xorddos | af4323d7f8b4626eaa5e110a3bfb59f1dd2b555cd7a5b801b667af80e306ff74

Analysis

max time kernel
67s
max time network
159s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e555d685a5162bcef0f59a34a68ef819
Size

610KB
MD5

e555d685a5162bcef0f59a34a68ef819
SHA1

3ac8465d231841b93aeb4caeee56490c7e4748b8
SHA256

af4323d7f8b4626eaa5e110a3bfb59f1dd2b555cd7a5b801b667af80e306ff74
SHA512

ee9401e7341f5b2d14298b8332c03b9404535c0c3e2eb6286dd77bf01645334fb0765e16b49b0513b3983e727328200da29b33f64d175056ea7e331d2899f471
SSDEEP

12288:WBmHsnhar0nJ7FGY5HRYxC1mqiL40qFCWU7k/3U6yZNnXgW4UlUuTh1AG:WBmHgaUVFGAR11mTL40q/5GpXgUl/91h

Score

10^/10

xorddos antivm botnet discovery downloader persistence

Malware Config

Extracted

Family

xorddos

http://www1.gggatat456.com/dd.rar

ppp.gggatat456.com:1522

ppp.xxxatat456.com:1522

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 9 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-6.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-11.dat	family_xorddos
behavioral1/files/fstream-12.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid
1658

Executes dropped EXE 15 IoCs

ioc	pid	Process
/usr/bin/igyvhiqzsv	1570	igyvhiqzsv
/usr/bin/igyvhiqzsv	1576	igyvhiqzsv
/usr/bin/igyvhiqzsv	1579	igyvhiqzsv
/usr/bin/igyvhiqzsv	1582	igyvhiqzsv
/usr/bin/igyvhiqzsv	1585	igyvhiqzsv
/usr/bin/rwmjdzxgmh	1608	rwmjdzxgmh
/usr/bin/rwmjdzxgmh	1611	rwmjdzxgmh
/usr/bin/rwmjdzxgmh	1614	rwmjdzxgmh
/usr/bin/rwmjdzxgmh	1616	rwmjdzxgmh
/usr/bin/rwmjdzxgmh	1620	rwmjdzxgmh
/usr/bin/uetmvsqpkv	1623	uetmvsqpkv
/usr/bin/uetmvsqpkv	1626	uetmvsqpkv
/usr/bin/uetmvsqpkv	1629	uetmvsqpkv
/usr/bin/uetmvsqpkv	1632	uetmvsqpkv
/usr/bin/uetmvsqpkv	1635	uetmvsqpkv

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/e555d685a5162bcef0f59a34a68ef819

Write file to user bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/igyvhiqzsv
File opened for modification	/usr/bin/rwmjdzxgmh
File opened for modification	/usr/bin/uetmvsqpkv
File opened for modification	/usr/bin/waztpfnlku

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/self/stat	systemctl

/tmp/e555d685a5162bcef0f59a34a68ef819
/tmp/e555d685a5162bcef0f59a34a68ef819
1⤵
PID:1557

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1563
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1564

/bin/chkconfig
chkconfig --add e555d685a5162bcef0f59a34a68ef819
1⤵
PID:1560

/sbin/chkconfig
chkconfig --add e555d685a5162bcef0f59a34a68ef819
1⤵
PID:1560

/usr/bin/chkconfig
chkconfig --add e555d685a5162bcef0f59a34a68ef819
1⤵
PID:1560

/usr/sbin/chkconfig
chkconfig --add e555d685a5162bcef0f59a34a68ef819
1⤵
PID:1560

/usr/local/bin/chkconfig
chkconfig --add e555d685a5162bcef0f59a34a68ef819
1⤵
PID:1560

/usr/local/sbin/chkconfig
chkconfig --add e555d685a5162bcef0f59a34a68ef819
1⤵
PID:1560

/usr/X11R6/bin/chkconfig
chkconfig --add e555d685a5162bcef0f59a34a68ef819
1⤵
PID:1560

/bin/update-rc.d
update-rc.d e555d685a5162bcef0f59a34a68ef819 defaults
1⤵
PID:1562

/sbin/update-rc.d
update-rc.d e555d685a5162bcef0f59a34a68ef819 defaults
1⤵
PID:1562

/usr/bin/update-rc.d
update-rc.d e555d685a5162bcef0f59a34a68ef819 defaults
1⤵
PID:1562

/usr/sbin/update-rc.d
update-rc.d e555d685a5162bcef0f59a34a68ef819 defaults
1⤵
PID:1562
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1569

/usr/bin/igyvhiqzsv
/usr/bin/igyvhiqzsv pwd 1558
1⤵
- Executes dropped EXE
PID:1570

/usr/bin/igyvhiqzsv
/usr/bin/igyvhiqzsv ls 1558
1⤵
- Executes dropped EXE
PID:1576

/usr/bin/igyvhiqzsv
/usr/bin/igyvhiqzsv "echo \"find\"" 1558
1⤵
- Executes dropped EXE
PID:1579

/usr/bin/igyvhiqzsv
/usr/bin/igyvhiqzsv ifconfig 1558
1⤵
- Executes dropped EXE
PID:1582

/usr/bin/igyvhiqzsv
/usr/bin/igyvhiqzsv "ls -la" 1558
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/rwmjdzxgmh
/usr/bin/rwmjdzxgmh gnome-terminal 1558
1⤵
- Executes dropped EXE
PID:1608

/usr/bin/rwmjdzxgmh
/usr/bin/rwmjdzxgmh "netstat -antop" 1558
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/rwmjdzxgmh
/usr/bin/rwmjdzxgmh "ps -ef" 1558
1⤵
- Executes dropped EXE
PID:1614

/usr/bin/rwmjdzxgmh
/usr/bin/rwmjdzxgmh "grep \"A\"" 1558
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/rwmjdzxgmh
/usr/bin/rwmjdzxgmh "sleep 1" 1558
1⤵
- Executes dropped EXE
PID:1620

/usr/bin/uetmvsqpkv
/usr/bin/uetmvsqpkv sh 1558
1⤵
- Executes dropped EXE
PID:1623

/usr/bin/uetmvsqpkv
/usr/bin/uetmvsqpkv "grep \"A\"" 1558
1⤵
- Executes dropped EXE
PID:1626

/usr/bin/uetmvsqpkv
/usr/bin/uetmvsqpkv "ifconfig eth0" 1558
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/uetmvsqpkv
/usr/bin/uetmvsqpkv su 1558
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/uetmvsqpkv
/usr/bin/uetmvsqpkv "echo \"find\"" 1558
1⤵
- Executes dropped EXE
PID:1635

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/e555d685a5162bcef0f59a34a68ef819

Filesize
425B

MD5
16b226c32df19063771b0b8461d3506a

SHA1
9508c11c7d9576a2de679398277c806c8dc35061

SHA256
cc03a7905925bd8c1ee1facf97e61312629faa822d033bf2306934013ff5e0b8

SHA512
a8ecee2f0464e51ec58f4a2b62d117986b52a8b06feeb542628674e3825f6531946ca4d9cd67a0b2bb42c339ed55b35befc6fb432145602a57f473285bd1b688

Download Submit
/etc/sedmreYxq

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
173KB

MD5
a85f9a2ef3ace861f3646ec05f3dd269

SHA1
679ce0b2044385ca853a9f0ac8dc9deb611285e0

SHA256
02c68213ea34ac220f148334209dc11244a175b29c26dd2b3579908668c3895c

SHA512
e8c0b86509f0ae600323bb4b2c88377726297cd5ede9fd88b65f649ba3b2eeb06ead1a13c61a13d4d5b5dff80dd8f35768a506edbf7cc9e2e660788adbdff468

Download Submit
/run/gcc.pid

Filesize
32B

MD5
4af65dc370f5066eb6dce1898321321a

SHA1
8249452de17ab582ab5395d74e4fe83f1c11209c

SHA256
7255e5aaadeec13a193d23f1a42c284bac490b832894fab9a1c34a23f872652a

SHA512
52d8457180ab14bf192dcf37b219dc8c81052b7de49746901e4af42899ebbb0b8cb4fe255271737dfc7bbbdd3f266d56e31d8c9f91fea2fbf029032e8c55d9ce

Download Submit
/usr/bin/igyvhiqzsv

Filesize
195KB

MD5
e1166796713d0e33a3a06d8b001a1a65

SHA1
97f1edda5177ecc2e8e0f3a9481e631354a9b84d

SHA256
3e521543db00ddf93e2f1dccc1257c75221ee5a7c9fb02c8220489908c9faa2d

SHA512
674219492f2fff388dbfd5c61bf8def92f002d6fa827f020a158a8d2589737235ec8136b97661f7262d783028c7bf2aae4850434d17a3d9d59dc9043a998f632

Download Submit
/usr/bin/igyvhiqzsv

Filesize
610KB

MD5
739ba57d17be5514f713f3eb5106f539

SHA1
1b06cf5346fdb870714fe1df4a9251f2871a6472

SHA256
0a75e0362f06b11546983d34d2283f8d7c067bfaebaa40364c533050e84c8bc7

SHA512
debbcd79baa4f451cf864a89a50828f8bd8a6c709980856094ef4470ede8fd3f2336444748f9ab334a34664fd06d523d611cffb8fa0971e66ba24874d62b5403

Download Submit
/usr/bin/igyvhiqzsv

Filesize
610KB

MD5
75175484d3d911c21e88dec3020a190f

SHA1
a8802fd921c32ef4d88efdad10030ee7e0e092c0

SHA256
171e029c3a5c1075558c081b286b56440db822b21a7f7cec162d844515593aaf

SHA512
4fea2e21b6a98c1c3553e5a81b52775e4946dc3953b8a4130ca44bd87ef5fe788e09435577b5b29b50da814016cc1ec63088d736ebe9080ebeb1e104337cf232

Download Submit
/usr/bin/rwmjdzxgmh

Filesize
610KB

MD5
e555d685a5162bcef0f59a34a68ef819

SHA1
3ac8465d231841b93aeb4caeee56490c7e4748b8

SHA256
af4323d7f8b4626eaa5e110a3bfb59f1dd2b555cd7a5b801b667af80e306ff74

SHA512
ee9401e7341f5b2d14298b8332c03b9404535c0c3e2eb6286dd77bf01645334fb0765e16b49b0513b3983e727328200da29b33f64d175056ea7e331d2899f471

Download Submit
/usr/bin/rwmjdzxgmh

Filesize
610KB

MD5
4c2e79d641e87805ec8885c0e778cee1

SHA1
192cf1098d241598381282e8f14b17aac011a232

SHA256
0e1915eff3e268fe2874a8c97ce99cfaf6530206493ac146bb419b121488af64

SHA512
2bc23c69b261402dafddd0be26ecf33d4b320a5f95c345ab7c7bf872483a23791de545277cd28815b8288d0c73b58a5a5bd64291c96c562971d29f97357c1dc6

Download Submit
/usr/bin/rwmjdzxgmh

Filesize
610KB

MD5
f048975deb6097c0750321d61dbf141a

SHA1
4b89e160cacb98fb6cd91d8ca9ff4baafada387e

SHA256
eed036a879f629ef99878882d1386f762b18e8db55f40932a925bf25f8539b4b

SHA512
da803f478105f67b6bea768c58a34d09f925586dcbc46e12807911fedca1f6d7acd23651f585471241caae5c60cd529c4bbcc624b05cd3d55ae6c6fe8bc71320

Download Submit
/usr/bin/uetmvsqpkv

Filesize
610KB

MD5
33b68de6d23700e77143938a969511bd

SHA1
6227227af08305459a86822e3734da62dc997311

SHA256
f42a9b436160482d8da32eadc3fa343508f35c60791f47b22685bde43452e447

SHA512
ffa8b6ba6cec71d6aa3eeecc94512c295543ee24fd9ab3ca9786f5ba4f2042a9f86b3f4020875628ebd31a7620ffd3c51dbbb02708f28de3de2057002cffa690

Download Submit
/usr/bin/uetmvsqpkv

Filesize
610KB

MD5
99f16af65973a7e08988d694290c64bb

SHA1
1d58bd1d7beddf88054473a90835310ea01ad643

SHA256
a1eb4bc22212208c92299cf708443648495c682f58a4d4d0207d03bac38cd7b4

SHA512
123a3f1e4680be3d4b7efda028ddfe7ba895e243bb7c4e6e5c60c7072e10eec130508db5dc0c9553e4aa396cbf468c37075b4c3da95cc007c799e1c427598920

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads