xorddos | 303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4

Resubmissions

10-01-2024 09:22

240110-lb7gysdfd5 10

02-01-2024 22:09

240102-1262fabeej 10

02-01-2024 20:59

240102-zsqsesebc6 10

Analysis

max time kernel
76s
max time network
300s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02-01-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BFtZ.bin
Size

535KB
MD5

35793cbfd0a4376ea9380ffed9182334
SHA1

31e5d905407966ca953def90eb45df417127cf38
SHA256

303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4
SHA512

89fc15518e82cb7c7f97acb433a1881612d404585b5228e4554a3f9e58c3db7e9a057f669d98c11c10cf3dd5e73b48a9ebf2b983319eae709d9751f21dfaaf4a
SSDEEP

12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eoj:/fUywKQ7Fb1pNL/p52fjQn36Eu

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/config.rar

ppp.gggatat456.com:1522

ppp.xxxatat456.com:1522

www1.gggatat456.com:1522

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 11 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/hhyofvrxro	family_xorddos
/usr/bin/hhyofvrxro	family_xorddos
/usr/bin/akveopppfy	family_xorddos
/usr/bin/akveopppfy	family_xorddos
/usr/bin/hggpbwxjae	family_xorddos
/usr/bin/hggpbwxjae	family_xorddos
/usr/bin/kmzhwqzmtg	family_xorddos
/usr/bin/kmzhwqzmtg	family_xorddos
/usr/bin/zdddgqnlnn	family_xorddos
/usr/bin/zdddgqnlnn	family_xorddos

Deletes itself 2 IoCs

Processes:

pid

1711
1714

pid
1711
1714

Executes dropped EXE 23 IoCs

Processes:

hhyofvrxrohhyofvrxrohhyofvrxrohhyofvrxrohhyofvrxroakveopppfyakveopppfyakveopppfyakveopppfyakveopppfyhggpbwxjaehggpbwxjaehggpbwxjaehggpbwxjaehggpbwxjaekmzhwqzmtgkmzhwqzmtgkmzhwqzmtgkmzhwqzmtgkmzhwqzmtgzdddgqnlnnzdddgqnlnnzdddgqnlnn

ioc	pid	process
/usr/bin/hhyofvrxro	1609	hhyofvrxro
/usr/bin/hhyofvrxro	1632	hhyofvrxro
/usr/bin/hhyofvrxro	1635	hhyofvrxro
/usr/bin/hhyofvrxro	1638	hhyofvrxro
/usr/bin/hhyofvrxro	1642	hhyofvrxro
/usr/bin/akveopppfy	1664	akveopppfy
/usr/bin/akveopppfy	1667	akveopppfy
/usr/bin/akveopppfy	1670	akveopppfy
/usr/bin/akveopppfy	1673	akveopppfy
/usr/bin/akveopppfy	1676	akveopppfy
/usr/bin/hggpbwxjae	1679	hggpbwxjae
/usr/bin/hggpbwxjae	1681	hggpbwxjae
/usr/bin/hggpbwxjae	1685	hggpbwxjae
/usr/bin/hggpbwxjae	1688	hggpbwxjae
/usr/bin/hggpbwxjae	1691	hggpbwxjae
/usr/bin/kmzhwqzmtg	1694	kmzhwqzmtg
/usr/bin/kmzhwqzmtg	1697	kmzhwqzmtg
/usr/bin/kmzhwqzmtg	1700	kmzhwqzmtg
/usr/bin/kmzhwqzmtg	1703	kmzhwqzmtg
/usr/bin/kmzhwqzmtg	1706	kmzhwqzmtg
/usr/bin/zdddgqnlnn	1709	zdddgqnlnn
/usr/bin/zdddgqnlnn	1712	zdddgqnlnn
/usr/bin/zdddgqnlnn	1715	zdddgqnlnn

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

description ioc

File opened for reading /proc/cpuinfo
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/BFtZ.bin

description	ioc
File opened for reading	/proc/cpuinfo

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/BFtZ.bin

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/hhyofvrxro
File opened for modification	/usr/bin/akveopppfy
File opened for modification	/usr/bin/hggpbwxjae
File opened for modification	/usr/bin/kmzhwqzmtg
File opened for modification	/usr/bin/zdddgqnlnn

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/meminfo
File opened for reading	/proc/rs_dev
File opened for reading	/proc/stat
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/cmdline	systemctl

/tmp/BFtZ.bin
/tmp/BFtZ.bin
1⤵
PID:1587

/bin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1599

/sbin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1599

/usr/bin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1599

/usr/sbin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1599

/usr/local/bin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1599

/usr/local/sbin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1599

/usr/X11R6/bin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1599

/bin/update-rc.d
update-rc.d BFtZ.bin defaults
1⤵
PID:1601

/sbin/update-rc.d
update-rc.d BFtZ.bin defaults
1⤵
PID:1601

/usr/bin/update-rc.d
update-rc.d BFtZ.bin defaults
1⤵
PID:1601

/usr/sbin/update-rc.d
update-rc.d BFtZ.bin defaults
1⤵
PID:1601
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1604

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1602
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1603

/usr/bin/hhyofvrxro
/usr/bin/hhyofvrxro "route -n" 1597
1⤵
- Executes dropped EXE
PID:1609

/usr/bin/hhyofvrxro
/usr/bin/hhyofvrxro "cd /etc" 1597
1⤵
- Executes dropped EXE
PID:1632

/usr/bin/hhyofvrxro
/usr/bin/hhyofvrxro "route -n" 1597
1⤵
- Executes dropped EXE
PID:1635

/usr/bin/hhyofvrxro
/usr/bin/hhyofvrxro "ps -ef" 1597
1⤵
- Executes dropped EXE
PID:1638

/usr/bin/hhyofvrxro
/usr/bin/hhyofvrxro whoami 1597
1⤵
- Executes dropped EXE
PID:1642

/usr/bin/akveopppfy
/usr/bin/akveopppfy sh 1597
1⤵
- Executes dropped EXE
PID:1664

/usr/bin/akveopppfy
/usr/bin/akveopppfy "ifconfig eth0" 1597
1⤵
- Executes dropped EXE
PID:1667

/usr/bin/akveopppfy
/usr/bin/akveopppfy "ls -la" 1597
1⤵
- Executes dropped EXE
PID:1670

/usr/bin/akveopppfy
/usr/bin/akveopppfy "echo \"find\"" 1597
1⤵
- Executes dropped EXE
PID:1673

/usr/bin/akveopppfy
/usr/bin/akveopppfy "cat resolv.conf" 1597
1⤵
- Executes dropped EXE
PID:1676

/usr/bin/hggpbwxjae
/usr/bin/hggpbwxjae "route -n" 1597
1⤵
- Executes dropped EXE
PID:1679

/usr/bin/hggpbwxjae
/usr/bin/hggpbwxjae id 1597
1⤵
- Executes dropped EXE
PID:1681

/usr/bin/hggpbwxjae
/usr/bin/hggpbwxjae "ifconfig eth0" 1597
1⤵
- Executes dropped EXE
PID:1685

/usr/bin/hggpbwxjae
/usr/bin/hggpbwxjae gnome-terminal 1597
1⤵
- Executes dropped EXE
PID:1688

/usr/bin/hggpbwxjae
/usr/bin/hggpbwxjae su 1597
1⤵
- Executes dropped EXE
PID:1691

/usr/bin/kmzhwqzmtg
/usr/bin/kmzhwqzmtg "ls -la" 1597
1⤵
- Executes dropped EXE
PID:1694

/usr/bin/kmzhwqzmtg
/usr/bin/kmzhwqzmtg ifconfig 1597
1⤵
- Executes dropped EXE
PID:1697

/usr/bin/kmzhwqzmtg
/usr/bin/kmzhwqzmtg whoami 1597
1⤵
- Executes dropped EXE
PID:1700

/usr/bin/kmzhwqzmtg
/usr/bin/kmzhwqzmtg ls 1597
1⤵
- Executes dropped EXE
PID:1703

/usr/bin/kmzhwqzmtg
/usr/bin/kmzhwqzmtg who 1597
1⤵
- Executes dropped EXE
PID:1706

/usr/bin/zdddgqnlnn
/usr/bin/zdddgqnlnn "echo \"find\"" 1597
1⤵
- Executes dropped EXE
PID:1709

/usr/bin/zdddgqnlnn
/usr/bin/zdddgqnlnn "echo \"find\"" 1597
1⤵
- Executes dropped EXE
PID:1712

/usr/bin/zdddgqnlnn
/usr/bin/zdddgqnlnn "cat resolv.conf" 1597
1⤵
- Executes dropped EXE
PID:1715

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/BFtZ.bin

Filesize
305B

MD5
0d22b5f635edd1830371ddb142ab4291

SHA1
f26bd3ef8886462b311518a6219596c72f33aeeb

SHA256
3d0b507735a60157692021de68649fc9a851032b42b57fadcb362e7772511aba

SHA512
22b2f21ab5f8ee868530f8a34755a198093725e573ab8b50ecc28ae2cf382e10af78b406dcb37584ee4030f285719fc50cb7a5a28f8f45c41092e46cdcedd288

Download Submit
/etc/sedsQ46x4

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
535KB

MD5
35793cbfd0a4376ea9380ffed9182334

SHA1
31e5d905407966ca953def90eb45df417127cf38

SHA256
303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4

SHA512
89fc15518e82cb7c7f97acb433a1881612d404585b5228e4554a3f9e58c3db7e9a057f669d98c11c10cf3dd5e73b48a9ebf2b983319eae709d9751f21dfaaf4a

Download Submit
/run/gcc.pid

Filesize
32B

MD5
eff44537949566493285d374d212b018

SHA1
250a97f2dc39b7d5e99a80ba476e1ed6b4ebabb4

SHA256
e157e6bf13cb3bdb58ba16315178483dc99747587f97000d8e23cdc301091d80

SHA512
f1e82be1d34b395fa1bbb330e34a947ab01e434ae1ff22b3e67ce4c0d9020f19375448ba2eb0c4c2aa38ed431553d47e9764fa0889953a6a5ca038d4efca769d

Download Submit
/usr/bin/akveopppfy

Filesize
535KB

MD5
2bfcf9b3e63fdac111e18cb89296805a

SHA1
b1bc9e58de767b9a4fc804ece5d85f590825a68a

SHA256
823f91841557c9d209c4717640dd2e74812114fec81561d0518ab1e29148857a

SHA512
9cb8a36f65c6d382e4ef9deb17f556d16837308117ffdba423a1fed9b87cfc554d72dd10f0ab83fa0360d8888f659abc01939711857238a11bcddc7f4d7454b6

Download Submit
/usr/bin/akveopppfy

Filesize
535KB

MD5
38d7ef547f298af7fa476858b7513c2f

SHA1
01b4ba0a238a21937af849fc0c2dc80522c9e964

SHA256
ac726fd57a70c3b01f77e81c15d5ee263ae46573b41f6e1a5962440dd2707314

SHA512
78700e8bad5ecad5870e1aa6c8e30f68fefdf9504bdd392549e86c42d0b64b155f94a458e5fbc8f27f301687d48b225dbec5213c090a32bd88e56a424011f525

Download Submit
/usr/bin/hggpbwxjae

Filesize
535KB

MD5
dceeba4c2347da297b85bd810ff46b6f

SHA1
70b80937530693785172d38bcaf359ec6e694fd5

SHA256
ef6edb986da81391b5f8350250267fcd2ff57f21ae84aa70613fea152c6bc624

SHA512
4c3ff7380f83a4ccdd30a400e1640ece9a76864172c273d41a33dec73f13f7fc5d82760daeb51a5f2c3de758cebadfee58aa2eaf8d8a5d65c6f849260e243dfb

Download Submit
/usr/bin/hggpbwxjae

Filesize
535KB

MD5
72e17c0a9b2b24100e15bc42cc2ad754

SHA1
da01be9ff81fd472361581bdd44aefc57b6c11c3

SHA256
700af50bb99e4da6fa543766710a0ab7b4f10e78fea9674608a1d6f55658482e

SHA512
0608df87eaf8b40227f0bc154157f35f83a7876b4fb63e7b497d81004fb9a390e577bdd8b8558d63941a5fe878075a096882135a9b8650ed81d97515011dbb12

Download Submit
/usr/bin/hhyofvrxro

Filesize
535KB

MD5
7eed031278fabaaf1d5e918676c8032b

SHA1
e846f1f602fdcb224ae25f7642259bf8e0f11023

SHA256
3f1bc7744717a947f15e2de10bb33b789c2c4a45089e2b7f443d2fbdd8df1b9f

SHA512
5c7e891e003fc017d9f4c0410d90ee0ccd53f099200795f3d6e203bf3acd001ad2aed38ef2b7e23efa3395a61fe8eb3ddef84113711268585fde740f6154e18b

Download Submit
/usr/bin/hhyofvrxro

Filesize
535KB

MD5
cd653aeea189891bbe1af4a018c3e913

SHA1
9f52feed3aa878c84500a1cb807ca7793d3f1440

SHA256
391def546c9847fc09f5c87af4e54286cb7a624c9889cb56b3d4fbc2d9bbdd3e

SHA512
342024f82df1f324e9a2bd57ba03c7edb58b826a266cedb1b6126289fdd618ca93929889208aaf7e744eed73119945d8fbc1a1372a5f5a2230829ad02d670462

Download Submit
/usr/bin/kmzhwqzmtg

Filesize
535KB

MD5
73a44c6dd5a9fdccd21e2d8c34d93487

SHA1
94993673c401cb53f0371db64b0bbfd6aac42d7c

SHA256
d1f0d60a3c1a83bba2333be41e2763d426737028f8943e4a361f5f79179f39c6

SHA512
b7dfbbc6a059fb6e117368aecf991d6707c71787eb04633551aa1e0ae9a170f30b818c73ddaeac8c6282b0c561960fd42fe544baaab0ab6c46049ae871e70e2a

Download Submit
/usr/bin/kmzhwqzmtg

Filesize
535KB

MD5
403f85a0919d0e8eca977cdfbec3505f

SHA1
9c9e5197d36b27f89b5901066955b2c8b947b4e6

SHA256
4c57a6d0ca3ae63f89875be1a15c11eb7da0542174340d8eb4bd8dcb58dbfedd

SHA512
ee29be88ccbf8a210e7059bb09bde434ee52076c1e7748f1572340b5bdbe6b207cde3a9e4dc6d06d45ce622be93e60555b601b93e0cadb3a55b4e50a5ce8d07e

Download Submit
/usr/bin/zdddgqnlnn

Filesize
535KB

MD5
1b8a299507de17744b05121dca2241cd

SHA1
05c989987ea6d067271b5a1289c8bf1d0f7ff9bf

SHA256
d9d7eb2fac7a36a16976207cd5ee1734e8657a53fba24a32feb516c4732cb5bc

SHA512
bfb634dc7549e74c891bcd041db5c3620db5cb053620928166e18a158e6b86c8ee9da550123cf7c4703ebc6d9a91e214f85c229fbd4bf498f0600c8518cd7f9f

Download Submit
/usr/bin/zdddgqnlnn

Filesize
535KB

MD5
d752252878572c3b1f1836e67fff6aa6

SHA1
d7cbf9ead639b0602c8efd988d8dc520382e68de

SHA256
b4baf7c844bfd090be6a453ba0c1324276c6e7f965e067d6884628475ea4c60a

SHA512
5369950739f0a40182dbbbe49249ec07293a6051949b8f38648c38786528fad5d8a6637bf8cb55edba7d61bfe15e0368e5b70253249aa29a71047ecfd91929f0

Download Submit