xorddos | e19635381b2d291f2d2217efd78b80ad97d7ef34bfcbf10a4877263cfa7c9669

Analysis

max time kernel
151s
max time network
159s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
26-12-2023 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6488dcbdcea8b92132925c0561cbb5dd
Size

611KB
MD5

6488dcbdcea8b92132925c0561cbb5dd
SHA1

317404379d9c763ccd2930a4cc159c55856edf13
SHA256

e19635381b2d291f2d2217efd78b80ad97d7ef34bfcbf10a4877263cfa7c9669
SHA512

268d67117e4e0b03287c70ce871171e373fe8c404adaacffd9eadccfe095c14b3f1d637f04254bdc54008420f370ec566516c55a5dcf1eb1aa73f795552fbae0
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrpT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNpBVEBl/91h

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/config.rar

cdn.search2c.com:53

cdn.netflix2cdn.com:53

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 11 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/kxoylzramn	family_xorddos
/usr/bin/kxoylzramn	family_xorddos
/usr/bin/uvbekxbqkg	family_xorddos
/usr/bin/uvbekxbqkg	family_xorddos
/usr/bin/ymxbibzxje	family_xorddos
/usr/bin/ymxbibzxje	family_xorddos
/usr/bin/evuohnugck	family_xorddos
/usr/bin/evuohnugck	family_xorddos
/usr/bin/gwlcjqvaqn	family_xorddos
/usr/bin/gwlcjqvaqn	family_xorddos

Deletes itself 6 IoCs

Processes:

pid

1631
1635
1637
1642
1647
1649

pid
1631
1635
1637
1642
1647
1649

Executes dropped EXE 24 IoCs

Processes:

kxoylzramnkxoylzramnkxoylzramnkxoylzramnkxoylzramnuvbekxbqkguvbekxbqkguvbekxbqkguvbekxbqkguvbekxbqkgymxbibzxjeymxbibzxjeymxbibzxjeymxbibzxjeymxbibzxjeevuohnugckevuohnugckevuohnugckevuohnugckevuohnugckgwlcjqvaqngwlcjqvaqngwlcjqvaqngwlcjqvaqn

ioc	pid	process
/usr/bin/kxoylzramn	1549	kxoylzramn
/usr/bin/kxoylzramn	1552	kxoylzramn
/usr/bin/kxoylzramn	1572	kxoylzramn
/usr/bin/kxoylzramn	1578	kxoylzramn
/usr/bin/kxoylzramn	1581	kxoylzramn
/usr/bin/uvbekxbqkg	1587	uvbekxbqkg
/usr/bin/uvbekxbqkg	1590	uvbekxbqkg
/usr/bin/uvbekxbqkg	1593	uvbekxbqkg
/usr/bin/uvbekxbqkg	1598	uvbekxbqkg
/usr/bin/uvbekxbqkg	1601	uvbekxbqkg
/usr/bin/ymxbibzxje	1612	ymxbibzxje
/usr/bin/ymxbibzxje	1615	ymxbibzxje
/usr/bin/ymxbibzxje	1618	ymxbibzxje
/usr/bin/ymxbibzxje	1621	ymxbibzxje
/usr/bin/ymxbibzxje	1624	ymxbibzxje
/usr/bin/evuohnugck	1629	evuohnugck
/usr/bin/evuohnugck	1632	evuohnugck
/usr/bin/evuohnugck	1634	evuohnugck
/usr/bin/evuohnugck	1638	evuohnugck
/usr/bin/evuohnugck	1640	evuohnugck
/usr/bin/gwlcjqvaqn	1644	gwlcjqvaqn
/usr/bin/gwlcjqvaqn	1646	gwlcjqvaqn
/usr/bin/gwlcjqvaqn	1650	gwlcjqvaqn
/usr/bin/gwlcjqvaqn	1652	gwlcjqvaqn

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/6488dcbdcea8b92132925c0561cbb5dd

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/6488dcbdcea8b92132925c0561cbb5dd

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/kxoylzramn
File opened for modification	/usr/bin/uvbekxbqkg
File opened for modification	/usr/bin/ymxbibzxje
File opened for modification	/usr/bin/evuohnugck
File opened for modification	/usr/bin/gwlcjqvaqn

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc
File opened for reading	/proc/stat
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	systemctl

/tmp/6488dcbdcea8b92132925c0561cbb5dd
/tmp/6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1533

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1539
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1540

/bin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/sbin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/bin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/sbin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/local/bin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/local/sbin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/usr/X11R6/bin/chkconfig
chkconfig --add 6488dcbdcea8b92132925c0561cbb5dd
1⤵
PID:1536

/bin/update-rc.d
update-rc.d 6488dcbdcea8b92132925c0561cbb5dd defaults
1⤵
PID:1538

/sbin/update-rc.d
update-rc.d 6488dcbdcea8b92132925c0561cbb5dd defaults
1⤵
PID:1538

/usr/bin/update-rc.d
update-rc.d 6488dcbdcea8b92132925c0561cbb5dd defaults
1⤵
PID:1538

/usr/sbin/update-rc.d
update-rc.d 6488dcbdcea8b92132925c0561cbb5dd defaults
1⤵
PID:1538
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1547

/usr/bin/kxoylzramn
/usr/bin/kxoylzramn id 1534
1⤵
- Executes dropped EXE
PID:1549

/usr/bin/kxoylzramn
/usr/bin/kxoylzramn pwd 1534
1⤵
- Executes dropped EXE
PID:1552

/usr/bin/kxoylzramn
/usr/bin/kxoylzramn ls 1534
1⤵
- Executes dropped EXE
PID:1572

/usr/bin/kxoylzramn
/usr/bin/kxoylzramn ifconfig 1534
1⤵
- Executes dropped EXE
PID:1578

/usr/bin/kxoylzramn
/usr/bin/kxoylzramn bash 1534
1⤵
- Executes dropped EXE
PID:1581

/usr/bin/uvbekxbqkg
/usr/bin/uvbekxbqkg ls 1534
1⤵
- Executes dropped EXE
PID:1587

/usr/bin/uvbekxbqkg
/usr/bin/uvbekxbqkg pwd 1534
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/uvbekxbqkg
/usr/bin/uvbekxbqkg sh 1534
1⤵
- Executes dropped EXE
PID:1593

/usr/bin/uvbekxbqkg
/usr/bin/uvbekxbqkg sh 1534
1⤵
- Executes dropped EXE
PID:1598

/usr/bin/uvbekxbqkg
/usr/bin/uvbekxbqkg who 1534
1⤵
- Executes dropped EXE
PID:1601

/usr/bin/ymxbibzxje
/usr/bin/ymxbibzxje whoami 1534
1⤵
- Executes dropped EXE
PID:1612

/usr/bin/ymxbibzxje
/usr/bin/ymxbibzxje gnome-terminal 1534
1⤵
- Executes dropped EXE
PID:1615

/usr/bin/ymxbibzxje
/usr/bin/ymxbibzxje "ls -la" 1534
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/ymxbibzxje
/usr/bin/ymxbibzxje "route -n" 1534
1⤵
- Executes dropped EXE
PID:1621

/usr/bin/ymxbibzxje
/usr/bin/ymxbibzxje uptime 1534
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/evuohnugck
/usr/bin/evuohnugck su 1534
1⤵
- Executes dropped EXE
PID:1629

/usr/bin/evuohnugck
/usr/bin/evuohnugck who 1534
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/evuohnugck
/usr/bin/evuohnugck "ls -la" 1534
1⤵
- Executes dropped EXE
PID:1634

/usr/bin/evuohnugck
/usr/bin/evuohnugck "echo \"find\"" 1534
1⤵
- Executes dropped EXE
PID:1638

/usr/bin/evuohnugck
/usr/bin/evuohnugck top 1534
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/gwlcjqvaqn
/usr/bin/gwlcjqvaqn "ls -la" 1534
1⤵
- Executes dropped EXE
PID:1644

/usr/bin/gwlcjqvaqn
/usr/bin/gwlcjqvaqn top 1534
1⤵
- Executes dropped EXE
PID:1646

/usr/bin/gwlcjqvaqn
/usr/bin/gwlcjqvaqn "ls -la" 1534
1⤵
- Executes dropped EXE
PID:1650

/usr/bin/gwlcjqvaqn
/usr/bin/gwlcjqvaqn "ps -ef" 1534
1⤵
- Executes dropped EXE
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/6488dcbdcea8b92132925c0561cbb5dd

Filesize
425B

MD5
d68a25ed3f3e1a5c521c040c1a211eff

SHA1
2b291a7a809f3e991b71eb4c97f1ca7499c8ab0e

SHA256
93813d56118f4b1f4016e4294dd997bf90cb936f23f491951dccc827ed57832d

SHA512
25e3daec62821c77454bad634a12ec26456554c778de186aa5cb4bd57e74cec120e9a6f07712e1be4d50d006511a6eb5a0280b2979a45f45b35de8b5a14cfddf

Download Submit
/etc/sedrNvhlB

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
6488dcbdcea8b92132925c0561cbb5dd

SHA1
317404379d9c763ccd2930a4cc159c55856edf13

SHA256
e19635381b2d291f2d2217efd78b80ad97d7ef34bfcbf10a4877263cfa7c9669

SHA512
268d67117e4e0b03287c70ce871171e373fe8c404adaacffd9eadccfe095c14b3f1d637f04254bdc54008420f370ec566516c55a5dcf1eb1aa73f795552fbae0

Download Submit
/run/gcc.pid

Filesize
32B

MD5
3e14b6ea3c853a6d0f9d7faafcc669ff

SHA1
656cc6614928d4e6d1121b2bed466c71c1ba1410

SHA256
088f3ddd8f50eff3ab6c098c83a2d2bc6724f04901d49961cffd30c31ef5e1bc

SHA512
6d453c187328ca19753c82b0dfab84ee1b0ffb78bd70a4dbf9b72e49adadf23319599cb8c54119d78a6765617e96e634a6e6f526106206c559dd978e0b01c5c1

Download Submit
/usr/bin/evuohnugck

Filesize
611KB

MD5
dea295f9cf789238ae5383d48eb556e8

SHA1
9d924d706d482bc8eb6306e2aa9fbe4ea22c0b6e

SHA256
666dc0f45f80b3cbed66205c67a2fb4962d2d5376781ae94f47fd0302003ead3

SHA512
1fc96898967ef23e360bf4a671870e6fef353f40cbde7f30df724cd98dda9e4bca41849eff0789dd0a553945d3815a2044012bb21b919a68e898251a291c8fd6

Download Submit
/usr/bin/evuohnugck

Filesize
611KB

MD5
93b4604796f8d17e8799d522da9c6988

SHA1
65c70a82d42c3909ad1605a2c2e66cb7c488dc31

SHA256
fa1003c8e995885d1c28168ed34ac9d9a11b4b84bfaa4b7e434ef9057a5fbbd7

SHA512
ea11f2128cc41270be81483a8133d155c89ec6b4b3ce6f0832597f982a4043ce4fecd903431b5b39532d956c3cb1a173c0c7d1b60b612a57905572e5648fb9d3

Download Submit
/usr/bin/gwlcjqvaqn

Filesize
611KB

MD5
82e7d390ca06dcd3d595c0ccaa9a8cb1

SHA1
73077e2c9bd9ad9a24ccb5c72c4b0e7fff6fc1b0

SHA256
c411111fb7314395389b00489edec421c53367455f2f437afa7b7c25bbd5d850

SHA512
c53e8b617af48b0ff727ab66148d9f2d98ce0c8334fba400005c8ec6594c1381d602e56ef54636d413af2da0fe0c8da8a45ae612a3896a839b2c3f87667a4209

Download Submit
/usr/bin/gwlcjqvaqn

Filesize
611KB

MD5
c832acb5c5d985d5f08effde5b9a1b86

SHA1
6a79b51f46f07d15b25b8013feff92e3705ab418

SHA256
aa02d3492f590d05c800a85cdea7251ce0d04c0585d50f5b935be2d688f4a2cf

SHA512
25eee3b8e3e819d9b8f262b490387ccda1bee6f35015d05454e7ea5c7a49abef691fde863a32ca7dc31966179a428b6403b0a6eba559d678a0d0478ee8053bb3

Download Submit
/usr/bin/kxoylzramn

Filesize
611KB

MD5
847cbfc6619a2a918b018a98ac8f39bd

SHA1
febf272f075707506ec966c0c1c128347aad457f

SHA256
31eca1616fe0b0484b0319df7254fafc5ceae3e0365d00d79fe6a58f11f565a8

SHA512
a938dfb0c0d1983c74d65e56f87c8b09d3ffbc40437ccc59585fb4a87f682d575d3b86059ba3f28b5b289cf46eda3c8c0cb3dc6fbfec2b4c50e819c329cf6df8

Download Submit
/usr/bin/kxoylzramn

Filesize
611KB

MD5
9ca3143919def0511e4e411a1e3768bc

SHA1
3ba399cf899f764dbe2f56482f5956c7e0d221d9

SHA256
ecea97a39e2ec4c5a7e95a51f894eeb61f4e54890c0cd92db83fa8845ad01cee

SHA512
854521a3d3d02a01ea4a386501812815870cb6074769de5deb0bcff183b4335341201d1d7168c263c81c266d31a4c69dd0e7741325ef5ef8d4c8a8dddc043840

Download Submit
/usr/bin/uvbekxbqkg

Filesize
611KB

MD5
bd83a4e3f04a7627aac917633f1b8fb4

SHA1
175ade2b444dcf6f3e26499f1a404d2354bdfbd0

SHA256
1c2707e76a13327754b4a69d25111a0828de9c11fae07dc0bb96ca437f741068

SHA512
6bdcb21cbd3b2ba3a747fab1a620ac7e02f04e2613646aec3e14b88e7e82bc7d9397114bbe8eec7be55e8e516379de44be65713db430728ba492434f9d2da359

Download Submit
/usr/bin/uvbekxbqkg

Filesize
611KB

MD5
c1d9cf4f378171f80b9d83290724f0fa

SHA1
0b2da805a840cfae6a20c1f4b23a2ae2fc8b9412

SHA256
daf4fb660c35bf47ec265fa89e76b6c13f10f556e2aa73b055c31e97266758e0

SHA512
9b45195acacf10b4c40d042e3dcc00e62637027c31c74d1eb2c6c465c1c1a5513af323db3bb9aa9edda4942bc3b8c01037f741f2c2c85341349451958dbc0bdd

Download Submit
/usr/bin/ymxbibzxje

Filesize
611KB

MD5
92e33a4adce475b7be84527073a076b6

SHA1
5336f221d4b033a8349cbe1a7b8be733dee9d160

SHA256
5ce64765b8a8c54f1723d4db8f877998b28dd2ace023c478d7cb52de3b2e3b61

SHA512
84f2cfe935e0d6869ee5ebe9330733a67914faaa852e2024d8d3bfd31bbd33bbd39bb86f10491e79f1c51d3539796bd51c68e39e415fe9869745451f86061347

Download Submit
/usr/bin/ymxbibzxje

Filesize
611KB

MD5
6051cde7c5a97fe069d8a91f6f8414ae

SHA1
5fe85fef4bcaf0ecdb113568cb9de6b093778a7b

SHA256
a2e0263ee760f233e0a53e2fdd617a07df8616c236ab7a6073193d43c853bcd0

SHA512
3568348c15350e7571d0855dae6b513de84a46575322c34cf81a3abce88739a9edc0db35f762887c96c73cbadf67f968873e227701511792aad644b46e423202

Download Submit