xorddos | ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

General

Target

112
Size

549KB
MD5

f9191bab1e834d4aef3380700639cee9
SHA1

9c20269df6694260a24ac783de2e30d627a6928a
SHA256

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA512

3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 4 IoCs

Processes:

resource	yara_rule
/bin/bsqwwn	family_xorddos
/bin/fbzphho	family_xorddos
/bin/yiqnhfhlxgsqvg	family_xorddos
/bin/xtcpvwmoysib	family_xorddos

Deletes itself 25 IoCs

Processes:

pid

1576
1585
1592
1594
1598
1600
1604
1608
1611
1614
1616
1619
1622
1626
1628
1631
1634
1637
1640
1643
1646
1649
1652
1655
1659

pid
1576
1585
1592
1594
1598
1600
1604
1608
1611
1614
1616
1619
1622
1626
1628
1631
1634
1637
1640
1643
1646
1649
1652
1655
1659

Executes dropped EXE 26 IoCs

Processes:

bsqwwnrjfazlhmrriimtelrfpipkzgbyxcwaxkegwxzggxszskuczhxzgfaedefbzphhogwngpojwiutktjugpxndrxftpmadthbyiqnhfhlxgsqvgaabciqufpjhtatbaeuplzywcsoazhakelbzsqkexeetqvgzyhjcvbnaorasxtdsdyeerpfxvkdwinglisxtcpvwmoysibstmfbhzaaqxwelwtxphelryodhjboyis

ioc	pid	process
/bin/bsqwwn	1579	bsqwwn
/bin/rjfazl	1584	rjfazl
/bin/hmrrii	1590	hmrrii
/bin/mtelrfpipk	1593	mtelrfpipk
/bin/zgbyxcwa	1596	zgbyxcwa
/bin/xkegwxzggxsz	1599	xkegwxzggxsz
/bin/skuczhxzgfaede	1603	skuczhxzgfaede
/bin/fbzphho	1606	fbzphho
/bin/gwngpojwiutkt	1609	gwngpojwiutkt
/bin/jugpxn	1612	jugpxn
/bin/drxftpmadthb	1615	drxftpmadthb
/bin/yiqnhfhlxgsqvg	1618	yiqnhfhlxgsqvg
/bin/aabciqufp	1621	aabciqufp
/bin/jhtatbaeuplz	1624	jhtatbaeuplz
/bin/ywcsoazha	1627	ywcsoazha
/bin/kelbzsqkexeet	1630	kelbzsqkexeet
/bin/qvgzyhjcv	1633	qvgzyhjcv
/bin/bnaorasxt	1636	bnaorasxt
/bin/dsdyeerpf	1639	dsdyeerpf
/bin/xvkdwinglis	1642	xvkdwinglis
/bin/xtcpvwmoysib	1645	xtcpvwmoysib
/bin/stmfbh	1648	stmfbh
/bin/zaaqxwel	1651	zaaqxwel
/bin/wtxphe	1654	wtxphe
/bin/lryodh	1657	lryodh
/bin/jboyis	1660	jboyis

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 114.114.114.114
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

description ioc

File opened for modification /etc/cron.hourly/nwwqsb.sh
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/nwwqsb

description	ioc
Destination IP	114.114.114.114

description	ioc
File opened for modification	/etc/cron.hourly/nwwqsb.sh

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for modification	/etc/init.d/nwwqsb

Writes file to system bin folder 1 TTPs 29 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/bin/jugpxn
File opened for modification	/bin/yiqnhfhlxgsqvg
File opened for modification	/bin/aabciqufp
File opened for modification	/bin/xtcpvwmoysib
File opened for modification	/bin/zaaqxwel
File opened for modification	/bin/jboyis
File opened for modification	/bin/zgbyxcwa
File opened for modification	/bin/skuczhxzgfaede
File opened for modification	/bin/fbzphho
File opened for modification	/bin/drxftpmadthb
File opened for modification	/bin/xvkdwinglis
File opened for modification	/bin/nwwqsb
File opened for modification	/bin/dsdyeerpf
File opened for modification	/bin/wtxphe
File opened for modification	/bin/hmrrii
File opened for modification	/bin/bnaorasxt
File opened for modification	/bin/nwwqsb.sh
File opened for modification	/bin/mtelrfpipk
File opened for modification	/bin/qvgzyhjcv
File opened for modification	/bin/mwbtbafuavxhqi
File opened for modification	/bin/bsqwwn
File opened for modification	/bin/rjfazl
File opened for modification	/bin/ywcsoazha
File opened for modification	/bin/stmfbh
File opened for modification	/bin/lryodh
File opened for modification	/bin/gwngpojwiutkt
File opened for modification	/bin/jhtatbaeuplz
File opened for modification	/bin/xkegwxzggxsz
File opened for modification	/bin/kelbzsqkexeet

Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/tcp
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

description ioc

File opened for reading /proc/1/fd
Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

description ioc

File opened for modification /dev/shm/sem.qgvetw
File opened for modification /dev/shm/sem.uDwcZP

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/1/fd

description	ioc
File opened for modification	/dev/shm/sem.qgvetw
File opened for modification	/dev/shm/sem.uDwcZP

/tmp/112
/tmp/112
1⤵
PID:1575

/bin/bsqwwn
/bin/bsqwwn
1⤵
- Executes dropped EXE
PID:1579

/bin/rjfazl
/bin/rjfazl -d 1580
1⤵
- Executes dropped EXE
PID:1584

/bin/hmrrii
/bin/hmrrii -d 1580
1⤵
- Executes dropped EXE
PID:1590

/bin/mtelrfpipk
/bin/mtelrfpipk -d 1580
1⤵
- Executes dropped EXE
PID:1593

/bin/zgbyxcwa
/bin/zgbyxcwa -d 1580
1⤵
- Executes dropped EXE
PID:1596

/bin/xkegwxzggxsz
/bin/xkegwxzggxsz -d 1580
1⤵
- Executes dropped EXE
PID:1599

/bin/skuczhxzgfaede
/bin/skuczhxzgfaede -d 1580
1⤵
- Executes dropped EXE
PID:1603

/bin/fbzphho
/bin/fbzphho -d 1580
1⤵
- Executes dropped EXE
PID:1606

/bin/gwngpojwiutkt
/bin/gwngpojwiutkt -d 1580
1⤵
- Executes dropped EXE
PID:1609

/bin/jugpxn
/bin/jugpxn -d 1580
1⤵
- Executes dropped EXE
PID:1612

/bin/drxftpmadthb
/bin/drxftpmadthb -d 1580
1⤵
- Executes dropped EXE
PID:1615

/bin/yiqnhfhlxgsqvg
/bin/yiqnhfhlxgsqvg -d 1580
1⤵
- Executes dropped EXE
PID:1618

/bin/aabciqufp
/bin/aabciqufp -d 1580
1⤵
- Executes dropped EXE
PID:1621

/bin/jhtatbaeuplz
/bin/jhtatbaeuplz -d 1580
1⤵
- Executes dropped EXE
PID:1624

/bin/ywcsoazha
/bin/ywcsoazha -d 1580
1⤵
- Executes dropped EXE
PID:1627

/bin/kelbzsqkexeet
/bin/kelbzsqkexeet -d 1580
1⤵
- Executes dropped EXE
PID:1630

/bin/qvgzyhjcv
/bin/qvgzyhjcv -d 1580
1⤵
- Executes dropped EXE
PID:1633

/bin/bnaorasxt
/bin/bnaorasxt -d 1580
1⤵
- Executes dropped EXE
PID:1636

/bin/dsdyeerpf
/bin/dsdyeerpf -d 1580
1⤵
- Executes dropped EXE
PID:1639

/bin/xvkdwinglis
/bin/xvkdwinglis -d 1580
1⤵
- Executes dropped EXE
PID:1642

/bin/xtcpvwmoysib
/bin/xtcpvwmoysib -d 1580
1⤵
- Executes dropped EXE
PID:1645

/bin/stmfbh
/bin/stmfbh -d 1580
1⤵
- Executes dropped EXE
PID:1648

/bin/zaaqxwel
/bin/zaaqxwel -d 1580
1⤵
- Executes dropped EXE
PID:1651

/bin/wtxphe
/bin/wtxphe -d 1580
1⤵
- Executes dropped EXE
PID:1654

/bin/lryodh
/bin/lryodh -d 1580
1⤵
- Executes dropped EXE
PID:1657

/bin/jboyis
/bin/jboyis -d 1580
1⤵
- Executes dropped EXE
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/bsqwwn

Filesize
549KB

MD5
f32b06bf383643a2f09c4aab347f1bcf

SHA1
162aa3a908f5efe5f959f796cb126d1aeff31132

SHA256
d8af3d557c6bbb44d674c371a1ca27d92a0ddfc2d667725e968af84baab6ded7

SHA512
ab793d118be2b0d4ad98ef4c430818b0fbf2bd59e23129eb64b4435ee13031c48064b79e703d55b402d55c7f9c3ca5671156d390b0982e2e38642c0ec07da120

Download Submit
/bin/fbzphho

Filesize
164KB

MD5
0504ae8fd4ca3d8fe6ca42d60d4df206

SHA1
006d08db84a8caef3c25ec7367849d2467e7f319

SHA256
7cb7c53ce727697e19e475997c709f1c91c380109445b4fdb785776e8acbdc39

SHA512
7394091d788a8ee2e1d8f7799006185671b5bc491eec844deb476ea7ff2dbba86e4eb07affb10f9db919e0e3f571485682a78a6668af9cd5e272c42d3db5a128

Download Submit
/bin/xtcpvwmoysib

Filesize
396KB

MD5
5d5e1934b75b47fd4d3ba04c331869c3

SHA1
47264ac1824d25c17e428177ac6c47c4568c74d9

SHA256
cc42731bf94ff321ee0d9c9085dde80e2ee5268d571b98594eafc5c799113cd5

SHA512
b2fe021a800f3dfc71df045ae95e2cf46636c844eb80a97c95239827ae4d5d62431a5cd4bb5e4b7899a366d7b3ede1641177cae4610cb4855e5a5bd2aff59b7a

Download Submit
/bin/yiqnhfhlxgsqvg

Filesize
39KB

MD5
7a9c78aac853767710958b5a50343453

SHA1
7758c902ec9d0ce482d9951c5df1231552e2a04a

SHA256
9300434d60e31bbb3f5001584e60e310428cba604b824a3ef657c24494b649de

SHA512
b142c83afe86b17cf04be2b439b1248e86ef23717d658c20a368bfbd797012b8560ef1ced744c5e4b1f166515c0e087dabeec4cb57ad8d1a85449105bb0af851

Download Submit
/etc/cron.hourly/nwwqsb.sh

Filesize
143B

MD5
002112a115bfa34c01c76bc872c10123

SHA1
7d0c4e09c897b4757d54d3c5155a307841b0e6a1

SHA256
8e64bdc45bf6b6ba8ea1c2549157bdd8b9b96d82c9ab4840a7be0ffd99193a0f

SHA512
89f257e235d96274120af07d9a0e29db4e63c92d457cc233505de612588d51e3996d87f13bec257a45e1100a0acd90b3d8000e615506fa926011d6dd7e07f0db

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
23690b70bbf6fd87c0188630896df32d

SHA1
943f9a620b85d2c64b914ed5139f9756d1d01217

SHA256
5e2612bd16344df8140e0f97dc36f7ddfa7deabd1f0c6e35c7b142719102cb22

SHA512
97d681d3ea378f95e212cfac618bd690f28f2bf747dac659101c46656020b3a9defdfb49aab3c7dc5b25f822c537250829836f116d5aef715e5ad67e2fac2592

Download Submit
/etc/init.d/nwwqsb

Filesize
318B

MD5
d383903eae4d850d02758aac9f225d2d

SHA1
b3d7c924725b6aba3da43d96e70e103fa7704117

SHA256
c3f0e583b5f53a7e8e19cb2ee9194dcbcfe457c8707624e4515227c748a006d3

SHA512
ab92fc57c11257f71162602a5600d8855925763281a820d156df61ba6be72d4928aed6d09da10dafd0ef7837d7aa8d31ec38fb809231b387d8ff11d7df963bca

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads