xorddos | 2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba

Analysis

max time kernel
154s
max time network
69s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9db2bcc3678779114f8ed31c875cbd3
Size

604KB
MD5

e9db2bcc3678779114f8ed31c875cbd3
SHA1

1e20fe93f4926d431561ccc1ecb2c576d8c7ba4f
SHA256

2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba
SHA512

c36b28078cb7c10d5fabb489a6fc19b9c856d1047cdb164191dc39ecf1d4a41c75d3e0e1591d2cf339388d943cf6966dbcc2fbd5da73c89eee7876e8a3834711
SSDEEP

12288:IiqKgqkonFOSC3pZWKqAKSj6LJXDv42Hv6yrDKb4olUuThTcF:S1qPkSCvnvKSj6LJXDrHzDsl/9TE

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

103.25.9.245:8002

103.240.141.50:8002

66.102.253.30:8002

ndns.dsaj2a1.org:8002

ndns.dsaj2a.org:8002

ndns.hcxiaoao.com:8002

ndns.dsaj2a.com:8002

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 7 IoCs

resource	yara_rule
behavioral1/files/fstream-5.dat	family_xorddos
behavioral1/files/fstream-8.dat	family_xorddos
behavioral1/files/fstream-9.dat	family_xorddos
behavioral1/files/fstream-10.dat	family_xorddos
behavioral1/files/fstream-14.dat	family_xorddos
behavioral1/files/fstream-15.dat	family_xorddos
behavioral1/files/fstream-19.dat	family_xorddos

Deletes itself 2 IoCs

pid
1648
1650

Executes dropped EXE 23 IoCs

ioc	pid	Process
/usr/bin/jbebdzbzcu	1553	jbebdzbzcu
/usr/bin/jbebdzbzcu	1573	jbebdzbzcu
/usr/bin/jbebdzbzcu	1579	jbebdzbzcu
/usr/bin/jbebdzbzcu	1582	jbebdzbzcu
/usr/bin/jbebdzbzcu	1585	jbebdzbzcu
/usr/bin/ikeieggyjj	1588	ikeieggyjj
/usr/bin/ikeieggyjj	1591	ikeieggyjj
/usr/bin/ikeieggyjj	1594	ikeieggyjj
/usr/bin/ikeieggyjj	1597	ikeieggyjj
/usr/bin/ikeieggyjj	1600	ikeieggyjj
/usr/bin/udlwnnoswj	1613	udlwnnoswj
/usr/bin/udlwnnoswj	1616	udlwnnoswj
/usr/bin/udlwnnoswj	1619	udlwnnoswj
/usr/bin/udlwnnoswj	1622	udlwnnoswj
/usr/bin/udlwnnoswj	1625	udlwnnoswj
/usr/bin/xypwwkcflc	1628	xypwwkcflc
/usr/bin/xypwwkcflc	1631	xypwwkcflc
/usr/bin/xypwwkcflc	1634	xypwwkcflc
/usr/bin/xypwwkcflc	1636	xypwwkcflc
/usr/bin/xypwwkcflc	1640	xypwwkcflc
/usr/bin/mznzypbxfo	1643	mznzypbxfo
/usr/bin/mznzypbxfo	1647	mznzypbxfo
/usr/bin/mznzypbxfo	1651	mznzypbxfo

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/cron.sh	Process not Found
File opened for modification	/etc/crontab	sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/e9db2bcc3678779114f8ed31c875cbd3

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/mznzypbxfo
File opened for modification	/usr/bin/jbebdzbzcu
File opened for modification	/usr/bin/ikeieggyjj
File opened for modification	/usr/bin/udlwnnoswj
File opened for modification	/usr/bin/xypwwkcflc

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	sed

/tmp/e9db2bcc3678779114f8ed31c875cbd3
/tmp/e9db2bcc3678779114f8ed31c875cbd3
1⤵
PID:1537

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1543
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1544

/bin/chkconfig
chkconfig --add e9db2bcc3678779114f8ed31c875cbd3
1⤵
PID:1540

/sbin/chkconfig
chkconfig --add e9db2bcc3678779114f8ed31c875cbd3
1⤵
PID:1540

/usr/bin/chkconfig
chkconfig --add e9db2bcc3678779114f8ed31c875cbd3
1⤵
PID:1540

/usr/sbin/chkconfig
chkconfig --add e9db2bcc3678779114f8ed31c875cbd3
1⤵
PID:1540

/usr/local/bin/chkconfig
chkconfig --add e9db2bcc3678779114f8ed31c875cbd3
1⤵
PID:1540

/usr/local/sbin/chkconfig
chkconfig --add e9db2bcc3678779114f8ed31c875cbd3
1⤵
PID:1540

/usr/X11R6/bin/chkconfig
chkconfig --add e9db2bcc3678779114f8ed31c875cbd3
1⤵
PID:1540

/bin/update-rc.d
update-rc.d e9db2bcc3678779114f8ed31c875cbd3 defaults
1⤵
PID:1542

/sbin/update-rc.d
update-rc.d e9db2bcc3678779114f8ed31c875cbd3 defaults
1⤵
PID:1542

/usr/bin/update-rc.d
update-rc.d e9db2bcc3678779114f8ed31c875cbd3 defaults
1⤵
PID:1542

/usr/sbin/update-rc.d
update-rc.d e9db2bcc3678779114f8ed31c875cbd3 defaults
1⤵
PID:1542
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1551

/usr/bin/jbebdzbzcu
/usr/bin/jbebdzbzcu ls 1538
1⤵
- Executes dropped EXE
PID:1553

/usr/bin/jbebdzbzcu
/usr/bin/jbebdzbzcu whoami 1538
1⤵
- Executes dropped EXE
PID:1573

/usr/bin/jbebdzbzcu
/usr/bin/jbebdzbzcu "sleep 1" 1538
1⤵
- Executes dropped EXE
PID:1579

/usr/bin/jbebdzbzcu
/usr/bin/jbebdzbzcu "ps -ef" 1538
1⤵
- Executes dropped EXE
PID:1582

/usr/bin/jbebdzbzcu
/usr/bin/jbebdzbzcu "ifconfig eth0" 1538
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/ikeieggyjj
/usr/bin/ikeieggyjj "grep \"A\"" 1538
1⤵
- Executes dropped EXE
PID:1588

/usr/bin/ikeieggyjj
/usr/bin/ikeieggyjj "ps -ef" 1538
1⤵
- Executes dropped EXE
PID:1591

/usr/bin/ikeieggyjj
/usr/bin/ikeieggyjj uptime 1538
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/ikeieggyjj
/usr/bin/ikeieggyjj "ls -la" 1538
1⤵
- Executes dropped EXE
PID:1597

/usr/bin/ikeieggyjj
/usr/bin/ikeieggyjj sh 1538
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/udlwnnoswj
/usr/bin/udlwnnoswj top 1538
1⤵
- Executes dropped EXE
PID:1613

/usr/bin/udlwnnoswj
/usr/bin/udlwnnoswj id 1538
1⤵
- Executes dropped EXE
PID:1616

/usr/bin/udlwnnoswj
/usr/bin/udlwnnoswj "sleep 1" 1538
1⤵
- Executes dropped EXE
PID:1619

/usr/bin/udlwnnoswj
/usr/bin/udlwnnoswj "echo \"find\"" 1538
1⤵
- Executes dropped EXE
PID:1622

/usr/bin/udlwnnoswj
/usr/bin/udlwnnoswj sh 1538
1⤵
- Executes dropped EXE
PID:1625

/usr/bin/xypwwkcflc
/usr/bin/xypwwkcflc "ls -la" 1538
1⤵
- Executes dropped EXE
PID:1628

/usr/bin/xypwwkcflc
/usr/bin/xypwwkcflc "netstat -an" 1538
1⤵
- Executes dropped EXE
PID:1631

/usr/bin/xypwwkcflc
/usr/bin/xypwwkcflc "grep \"A\"" 1538
1⤵
- Executes dropped EXE
PID:1634

/usr/bin/xypwwkcflc
/usr/bin/xypwwkcflc "grep \"A\"" 1538
1⤵
- Executes dropped EXE
PID:1636

/usr/bin/xypwwkcflc
/usr/bin/xypwwkcflc ls 1538
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/mznzypbxfo
/usr/bin/mznzypbxfo sh 1538
1⤵
- Executes dropped EXE
PID:1643

/usr/bin/mznzypbxfo
/usr/bin/mznzypbxfo "cat resolv.conf" 1538
1⤵
- Executes dropped EXE
PID:1647

/usr/bin/mznzypbxfo
/usr/bin/mznzypbxfo ls 1538
1⤵
- Executes dropped EXE
PID:1651

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/cron.sh

Filesize
229B

MD5
eb3aa38df5d98249f05687bd58ec5aa9

SHA1
fc35c059d8594e57f095d50ce7fe3e4ce467a7a1

SHA256
6d65d0f293c413396954a07244e036fc80a64d8e33f123375530e73e0557b60c

SHA512
6b409a48424cbe5b3f9a3e05c5784122e286d65152dfe62ef78c4202840cbf6c5dfee19d0b9ac9d58a3fba8ea69518368430ed2f6c959c261dc1a9a19322923f

Download Submit
/etc/init.d/e9db2bcc3678779114f8ed31c875cbd3

Filesize
425B

MD5
3ee7c8a27d9dd79501718eaa87747ce7

SHA1
7907673ac9611853b406effe39bfa1c2c187d1ca

SHA256
6157ab8aad4806672a0b05abf8700b7db3e8012b15b9fa84a0c95f5817a738e0

SHA512
f79e9e62f0f2ca69291c266e60a59a5516a833951da0a69468de01992dd39a46c852c2a9b22ab3c33230bf0fde263de1844339b230a307429d564f93fefb5c34

Download Submit
/etc/sedu2istu

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libgcc.so

Filesize
604KB

MD5
e9db2bcc3678779114f8ed31c875cbd3

SHA1
1e20fe93f4926d431561ccc1ecb2c576d8c7ba4f

SHA256
2f20b41d601bde086a823e505ae0c1d6cfd3d40469373963ec3e15cd8df3baba

SHA512
c36b28078cb7c10d5fabb489a6fc19b9c856d1047cdb164191dc39ecf1d4a41c75d3e0e1591d2cf339388d943cf6966dbcc2fbd5da73c89eee7876e8a3834711

Download Submit
/run/mount.pid

Filesize
32B

MD5
788fc6a14e2073a9926a0cc1ba6b2034

SHA1
4a12fc5fed7e3ac54494731713ad11bbd1b31963

SHA256
687694788c76ab113102545dfa4dae2e5bba3d661b840576121b50ac5070e2f8

SHA512
5916521c363ae0adbe950c31be22303c59bfd3a440dc60850ddf8b404f6bb66efe26ec67b1b491eb51ce9a75ffa18b05d58812c0c3b8fadfe37cf20603cf2c97

Download Submit
/usr/bin/jbebdzbzcu

Filesize
604KB

MD5
291a2b3ead7b458fe3b02df593e467a2

SHA1
216a01fca40c6f433d505bc366a4c2dada619d94

SHA256
8f74666886babb39bb570384788203f826d7ec7835ec108bc9867459f3675e70

SHA512
2fc0bf6272f0044f399ad41c8effbb2ab9cf1cc41f137bfe93a83a7399948d82ccb845e387f735d084699a8560a954f10858f2ac2f04a714bfa02f3d06fb4814

Download Submit
/usr/bin/jbebdzbzcu

Filesize
604KB

MD5
f557f996c9e2edcb24026ebc51cabc16

SHA1
4b84b27f905182ed93af291b9abb07376abfc4bf

SHA256
8a971706386450ac801d527f016fb09c0ac49b3cd369ad5a12700cff46c60960

SHA512
dc8ba8b6e0ea9be914e7c7350a8b9e403909e9b9f180221d457fab99d344cad76c27f9cec1b1bdf13fef4add39d2119701cc57709e8f1b085881cf2e7ac962df

Download Submit
/usr/bin/mznzypbxfo

Filesize
15KB

MD5
7b5fd053fa7d6fc14caf4f5ca33297b0

SHA1
337069dd4d1125c76c6f49d223596a6bf715c00f

SHA256
bf8d45137d8ff24397f4ac58ac594bb84cbba49a98ea97ed8452dcaed048c5a6

SHA512
dfe79282d62a35d23cb829da98eb2b150937dc3bdec9d8f87a34cd0650c884776508c248bec42f5715c1d2c03ce6c9f5b018d44d10a37587966bb3f51641500f

Download Submit
/usr/bin/udlwnnoswj

Filesize
604KB

MD5
58d6c114f842afb0c8cc78f561387804

SHA1
e720a5ab82af7c1941449bf7ada7e13cb5999511

SHA256
68701a53b1de0bcfc92b333296bb562b2698840db27e6c66b9048ab968035051

SHA512
909f92aaf458d8689ecf50da86d802ca03839de16dce7dc94d2f3cda5b6ac837038adf78a666cfc15f73b75b75b2dcc74f588bcec54d33a22b52bb248e660479

Download Submit
/usr/bin/udlwnnoswj

Filesize
604KB

MD5
1f1b6f04e16e1bf193e5da84629f1503

SHA1
9388cfc8ec76bd1bdc7aa0a464c489b3604084af

SHA256
d9387c8a11afa0885c10e58991edbccb2c90c101a95a3592eae553da71f006ac

SHA512
ad96b3986bca763bc25409820beb50f92a1fff15e622e56ebb94530e0d5d67ca34be9fe6880bd9a7192d4a489ce0d0731d1fab9836f394db71ae170cb52f5d23

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads