xorddos | ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

General

Target

112s
Size

549KB
MD5

f9191bab1e834d4aef3380700639cee9
SHA1

9c20269df6694260a24ac783de2e30d627a6928a
SHA256

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA512

3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

api.markerbio.com:112

api.enoan2107.com:112

http://qq.com/lib.asp

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-2.dat	family_xorddos
behavioral1/files/fstream-29.dat	family_xorddos

Deletes itself 28 IoCs

pid
1542
1552
1557
1560
1565
1566
1570
1573
1576
1579
1581
1585
1588
1591
1594
1596
1604
1608
1612
1615
1617
1622
1625
1628
1631
1633
1637
1640

Executes dropped EXE 28 IoCs

ioc	pid	Process
/bin/tdhxjggrmezmk	1545	tdhxjggrmezmk
/bin/vbtdqeqfghitjy	1550	vbtdqeqfghitjy
/bin/lpeejim	1556	lpeejim
/bin/gutsjlh	1559	gutsjlh
/bin/gljuvg	1562	gljuvg
/bin/sxsmwozkdf	1564	sxsmwozkdf
/bin/mocoojijdtu	1568	mocoojijdtu
/bin/mbyxvvelobea	1571	mbyxvvelobea
/bin/ubjygcm	1574	ubjygcm
/bin/eclpkuvdrirug	1577	eclpkuvdrirug
/bin/rbtcpwirvdshd	1580	rbtcpwirvdshd
/bin/mbqsshtnlljuch	1583	mbqsshtnlljuch
/bin/xqcybtv	1586	xqcybtv
/bin/pgbwlfgjrjbjck	1589	pgbwlfgjrjbjck
/bin/pvqbpuioraqpb	1592	pvqbpuioraqpb
/bin/nvbtxxgefpwps	1595	nvbtxxgefpwps
/bin/ukwixsjs	1602	ukwixsjs
/bin/jyvqptfhdyjr	1605	jyvqptfhdyjr
/bin/dawoupzsmqjgxs	1607	dawoupzsmqjgxs
/bin/wdcfmaxhzj	1613	wdcfmaxhzj
/bin/tpfwtkzr	1616	tpfwtkzr
/bin/mvothqqrscbl	1620	mvothqqrscbl
/bin/hjmrkdse	1623	hjmrkdse
/bin/vudntcdlnrjdmq	1626	vudntcdlnrjdmq
/bin/djoflz	1629	djoflz
/bin/ukmnvr	1632	ukmnvr
/bin/bcdvfqqjw	1635	bcdvfqqjw
/bin/zpnecfy	1638	zpnecfy

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc
File opened for modification	/etc/cron.hourly/kmzemrggjxhdt.sh

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/kmzemrggjxhdt

Writes file to system bin folder 1 TTPs 31 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/bin/vudntcdlnrjdmq
File opened for modification	/bin/tdhxjggrmezmk
File opened for modification	/bin/gutsjlh
File opened for modification	/bin/pgbwlfgjrjbjck
File opened for modification	/bin/mocoojijdtu
File opened for modification	/bin/nvbtxxgefpwps
File opened for modification	/bin/jyvqptfhdyjr
File opened for modification	/bin/ukwixsjs
File opened for modification	/bin/mvothqqrscbl
File opened for modification	/bin/djoflz
File opened for modification	/bin/rbtcpwirvdshd
File opened for modification	/bin/mbqsshtnlljuch
File opened for modification	/bin/xqcybtv
File opened for modification	/bin/zpnecfy
File opened for modification	/bin/kmzemrggjxhdt
File opened for modification	/bin/kmzemrggjxhdt.sh
File opened for modification	/bin/lpeejim
File opened for modification	/bin/pmoanowa
File opened for modification	/bin/sxsmwozkdf
File opened for modification	/bin/ubjygcm
File opened for modification	/bin/ukmnvr
File opened for modification	/bin/dawoupzsmqjgxs
File opened for modification	/bin/bcdvfqqjw
File opened for modification	/bin/pvqbpuioraqpb
File opened for modification	/bin/wdcfmaxhzj
File opened for modification	/bin/gljuvg
File opened for modification	/bin/mbyxvvelobea
File opened for modification	/bin/eclpkuvdrirug
File opened for modification	/bin/vbtdqeqfghitjy
File opened for modification	/bin/tpfwtkzr
File opened for modification	/bin/hjmrkdse

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/tcp

Writes file to shm directory 2 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc
File opened for modification	/dev/shm/sem.petdda
File opened for modification	/dev/shm/sem.j11XrT

/tmp/112s
/tmp/112s
1⤵
PID:1541

/bin/tdhxjggrmezmk
/bin/tdhxjggrmezmk
1⤵
- Executes dropped EXE
PID:1545

/bin/vbtdqeqfghitjy
/bin/vbtdqeqfghitjy -d 1546
1⤵
- Executes dropped EXE
PID:1550

/bin/lpeejim
/bin/lpeejim -d 1546
1⤵
- Executes dropped EXE
PID:1556

/bin/gutsjlh
/bin/gutsjlh -d 1546
1⤵
- Executes dropped EXE
PID:1559

/bin/gljuvg
/bin/gljuvg -d 1546
1⤵
- Executes dropped EXE
PID:1562

/bin/sxsmwozkdf
/bin/sxsmwozkdf -d 1546
1⤵
- Executes dropped EXE
PID:1564

/bin/mocoojijdtu
/bin/mocoojijdtu -d 1546
1⤵
- Executes dropped EXE
PID:1568

/bin/mbyxvvelobea
/bin/mbyxvvelobea -d 1546
1⤵
- Executes dropped EXE
PID:1571

/bin/ubjygcm
/bin/ubjygcm -d 1546
1⤵
- Executes dropped EXE
PID:1574

/bin/eclpkuvdrirug
/bin/eclpkuvdrirug -d 1546
1⤵
- Executes dropped EXE
PID:1577

/bin/rbtcpwirvdshd
/bin/rbtcpwirvdshd -d 1546
1⤵
- Executes dropped EXE
PID:1580

/bin/mbqsshtnlljuch
/bin/mbqsshtnlljuch -d 1546
1⤵
- Executes dropped EXE
PID:1583

/bin/xqcybtv
/bin/xqcybtv -d 1546
1⤵
- Executes dropped EXE
PID:1586

/bin/pgbwlfgjrjbjck
/bin/pgbwlfgjrjbjck -d 1546
1⤵
- Executes dropped EXE
PID:1589

/bin/pvqbpuioraqpb
/bin/pvqbpuioraqpb -d 1546
1⤵
- Executes dropped EXE
PID:1592

/bin/nvbtxxgefpwps
/bin/nvbtxxgefpwps -d 1546
1⤵
- Executes dropped EXE
PID:1595

/bin/ukwixsjs
/bin/ukwixsjs -d 1546
1⤵
- Executes dropped EXE
PID:1602

/bin/jyvqptfhdyjr
/bin/jyvqptfhdyjr -d 1546
1⤵
- Executes dropped EXE
PID:1605

/bin/dawoupzsmqjgxs
/bin/dawoupzsmqjgxs -d 1546
1⤵
- Executes dropped EXE
PID:1607

/bin/wdcfmaxhzj
/bin/wdcfmaxhzj -d 1546
1⤵
- Executes dropped EXE
PID:1613

/bin/tpfwtkzr
/bin/tpfwtkzr -d 1546
1⤵
- Executes dropped EXE
PID:1616

/bin/mvothqqrscbl
/bin/mvothqqrscbl -d 1546
1⤵
- Executes dropped EXE
PID:1620

/bin/hjmrkdse
/bin/hjmrkdse -d 1546
1⤵
- Executes dropped EXE
PID:1623

/bin/vudntcdlnrjdmq
/bin/vudntcdlnrjdmq -d 1546
1⤵
- Executes dropped EXE
PID:1626

/bin/djoflz
/bin/djoflz -d 1546
1⤵
- Executes dropped EXE
PID:1629

/bin/ukmnvr
/bin/ukmnvr -d 1546
1⤵
- Executes dropped EXE
PID:1632

/bin/bcdvfqqjw
/bin/bcdvfqqjw -d 1546
1⤵
- Executes dropped EXE
PID:1635

/bin/zpnecfy
/bin/zpnecfy -d 1546
1⤵
- Executes dropped EXE
PID:1638

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

System Network Connections Discovery

1

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/eclpkuvdrirug

Filesize
201KB

MD5
572a666207d357f1107068a156a29857

SHA1
cd4da4776d8be85f048cf71df1777e4a97fe8b53

SHA256
3786c1960b4caee9223c71d1e6544014dbe4908d1c1415ef83fc314a8b841848

SHA512
95c846e1799b31384d57cc869a48815bed0df19090992cdbd4c8ec23584a3e0c7186375f7aa701bb3fc14efff36723b54620a7be7f37a85a99ac985a5c28888d

Download Submit
/bin/tdhxjggrmezmk

Filesize
549KB

MD5
e6430d8d0ba4672e6871a070a35ddbcd

SHA1
c4284586c2b26d43d460a440dcddd2060e2eccd2

SHA256
ec2ae23e4f7fb4327590c324ca2928b72d30752036f1b189b3d4a311d6c04cf7

SHA512
3e4f29f61fceb4735fd6defe05e540bec63f4b75e3cb374330715221eca2825e04b029449056d42b80e966bc61302a8669b974b7132ceb347fd4de4cb1c3c52a

Download Submit
/etc/cron.hourly/kmzemrggjxhdt.sh

Filesize
150B

MD5
c86316d798424eb97a6dcaa1df434d3b

SHA1
e08a9517970d8ff4dba179918e840fe717699eba

SHA256
0c63805a20c9f69c81a2b5687b134bb9b63520b037013c868b092a45b4a91276

SHA512
a61ae9d337896444b736025ae62e77049e147ce75d1c06ff214a679cf8ebf09e2aa2137aae85075711dabefe3680c8ee18cc2eee72d5c8cf78ce9ce527469eba

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
8e18c417f8be5ef8956722b1c947d38e

SHA1
7f97561ec2e6fa4013b640114730c8a68f6d45a4

SHA256
d68ac2f7af921b4c5892066439e0569a351bdb19e93b94bbbbc4562503894bd0

SHA512
22a7aa17953cd460b127eefd823295b6f8cbea53e5aa92daeefd062e8ee8436854878585f0079c524c24ffc8817cdf9854ea45d4bfe3c6524b0701ebf1ad2efd

Download Submit
/etc/init.d/kmzemrggjxhdt

Filesize
353B

MD5
267f35e0280730cd5e20f0fcdcdeeb0e

SHA1
dcf0cdb3b39ba9958758ed7f54ec9756d47e772f

SHA256
7ae13d8f82b59797ff78c868ada78d65164f80fe3fea143553ce1f811709e785

SHA512
e471371ae83b72e7fa52065e08b0fb717549d7ccca6405765f8abdc13cea1e449accd36614f99b5d382233f347e5a78d163b844c0a439ce7f9502a4f03fe976c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads