520
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/rkicicvxcz
/usr/bin/rkicicvxcz "route -n" 1520
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/rkicicvxcz
/usr/bin/rkicicvxcz whoami 1520
1⤵
- Executes dropped EXE
PID:1630

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/d1b5b4b4b5a118e384c7ff487e14ac3f

Filesize
425B

MD5
93884b3aa71ff8a8ff21126fc97b61f3

SHA1
c4739e22ad8b5295db142193e686ada3cd9f3f40

SHA256
fb32b430aab8bcfc479b9912e128daaf93cf711e60dd2afc0f594898946ca0ed

SHA512
f5997cab4f285a5119761347511b895d8852e167189d8261b07af59a7c6ca9c19b55e1cbd9474a78c28920fd0fa432790d30e3bdac6beed90d0d04c90596fce2

Download Submit
/etc/sedQwRflW

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
d1b5b4b4b5a118e384c7ff487e14ac3f

SHA1
038b7e9406fe5cb0a0be8f95ac935923c6d83c28

SHA256
0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b

SHA512
20885f782beeca1712924d6dec7fa474fb2fa7f926d7cbdbdd5f7fa18f6a3ac2bcd5dbd771a80c13c3403cbad05f2cda86ffefdc8170d6cc0f0b4b01a5baec74

Download Submit
/run/gcc.pid

Filesize
32B

MD5
8e5cb22925d2e38c23b2b39ebabdde5f

SHA1
db859538287486e856b043d779cd1f24a43bc89b

SHA256
8ae7420eb082b1e70c76c796ce5c8ce3923d41c61ce836c9968f7b3bcfd6220a

SHA512
f385657391f26ddec500cc4711263aee95f021f8a95ca48c9d7581036a57c193c44bf81bf53a3cb43a0941860af4a65e88a83060a85959a017777a97ae9072e3

Download Submit
/usr/bin/npychpatac

Filesize
611KB

MD5
e79241f69757cd47cef5b6bb05a228d5

SHA1
7c6ff5ea480994be9e22c6433f98644343a89dab

SHA256
48d05c1d318bea560ce8e02360eaeefa66c11025b1dd1b2ade8f3c8146eba24a

SHA512
90d85f29b1d8ae405cdb488e81c2e10bd4bb40f05bd75f6719920010080f69c3511c4112a2ab54826b758606283105023faea61dd8b845fbcea15f8435975fe4

Download Submit
/usr/bin/npychpatac

Filesize
611KB

MD5
6f60447fa5fd299c9506eb52caf7e897

SHA1
f5a5a27fc5295cbe49c5674c6fd72ed0708f1fdd

SHA256
5ab140dc4c729f81a73d685d60de68ab358f785697e2b327d474d9a3732e5881

SHA512
806f9d0761b18c023aab279bcb2c5ea702cecc461addca401f9742547b43e1de0dc7b145e0198205eb4b3719dfaa16ef2007ab98727917d06861cad5fe33c782

Download Submit
/usr/bin/rkicicvxcz

Filesize
611KB

MD5
03842a6162495f6f2d91ec3709cdd24d

SHA1
6f152bf606201041509bd30620d6b8f6d87d0091

SHA256
a935a29a498daa6932c1cbd93d768259f873778f5a5f83f13a525811374522ce

SHA512
d72749f61dd0935f02d58a08e8cbd82c2e95240aa9d295b77658c18fd4800c718102549c2b8cf3a483c3590e7a636a6dac43b83c5760a89778b190216f3d2a18

Download Submit
/usr/bin/rkicicvxcz

Filesize
611KB

MD5
617960ca4d6476f597bda13a9332f3e2

SHA1
f45932eddffa484976f95d91727963b3cf6318da

SHA256
7d7f6d2b8815f9c79e6f2fce8ae6947c8c51f276d1de22dfa26784872bd54411

SHA512
817b3e52c32a170d4118392d7dad300373feabd68c447a835e6e3a97a0d434c5f5e6e7f38efab6be5d5506f79e99af91f038555b87316595fb6694f7a0f0d167

Download Submit
/usr/bin/skztyowcly

Filesize
611KB

MD5
d89d8fcb45bdf06d1a9153b2c5ebdc4f

SHA1
bede37daf1fdfc16c8346426fb2c1727645298d7

SHA256
b5d5c117913b354ed2a0fbef95ee5c6d0be18000299d5d691319a9a0beae6d61

SHA512
a0af88f19066e26a83ae5ff0a3a461d95904d53e88bb0301b1f14ab873d54fccb4852c876458a4b1051d95b6f03f12eeb82f9e630e61131ccca89fb1d8881816

Download Submit
/usr/bin/skztyowcly

Filesize
611KB

MD5
1f11caa9c6f6a99a321634a6b14c3aba

SHA1
5de58caf2d47cfc68189dbb148eb9308cb6ea56f

SHA256
c3ec7aef49fcbcd4393c3b6305397e877135294e6ece01a6eec03c42aae02804

SHA512
c1bdffa6af72c616e4ad5c7f404b33eadf5d2ceef22ccc8c0d25effe4ebfbf037011655c218a81e98be89c755f8185594fda7ea98a73c8b9230f1f62aa04a478

Download Submit
/usr/bin/vighiyqxse

Filesize
35KB

MD5
da5a510e69adeac8353194607dc1bc56

SHA1
fac744d5ac1bcafe81d2ce24e0c5a75b311034f5

SHA256
4cfeaee93a3126ff074b3019b71f47ff2d1c94f2f134272d215c36db42a00f71

SHA512
ed1a612f49ae21f0c1fe3c04d6ea494e2ce7f79ac4fd55d0cd73544bf2507a846afd8d11275b763540640bffc082340a4f1f48119390707033787f2f23664818

Download Submit