xorddos | 303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4

Resubmissions

10-01-2024 09:22

240110-lb7gysdfd5 10

02-01-2024 22:09

240102-1262fabeej 10

02-01-2024 20:59

240102-zsqsesebc6 10

Analysis

max time kernel
7s
max time network
154s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
10-01-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BFtZ.bin
Size

535KB
MD5

35793cbfd0a4376ea9380ffed9182334
SHA1

31e5d905407966ca953def90eb45df417127cf38
SHA256

303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4
SHA512

89fc15518e82cb7c7f97acb433a1881612d404585b5228e4554a3f9e58c3db7e9a057f669d98c11c10cf3dd5e73b48a9ebf2b983319eae709d9751f21dfaaf4a
SSDEEP

12288:4Ufrcn+vwK5ripVU4tdZ1pNL/pVbz266ySjQn36Eoj:/fUywKQ7Fb1pNL/p52fjQn36Eu

Score

10^/10

xorddos antivm botnet discovery downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.hostasa.org/config.rar

ppp.gggatat456.com:1522

ppp.xxxatat456.com:1522

www1.gggatat456.com:1522

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 4 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/dvygqhhbnx	family_xorddos
/usr/bin/dvygqhhbnx	family_xorddos
/usr/bin/dvygqhhbnx	family_xorddos

Executes dropped EXE 5 IoCs

Processes:

dvygqhhbnxdvygqhhbnxdvygqhhbnxdvygqhhbnxdvygqhhbnx

ioc	pid	process
/usr/bin/dvygqhhbnx	1531	dvygqhhbnx
/usr/bin/dvygqhhbnx	1537	dvygqhhbnx
/usr/bin/dvygqhhbnx	1540	dvygqhhbnx
/usr/bin/dvygqhhbnx	1543	dvygqhhbnx
/usr/bin/dvygqhhbnx	1546	dvygqhhbnx

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

description ioc

File opened for reading /proc/cpuinfo
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc

File opened for modification /etc/cron.hourly/gcc.sh
File opened for modification /etc/crontab sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/BFtZ.bin
Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /usr/bin/dvygqhhbnx

description	ioc
File opened for reading	/proc/cpuinfo

description	ioc
File opened for modification	/etc/cron.hourly/gcc.sh
File opened for modification	/etc/crontab	sh

description	ioc
File opened for modification	/etc/init.d/BFtZ.bin

description	ioc
File opened for modification	/usr/bin/dvygqhhbnx

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc
File opened for reading	/proc/stat
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/rs_dev
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/meminfo
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl

/tmp/BFtZ.bin
/tmp/BFtZ.bin
1⤵
PID:1518

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1524
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1525

/bin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1521

/sbin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1521

/usr/bin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1521

/usr/sbin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1521

/usr/local/bin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1521

/usr/local/sbin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1521

/usr/X11R6/bin/chkconfig
chkconfig --add BFtZ.bin
1⤵
PID:1521

/bin/update-rc.d
update-rc.d BFtZ.bin defaults
1⤵
PID:1523

/sbin/update-rc.d
update-rc.d BFtZ.bin defaults
1⤵
PID:1523

/usr/bin/update-rc.d
update-rc.d BFtZ.bin defaults
1⤵
PID:1523

/usr/sbin/update-rc.d
update-rc.d BFtZ.bin defaults
1⤵
PID:1523
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1529

/usr/bin/dvygqhhbnx
/usr/bin/dvygqhhbnx id 1519
1⤵
- Executes dropped EXE
PID:1531

/usr/bin/dvygqhhbnx
/usr/bin/dvygqhhbnx ls 1519
1⤵
- Executes dropped EXE
PID:1537

/usr/bin/dvygqhhbnx
/usr/bin/dvygqhhbnx bash 1519
1⤵
- Executes dropped EXE
PID:1540

/usr/bin/dvygqhhbnx
/usr/bin/dvygqhhbnx "netstat -antop" 1519
1⤵
- Executes dropped EXE
PID:1543

/usr/bin/dvygqhhbnx
/usr/bin/dvygqhhbnx uptime 1519
1⤵
- Executes dropped EXE
PID:1546

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/BFtZ.bin

Filesize
305B

MD5
0d22b5f635edd1830371ddb142ab4291

SHA1
f26bd3ef8886462b311518a6219596c72f33aeeb

SHA256
3d0b507735a60157692021de68649fc9a851032b42b57fadcb362e7772511aba

SHA512
22b2f21ab5f8ee868530f8a34755a198093725e573ab8b50ecc28ae2cf382e10af78b406dcb37584ee4030f285719fc50cb7a5a28f8f45c41092e46cdcedd288

Download Submit
/etc/sedEYGapw

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
189KB

MD5
74a3cbd7e922a51642f218d44c3a2cfb

SHA1
cb93c3ba27ac9f05cce669c899548008a37b07d8

SHA256
b5cec7c6b2eb096b0471ffd141b90b44909da54efebb5587d3dddde53c37262b

SHA512
da3b45a43a04d4e5e93d206cfed33ed1892a62b49cdf098b8d7117e866514eaf91811953cf39b4c5f31e136943cf46f718572b169ba791af08083b4bf211c06b

Download Submit
/run/gcc.pid

Filesize
32B

MD5
58d2acc2dc76620fc3742d980671bebc

SHA1
6a0a4d4d25cc3626329f3c47dd18527abe51f75a

SHA256
42c0e80a4c26c32a7f25a291bc209dc6a460bf02ffb8e8a63f6d51cdbc081752

SHA512
532f83a9d54e1d9fe393c8248fdf403ba105eaee9b90a59675e08d75452b197d583a5ca642b667e31ecc1f4be5907c82cde39175ccdcb50908190a184e3c8c97

Download Submit
/usr/bin/dvygqhhbnx

Filesize
535KB

MD5
35793cbfd0a4376ea9380ffed9182334

SHA1
31e5d905407966ca953def90eb45df417127cf38

SHA256
303bb187a06415eedc0c5ece5692fe05b03e286435472d0e4fd4ca9386d9acf4

SHA512
89fc15518e82cb7c7f97acb433a1881612d404585b5228e4554a3f9e58c3db7e9a057f669d98c11c10cf3dd5e73b48a9ebf2b983319eae709d9751f21dfaaf4a

Download Submit
/usr/bin/dvygqhhbnx

Filesize
535KB

MD5
a099278dc518a4670cb7c5d36cd9b44b

SHA1
05a651b3b87c41076b75a438ebeaaed89f90f6d9

SHA256
5c3d36b6572b4f86d03377a733ad40eb4e1a4c7d7b0bb762ba2a56931920f7fe

SHA512
d4a36dc79d130711999c9e5e5b9a41570a9b3bec361db96cf4bce2287bf3bbd641d2907d1d7db9bd1a1decfac08745d12d8609f45e832e6a321371948d34614c

Download Submit
/usr/bin/dvygqhhbnx

Filesize
535KB

MD5
12126888cdb45605f9dff36a72f520b6

SHA1
573e741b1e1404348867160a5ce12cf6ff1e345c

SHA256
de422f412531a3cc8f18737539db4475675e458419dc749f88a223c98c69d446

SHA512
33a7cd9c882ac2adc9e179320b9be76eb0482ceeaf7a68dc0628cc32fc8314e60eef1f746048e80894b5df700473d0de5b1ee9ac8c74fce1a6dc75b7a0e16f78

Download Submit