xorddos | c9bd6d01eb7258fef88ec5c9276431c1db45f063b316f83943e45b6a40a76783

General

Target

2a91a3170a5fd4fb3e30f3d63b9120de
Size

546KB
MD5

2a91a3170a5fd4fb3e30f3d63b9120de
SHA1

1a7a226833f43fdaee71cb6f84914f9a1e87de81
SHA256

c9bd6d01eb7258fef88ec5c9276431c1db45f063b316f83943e45b6a40a76783
SHA512

2d396f7fd0e661a2f15a1f0dc51341b89d9b28f6742a4bdfb7fe9115c5c7b44d9b8ac6e1c5e492f5971c2f9595f17c4154d979f7183df23d8f52ab0e24834d3f
SSDEEP

12288:D3P1A0+Kvdnd4Asvhc27/ao+PzENGtkZg0/CedRlZRqR6ysen:Dfm0+KlZsJc27io2zYGtk20/LdF0+8

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:5993

wowapplecar.com:5993

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 4 IoCs

Processes:

resource	yara_rule
/tmp/ed0219b36d3f03e3bf4df5a0713a19a2	family_xorddos
/bin/iigzmsijeefr	family_xorddos
/bin/owoijyymag	family_xorddos
/bin/ftcsgiytshzdj	family_xorddos

Deletes itself 34 IoCs

Processes:

pid

1581
1584
1587
1590
1592
1606
1609
1612
1615
1617
1621
1624
1627
1630
1632
1636
1639
1642
1645
1647
1651
1654
1657
1661
1662
1668
1670
1674
1677
1679
1683
1686
1688
1692

pid
1581
1584
1587
1590
1592
1606
1609
1612
1615
1617
1621
1624
1627
1630
1632
1636
1639
1642
1645
1647
1651
1654
1657
1661
1662
1668
1670
1674
1677
1679
1683
1686
1688
1692

Executes dropped EXE 34 IoCs

Processes:

qaifsncvydrszqdetlpuceawkxvbkdjyevmsazwtslxcfkjwflafjneiigzmsijeefrlqezzdsusruuykurdfbkeneoysdczpsfqtiodbixaumowoijyymagaessvanoadkplnjhprutvtmhwvzgkzkcsiewfkiwydlhmdzslioiiuujhxbdknkvxitacmzduxevqdgznduxmtadylliptbplnbizwkvvugdjzyrmdfxarmutsszdrbntzxvvqcyzehavtdambuhtzhdqxyjaaiuhlkdhddhsdvdjcasxcsespeewnrzcfvaasejftcsgiytshzdjxpltfcshheejez

ioc	pid	process
/bin/qaifsncvy	1576	qaifsncvy
/bin/drszqdetl	1582	drszqdetl
/bin/puceawkxv	1585	puceawkxv
/bin/bkdjyevmsazwts	1588	bkdjyevmsazwts
/bin/lxcfkjwflafjne	1591	lxcfkjwflafjne
/bin/iigzmsijeefr	1604	iigzmsijeefr
/bin/lqezzdsusruuyk	1607	lqezzdsusruuyk
/bin/urdfbkeneoy	1610	urdfbkeneoy
/bin/sdczpsfqt	1613	sdczpsfqt
/bin/iodbixaum	1616	iodbixaum
/bin/owoijyymag	1619	owoijyymag
/bin/aessvanoadkpl	1622	aessvanoadkpl
/bin/njhprutvt	1625	njhprutvt
/bin/mhwvzgkzkcsie	1628	mhwvzgkzkcsie
/bin/wfkiwydlhmd	1631	wfkiwydlhmd
/bin/zslioiiuujhxb	1634	zslioiiuujhxb
/bin/dknkvxita	1637	dknkvxita
/bin/cmzduxevq	1640	cmzduxevq
/bin/dgznduxmtadyl	1643	dgznduxmtadyl
/bin/liptbp	1646	liptbp
/bin/lnbizwk	1649	lnbizwk
/bin/vvugdjz	1652	vvugdjz
/bin/yrmdfxarmutss	1655	yrmdfxarmutss
/bin/zdrbntzxv	1658	zdrbntzxv
/bin/vqcyzehavtd	1660	vqcyzehavtd
/bin/ambuhtzh	1666	ambuhtzh
/bin/dqxyjaa	1669	dqxyjaa
/bin/iuhlkdhddhsdv	1672	iuhlkdhddhsdv
/bin/djcasx	1675	djcasx
/bin/csespee	1678	csespee
/bin/wnrzcf	1681	wnrzcf
/bin/vaasej	1684	vaasej
/bin/ftcsgiytshzdj	1687	ftcsgiytshzdj
/bin/xpltfcshheejez	1690	xpltfcshheejez

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

description ioc

File opened for modification /etc/cron.hourly/ed0219b36d3f03e3bf4df5a0713a19a2.sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/ed0219b36d3f03e3bf4df5a0713a19a2

description	ioc
File opened for modification	/etc/cron.hourly/ed0219b36d3f03e3bf4df5a0713a19a2.sh

description	ioc
File opened for modification	/etc/init.d/ed0219b36d3f03e3bf4df5a0713a19a2

Writes file to system bin folder 1 TTPs 35 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/bin/bkdjyevmsazwts
File opened for modification	/bin/dknkvxita
File opened for modification	/bin/liptbp
File opened for modification	/bin/lnbizwk
File opened for modification	/bin/csespee
File opened for modification	/bin/wnrzcf
File opened for modification	/bin/vaasej
File opened for modification	/bin/lxcfkjwflafjne
File opened for modification	/bin/iuhlkdhddhsdv
File opened for modification	/bin/ftcsgiytshzdj
File opened for modification	/bin/njhprutvt
File opened for modification	/bin/mhwvzgkzkcsie
File opened for modification	/bin/vqcyzehavtd
File opened for modification	/bin/sdczpsfqt
File opened for modification	/bin/owoijyymag
File opened for modification	/bin/wfkiwydlhmd
File opened for modification	/bin/xpltfcshheejez
File opened for modification	/bin/ouxjypp
File opened for modification	/bin/puceawkxv
File opened for modification	/bin/urdfbkeneoy
File opened for modification	/bin/yrmdfxarmutss
File opened for modification	/bin/zdrbntzxv
File opened for modification	/bin/qaifsncvy
File opened for modification	/bin/vvugdjz
File opened for modification	/bin/dqxyjaa
File opened for modification	/bin/drszqdetl
File opened for modification	/bin/iodbixaum
File opened for modification	/bin/aessvanoadkpl
File opened for modification	/bin/zslioiiuujhxb
File opened for modification	/bin/ambuhtzh
File opened for modification	/bin/djcasx
File opened for modification	/bin/iigzmsijeefr
File opened for modification	/bin/lqezzdsusruuyk
File opened for modification	/bin/cmzduxevq
File opened for modification	/bin/dgznduxmtadyl

Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

description ioc

File opened for modification /dev/shm/sem.zexfcl
File opened for modification /dev/shm/sem.8xQc0N
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/ed0219b36d3f03e3bf4df5a0713a19a2
File opened for modification /tmp/ed0219b36d3f03e3bf4df5a0713a19a2.sh

description	ioc
File opened for modification	/dev/shm/sem.zexfcl
File opened for modification	/dev/shm/sem.8xQc0N

description	ioc
File opened for modification	/tmp/ed0219b36d3f03e3bf4df5a0713a19a2
File opened for modification	/tmp/ed0219b36d3f03e3bf4df5a0713a19a2.sh

/tmp/2a91a3170a5fd4fb3e30f3d63b9120de
/tmp/2a91a3170a5fd4fb3e30f3d63b9120de
1⤵
PID:1571

/bin/qaifsncvy
/bin/qaifsncvy -d 1572
1⤵
- Executes dropped EXE
PID:1576

/bin/drszqdetl
/bin/drszqdetl -d 1572
1⤵
- Executes dropped EXE
PID:1582

/bin/puceawkxv
/bin/puceawkxv -d 1572
1⤵
- Executes dropped EXE
PID:1585

/bin/bkdjyevmsazwts
/bin/bkdjyevmsazwts -d 1572
1⤵
- Executes dropped EXE
PID:1588

/bin/lxcfkjwflafjne
/bin/lxcfkjwflafjne -d 1572
1⤵
- Executes dropped EXE
PID:1591

/bin/iigzmsijeefr
/bin/iigzmsijeefr -d 1572
1⤵
- Executes dropped EXE
PID:1604

/bin/lqezzdsusruuyk
/bin/lqezzdsusruuyk -d 1572
1⤵
- Executes dropped EXE
PID:1607

/bin/urdfbkeneoy
/bin/urdfbkeneoy -d 1572
1⤵
- Executes dropped EXE
PID:1610

/bin/sdczpsfqt
/bin/sdczpsfqt -d 1572
1⤵
- Executes dropped EXE
PID:1613

/bin/iodbixaum
/bin/iodbixaum -d 1572
1⤵
- Executes dropped EXE
PID:1616

/bin/owoijyymag
/bin/owoijyymag -d 1572
1⤵
- Executes dropped EXE
PID:1619

/bin/aessvanoadkpl
/bin/aessvanoadkpl -d 1572
1⤵
- Executes dropped EXE
PID:1622

/bin/njhprutvt
/bin/njhprutvt -d 1572
1⤵
- Executes dropped EXE
PID:1625

/bin/mhwvzgkzkcsie
/bin/mhwvzgkzkcsie -d 1572
1⤵
- Executes dropped EXE
PID:1628

/bin/wfkiwydlhmd
/bin/wfkiwydlhmd -d 1572
1⤵
- Executes dropped EXE
PID:1631

/bin/zslioiiuujhxb
/bin/zslioiiuujhxb -d 1572
1⤵
- Executes dropped EXE
PID:1634

/bin/dknkvxita
/bin/dknkvxita -d 1572
1⤵
- Executes dropped EXE
PID:1637

/bin/cmzduxevq
/bin/cmzduxevq -d 1572
1⤵
- Executes dropped EXE
PID:1640

/bin/dgznduxmtadyl
/bin/dgznduxmtadyl -d 1572
1⤵
- Executes dropped EXE
PID:1643

/bin/liptbp
/bin/liptbp -d 1572
1⤵
- Executes dropped EXE
PID:1646

/bin/lnbizwk
/bin/lnbizwk -d 1572
1⤵
- Executes dropped EXE
PID:1649

/bin/vvugdjz
/bin/vvugdjz -d 1572
1⤵
- Executes dropped EXE
PID:1652

/bin/yrmdfxarmutss
/bin/yrmdfxarmutss -d 1572
1⤵
- Executes dropped EXE
PID:1655

/bin/zdrbntzxv
/bin/zdrbntzxv -d 1572
1⤵
- Executes dropped EXE
PID:1658

/bin/vqcyzehavtd
/bin/vqcyzehavtd -d 1572
1⤵
- Executes dropped EXE
PID:1660

/bin/ambuhtzh
/bin/ambuhtzh -d 1572
1⤵
- Executes dropped EXE
PID:1666

/bin/dqxyjaa
/bin/dqxyjaa -d 1572
1⤵
- Executes dropped EXE
PID:1669

/bin/iuhlkdhddhsdv
/bin/iuhlkdhddhsdv -d 1572
1⤵
- Executes dropped EXE
PID:1672

/bin/djcasx
/bin/djcasx -d 1572
1⤵
- Executes dropped EXE
PID:1675

/bin/csespee
/bin/csespee -d 1572
1⤵
- Executes dropped EXE
PID:1678

/bin/wnrzcf
/bin/wnrzcf -d 1572
1⤵
- Executes dropped EXE
PID:1681

/bin/vaasej
/bin/vaasej -d 1572
1⤵
- Executes dropped EXE
PID:1684

/bin/ftcsgiytshzdj
/bin/ftcsgiytshzdj -d 1572
1⤵
- Executes dropped EXE
PID:1687

/bin/xpltfcshheejez
/bin/xpltfcshheejez -d 1572
1⤵
- Executes dropped EXE
PID:1690

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/ftcsgiytshzdj

Filesize
172KB

MD5
cd2d418518c0079d67208edd0d19486e

SHA1
9529bccf87fb7a5d71a9f68fb80ddcd658df47c0

SHA256
86d48d84d9e059f370acebbcdd6ea07fb3a09e2f576aa679e3dcc61ba22d1fe5

SHA512
7292ff19773ec5b2556cc9b9465fa91f212d89945f0cc2d0c98d0d6dae37cabe4c70b166e710f729f7a84d50d826a884bd6d4a136e5739107aec32883afb51d2

Download Submit
/bin/iigzmsijeefr

Filesize
3KB

MD5
4c929c0a88a23ed32fde904d1c9a609c

SHA1
3c7a6df6f16677425a6f10fa7da07d587ddb9758

SHA256
fec04f59985d0f108e14c339fcb1aa6174d04cc6c9850aa311be3e9501713981

SHA512
3a0d08aa10f617d7b2bd7597cfacb2b1ae450d20e986238ac20d8bab7cf83b496816e84b225f0e2f765e4d4ee0847dc79f2e14ecbed91404ef2ef1e12becc3f6

Download Submit
/bin/owoijyymag

Filesize
68KB

MD5
6e079084758750272be4b280314972b7

SHA1
5d3ca1dfdf83a471a745244ed5742571075ba59d

SHA256
c9907ff14a50d4f1bf9dae0615c997e932b618f1b9f387d461fdb65a55348f68

SHA512
8d71c689d9b7dcdfff627bb221ca5d917b7f2f1e4f34ea20e2cbabf1dfcc577e66d4eeb337860e5654ac6c709bd64a4514800163bbaea2e2f056fa406cc47b38

Download Submit
/dev/shm/sem.8xQc0N

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/ed0219b36d3f03e3bf4df5a0713a19a2.sh

Filesize
169B

MD5
587f5ef1cda1d56140b1219f58615dd7

SHA1
6223c708ca00614ddd1493b9b5c27dd45f5821f4

SHA256
6c38a750a954676f68a53934773775260207feb363a4baf98e3092153d611bc1

SHA512
a24536f90e12981fc35e12613a37430e8b14b1c38e2ecabd0d80aaac21220dc93b7d83f7cbe77dbb4ecedc2168f215637b056252da22d40ce31f7327eec5de32

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
58aa00d2d03e609d2be4500364e22a97

SHA1
03bf04f147c3a45ae5c415c42d0d407cd29767bb

SHA256
588f4dddf3049936d0e0d343c2cc6e0179d19745ee9b8819abcb869d14673cf2

SHA512
3b12d81240d87e23a170f73a580d13130ec09b8f7cb6a852e26c9c9d07dfa110d5fd7d5fcff8e1bdb47237521cbeb752d6c3561e328cd59852bfc4223d9710da

Download Submit
/etc/init.d/ed0219b36d3f03e3bf4df5a0713a19a2

Filesize
448B

MD5
63786e169c94538975e45c139599d816

SHA1
d71443c31708add02f323523884b7d0e42e6b1cc

SHA256
113aaf92371586816c7e770ae3ee3d6a151f7ccc652f09a38f84c9b0f2edd69b

SHA512
fcc8ba9769022fc994eb64bb5a1e7676efc679f13984927680ebf690bb80900dd6f42bb9e3405f0be53fa58678ecb22044759731ae092be19909e0aa23536aae

Download Submit
/tmp/ed0219b36d3f03e3bf4df5a0713a19a2

Filesize
546KB

MD5
2a91a3170a5fd4fb3e30f3d63b9120de

SHA1
1a7a226833f43fdaee71cb6f84914f9a1e87de81

SHA256
c9bd6d01eb7258fef88ec5c9276431c1db45f063b316f83943e45b6a40a76783

SHA512
2d396f7fd0e661a2f15a1f0dc51341b89d9b28f6742a4bdfb7fe9115c5c7b44d9b8ac6e1c5e492f5971c2f9595f17c4154d979f7183df23d8f52ab0e24834d3f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads